Vulnerability ID: TAD-2010-003
Credits: This vulnerability was discovered by Raul Siles, Founder and Senior Security Analyst with Taddong (www.taddong.com)
Publication date: September 1, 2010
Last update: September 1, 2010 (7:45am CET) - Vendor statement updated
Vendors contacted: Microsoft
Windows Mobile manages Wi-Fi (or 802.11) wireless communications through the Wireless Zero Configuration (WZC) client or service, similarly to the equivalent Windows-based desktop operating systems. Windows Mobile, as most Wi-Fi clients, keeps a list of the wireless networks manually configured, plus the networks it has connected to in the past, on the Preferred Network List (PNL).
Every time the Wi-Fi interface is turned on, and periodically once it has been activated (for example, to roam between access points), the device checks through 802.11 probe requests what networks in its PNL are available in the current location. Based on the responses obtained, it tries to connect to the most preferred network.
In the past, this network discovery process was performed by sending a generic probe request for the broadcast (or any) network plus specific requests for every network in the PNL. This meant devices disclosed the full PNL in the air, exposing themselves to karma-like attacks, where an attacker can identify the hidden networks (or access points) the mobile device is trying to connect to and impersonate them, forcing the target device to connect to the attacker's network to capture its traffic and launch more advanced attacks.
In order to avoid this vulnerable behavior, Microsoft released the Wireless Client Update (or patch) for Windows XP SP2 in January 2007 (KB917021), changing the previous behaviour of Wireless Auto Configuration: "This update helps prevent a Windows wireless client from advertising the wireless networks in its preferred networks list."
The new update mitigates the vulnerability, as the wireless device or client only generates 802.11 probe requests for the broadcast network, generically asking for the networks available in the area. An exception to this behavior is presented by the existence of Wi-Fi hidden networks in the PNL: because hidden (or nonbroadcast) networks do not include their SSID (Wi-Fi network name) in the beacon frames, and do not respond to generic queries asking for any network available, the Wi-Fi clients need to specifically ask for these hidden networks, disclosing their names and their presence in the device PNL. This makes devices vulnerable again to the aforementioned attacks.
The new functionality in KB917021 for Windows XP added a user configurable option, "Connect even if this network is not broadcasting", to be able to specify a Wi-Fi network as hidden (nonbroadcast) or visible (broadcast):
A similar configuration option is implemented in Windows Mobile. However, Windows Mobile 6.5 is vulnerable to an information disclosure flaw where the mobile device reveals its complete PNL every few seconds (30 or 120 seconds in the tests performed). As a result, it presents (again) the old vulnerable behavior: 802.11 probe requests for the broadcast network plus for every network in the device PNL, hidden and visible, are sent into the air. The expected non-vulnerable behavior implies the generation of probe requests for the broadcast network plus all the hidden networks in the PNL, but not for the non-hidden networks.
The images above show the generated 802.11 probe requests for the broadcast network, two hidden networks ("wifi" and "Taddong") and two visible networks ("hotspot" and "ejemplo").
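As an added example (not part of the Taddong advisory, and not Microsoft's or Taddong's code), the following Python script shows how a capture can be audited for this behavior: it parses 802.11 beacon and probe request frames and reports, per client, the SSIDs it probed for directly while those networks were visibly beaconing, which is exactly what a client following the KB917021 behavior must not do. The frames, MAC addresses and SSIDs are constructed to mirror the networks in the test above.

```python
import struct
from collections import defaultdict

HDR_LEN = 24          # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
FC_PROBE_REQ = 0x40   # management frame, subtype 4 (probe request)
FC_BEACON = 0x80      # management frame, subtype 8 (beacon)
BEACON_FIXED = 12     # timestamp(8) + beacon interval(2) + capability(2)
BCAST = bytes.fromhex("ffffffffffff")

def parse_ies(body):
    """Return {element_id: data} from an 802.11 tagged-parameter list."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def ssid_of(frame):
    """Return (fc, source MAC, ssid); ssid is None for a wildcard probe."""
    fc, src, body = frame[0], frame[10:16], frame[HDR_LEN:]
    if fc == FC_BEACON:
        body = body[BEACON_FIXED:]           # skip the fixed beacon fields
    ssid = parse_ies(body).get(0, b"")       # element id 0 is the SSID
    return fc, src, (ssid.decode(errors="replace") or None)

def audit(frames):
    """Per client, the SSIDs probed for directly that were also being beaconed."""
    beaconed, probed = set(), defaultdict(set)
    for fr in frames:
        fc, src, ssid = ssid_of(fr)
        if fc == FC_BEACON and ssid:
            beaconed.add(ssid)
        elif fc == FC_PROBE_REQ and ssid:    # directed probe (non-wildcard)
            probed[src].add(ssid)
    return {src.hex(":"): sorted(s & beaconed) for src, s in probed.items()}

def make_frame(fc, src, ssid, fixed=b""):
    """Build a minimal constructed management frame carrying one SSID element."""
    hdr = struct.pack("<BBH", fc, 0, 0) + BCAST + src + BCAST + b"\x00\x00"
    return hdr + fixed + bytes([0, len(ssid)]) + ssid

# Constructed sample: two visible APs beacon; one client probes for the wildcard
# network plus all four PNL entries, as the vulnerable WM 6.5 device does.
CLIENT, AP = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = [make_frame(FC_BEACON, AP, s, b"\x00" * BEACON_FIXED)
          for s in (b"hotspot", b"ejemplo")]
SAMPLE += [make_frame(FC_PROBE_REQ, CLIENT, s)
           for s in (b"", b"wifi", b"Taddong", b"hotspot", b"ejemplo")]
```

On a real capture, feed the raw 802.11 frames (radiotap or other link-layer headers stripped) in place of SAMPLE; a client that behaves as the advisory expects yields an empty list, while the vulnerable behavior lists the visible SSIDs "ejemplo" and "hotspot".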
The disclosure of the non-hidden or visible networks available on the device Preferred Network List (PNL) makes the "This is a hidden network" configuration option useless (the "Esta es una red oculta" option in the Spanish version of WM 6.5 below), as Windows Mobile 6.5 behaves as if all networks are hidden:
This behavior can be used by a potential attacker to launch karma-like attacks.
The vulnerability exists on the default configuration and there is no setup option to mitigate it or make the mobile device not vulnerable.
Security solutions, workarounds and countermeasures:
We think Microsoft should release a software update to change this vulnerable behavior in Windows Mobile 6.5 and make the "This is a hidden network" configuration option effective, as it did with the Windows-based desktop operating systems.
Due to the absence of a current or future software update, users must evaluate the contents of their PNL at all times. The only effective countermeasure against this vulnerability is to keep an always empty PNL, that is, the user has to actively remove the networks added to the PNL. This means the user must review the PNL and remove any new entries after finishing using the Wi-Fi capabilities, every time she establishes a connection with any Wi-Fi network.
If a single network is left on the PNL, the device will try to discover its presence and connect to it, and a potential attacker will be able to launch the karma-like attacks previously mentioned. This kind of attack is especially critical when the user connects to insecure Wi-Fi networks, such as open hotspots or WEP-based networks, enabling unauthorized connections to the mobile device.
Unfortunately, Windows Mobile 6.5 does not have an equivalent option to the automatic connection switch available on Windows XP: "Connect when this network is in range".
The security recommendation of removing all the hidden networks from the PNL, only allowing connections to not hidden or broadcast Wi-Fi networks, is completely ineffective to mitigate the impact of this vulnerability and the associated karma-like attacks (in fact, it is the main victim of this vulnerability).
Windows Mobile 6.5 Professional (5.2.21869 - 218220.127.116.11)
Windows Mobile 6.1 Professional
Windows Phone 7 (*)
(*) Microsoft states Windows Phone 7 is not affected by this vulnerability, but this fact has not been tested and/or confirmed.
Microsoft has confirmed the existence of this vulnerability, although an update for the Windows Mobile WZC won't be released:
"We have completed our investigations and can confirm that we saw the behavior reported by you on the Windows Mobile 6.5 phone. However, this issue constitutes a Low severity Information Disclosure issue which does not meet our bar for a security bulletin release."
The following statement is provided per the vendor request, but its inclusion into this security advisory does not mean we fully agree on its contents:
"As discussed previously during our investigation, we can confirm that Windows Mobile 6.5 does broadcast the PNL. However, because of the low severity impact of the information disclosed combined with the fact that the attack would be untargeted (i.e. the attacker cannot force the mobile device to disclose the PNL), Microsoft would not issue a public security update to address this issue. Instead we would address this via the next version of the product or service pack if it applies. As you've pointed out, this same issue was addressed on the desktop Windows platform via service pack described here http://support.microsoft.com/
We at Taddong honestly believe this finding must be publicly known by the information security community in order to take appropriate countermeasures and mitigate the vulnerable behavior. Therefore, we have coordinated the release of this security advisory together with the vendor, following responsible disclosure principles. This vulnerability is especially relevant considering the extensive number of Windows Mobile 6.5 devices available in the market and the potential impact of the associated attacks.
Vulnerability report timeline:
2010-08-05: Taddong notifies the Microsoft security team about the vulnerability and sends a brief technical report.
2010-08-05: The Microsoft security team acknowledges the vulnerability report.
2010-08-20: The Microsoft security team confirms the vulnerability and notifies that an associated security bulletin or software update won't be released.
2010-08-23: Taddong notifies the Microsoft security team about the behaviour in Windows Mobile 6.1 (initial research was focused on Windows Mobile 6.5).
2010-08-23: The Microsoft security team acknowledges the vulnerability update.
2010-09-01: Taddong publishes security advisory TAD-2010-003.
"Trying to shut up your wireless chatty Windows". Raul Siles. 2005.
"KARMA Wireless Client Security Assessment Tools". Dino A. Dai Zovi. 2004.
"Description of the Wireless Client Update for Windows XP with Service Pack 2" (KB917021). Microsoft. January 2007.
Taddong (www.taddong.com) is a company established in Spain in 2010 with the purpose of improving customers' information security, by discovering and eliminating or mitigating the real risks that threaten their networking and information technology infrastructures. To achieve this goal, Taddong's portfolio includes specialized information security services, requiring in-depth technical knowledge and a broad understanding of the information technology market, as well as training services, focused on providing customers with self-defense skills. Taddong remains at the forefront of the security market through continuous research and education activities.
The contents of this security advisory are copyright (c) 2010 Taddong S.L., and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.