Wednesday, April 17, 2013

How To Add Wi-Fi Networks To Mobile Devices?

One of the first things I learned during my recently published Wi-Fi security research is that mobile vendors do not read Taddong's Security Blog ;-) During the RootedCON2013 conference celebrated in Madrid last month, March 7-9, I talked about the still prevalent Wi-Fi weaknesses, or vulnerabilities (depending on how relevant you think they are), in mobile devices. The full presentation, called "Wi-Fi: Why iOS (Android, and others) Fail inexplicably?", has been published in Taddong's lab, and by the RootedCON organization (check the other great presentations too). The minimalism applied to the user interface in mobile platforms clearly impacts, still nowadays, their Wi-Fi capabilities and security stance.
In 2010 I published a Windows Mobile 6.5 vulnerability in its indiscreet Wi-Fi interface (TAD-2010-003) in which the "This is a hidden network" configuration setting didn't have any effect. In the same way this setting existed since the Windows XP SP2 days and through all the subsequent Windows versions (Vista, 7, 8…), it was not working for Windows Mobile, so all Wi-Fi networks were managed as hidden and disclosed for free by the device.BTW, this behavior does not affect Windows Phone 7.x or 8.
This insecure Wi-Fi client behavior is well known since 2004, when the original Karma-like attack were published (so old that link does not exist anymore :-), and was fixed in 2007 in Windows XP through the KB917021 optional update. Why in 2013 most mobile platforms still expose client devices to Wi-Fi network impersonation attacks…?
In 2011 I published a similar Preferred Network List (PNL) disclosure vulnerability for Android 2.x-3.x (TAD-2011-003) depending on how you add a Wi-Fi network to the mobile device: automatically from the list of available Wi-Fi networks (expected behavior) by selecting it, or manually from the "Add Wi-Fi network" button (now the "+" button in Android 4.x) at the bottom of that list (vulnerable behavior, as the network is considered as hidden again).

During 2012 I explored new vulnerability research and disclosure approaches and strategies. Due to the fact vendors (IMHO) do not pay enough attention to and do not spend enough time on these issues, I decided to mimic them and not to spend too much time on thoroughly reporting and documenting these vulnerabilities though a detailed security advisory, as I did in the past. Instead, I notified the vendors, and the conference presentation (from page 5-24 of 68) plus this blog post become the technical report for these vulnerabilities that affect the main mobile platforms still today. I simply gave each of them a vulnerability ID to keep track of them (if required):  
  • TAD-2013-001: PNL disclosure in iOS 1.x-6.x when adding Wi-Fi networks manually. 
  • TAD-2013-002: PNL disclosure in BlackBerry 7.x when adding Wi-Fi networks manually (at least it can be changed afterwards from the advanced Wi-Fi settings, and in particular, through the "SSID broadcasted" option). 
  • TAD-2011-003 still applies to the latest Android 4.x versions, and has not been fixed since Android 2.x-3.x (2011).

Apart from manually adding new Wi-Fi networks to the device, there are other weird situations where mobile devices might disclose their PNL… by mistake. Mobile vendors need to pay close attention to this issue and avoid their devices became easy victims of Karma-like attacks, where an attacker impersonates the legitimate Wi-Fi network and shares the network at layer 2 with the victim for further attacks (independently of the Wi-Fi network security settings, as there are ways to get the network key just interacting with the Wi-Fi clients). I also suggest mobile vendors to include an option to easily determine if a Wi-Fi network is considered as hidden or not by the device, as we have in the traditional operating systems.

This specific vulnerable behavior associated to Wi-Fi clients is reflected in the OWISAM Top 10 methodology, as "OWISAM-TR-009: Client trying to connect to insecure networks". OWISAM is a new Wi-Fi project by Tarlogic that was also presented during RootedCON 2013 (OWISAM). If you are working on Wi-Fi security I recommend you to get involved.

The tools I demoed during the presentation, such as iStupid (indescreet SSID Tool (for the) Unknown PNL (on) iOS Devices), will be released in the upcoming weeks. Other mobile device Wi-Fi vulnerabilities that affect Wi-Fi enterprise networks are covered on my RootedCON 2013 presentation (pages 40-60 of 68), and potentially, on a future blog post.


Anonymous said...

IMHO hidden SSID is the insecurity worth mentioning for probe request have to be send by the client when trying to connect to them.

Both iOS and Android do not send PR for visible networks anymore, so they are improving.

Raul Siles said...

As you can read from slide 23 of my RootedCON presentation, I agree we should get rid off 802.11 hidden networks.

Mobile devices tend not to send probe requests for visible networks, but it is not always the case (slide 24)... :)

Post a Comment