News

Security expert identifies iPhone security loophole

02 June 2010

An IT security expert has identified a potentially serious security loophole in the Apple iPhone's software: the device remembers the WiFi networks it has joined and automatically reconnects to any access point that broadcasts the same network name (SSID).

The issue, says Brian Krebs, of the Krebs on Security website, is that if you use your iPhone to connect to open or public wireless networks, it's a good idea to tell the device to forget the network's name after you have finished, "as failing to do so could make it easier for snoops to eavesdrop on your iPhone data usage."

For example, says Krebs, if you use your iPhone to connect to an open wireless network called Linksys – which happens to be the default, out-of-the-box name assigned to all Linksys home WiFi routers – your iPhone will automatically connect to any WiFi network by that same name, because the phone recognises the network by its name alone rather than by the particular access point behind it.

"The potential security and privacy threat here is that an attacker could abuse this behaviour to sniff the network for passwords and other sensitive information transmitted from nearby iPhones, even when the owners of those phones have no intention of connecting to a wireless network", he said in his security blog.

Infosecurity notes that there is a second potential security loophole lurking in the electronic undergrowth: anyone wanting to gain unauthorized access to a secured WiFi access point could set up a rogue access point nearby broadcasting the same SSID, then wait for a legitimate user's iPhone to come within range and attempt to authenticate to the impostor, handing the attacker the authentication exchange.

According to Peter Wood, CEO of First Base Technologies and an ISACA conference committee member, this attack vector is known as the 'evil twin' attack.

"It's a problem that affects portable devices like the iPhone because the security settings on mobiles tend not to be as strong as on, say, a company system. My colleague Didi Barnes carried out research on this issue some time ago and discovered that Windows laptops, as well as Apple OS-based ones, also suffer from a similar security issue", he said.

"When a Windows or Apple laptop has WiFi turned on, it will search for any wireless networks which it has connected to in the past. If an attacker sets up a rogue access point with an SSID (network name) the same as one in the laptop’s list, it will attempt to log into it. Corporate security systems will lock down this sort of behaviour, but on a mobile or handheld device, it can be a problem", he said.
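The behaviour described above, as an added example that is not from the article, from Krebs' post, or from Apple: a small model of a client that auto-joins on SSID alone (as the article describes) beside a stricter rule that also checks the saved security mode and, where known, the access point's BSSID, plus a check that flags the 'evil twin' conditions the article warns about. The scan results, BSSIDs and remembered-network profiles are constructed for the example; the code does not reflect how the iPhone actually implements network selection.

```python
"""
Added example (not code from the article, Krebs on Security or Apple): a
model of SSID-only auto-join versus a stricter join rule, and a check for
evil-twin conditions. All beacons, BSSIDs and remembered profiles below are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Beacon:
    """One advertised network as a scanning client sees it."""
    ssid: str
    bssid: str        # AP MAC address; distinct per radio
    security: str     # "open", "wpa2-psk", ...
    rssi: int         # signal strength in dBm (higher is closer)


@dataclass(frozen=True)
class Remembered:
    """A network profile the device saved after a previous connection."""
    ssid: str
    security: str
    bssid: Optional[str] = None   # None: profile does not pin a specific AP


# Constructed scan: an open "Linksys" AP (could be anyone's), an open cafe AP,
# the user's real WPA2 home AP, and a stronger open twin of the home SSID.
SCAN = [
    Beacon("Linksys", "00:11:22:33:44:01", "open", -40),
    Beacon("CoffeeShop", "00:11:22:33:44:02", "open", -55),
    Beacon("HomeNet", "aa:bb:cc:dd:ee:01", "wpa2-psk", -70),
    Beacon("HomeNet", "00:11:22:33:44:03", "open", -35),
]

# Constructed profiles: the phone once joined an open "Linksys" network and
# its owner's WPA2 "HomeNet", the latter pinned to the real AP's BSSID.
PROFILES = [
    Remembered("Linksys", "open"),
    Remembered("HomeNet", "wpa2-psk", bssid="aa:bb:cc:dd:ee:01"),
]


def naive_autojoin(scan, profiles):
    """Behaviour the article describes: join the strongest beacon whose SSID
    matches any remembered network, whatever AP is actually behind it."""
    names = {p.ssid for p in profiles}
    matches = [b for b in scan if b.ssid in names]
    return max(matches, key=lambda b: b.rssi) if matches else None


def strict_autojoin(scan, profiles):
    """Hardened rule: the beacon must match the saved security mode and, where
    the profile pins a BSSID, that BSSID; open networks are never auto-joined."""
    by_ssid = {p.ssid: p for p in profiles}
    candidates = []
    for b in scan:
        p = by_ssid.get(b.ssid)
        if p is None or p.security == "open" or b.security != p.security:
            continue
        if p.bssid is not None and b.bssid != p.bssid:
            continue
        candidates.append(b)
    return max(candidates, key=lambda b: b.rssi) if candidates else None


def evil_twin_findings(scan, profiles):
    """Return (ssid, reason) pairs for beacons that look like rogue twins of a
    saved network: same SSID with a different security mode, or a BSSID other
    than the one the profile was pinned to. Several BSSIDs per SSID alone is
    not flagged, since legitimate multi-AP networks share one SSID."""
    by_ssid = {p.ssid: p for p in profiles}
    findings = []
    for b in scan:
        p = by_ssid.get(b.ssid)
        if p is None:
            continue
        if b.security != p.security:
            findings.append((b.ssid, f"security mismatch: saved {p.security}, "
                                     f"seen {b.security} from {b.bssid}"))
        elif p.bssid is not None and b.bssid != p.bssid:
            findings.append((b.ssid, f"unexpected BSSID {b.bssid}"))
    return findings


if __name__ == "__main__":
    print("naive join :", naive_autojoin(SCAN, PROFILES))
    print("strict join:", strict_autojoin(SCAN, PROFILES))
    for ssid, reason in evil_twin_findings(SCAN, PROFILES):
        print(f"{ssid}: {reason}")
```

Run as written, the naive rule picks the open "HomeNet" twin because it is the strongest signal carrying a remembered name, while the strict rule joins only the pinned WPA2 access point and the check flags the twin's security downgrade. Note what the check cannot do: the open "Linksys" profile carries no security mode or BSSID to compare against, so any open AP of that name is indistinguishable from the one originally joined, which is exactly why Krebs advises forgetting open networks after use.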

This article is featured in:
Wireless and Mobile Security
