The vulnerability is dependent on how the network is added to the device and stems from the procedure where Mobile devices keep a list of manually configured wireless networks plus any networks it has previously connected to on a Preferred Network List (PNL).
Every time the Wi-Fi interface is switched on, and on a periodic basis, the device checks through 802.11 probe requests what networks on its PNL are available in the current location. Based on the responses obtained, it tries to connect to the most preferred network.
In the past, this network discovery process was performed by sending a generic probe request as an open broadcast plus specific requests for every network in the PNL. This meant devices disclosed the full PNL in the air exposing themselves to karma-like attacks where an attacker can identify all the networks (or access points) the mobile device is trying to connect to and impersonate them. These fake networks can trick a victim’s device into connecting to the attacker's network that then captures and manipulate its traffic to launch additional advanced attacks.
“This situation has been known since 2004; Microsoft fixed it for Windows XP in 2007 and recently in Windows Phone devices but it seems the other mobile device vendors are not as concerned,” says Siles.
This “PNL disclosure” still applies to the latest Android 4.x versions and was acknowledged but not fixed since Android 2.x-3.x dating back to 2011. It is also prevalent when adding Wi-Fi networks manually in iOS 1.x-6.x and in BlackBerry 7.x although in this platform it can be resolved from the advanced Wi-Fi settings, and in particular by enabling the "SSID broadcasted" option.
“In some cases, there are options that can be changed to avoid this issue but on most devices when a Wi-Fi network is added manually it presents the vulnerable behavior and few users are aware of the security implications” Siles adds.
End users, corporate administrators, and security professionals, using or managing Android, iOS or BlackBerry mobile devices should become more aware of this behavior and ensure that all the Wi-Fi networks available on the device PNL are treated as visible. “I need to stress that these types of client attacks are commonly left unchecked and without consideration, the modern smartphone could become the ultimate digital ‘Trojan Horse’ allowing attacks to breach ultra-secure locations. The threat grows as individuals start mixing personal and corporate activities, logons, confidential data and applications all on the same device.”
Siles also believes that the lack of attention to Wi-Fi security is not an oversight but intent by Google, Apple, and others to make device operation simpler for users, “Unfortunately, a clever and targeted attack can use these simplifications as a staging post for more damaging assault which traditional detection capabilities would be unlikely to spot.”
Android should add a new configuration setting to the user interface that allows the user to specify if the network must be considered hidden or visible every time a new Wi-Fi network is added to the mobile device. This option should be independent of the method used, or at least when it is manually added through the vulnerable “Add Wi-Fi Network” or “+” button.
Siles adds: “The default value for this new setting must reflect that the network to connect to is visible unless the user specifies otherwise by changing the default value, this change would at least stop Karma-like attacks by default unless a user intentionally exposed the full PNL to the open air.”
The situation in Apple iOS mobile devices is even worse in Siles view. Within iOS additional security settings are limited and user cannot even manage the device PNL. The user does not know what networks the device has connected to previously and cannot easily delete Wi-Fi networks from the PNL unless within the area of coverage of the network. A new free tool called iStupid (indiscreet SSID Tool (for the) Unknown PNL (on) iOS Devices) which is based on the result of Siles’ research presented in March, will be released this month for that specific purpose.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.