Aha, I see you switched on your mobile Wi-Fi. YOU FOOL!

Security expert Raul Siles has warned that years after it was first identified, the Preferred Networks List (PNL) Wi-Fi bug remains unaddressed on many an iPhone, Android phone, and Windows or BlackBerry handset. The problem itself is simple enough, reports HelpNet Security. When searching for networks, a poor Wi-Fi …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Or another spin:

    years after it was first identified nobody has managed to use this apparent vulnerability, so it's likely this guy nobody has ever heard of is just a lame attention seeker.

    1. Anonymous Coward

      Re: Or another spin:

      If I'd exploited this vulnerability I wouldn't be shouting about it from the rooftops thereby ensuring idiots with their heads buried in the sand would make comments like yours.

    2. Parax

      Re: Or another spin:

      since it's a very local vuln, I don't think it'll ever make headline news, but this does not mean it is not being abused in a very low number of cases... the question is how significantly...

    3. Thorin
      FAIL

      Re: Or another spin:

      Who says this vulnerability isn't exploited?

      Read these for a start:

      http://www.troyhunt.com/2013/05/pineapple-surprise-mixing-trusting.html

      http://www.troyhunt.com/2013/04/your-mac-iphone-or-ipad-may-have-left.html

      http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html

      That's just one example of someone proving this is an issue. Go to some IT Security conferences, or sit in a coffee shop near a company that actually does IT Security assessments, or one near a technical high school/university; broadcast that you're looking for all sorts of open networks... watch them appear... check your routing... owned!

  2. Drem
    Devil

    Troy Hunt's Pineapple

    I think that Troy Hunt has a rather better set of posts on this, demoing it in action with a pineapple...

    http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html

    http://www.troyhunt.com/2013/04/your-mac-iphone-or-ipad-may-have-left.html

    and

    http://www.troyhunt.com/2013/05/pineapple-surprise-mixing-trusting.html

    The Pineapple in question is one of these:

    http://wifipineapple.com/

    Given it's been available since 2008, I'd be surprised if this has never been used for more nefarious purposes.

  3. Badvok

    Am I right in thinking this only affects Open networks and not those that employ any kind of security?

    i.e. Hacker sees phone looking for SSID 'TheCloud' and so creates an SSID of 'TheCloud' to which the phone then connects. However, if the phone was expecting the network to use security would it actually still connect if there wasn't any?

    1. DaLo
      FAIL

      Open Networks

      Yes, you are correct and that is why this isn't such a big deal.

      Richard Chirgwin's idea that "Given the growing popularity of BYOD in the business environment, there's the added danger of a fake preferred network being used to capture corporate logins" is ridiculous.

      If you have an open WiFi access point on your corporate network (even one that has a password let alone client certificates would be okay) then you aren't interested in secure networks as the data could be sniffed anyway. Also if you allow corporate logins that are not encrypted then I'm not sure what system you are using but, once again, you have bigger problems than this exploit.

      The only added issue really is man-in-the-middle type attacks that this could do that a standard open network couldn't. However it still wouldn't be able to intercept banking or other security details without SSL errors. It could fake a website (such as a bank) and you might not notice that the address bar hasn't gone green (or using SSL) but once again the list of circumstances is quite limiting - you would probably be just as likely to fall for a 419 scam.

      1. Tom Wood

        Re: Open Networks

        The middleman can proxy all connections to SSL websites and present them to the user over http:

        http://hakinthebox.blogspot.com.au/2012/06/you-just-cant-trust-wireless-covertly.html

        If the user isn't looking for the padlock (they possibly aren't on facebook et al, more likely are on bank websites though) you've got their login details.

        1. DaLo

          Re: Open Networks

          Yes, that's what I said in the last paragraph.

          1. Tom Wood

            Re: Open Networks

            @DaLo - yes, but it need not be "a fake website" (which suggests that some effort went in to constructing a copy of the real thing like a phishing attack does). The MITM can just present *any and all* HTTP websites to the end user over HTTP - the user sees the real website (just over HTTP not HTTPS) and the middleman can capture all traffic.

            1. Anonymous Coward

              Re: Open Networks

              A couple more SSIDs to try this with would be:

              02 Wifi

              or

              BTWiFi-with-FON

              If you've ever used these, you're SOL

              1. Anonymous Coward

                Re: Open Networks

                Also I like the example on Troy Hunt's website:

                Turns out that my wife had wandered into range with her MacBook Air and it had automatically associated to the SSID “Apple Demo” which I can only assume is the access point the Apple store connected her to when walking her through the shiny new machine she recently bought. So there you go – right out of the box a brand new machine is already falling victim to the Pineapple without even trying.

                http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html

            2. Dave Bell

              Re: Open Networks

              There's an App on my tablet which knows where the APs for TheCloud are, though the map can be a bit erratic. I know where both the local locations are and they don't match the markers on the app's map. I wonder if a man-in-the-middle attack could fake a location update? That sort of detail makes it harder for an attacker, but it isn't much extra protection. And, with the mapping errors (the bus stops are correctly placed), there's a chance to fool a stranger to the area.

    2. NightFox
      Black Helicopters

      Surely even without PNL disclosure, i.e. if it wasn't possible to identify which SSID a device is looking for, setting up an open AP called TheCloud in any town centre would still have a pretty high success rate for this kind of attack? Not as successful as a custom attack that PNL access might make possible, but effective nonetheless.

    3. big_D Silver badge
      Thumb Up

      @Badvok

      yep, that was my first reaction. As I've never attached to a network without a password - I don't think I've seen one without a password in the last decade - I was wondering how the "spoofed" network would also be able to authenticate.

    4. This post has been deleted by its author

    5. Thorin
      Unhappy

      NOT only Open Networks

      That this only impacts open networks is a big fallacy that is being propagated.

      There is nothing that prevents a malicious individual from setting up a WiFi Access Point that accepts whatever WEP/WPA password you throw at it...same goes for hacking OpenRadius to accept any credential.

      1. Tom Wood

        Re: NOT only Open Networks

        > There is nothing that prevents a malicious individual from setting up a WiFi Access Point that accepts whatever WEP/WPA password you throw at it...same goes for hacking OpenRadius to accept any credential.

        @Thorin - really? That's a disturbing thing to learn. I'd kind of assumed that the authentication part of WPA2-PSK might use some signing mechanism that allowed the AP to prove to the STA that it knows the key, as well as for the STA to prove to the AP that it knows the key, without actually transmitting the key over the air. Is that not how it works?

        ...off to swot up on the specs...

        1. Tom Wood

          Re: NOT only Open Networks

          Yeah, as far as I can tell, WPA2 uses a four way handshake which ensures that the AP needs to authenticate itself to the STA as well as the other way round. So a middleman couldn't just set up an AP that accepted "any" password (for WPA2-PSK at least).

          Maybe what Thorin says is true for WPA (not WPA2) though (and WEP is broken anyway).

        2. Badvok

          Re: NOT only Open Networks

          WPA and WPA2 do provide mutual authentication, this is one of the big advantages they have over WEP.

          1. Thorin
            Meh

            Re: NOT only Open Networks

            I'd have to dig. I'm 98% sure it's true of WEP. And I know I've heard of people hacking OpenRadius or FreeRadius to accept any cred provided in a WPA-Enterprise setup.

            1. thebertster

              Re: NOT only Open Networks

              WPA/WPA2-Enterprise is vulnerable to this kind of attack if the client is not properly configured. Assuming you are using a sensible EAP type (e.g. EAP-TLS, PEAP-EAP-TLS, PEAP-EAP-MSCHAPv2) you will have some form of mutual authentication. A bogus RADIUS server can very easily accept any connection, however the client should only connect to the network once it has confirmed that the SSL certificate that the RADIUS server has provided is signed by the expected certificate authority. In an Enterprise, this would normally be an Enterprise CA, but it could be signed by a public trusted CA so the client can and should also validate that the common name in the RADIUS server's certificate matches what it expects.

              The problem is that a lot of people who are unclear on how SSL/TLS works (or are lazy) go and disable this validation in the connection settings for the SSID because it's easier than all that tedious faffing about with CA certificates and heck, we just want to get the device connected, right? It's scary how many "idiot's guides to WPA Enterprise" actually tell you to turn that check off!

              For laptops that are members of an AD domain, the administrator can force the correct settings via Group Policy (and prevent the user from modifying them). For mobile devices, it is not so easy to enforce.

              Combine this with the PNL implementation issues or hiding the SSID (yes, people still do this!) and your client will sit there sending probes out advertising "please can I connect to this SSID, please, pretty please" - practically a hacker's charter.

              To what extent is this actually going on in the real world...very difficult to quantify.
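Tom Wood's and Badvok's point above, that in WPA2-PSK the access point has to prove knowledge of the key to the station and not only the other way round, can be checked by working through the four-way handshake key derivation. The following is an added Python example, not code from the page or from any of the commenters; the SSID, MAC addresses, nonces and passphrases are constructed, and the EAPOL-Key frames are reduced to a label plus nonce rather than the full frame format, so the MIC values are illustrative while the pass/fail outcomes are not.

```python
import hashlib
import hmac
import os

# Constructed example values (not from the page or any commenter).
SSID = b"PubWifi"
AP_MAC = bytes.fromhex("020000000001")   # AA:  authenticator (AP) address
STA_MAC = bytes.fromhex("020000000002")  # SPA: supplicant (station) address


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """802.11i PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of MACs and nonces) for CCMP.

    The first 16 bytes of the PTK are the KCK, the key that authenticates handshake messages.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (AES-CCMP) Key MIC: HMAC-SHA1 truncated to 128 bits, keyed with the KCK."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def run_handshake(sta_passphrase: str, ap_passphrase: str, ap_accepts_anything: bool = False):
    """Simulate the four-way handshake between one station and one access point.

    Returns (ap_accepted_station, station_accepted_ap). ap_accepts_anything models a
    rogue AP that skips its own MIC check and "accepts any password": it can wave the
    station through, but it still cannot produce a message 3 MIC the station accepts,
    because that MIC is keyed from a PMK the rogue AP does not hold.
    """
    sta_pmk = pmk_from_passphrase(sta_passphrase, SSID)
    ap_pmk = pmk_from_passphrase(ap_passphrase, SSID)

    # Message 1 (AP -> STA): ANonce. Unauthenticated; anything can send this.
    anonce = os.urandom(32)

    # Message 2 (STA -> AP): SNonce plus a MIC keyed with the station's KCK.
    snonce = os.urandom(32)
    sta_ptk = derive_ptk(sta_pmk, AP_MAC, STA_MAC, anonce, snonce)
    msg2 = b"EAPOL-Key M2 " + snonce            # simplified frame body (MIC field omitted)
    msg2_mic = eapol_mic(sta_ptk[:16], msg2)

    # The AP derives the PTK from *its* PMK and verifies the station's MIC.
    ap_ptk = derive_ptk(ap_pmk, AP_MAC, STA_MAC, anonce, snonce)
    ap_ok = hmac.compare_digest(eapol_mic(ap_ptk[:16], msg2), msg2_mic)
    ap_accepted = ap_ok or ap_accepts_anything

    # Message 3 (AP -> STA): MIC keyed with the AP's KCK. This is where the AP proves it
    # knows the PMK; the station must derive the same KCK for the check to pass.
    msg3 = b"EAPOL-Key M3 " + anonce
    msg3_mic = eapol_mic(ap_ptk[:16], msg3)
    sta_accepted = hmac.compare_digest(eapol_mic(sta_ptk[:16], msg3), msg3_mic)

    # Message 4 (STA -> AP) is an acknowledgement and is omitted here.
    return ap_accepted, sta_accepted


if __name__ == "__main__":
    print("genuine AP:", run_handshake("beermat-password", "beermat-password"))
    print("rogue AP, wrong key:", run_handshake("beermat-password", "guess"))
    print("rogue AP that 'accepts anything':",
          run_handshake("beermat-password", "guess", ap_accepts_anything=True))
```

Run as written, the three cases give (True, True), (False, False) and (True, False). The last one is the situation Thorin describes: the rogue AP "accepts" whatever password arrives, but the station rejects message 3 and never completes the association. Note what the handshake does and does not prove: an AP that holds the same passphrase, for example one copied from a key written on a beer mat, also gets (True, True), so WPA2-PSK authenticates knowledge of the key, not the identity of the access point.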

  4. Lee D Silver badge

    Sorry, but everything I see regarding this attack is basically saying "If you have trusted an unencrypted network in your device, and ask it to connect to them automatically, then it will join networks with that name automatically without entering authentication details".

    Well... Yes. I should damn well hope it did, or one or other of the options "trust this network" or "automatically connect to trusted networks" is bloody lying to me. That still doesn't mean it's not an incredibly stupid thing to do, but it's not a design flaw.

    How does this fare against encrypted networks? How does this let you capture details on any network which PREVENTS ACCESS to random unknown device? How does this mean you can get access to authentication details for encrypted networks that you join and trust? It seems to be a lot of hand-waving and misdirection.

    "Ah ha, we see you're trying to join OPEN_PUBLIC_WIFI - let's make a network called OPEN_PUBLIC_WIFI and you'll join it!".

    Yes. You will. Of course. Unless you're checking BSSIDs (which can still presumably be faked etc.). That's why we have encryption and authentication. Because in any half-decent authentication system, a client that DOES have the details isn't giving them away to ANYONE. They are mutually authenticating against the other side of the connection so no amount of fake "ENCRYPTED_WIFI" networks would be able to successfully authenticate it and thus wouldn't provide network access to such a device without a DAMN lot of warnings (but, more likely, just floods of connection errors and no access at all, and the client constantly retrying to find their secured network).

    And, I'm sorry, but any wireless device, on any wireless network is giving out the ESSID of the network it's joined. Go deploy Kismet and find out for yourself. It's much easier to just sniff out of the air, so advertising that a device is "looking for" a certain ESSID isn't really that much of a problem (much more of a privacy problem than a security problem, in fact) and won't get you any further than you would have even if they were connected in front of you to that exact network.

    Wireless, like the Internet, is an unsecured network where anyone can sniff, modify, fake or inject arbitrary traffic. If your wireless deployment hasn't already taken account of this, for everything from joining to DDOS'ing to authenticating clients, then I suggest you throw it in the bin. If your wireless clients do anything other than what they are told ("remember that this is a trusted network with password X and BSSID XXXX") and it connects to networks that have the same ESSID but not the same authentication details or even same encryption characteristics as the known, trusted network had last time you saw it WITHOUT AT LEAST A WARNING - that client is rubbish and stupid. But that does NOT appear to be the case here.

    What you're saying is that if I connect to wireless networks without encryption... WOOP WOOP WOOP WOOP WOOP STUPID IDIOT ALERT. You don't need to go any further in that sentence at all, whatsoever, in any way. What you then do after that point, especially adding those networks to a "trusted network" list is beyond anybody helping you out or recovering the situation.

    Hence why I don't touch open public Wifi, by the way. What a stupid idea. Even a pub that deploys a cheap router and scrawls the WPA key on a beer mat when you make a purchase is being more secure.

    Wifi is open. Always assume it's open. Always expect everything you do on it to be overheard. Mark it as "untrusted" in your firewall on your clients, etc. If you want to secure it, only use it "unsecured" as the transport channel for a VPN connection. Problem solved.

    1. Tom Wood

      Encrypted but not secure networks

      > Even a pub that deploys a cheap router and scrawls the WPA key on a beer mat when you make a purchase is being more secure.

      I guess there is still ample opportunity for a MITM attack with such a network. If you create your own network that mirrors the (publicly available) credentials of the pub's, devices might choose to connect to your network automatically. The credentials will be correct and you can sniff people's traffic.

      Maybe if you're sat in the pub, there's a fair chance people's phones will connect to the pub's network not your own, but it probably depends on which AP has the strongest signal. But if the credentials are saved, there's nothing stopping you setting up a network just down the road from the pub (in the chippy or whatever) pretending to be the pub's network and having people connect to it that way.

    2. Jamie Jones Silver badge
      Thumb Up

      @Lee D

      Thank-you for your post... Upvoted.

      I was beginning to think I'd missed something.

      But basically, "tl;dr: Use non-encrypted, public wi-fi, and expect your data to be sniffed by whoever is nearby". Hardly news!

  5. Ryan 7

    Windows Mobile, eh?

    Researcher couldn't afford a Lumia?

    1. Anonymous Coward

      Re: Windows Mobile, eh?

      Either that, or it's fixed on WP?

      1. Eddy Ito

        Re: Windows Mobile, eh?

        The work Lumia (WP8) I've got has an advanced wifi setting check box that reads: "Send information about Wi-Fi connections to help discover nearby Wi-Fi" which appears to be not checked by default.

  6. Anonymous Coward
    Facepalm

    WiFi can be dangerous no matter what.

    It's reasons like this why I'm always turning off WiFi the very moment I need to do something more serious with my phone like checking bank records or writing an important (not private per se) e-mail. I have a data plan, so I can use the Net basically unlimited with my phone subscription, but depending on the kind of WiFi connection it's usually a little faster.

    Of course according to my surroundings I'm simply being a little paranoid.

    But the thing is: If your phone (or other mobile device) is using a (public) WiFi connection then how sure can you be that no one is eavesdropping or doing worse? Yet most people I know don't even care to take this into consideration.

  7. fixit_f
    Stop

    "allowing attacks to breach ultra-secure locations."

    What I'd describe as an "ultra-secure" location will generally use 2 factor authentication such as SecurID, on top of your network logon credentials. If you're only capturing the 2 factor authentication once then it's only of use until the ID changes, limiting the value of any keylogged/captured credentials you do get hold of. So in real life to most genuinely secure networks this is a fairly limited threat, isn't it? If not, why not (genuinely, educate me)?

    1. max allan

      Ultra-secure?

      Any ultra-secure location I've been in would have shot you as soon as you walked through the door with wifi turned on. Or even a phone or laptop about your person.

      Wifi of any kind I'd describe as only averagely secure.

      1. Anonymous Coward

        Re: Ultra-secure?

        You were lucky.

        Where I've worked they shot us with our own eyeballs which we had to deposit so we didn't see too much then had to dig them out of our hearts with our bare hands as we weren't allowed sharp objects then leave them behind for the next day. Kids today? Don't know they're born. Try to tell them and they won't believe you.

        1. asdf
          Trollface

          Re: Ultra-secure?

          Ah so you worked at Area 51 too then eh? Funny how everyone thinks it's super secret due to the Roswell aliens when the explanation is the much more mundane megaton nuclear warheads. Smart of the government to keep up the mystique though. Keeps the dirty peacenik hippies from protesting.

          Edit: bah blew whole joke (admittedly lame) not posting anon

  8. Chairo

    Given the battery life of most smartphones

    I suppose most people turn off WIFI anyway if they don't use it. Just like GPS, bluetooth and similar battery hogs.

    1. Anonymous Coward

      Re: Given the battery life of most smartphones

      Doesn't seem to make any real difference on my SGS3 whether I leave WiFi on or off. Same with GPS, it only activates when something requests position.

      1. Andrew Jones 2

        Re: Given the battery life of most smartphones

        I've always thought it was an odd thing for people to claim - even since the HTC Desire days I have always left WiFi and GPS enabled and it's never really caused any noticeable battery drain. The new Fused Location provider that is compatible right back to Froyo should further mean that Location based apps use even less battery than before!

  9. Andrew Jones 2

    Presumably I am still OK connecting to public WiFi and then firing up my VPN client to tunnel my encrypted traffic back to my home network? (That's the main reason I set it up)

    1. Charles 9

      What about for just casual "check the news while you wait" kind of browsing? Especially for newer phones that don't have Flash installed on them? Sure, there's the drive-by, but wouldn't a drive-by penetrate a tunnel?

      1. Andrew Jones 2

        I'm probably better off just sticking with 3G..... it's unlimited anyway. It's just WiFi is friendlier on the battery.

  10. This post has been deleted by its author

  11. Henry Wertz 1 Gold badge

    wifi probes

    Indeed, with NetworkManager, or typical OSX or Windows card control, the card scans for networks first, then when it sees the one it wants connects to it. But, if a card is set to an SSID and does not find it in its scans, it broadcasts probe requests broadcasting the SSID it is looking for. In Android, if you "add a wifi network" then it probes for it, if you see it on your list and connect it does the "scan for networks, connect when it sees it" behavior. It's just as Badvok says, the attacker would then just impersonate that SSID.
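thebertster's post above describes clients that have RADIUS server certificate validation switched off, and Henry Wertz's post describes a client that names the SSID it wants in its probe requests. On a Linux client using wpa_supplicant (an assumption for this example; the page itself mentions NetworkManager, which drives wpa_supplicant underneath) both behaviours are visible in the saved configuration: an EAP network block with no `ca_cert` accepts any RADIUS server, a block with `ca_cert` but no `domain_suffix_match` or `subject_match` accepts any server certificate that CA has issued, `scan_ssid=1` makes the client send directed probes for that SSID, and `key_mgmt=NONE` is a saved open network that will join any AP advertising the name. The following is an added Python example, not code from the page, from any commenter, or from the wpa_supplicant project: a parser for `network={ ... }` blocks plus an audit that reports those settings. The configuration text is constructed for the example; the option names are real wpa_supplicant keys.

```python
import re

# Constructed sample wpa_supplicant.conf (not from the page). Option names are real
# wpa_supplicant keys; SSIDs, paths and credentials are made up for the example.
SAMPLE_CONF = """
ctrl_interface=/run/wpa_supplicant

# EAP network with server certificate validation switched off entirely
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# CA pinned, but any certificate from that CA is accepted
network={
    ssid="CorpWiFi-pinned-ca"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    identity="alice"
    phase2="auth=MSCHAPV2"
}

# CA pinned and the server name checked
network={
    ssid="CorpWiFi-good"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.corp.example"
    identity="alice"
    phase2="auth=MSCHAPV2"
}

# Saved open network that is probed for by name
network={
    ssid="TheCloud"
    key_mgmt=NONE
    scan_ssid=1
}

network={
    ssid="PubWifi"
    psk="beermat-password"
}
"""

_KV = re.compile(r'^([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$')


def parse_networks(text: str) -> list[dict]:
    """Return one dict of option -> value per network={...} block, with quotes stripped."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None:
            m = _KV.match(line)
            if m:
                key, value = m.group(1), m.group(2)
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]
                current[key] = value
    return networks


def audit(networks: list[dict]) -> dict[str, list[str]]:
    """Map each SSID to the findings a defender reviewing the client config would want."""
    report = {}
    for net in networks:
        ssid = net.get("ssid", "<no ssid>")
        findings = []
        # wpa_supplicant's default when key_mgmt is absent is "WPA-PSK WPA-EAP"
        key_mgmt = net.get("key_mgmt", "WPA-PSK WPA-EAP").split()
        if "NONE" in key_mgmt:
            findings.append("OPEN")              # will join any AP advertising this SSID
        if net.get("scan_ssid") == "1":
            findings.append("DIRECTED_PROBE")    # client names this SSID in probe requests
        if "WPA-EAP" in key_mgmt and "eap" in net:
            if "ca_cert" not in net:
                findings.append("NO_CA_CERT")    # any RADIUS server certificate accepted
            elif not (net.get("domain_suffix_match") or net.get("subject_match")):
                findings.append("NO_NAME_MATCH")  # any certificate from that CA accepted
        report[ssid] = findings
    return report


if __name__ == "__main__":
    for ssid, findings in audit(parse_networks(SAMPLE_CONF)).items():
        print(f"{ssid:22s} {', '.join(findings) or 'ok'}")
```

On a real client the text would come from `/etc/wpa_supplicant/wpa_supplicant.conf` (or the file NetworkManager generates) rather than the constructed string. The audit flags `CorpWiFi` for having no CA at all, `CorpWiFi-pinned-ca` for accepting any certificate from the pinned CA, which is the gap thebertster's last sentence is about, and `TheCloud` for being both open and probed for by name; the PSK network gets no findings, since the WPA2 handshake, not a certificate, authenticates that AP.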

  12. Anonymous Coward

    Chav locator.

    My neighbour (for some strange reason probably related to some "sick hax" on youtube) set up an open wireless access point on his phone, initially as there didn't look to be any traffic moving I didn't see the need to alert him. He must be carrying it around in his pocket as the signal level goes up and down as he moves around, I put one of those WIFI detection apps on a tablet that bleeped signal level and I could calculate the distance to the nearest baseball cap and white trainers. After figuring the wireless in his trousers might affect his fertility again I decided best not to make a fuss.

    1. asdf
      Joke

      Re: Chav locator.

      > nearest baseball cap

      So Burberry hats are out now? Chav tastes are so fickle.

  13. Thorin
    Go

    More From Troy

    http://www.troyhunt.com/2013/05/talking-with-scott-hanselman-on.html
