Do you know what your smartphone is sending?

Postby LPhifer » Wed May 18, 2011 8:53 am

Here's one of many possible vulnerabilities you might find by using a Wi-Fi analyzer to look for cleartext credentials sent by your Wi-Fi smartphone:

Android phones vulnerable to Google ClientLogin AuthToken attack
http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html

In this case, UULM researchers observed that smartphones running Android 2.3.3 or earlier used an OS-supplied ClientLogin API to auto-sync Google contacts and calendars, causing an authentication token to be returned over HTTP rather than HTTPS. When that's done over an unencrypted network (like an open Wi-Fi hotspot), the cleartext AuthToken is easily intercepted and can be used to impersonate the smartphone's user. Conceptually, this is similar to the browser side-jacking vulnerability exploited by FireSheep last year.

What can we learn from this vulnerability? Not that sending cleartext credentials over a Wi-Fi hotspot is risky - surely everyone knows that by now. Rather, the lesson here is that your smartphone may be sending cleartext credentials automatically, synchronizing many accounts on your behalf, when you don't realize it. Even phones that use a VPN to protect corporate traffic may be synchronizing personal contacts and calendars outside of that tunnel (when split tunneling is used or the VPN is disconnected).

I highly recommend using a Wi-Fi analyzer to watch what your smartphone sends automatically upon connecting to any open Wi-Fi network. If you don't like what you see, inspect your phone's application and OS settings to disable auto-sync before connecting to any unencrypted network. (On Android, see Settings -> Accounts & Sync -> Auto-sync and Background data.) Or use a VPN client that runs full-time, without split tunneling. And always retest after making changes to verify they had the desired effect.

As for the UULM-identified vulnerability, Android users may want to check OS version (see Settings -> About Phone). Android 2.3.4 fixed this particular vulnerability by syncing contacts/calendars over HTTPS, but other apps may still be vulnerable (e.g., Picasa). Unfortunately, smartphone users depend upon cellular providers for OS updates, so those still running older Android versions simply have to be patient. But remember - this isn't really about plugging one hole - it's about knowing and protecting what your smartphone is sending automatically on your behalf.
-- Lisa Phifer
LPhifer
Registered User
 
Posts: 165
Joined: Fri Jun 25, 2010 10:42 am
Location: Pennsylvania, US
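The kind of check the post recommends, as an added example that is not part of the original thread: a small Python scanner that runs over HTTP requests captured from a phone on an open network and flags credentials sent in the clear (a ClientLogin `Authorization: GoogleLogin auth=...` header, a token in a query string, or a session cookie), redacting the values rather than printing them. The sample payloads, hosts, paths and token values are constructed for the example.

```python
import re

# Constructed sample capture: HTTP request payloads as a Wi-Fi analyzer would
# reassemble them on an open hotspot. Hosts and paths mimic Google's GData sync
# endpoints of that era; every token and cookie value is invented for this example.
SAMPLE_REQUESTS = [
    b"GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"Authorization: GoogleLogin auth=DQAAAMadeUpTokenValue1234\r\n\r\n",
    b"GET /calendar/feeds/default/private/full?auth=DQAAAMadeUpToken5678 HTTP/1.1\r\n"
    b"Host: www.google.com\r\n\r\n",
    b"GET /weather?city=Philadelphia HTTP/1.1\r\n"
    b"Host: example.org\r\n"
    b"Cookie: lang=en\r\n\r\n",
]
# Headers that always carry credentials, and parameter/cookie names that usually do.
CREDENTIAL_HEADERS = ("authorization", "x-auth-token")
CREDENTIAL_PARAM = re.compile(
    r"(?:^|[?&;]\s*)(auth|token|sid|session|password)=([^&;\s]+)", re.I)

def redact(value):
    # The analyst needs to know that a secret leaked, not what it is.
    return f"{value[:4]}...({len(value)} chars)"

def scan_request(payload):
    """Return (host, location, redacted_value) for each cleartext credential in one request."""
    head = payload.decode("ascii", errors="replace").split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "?")
    findings = []
    for name in CREDENTIAL_HEADERS:
        if name in headers:
            findings.append((host, f"header:{name}", redact(headers[name])))
    # Tokens passed in the request target, e.g. GET /path?auth=... HTTP/1.1
    parts = request_line.split(" ")
    query = parts[1].partition("?")[2] if len(parts) > 1 else ""
    for m in CREDENTIAL_PARAM.finditer(query):
        findings.append((host, f"query:{m.group(1).lower()}", redact(m.group(2))))
    # Session cookies sent in the clear are the FireSheep-style side-jacking case
    for m in CREDENTIAL_PARAM.finditer(headers.get("cookie", "")):
        findings.append((host, f"cookie:{m.group(1).lower()}", redact(m.group(2))))
    return findings

def scan_capture(payloads):
    return [finding for p in payloads for finding in scan_request(p)]
```

Only the first two sample requests are reported; the third carries a harmless cookie and no token, so a clean run after disabling auto-sync should produce an empty list.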

Re: Do you know what your smartphone is sending?

Postby LPhifer » Wed May 18, 2011 2:43 pm

In statements published this afternoon, Google is said to be fixing the AuthToken vulnerability by deploying a server-side fix that requires no client-side OS update:

http://www.computerworld.com/s/article/9216835/Google_moves_fast_to_plug_Android_Wi_Fi_data_leaks

This is excellent news, but don't let one important vendor fix stop you from getting a grip on what your smartphone might be auto-sending over Wi-Fi.
-- Lisa Phifer

Re: Do you know what your smartphone is sending?

Postby LPhifer » Thu Aug 04, 2011 11:23 am

Follow the link below for an interesting interview with Dasient CTO Neil Daswani about his BlackHat session demonstrating a drive-by attack against Android that exploits known Webkit and Skype vulnerabilities. Daswani talks about the consequences of Android malware, the need to accelerate vulnerability patching throughout the Android ecosystem, and how many Android apps share sensitive information with remote sites, such as a smartphone's IMEI and IMSI:

http://searchsecurity.techtarget.com/video/Black-Hat-2011-Android-attacks-and-smartphone-privacy-leaks

More Android smartphone privacy (or lack thereof) presos from BlackHat USA 2011 can be found here, including "Hacking Androids for Profit" and "Don't Hate the Player, Hate the Game: Inside the Android Security Patch Lifecycle" --

https://www.blackhat.com/html/bh-us-11/bh-us-11-schedule.html
-- Lisa Phifer

© 2006-2013 Fluke Corporation. All rights reserved.