
11/6/2009
03:32 PM
Robert Graham
Commentary

WiFi = Mobile Phone

Traditionally, we've thought of WiFi as the way we connect to the Internet from our notebook computers. This is rapidly changing, with definite implications for security pros.

In the next year, more mobile phones will ship with WiFi than notebook computers. This is going to change how we look at WiFi, and for security people, it's going to change how they secure corporate WiFi networks.

This issue crept up on me. I've been developing my own WiFi assessment tool, and whereas most tools focus on access points (in order to crack WEP), I put stuff into my tool to track client devices. I was working on the code at an airport while waiting for a flight. Rather than seeing the occasional notebook computer, I was astonished to see hundreds of mobile phones around me. A new device would appear at least once a minute.

Here is a sample output from the program from only a couple minutes of monitoring, showing the hardware IDs (with final two bytes obfuscated), followed by the manufacturer name and SSIDs the devices were trying to connect to:

[00:23:12:bb:xx:xx] Apple ""
[00:24:7d:25:xx:xx] Nokia ""
[00:1c:b3:04:xx:xx] Apple ""
[00:1e:52:88:xx:xx] Apple ""
[00:24:7c:65:xx:xx] Nokia ""
[00:1c:cc:33:xx:xx] BlackBerry "NETGEAR"
[00:24:9f:ba:xx:xx] BlackBerry "tmobile", "@Home"
[00:23:df:65:xx:xx] Apple ""
[00:23:7a:95:xx:xx] BlackBerry "tmobile", "@Home"
[00:25:00:75:xx:xx] Apple "ostra"
[04:1e:64:1f:xx:xx] Apple ""
[00:1c:cc:8d:xx:xx] BlackBerry "ibahn", "It's A Grind"
[00:21:06:b0:xx:xx] BlackBerry "ATL-WIFI"
[00:24:9f:d3:xx:xx] BlackBerry "tmobile", "@Home", "Primeline", "theBatCave"
[00:26:b0:94:xx:xx] Apple ""

While Apple and BlackBerry dominate the list, that's not necessarily because they have the most WiFi-enabled phones. Instead, it's because these phones encourage the user to turn on WiFi and leave it on.

In BlackBerry's case, it's because T-Mobile offers something called "unlicensed mobile access" (UMA), which means "making calls over WiFi." While at home near your access point, you can make calls over WiFi. The phone makes a VPN tunnel over your home network back to T-Mobile and uses standard VoIP protocols like SIP to make and receive phone calls. If you make a call at home and drive away, then the phone will automatically hand off the connection to the nearest cell tower, allowing a seamless phone call. Most important, while making calls at home, you aren't charged for any minutes. It will also work whenever you are near a T-Mobile hotspot. That is why in the above list so many BlackBerrys are searching for "tmobile" and "@Home" access points.

Apple encourages WiFi for other reasons. It has a ton of apps that rely on Internet connections, such as Twitter. The worst, of course, is iTunes (I missed an episode of SouthPark while on the road recently, so of course I simply downloaded it to the iPhone and watched it). According to reports, AT&T's network is already overloaded by iPhones, so everything Apple can do to encourage people to switch to WiFi will help.

There are a lot of other phones with WiFi, but it's typically turned off by default because there's no compelling reason to leave it on: They don't have good Web browsers, they don't have good applications, and they don't have features like T-Mobile's UMA. Thus, while I see the occasional Nokia, Palm, HTC, Samsung, or Windows Mobile device, they are pretty rare. This is going to change in the next year: Everybody is trying to catch up to Apple's runaway success.

This will change how companies deploy their own WiFi networks. During a recent corporate WiFi assessment, we were at a big campus that was blanketed by a typical Cisco WiFi corporate deployment. The company gave Dell laptops to all their employees, configured to hook up to the corporate network. The campus was full of cafes, little nooks, and conference rooms where people could get out of their cubicle and go work somewhere else.

Yet even in this laptop-rich environment, mobile phones accounted for half the devices trying to connect to WiFi. This poses a problem. For example, the notebooks all had the Cisco supplicant for connecting to the WPA2 corporate network. You can't get specific supplicants for the mobile phones, which is a limitation if companies want custom features in their supplicants. They had an unencrypted "guest" network, but apps on the iPhone can quickly screw that up. For example, an employee will often choose the same password for his Twitter account as for his corporate account, then use a Twitter iPhone app that sends the password in the clear to anybody running a WiFi sniffer.

Another interesting problem is vulnerabilities. We reported a typical WiFi vuln in Windows Mobile to Microsoft three years ago (sending a long SSID in a Beacon packet). This was never patched. That's because Microsoft does not sell cell phones: It provides the Windows Mobile phones to device manufacturers (in this case, HTC). The device manufacturers aren't responsible either; they just provide the phones to the carriers (AT&T in this example). While Microsoft worked with us and HTC to make sure the problem was fixed in the code, AT&T had no interest in the vuln and refused to provide the patch to their customers. In contrast, Apple ships security fixes to the iPhone every couple months. Of course, everyone knows the Windows Mobile business model is fatally flawed -- the inability of Windows Mobile bugs to be fixed is just one example.
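The article says only that the flaw involved "a long SSID in a Beacon packet", so the following shows the general check for that bug class, not the specific Windows Mobile defect. It is an added example, not code from the article or any vendor: a C parser for a beacon frame body that validates the SSID element's length byte against both the frame and the 32-byte limit before copying. All function and constant names are hypothetical and the sample frames are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IE_SSID      0   /* element ID of the SSID information element */
#define SSID_MAX_LEN 32  /* longest SSID that 802.11 permits */
#define BEACON_FIXED 12  /* timestamp (8) + interval (2) + capabilities (2) */
enum { SSID_OK = 0, SSID_MISSING = -1, SSID_TRUNCATED = -2, SSID_TOO_LONG = -3 };

/* Constructed beacon bodies: valid, SSID longer than 32, length past frame end. */
static const uint8_t GOOD_BEACON[BEACON_FIXED + 2 + 5] = { [BEACON_FIXED] = IE_SSID, 5, 'g', 'u', 'e', 's', 't' };
static const uint8_t LONG_BEACON[BEACON_FIXED + 2 + 40] = { [BEACON_FIXED] = IE_SSID, 40 };
static const uint8_t LYING_BEACON[BEACON_FIXED + 2 + 5] = { [BEACON_FIXED] = IE_SSID, 20 };

/* Copy the SSID of a beacon frame body into out; returns SSID_OK or an error. */
int beacon_get_ssid(const uint8_t *body, size_t body_len,
                    char out[SSID_MAX_LEN + 1], size_t *out_len)
{
    if (body_len < BEACON_FIXED)
        return SSID_TRUNCATED;
    size_t pos = BEACON_FIXED;
    while (pos < body_len) {
        /* Element layout: ID (1 byte), length (1 byte), data (length bytes). */
        if (body_len - pos < 2)
            return SSID_TRUNCATED;
        uint8_t id = body[pos], len = body[pos + 1];
        pos += 2;
        if (len > body_len - pos)       /* length byte runs past the frame */
            return SSID_TRUNCATED;
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN)     /* length byte may say 255; buffer holds 32 */
                return SSID_TOO_LONG;
            memcpy(out, body + pos, len);
            out[len] = '\0';
            *out_len = len;
            return SSID_OK;
        }
        pos += len;
    }
    return SSID_MISSING;
}

int main(void)
{
    char ssid[SSID_MAX_LEN + 1];
    size_t n = 0;
    printf("good:  %d\n", beacon_get_ssid(GOOD_BEACON, sizeof GOOD_BEACON, ssid, &n));
    printf("long:  %d\n", beacon_get_ssid(LONG_BEACON, sizeof LONG_BEACON, ssid, &n));
    printf("lying: %d\n", beacon_get_ssid(LYING_BEACON, sizeof LYING_BEACON, ssid, &n));
    return 0;
}
```

A parser that omits the `len > SSID_MAX_LEN` test and copies into a 32-byte buffer is the overflow; the same test can run in a wireless IDS to flag malformed beacons.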

Apple has the worst problem: All of those apps written by third parties are horrible, with all the old vulnerabilities. In our penetration tests, the first thing we do is look for an iPhone app written by the customer. After simple reverse-engineering, we find we can break into the iPhone, the server it's talking to, or both. Exploitable smartphone? There's an app for that.

I don't know the exact numbers of WiFi-equipped mobile phones versus laptops, but a good number to start with is Apple's recent quarterly report. It shipped 7.4 million iPhones last quarter, compared to about 120 million laptops from all vendors shipped worldwide. And Apple has roughly 30 percent market share among smartphones. So that's maybe 20 million WiFi phones last quarter. However, the numbers are growing fast: I predict that by this time next year, WiFi phones will be exceeding laptops in shipments.

Robert Graham is CEO of Errata Security. Special to Dark Reading
