On the day I got my iPhone I submitted a bug report to Apple. It wasn’t truly a bug, but I didn’t know of a better way to express my disappointment involving the absence of a software development kit for the iPhone. It just seemed like too unique of a device to not be able to create applications for it. Perhaps a bug report was a bit of a low blow, but I never expected I'd hear anything back. However, the day after Apple announced they were going to release an iPhone dev kit in February of '08, I got an email in response to my "bug." Now, this email was identical to what Apple posted in the "Hot News" portion of their Web site and while I'd seen it before on many of the Apple news sites, this time I actually read it. One big section stood out in particular:
“It will take until February to release an SDK because we’re trying to do two diametrically...
Let's say that an employee in your company gets a new laptop. He's excited about the laptop's WiFi capabilities, but the company he works for doesn't have wireless capabilities. What's he do?
One option is to bring in his own wireless router. He goes down to the local computer store, picks up a router for $39.95, and brings it to work. He plugs it in, boots up his laptop, connects to the network called "default," and is happy to use his laptop from anywhere in the building.
Another possibility is that he opens up the "wireless connections" panel of the laptop and sees a list of possible networks to join. He may not realize that the access points are on networks belonging to other individuals or companies. In the unlikely scenario of a targeted attack, he may even see an official-looking access point named after his company. In either case, he connects to somebody else's wireless work, finds that he can access the Internet, and...
O.K. - firstly - long time no blog. Secondly, apologies for that - a mixture of vacation, work, and work travel has recently seen me distracted a little from my blogging duties (my plate spinning is improving, however). Anyway, with the apologies out of the way, onto the subject of this blog. Recently I was invited by Microsoft to speak at BlueHat on Windows CE/Mobile security, even being given a guest spot on their blog and doing a podcast for them. Pedram from TippingPoint has provided a good summary of the talks that saves me from...
Further to the research already done on unlicensed mobile access (UMA) by our security researchers, I've been looking at a couple of alternatives to UMA services. As you’ll recall, most UMA threats surround increased exposure to the operator’s core network, as they are basically an extension of the core network and its protocols.
The services that I’ve been looking at are very similar but are not true UMA in this regard; rather, they may be best described as Mobile VoIP. A new crop of providers are appearing in this space, fuelled by WiFi-capable smart phone handsets. And, when they do appear, they don’t have any of the operator baggage to worry about, so are free to adopt the next generation standards rather than modify existing ones.
So, where’s the security point to this post? Well, when I say “looked at” these services, I didn’t mean admiring the user interface. I set up a couple of handsets...
Wireless Equivalency Protocol (WEP) has been one of the hottest topics in Irish news over the last few days. One of the leading providers of DSL in Ireland has supplied users with wireless routers protected using WEP. What made this newsworthy is that it has emerged that the WEP keys used to encrypt the network traffic and to control access to a private network were generated using the (Service Set Identifier) SSID. The algorithm used to generate the encryption keys has been analyzed and a tool is freely available which allows anyone within range of the router to trespass on a wireless network that has been secured using the default settings.
The DSL provider and media reports are advising customers that if they change their WEP keys, they will be safe from any trespassers or malicious attackers trying to get onto their network. While it is true changing the default WEP settings will mitigate this particular attack it will not make your wireless network secure.
