Security expert identifies iPhone security loophole

The issue, says Brian Krebs, of the Krebs on Security website, is that if you use your iPhone to connect to open or public wireless networks, it's a good idea to tell the device to forget the network's name after you have finished, "as failing to do so could make it easier for snoops to eavesdrop on your iPhone data usage."

For example, says Krebs, if you use your iPhone to connect to an open wireless network called Linksys – which happens to be the default, out-of-the-box name assigned to all Linksys home WiFi routers – your iPhone will automatically connect to any WiFi network by that same name.

"The potential security and privacy threat here is that an attacker could abuse this behaviour to sniff the network for passwords and other sensitive information transmitted from nearby iPhones, even when the owners of those phones have no intention of connecting to a wireless network", he said in his security blog.

Infosecurity notes that there is a second potential security loophole lurking in the electronic undergrowth, as anyone wanting to gain unauthorized access to a secured WiFi access point could create a second rogue access point nearby and wait for the legitimate user's iPhone to come into range and attempt an authentication cycle.

According to Peter Wood, CEO of First Base Technologies and an ISACA conference committee member, this attack vector is know as the'evil twin' hacker methodology.

"It's a problem that affects portable devices like the iPhone because the security settings on mobiles tend not to be as strong as on, say, a company system. My colleague Didi Barnes carried out research on this issue some time ago and discovered that Windows, as well as Apple OS-based, laptops also suffer from a similar security issue", he said.

"When a Windows or Apple laptop has WiFi turned on, it will search for any wireless networks which it has connected to in the past. If an attacker sets up a rogue access point with an SSID (network name) the same as one in the laptop’s list, it will attempt to log into it. Corporate security systems will lock down this sort of behaviour, but on a mobile or handheld device, it can be a problem", he said.

What’s hot on Infosecurity Magazine?