Google Android, Apple iOS, BlackBerry, and Windows Mobile devices have an inherent security weakness in the method they use for connecting to Wi-Fi networks that has the potential for exploitation by skilled cyber-attackers says Raul Siles, a SANS instructor.
The vulnerability is dependent on how the network is added to the device and stems from the procedure where Mobile devices keep a list of manually configured wireless networks plus any networks it has previously connected to on a Preferred Network List (PNL). Every time the Wi-Fi interface is switched on, and on a periodic basis, the device checks through 802.11 probe requests what networks on its PNL are available in the current location. Based on the responses obtained, it tries to connect to the most preferred network.
In the past, this network discovery process was performed by sending a generic probe request as an open broadcast plus specific requests for every network in the PNL. This meant devices disclosed the full PNL in the air exposing themselves to karma-like attacks where an attacker can identify all the networks (or access points) the mobile device is trying to connect to and impersonate them. These fake networks can trick a victim’s device into connecting to the attacker’s network that then captures and manipulate its traffic to launch additional advanced attacks.
“This situation has been known since 2004; Microsoft fixed it for Windows XP in 2007 and recently in Windows Phone devices but it seems the other mobile device vendors are not as concerned,” says Siles.
This “PNL disclosure” still applies to the latest Android 4.x versions and was acknowledged but not fixed since Android 2.x-3.x dating back to 2011. It is also prevalent when adding Wi-Fi networks manually in iOS 1.x-6.x and in BlackBerry 7.x although in this platform it can be resolved from the advanced Wi-Fi settings, and in particular by enabling the “SSID broadcasted” option.
“In some cases, there are options that can be changed to avoid this issue but on most devices when a Wi-Fi network is added manually it presents the vulnerable behaviour and few users are aware of the security implications” Siles adds.
Raul Siles is a founder and senior security analyst with Taddong and has over a decade expertise performing advanced security services and solutions in various worldwide industries include security architecture design and reviews, penetration tests, incident handling, forensic analysis, security assessments, and information security research in new technologies.
He is also a SANS Institute author and instructor of penetration testing courses, a regular speaker at security conferences, author of security books and articles, and contributes to research and open-source projects. Siles recently presented his research into several mobile security vulnerabilities at the RootedCON2013 conference in Madrid last March.
The expert believes that end users, corporate administrators, and security professionals, using or managing Android, iOS or BlackBerry mobile devices should become more aware of this behaviour and ensure that all the Wi-Fi networks available on the device PNL are treated as visible. “I need to stress that these types of client attacks are commonly left unchecked and without consideration, the modern smartphone could become the ultimate digital ‘Trojan Horse’ allowing attacks to breach ultra-secure locations. The threat grows as individuals start mixing personal and corporate activities, logons, confidential data and applications all on the same device.”
Siles also believes that the lack of attention to Wi-Fi security is not an oversight but intent by Google, Apple, and others to make device operation simpler for users, “Unfortunately, a clever and targeted attack can use these simplifications as a staging post for more damaging assault which traditional detection capabilities would be unlikely to spot.”
Siles recommends that Google Android should add a new configuration setting to the user interface that allows the user to specify if the network must be considered hidden or visible every time a new Wi-Fi network is added to the mobile device. This option should be independent of the method used, or at least when it is manually added through the vulnerable “Add Wi-Fi Network” or “+” button.
Siles adds, “The default value for this new setting must reflect that the network to connect to is visible unless the user specifies otherwise by changing the default value, this change would at least stop Karma-like attacks by default unless a user intentionally exposed the full PNL to the open air.”
The situation in Apple iOS mobile devices is even worse in Siles view. Within iOS additional security settings are limited and user cannot even manage the device PNL. The user does not know what networks the device has connected to previously and cannot easily delete Wi-Fi networks from the PNL unless within the area of coverage of the network. A new free tool called iStupid (indiscreet SSID Tool (for the) Unknown PNL (on) iOS Devices) which is based on the result of Siles’ research presented in March, will be released this month for that specific purpose.
Siles research also extends the analysis of mobile vulnerabilities affecting Wi-Fi Enterprise (802.1x/EAP) networks previously included in the SANS SEC575 material. As a result, an attacker can force an Android, iOS, BlackBerry and Windows Phone mobile device to disclose the user credentials (username and password) when trying to connect to a fake corporate Wi-Fi network.
Siles will be teaching the SEC575: Mobile Device Security and Ethical Hacking at the SANS Institute Pen Test Berlin, the largest dedicated training event for ethical hackers in Europe, which runs from June 3 to 8 2013 at the Radisson Blu Hotel on the bank of Berlin’s River Spree.
The course is designed to help organisations struggling with mobile device security by equipping personnel with the skills needed to design, deploy, operate, and assess a well-managed secure mobile environment. From practical policy development to network architecture design and deployment, and mobile code analysis to penetration testing and ethical hacking, this course teaches the critical skills necessary to support the secure deployment and use of mobile phones and tablets within any organisation. The four courses offered at Pen Test Berlin provide essential preparation for a number of Global Information Assurance Certification (GIAC) exams.
For more information regarding the SEC575 course and training event including GIAC Certification, visit: http://www.sans.org/info/130677
