According to researchers at Sophos, the ability of smartphones to retain identifiers for the trusted Wi-Fi networks they attach to automatically offers criminals a window into daily habits – and exploitable information.
“A wireless device goes through a discovery process in which it attempts to connect to an available wireless network. This may either be ‘passive’ - listening for networks which are broadcasting themselves - or ‘active’ - sending out probe request packets in search of a network to connect to,” said Sophos blogger Julian Bhardwaj. “It’s very likely that your smartphone is broadcasting the names (SSIDs) of your favorite networks for anyone to see.”
It means that a would-be criminal can find out a lot about a person’s daily movements – which coffee shops they visit, what their home network is called, which bookstores are frequented, and so on. But aside from being a nice toolkit for a stalker, it also gives cybercriminals a way into the person’s smartphone. Specifically, an attacker could set up a rogue Wi-Fi network with the same SSID as the one the user is trying to connect to, with the aim of forcing the phone to connect and transfer data through it.
“So while someone knowing that your phone is trying to connect to ‘BTHomeHub-XYZ’ isn’t immediately condemning, it may allow for them to launch a ‘man-in-the-middle’ attack against you, intercepting data sent between you and a friend, giving the impression you’re talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker,” explained Bhardwaj. “An ‘evil twin’ attack could even accomplish this without needing any knowledge of your Wi-Fi password – very damaging for all of those who use mobile banking for instance.”
All of that data darting across airwaves in an unencrypted fashion clearly offers a potentially huge security hole for an enterprising cybercriminal. In an effort to find out how real the danger is, Bhardwaj launched an experiment at a recent university open day in Warwick, UK.
He ran a security demo in which he collected data from people walking by and displayed it for them to see. In just five hours, 246 wireless devices came into range. Almost half – 49% – of these devices were actively probing for their preferred networks, resulting in 365 network names being broadcast. Of those, 25% were customized, non-standard network names, and 7% revealed location information, including three where the network name was actually the first line of an address.
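The discovery process Bhardwaj describes (directed probe requests carrying remembered SSIDs), the “evil twin” scenario, and the kind of tally his open-day demo produced can all be illustrated with a small frame parser. The following is an added example written for this article, not code from Sophos or from the demo; it constructs its own 802.11 management frames in memory (synthetic, locally administered MAC addresses and made-up network names) rather than capturing anything off the air. The point it makes is a defensive one: a probe request whose SSID tag is empty is a wildcard probe and leaks nothing, while a non-empty SSID is exactly the remembered-network name the article is concerned with; and an SSID advertised by more than one BSSID is worth a second look, since that is what a rogue twin looks like from the client side (it is also what a legitimate multi-AP network looks like, so it is a flag, not a verdict).

```python
"""Minimal 802.11 management-frame parser for auditing probe-request leakage.

Constructed example: every frame below is synthesised in this file, not captured
from any real network. Layout follows the IEEE 802.11 MAC header (24 bytes),
followed by tagged parameters for probe requests; beacons carry 12 bytes of
fixed fields (timestamp, interval, capability) before their tags.
"""
import struct
from collections import defaultdict

MGMT_PROBE_REQ = 0x40   # frame-control byte 0: type 0 (management), subtype 4
MGMT_BEACON = 0x80      # frame-control byte 0: type 0 (management), subtype 8
TAG_SSID = 0x00
HDR_LEN = 24
BEACON_FIXED_LEN = 12   # timestamp(8) + beacon interval(2) + capability(2)


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _tags(body: bytes) -> dict:
    """Walk the tagged-parameter list; return {tag_id: value}. Stops on truncation."""
    tags, i = {}, 0
    while i + 2 <= len(body):
        tag_id, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:      # truncated tag: stop rather than misparse
            break
        tags.setdefault(tag_id, value)
        i += 2 + length
    return tags


def parse_mgmt(frame: bytes):
    """Return ('probe_req', station_mac, ssid) or ('beacon', bssid, ssid); None otherwise.

    An empty SSID in a probe request is a wildcard probe (no network name leaked);
    a non-empty SSID is a directed probe for a network the device remembers.
    """
    if len(frame) < HDR_LEN:
        return None
    fc0 = frame[0]
    addr2 = _mac(frame[10:16])       # transmitter address (station or AP)
    if fc0 == MGMT_PROBE_REQ:
        tags = _tags(frame[HDR_LEN:])
        kind = "probe_req"
    elif fc0 == MGMT_BEACON:
        tags = _tags(frame[HDR_LEN + BEACON_FIXED_LEN:])
        kind = "beacon"
    else:
        return None                  # data/control frames are not of interest here
    ssid = tags.get(TAG_SSID, b"").decode("utf-8", errors="replace")
    return kind, addr2, ssid


def summarize_probes(frames) -> dict:
    """Tally devices seen probing and the network names they disclosed."""
    devices, directed = set(), defaultdict(set)
    for f in frames:
        parsed = parse_mgmt(f)
        if not parsed or parsed[0] != "probe_req":
            continue
        _, mac, ssid = parsed
        devices.add(mac)
        if ssid:                     # only directed probes leak a remembered SSID
            directed[mac].add(ssid)
    names = set().union(*directed.values()) if directed else set()
    return {"devices": len(devices), "leaking_devices": len(directed), "ssids": sorted(names)}


def find_duplicate_ssids(frames) -> dict:
    """SSIDs advertised by more than one BSSID. Could be a rogue twin, or just an ESS
    with several access points, so treat the result as something to investigate."""
    bssids = defaultdict(set)
    for f in frames:
        parsed = parse_mgmt(f)
        if parsed and parsed[0] == "beacon" and parsed[2]:
            bssids[parsed[2]].add(parsed[1])
    return {s: sorted(b) for s, b in bssids.items() if len(b) > 1}


# ---- constructed sample traffic (synthetic addresses and names) -------------
BCAST = bytes.fromhex("ffffffffffff")
STA_A, STA_B, STA_C = (bytes.fromhex(h) for h in ("02000000000a", "02000000000b", "02000000000c"))
AP_X, AP_Y, AP_Z = (bytes.fromhex(h) for h in ("020000000101", "020000000102", "020000000103"))
RATES_TAG = bytes([0x01, 0x04, 0x82, 0x84, 0x8B, 0x96])   # supported rates, tag 1


def _frame(fc0, addr1, addr2, addr3, body):
    return bytes([fc0, 0x00]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


def _ssid_tag(ssid):
    raw = ssid.encode("utf-8")
    return bytes([TAG_SSID, len(raw)]) + raw


def build_probe_request(sta, ssid):
    return _frame(MGMT_PROBE_REQ, BCAST, sta, BCAST, _ssid_tag(ssid) + RATES_TAG)


def build_beacon(bssid, ssid):
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0411)       # timestamp, interval, capability
    return _frame(MGMT_BEACON, BCAST, bssid, bssid, fixed + _ssid_tag(ssid) + RATES_TAG)


SAMPLE_FRAMES = [
    build_probe_request(STA_A, "CoffeeShopGuest"),   # directed probe: name leaked
    build_probe_request(STA_A, "HomeHub-Example"),   # same device, second remembered network
    build_probe_request(STA_B, ""),                  # wildcard probe: nothing leaked
    build_probe_request(STA_C, "HomeHub-Example"),
    build_beacon(AP_X, "CoffeeShopGuest"),
    build_beacon(AP_Y, "CoffeeShopGuest"),           # second BSSID for the same name
    build_beacon(AP_Z, "Library"),
    bytes([0x08, 0x00]) + bytes(22) + b"payload",    # data frame, ignored by the parser
]

if __name__ == "__main__":
    print(summarize_probes(SAMPLE_FRAMES))
    print(find_duplicate_ssids(SAMPLE_FRAMES))
```

Run as a script it prints the tally for the constructed frames: three devices seen, two of them disclosing a total of two network names, and one SSID advertised from two BSSIDs. Pointing `parse_mgmt` at frames from your own devices (for example a monitor-mode capture of your own phone) is the simplest way to check whether a handset still probes for networks it should have forgotten.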
“What makes this even more worrying was how easily I was able to capture this sensitive information,” he explained. “A tiny wireless router I purchased from eBay for $23.95 and some freely available software I found on Google was all I needed. I didn’t even need to understand anything about the 802.1 protocols that govern Wi-Fi to carry out this attack.”
Coupled with a portable power source, a device could easily be hidden in a plant pot, garbage can, park bench and so on to lure Wi-Fi devices to attach to it.
Mobile phone users can protect themselves somewhat by telling their phones to ‘forget’ networks they no longer use, which reduces the amount of data leakage, he said. But, “the unfortunate news is there doesn’t appear to be an easy way to disable active wireless scanning on smartphones like Androids and iPhones,” he noted, other than shutting Wi-Fi access completely off or disabling location-aware smartphone apps.