WLAN DISCUSSION
 

Are iPhones, iPads, and Androids vulnerable to WLAN attack?


Post by cheryl » Thu Jun 23, 2011 8:05 pm

question from ABCs of wireless exploits and vulnerabilities webinar

Are iPhones, iPads, and Android phones vulnerable to WLAN attacks?
cheryl
Global Moderator
 
Posts: 22
Joined: Tue Mar 17, 2009 12:15 pm

Re: Are iPhones, iPads, and Androids vulnerable to WLAN attack?

Post by LPhifer » Fri Jun 24, 2011 12:16 pm

Like any other kind of endpoint device, smartphones need to be defended against network-borne attacks - that means over Wi-Fi, 3G/4G, and Bluetooth.

Smartphones don't ship with host firewall protection, so can often be pinged and port-scanned by other devices. For example, if I scan an Android (HTC) phone connected to the same WLAN, I can find it listening to ICMP ping. If I scan an iOS4 (iPod, iPhone, iPad) device connected to the same WLAN, I can find it listening to ping AND the iPhone sync port. All listening services present opportunities for attack; installing a host firewall on your smartphone can deter this.

Smartphones also have vulnerabilities that are network-type specific. A large number of Bluetooth vulnerabilities and exploits are described here, many of which can be employed against Bluetooth-enabled smartphones: http://airodump.net/bluetooth-security-vulnerabilities.

When it comes to Wi-Fi, smartphones share many of the same vulnerabilities associated with other kinds of Wi-Fi devices. For example, they can be tricked into connecting to Evil Twins and fall victim to application man-in-the-middle attacks (phony web servers, phony mail servers). MitM can be used for identity theft (by grabbing logins and passwords) or it can be used to try remote exploits. For example, Metasploit modules can be used to launch Android XSSF, iPhone Safari, and iPhone MobileMail exploits against smartphones. To search the many vulnerabilities reported in mobile devices, visit http://cve.mitre.org

Another less obvious Wi-Fi vulnerability found in many smartphones concerns how they manage Wi-Fi (re)connections. For example, your iPhone may well be probing for SSIDs (wireless network names) you connected to in the distant past. However, you will not see them in the "Choose a network" list if no nearby WLAN is currently beaconing that SSID. This can result in accidental reconnection to a previously-used Wi-Fi hotspot, followed by auto-synchronization of email and calendar data over an unencrypted network. For more discussion, see this AirWise post: http://bit.ly/mjx9o4

These are just a few of the ways in which smartphones are vulnerable to wireless attack.
-- Lisa Phifer
LPhifer
Registered User
 
Posts: 177
Joined: Fri Jun 25, 2010 10:42 am
Location: Pennsylvania, US
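
An added example, not part of the original post: a defender-side audit for the reconnection risk described above, listing saved networks that a client would rejoin without WPA protection. It assumes the saved-network list is available in `wpa_supplicant.conf` syntax; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (not from a real device).
SAMPLE_CONF = """
network={
    ssid="HomeNet"
    key_mgmt=WPA-PSK
    psk="constructed-passphrase"
}
network={
    ssid="CoffeeShop-Free"
    key_mgmt=NONE
}
network={
    ssid="Hotel-Guest"
    scan_ssid=1
    key_mgmt=NONE
}
network={
    ssid="OldOffice"
    key_mgmt=NONE
    wep_key0="abcde"
}
network={
    ssid="Airport"
    key_mgmt=NONE
    disabled=1
}
"""

def parse_networks(text):
    """Return one dict of settings per network={...} block."""
    networks = []
    for body in re.findall(r"network=\{(.*?)\n\s*\}", text, re.S):
        pairs = (line.strip().partition("=") for line in body.splitlines())
        networks.append({k.strip(): v.strip().strip('"')
                         for k, sep, v in pairs if sep and not k.startswith("#")})
    return networks

def risky_saved_networks(text):
    """Enabled saved networks with key_mgmt=NONE (open or static WEP)."""
    findings = []
    for net in parse_networks(text):
        if net.get("disabled") == "1" or net.get("key_mgmt", "").upper() != "NONE":
            continue
        wep = any(key.startswith("wep_key") for key in net)
        findings.append({"ssid": net.get("ssid", ""), "security": "WEP" if wep else "open",
                         "directed_probe": net.get("scan_ssid") == "1"})
    return findings
```

Entries reported as `open` are candidates to forget on the device; `directed_probe` marks profiles configured with `scan_ssid=1`, which makes the client send probe requests naming that SSID.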

Re: Are iPhones, iPads, and Androids vulnerable to WLAN attack?

Post by LPhifer » Mon Jul 18, 2011 12:20 pm

A lot of iOS vulnerability activity this month, with Comex's JailbreakMe 3.0 PDF exploit, countered by Apple's iOS 4.3.4 update. Read more here: http://www.iphonehacks.com/jailbreakme

These aren't specific to Wi-Fi, but wireless can play a role in delivering malicious PDFs, enabling detection of hacked iDevices, etc.

Anyone generally interested in iOS vulnerabilities and defenses might want to check out these upcoming sessions at BlackHat USA 2011:

https://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Zovi
Apple iOS Security Evaluation: Vulnerability Analysis - Dino Dai Zovi

https://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Esser
Exploiting the iOS Kernel - Stefan Esser

https://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Schuetz
Inside Apple's MDM Black Box - David Schuetz
-- Lisa Phifer
LPhifer
Registered User
 
Posts: 177
Joined: Fri Jun 25, 2010 10:42 am
Location: Pennsylvania, US

Re: Are iPhones, iPads, and Androids vulnerable to WLAN attack?

Post by LPhifer » Sun Aug 14, 2011 9:58 am

Anyone interested in this BlackHat session on Apple's MDM:

https://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Schuetz
Inside Apple's MDM Black Box - David Schuetz

should read Schuetz's blog post:

http://intrepidusgroup.com/insight/2011/08/apple-mdm-talk/
Strengths and Weaknesses in Apple’s MDM System

Schuetz describes how Apple's MDM uses Push Notification messages to awaken iOS4 devices (iPhones, iPads, iPods) to enable relay of device management commands and responses between server and client. He then identifies related vulnerabilities, such as the fact that the MDM EraseDevice command doesn’t require authentication. "If an attacker is able to get a device to communicate with a rogue MDM server using traditional Man-in-the-Middle (MITM) techniques, then they could cause that device to erase itself the next time it checks in with MDM," wrote Schuetz.

Follow links in Schuetz's post to read his BlackHat slides and a white paper which further explores Apple's MDM architecture, how it works, and how it could be exploited by those with malicious intent.
-- Lisa Phifer
LPhifer
Registered User
 
Posts: 177
Joined: Fri Jun 25, 2010 10:42 am
Location: Pennsylvania, US


© 2006-2013 Fluke Corporation. All rights reserved.