Surprised there wasn’t more coverage on this story in the news on Friday… Basically, Mark Wuergler of Immunity Inc. found that the iPhone advertises the last three SSIDs it connected to, exposing the MAC addresses of those routers/access points as well. With this information anyone could then use a service like Google Location Services or Wireless Geographic Logging Engine to pinpoint exactly where a particular user has been. The same vulnerability is present on many of Apple’s other WiFi-enabled iOS devices as well. Here’s the relevant part of the ArsTechnica “Loose-lipped iPhones top the list of smartphones exploited by hacker” article I came across.
That’s because the iPhone is the only smartphone he knows of that transmits to anyone within range the unique identifiers of the past three wireless access points the user has logged into. He can then use off-the-shelf hardware to passively retrieve the routers’ MAC (media access control) addresses and look them up in databases such as Google Location Services and the Wireless Geographic Logging Engine. By allowing him to pinpoint the precise location of the wireless network, iPhones give him a quick leg-up when performing reconnaissance on prospective marks.
The article goes on to discuss an app Mark created called “Stalker” that automates collecting, parsing, and viewing not only this iPhone data but tons of other sensitive information from any open WiFi hotspot. Previously, slurping this network traffic could have been done by anyone just sniffing an open wireless network, but Stalker obviously “firesheeps” things to the next level.
Running on a laptop, Stalker vacuums up passwords, images, email and any other data that is sent unencrypted and organizes it in an easy-to-read interface.
Previously accessed network names and unencrypted Facebook chats, emails, and attached documents are all there, along with the name of each smartphone user who exposed them. Stalker presents the collected data in aggregate or allows the user to view the contents retrieved from a specific smartphone owner. Stalker also calls on programming interfaces offered by Google and other location services to automatically plot the recently connected Wi-Fi networks on a map.
The Stalker app also performs some more advanced attacks, e.g., stealing login credentials, using what Mark calls a “Man Within Range of You” attack. In this scenario, a local malicious hacker simply returns a spoofed response faster than the legitimate service can.
Stalker also has the capability to steal login credentials from browsers that store passwords. It works by injecting hidden forms into a user’s browsing session that mimic the forms used to log in to corporate email accounts and websites. Because the fields are invisible, they can be added even when the target is visiting a completely unrelated site, giving little indication anything is awry.
Stalker relies on what its author calls a “Man Within Range of You” attack. Unlike man-in-the-middle exploits—in which a hacker sits between the victim and the site he’s connecting to and monitors or tampers with data as it’s passed from one to the other—the app plucks data from radio signals transmitted in the vicinity of the smartphone and relies on the same airwaves to broadcast spoofed information back to the targeted device. When successful, so-called race conditions work by zapping the falsified data to the target before the legitimate source can.
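One thing the race described above leaves behind is a footprint a passive monitor can catch: the client acts on the forged reply, but the legitimate reply still arrives a moment later, so the same transaction is seen answered twice with different contents. The script below is an added defender's illustration, not code from the article or from Immunity; it assumes a constructed list of DNS replies as input and flags transactions that received conflicting answers within a short window.

```python
# Added example: flag "race" response spoofing from a passive view of DNS
# replies. Two replies for one transaction that disagree are the signal; the
# earlier one is the suspect, since a race-based spoof only works by arriving
# first. Not the article's or Immunity's code; input below is constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsResponse:
    ts: float      # seconds since start of capture
    txid: int      # DNS transaction ID echoed in the reply
    qname: str     # name that was queried
    answer: str    # A record returned
    src: str       # IP address the reply claimed to come from


def detect_spoofed_responses(responses, window=2.0):
    """Return one finding per (txid, qname) that received two differing
    answers within `window` seconds; identical duplicates (retransmits)
    are not reported."""
    by_txn = defaultdict(list)
    for r in responses:
        by_txn[(r.txid, r.qname)].append(r)
    findings = []
    for (txid, qname), replies in by_txn.items():
        replies.sort(key=lambda r: r.ts)
        first = replies[0]
        for later in replies[1:]:
            if later.ts - first.ts <= window and later.answer != first.answer:
                findings.append({
                    "txid": txid, "qname": qname,
                    "suspect_answer": first.answer,   # arrived first
                    "later_answer": later.answer,     # arrived second
                    "gap_ms": round((later.ts - first.ts) * 1000, 1),
                })
                break
    return findings


# Constructed sample: one normal lookup, then one lookup answered twice
# with different addresses 16 ms apart (documentation-range IPs only).
SAMPLE = [
    DnsResponse(0.010, 0x1A2B, "mail.example.com", "203.0.113.10", "192.0.2.53"),
    DnsResponse(0.505, 0x3C4D, "webmail.example.com", "198.51.100.7", "192.0.2.53"),
    DnsResponse(0.521, 0x3C4D, "webmail.example.com", "203.0.113.22", "192.0.2.53"),
]

if __name__ == "__main__":
    for f in detect_spoofed_responses(SAMPLE):
        print(f"{f['qname']} txid={f['txid']:#06x}: {f['suspect_answer']} "
              f"then {f['later_answer']} {f['gap_ms']} ms later")
```

The same grouping works for any request/response protocol where the request carries an identifier the reply echoes; only the key and the compared field change.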
Looks like Stalker will be available … but only to Immunity’s SILICA subscribers according to a comment on Mark’s Twitter feed. As of Sunday night I did a site-specific Google search on Immunity’s website for Stalker but to no avail. So for now you can also get a better feel for how the iPhone hack works as well as more details on Stalker from a Prezi he posted earlier this month. The audio/video of the related INFILTRATE presentation should soon be up on the Immunity website as well.
Not much can be done regarding the iPhone problem except for changing your use and settings … something that would be very inconvenient. Mark suggests periodically deleting wireless profiles, turning off WiFi when not in use, and limiting the amount of personal information stored on your phone. I don’t see many but the most paranoid taking it this far, as the convenience these features offer often outweighs security. Hopefully, Apple will come out with a patch to address this problem at some point.
Solving the open WiFi problem is a little easier to swallow for many. Just make sure you always communicate over SSL when using open hotspots. Plugins like HTTPS Everywhere can help here. Better yet … use some basic security precautions as well as a corporate or personal VPN as I’ve previously mentioned.
How do you think Apple should solve this problem? Or do you think it would just be touted as a “feature”? Today’s post pic is from ArsTechnica.com.