WiFi Attacks – Are You Protected from MitM Attacks?

Jun 13, 2013 03:00 AM

“I never use Wi-Fi networks, so man in the middle attacks via Wi-Fi are not my problem,” an executive of a large organization told us during a demonstration of SEP Mobile’s mobile security solution.

But is this really the case? Even if you are a cautious user who never connects to public Wi-Fi networks – does it mean you are safe?

Surprisingly, it doesn’t.

Our research shows that mobile carriers silently push Wi-Fi network configurations onto our mobile devices. As a result, our devices are exposed to a wide range of attacks, even if the user never actively connects to a Wi-Fi network.

Generally speaking, attackers often face two main obstacles when attempting to perform a man in the middle (MitM) attack:

1. The attacker needs to be physically close to the victim

2. The victim needs to first connect to the rogue Wi-Fi network

In our post “Malicious Profiles – The Sleeping Giant of iOS Security” we already showed how to eliminate the proximity requirement by presenting the first persistent iOS malware that is fully remote. This time, we show how the attacker no longer depends on the victim performing any action in order to execute the attack.

It seems the problem is already being exploited in the wild. We recently identified an indication of a real-world attack, though we are unsure whether the attackers fully understood its ramifications.

During the Third International Cyber Security Conference, organized by the Yuval Ne’eman Workshop and the Israeli National Cyber Bureau, Yair Amit, Skycure CTO (now SEP Mobile), and I will perform a live demo with the audience, capturing actual success-rate statistics for this attack.

Full information

Man in the middle attacks are nothing new. Yet, with the rapid growth in mobile device market penetration (tablet shipments alone surpassed desktop PCs in Q4’12) and the variety of Wi-Fi networks these devices connect to, the risk of MitM attacks is higher and their consequences are harsher.

Imagine you had to manually reconnect each day to your home, work, or favorite coffee shop network. That would be cumbersome. Operating systems therefore offer a convenient feature: automatic connection to networks they have previously joined. However, this feature has security consequences. Attackers can simply guess (e.g., “Apple Store”, “Boingo Hotspot”) or retrieve the SSID of a previously used network and cause victims’ devices to automatically connect to a rogue network carrying that SSID, without the victims’ approval. Once the victims are connected to the rogue network, the attackers can use common MitM tools (e.g., DroidSheep, SSLStrip, etc.) against them.

This approach, however, won’t suffice against our extra-cautious executive, who has never connected to a public Wi-Fi network.

Or will it?

Assaf Hefetz from our team investigated an iOS feature that allows mobile carriers to configure settings on the device through a special bundle. Because this carrier settings bundle supports iOS configuration profiles (mobileconfig files), a wide range of settings can be applied through it. Carrier settings were mainly created to apply APN settings, but we saw that many leading carriers also include Wi-Fi settings in their carrier settings bundle. Consequently, Wi-Fi networks are configured on iOS devices automatically, without any user intervention. Attackers can simply look at these bundles, create access points with the SSIDs listed in them, and get nearby victims to automatically connect to their malicious networks.

 

An example of the content of Wi-Fi configuration associated with a known carrier

iOS devices hold predefined mobile carrier settings under /System/Library/Carrier Bundles. We examined this directory and discovered many bundles that contain Wi-Fi settings definitions. Below is a sample list of carriers and the associated SSID(s) of the networks they pre-configure on the device. While some of the bundles include SSID passwords in plain text, we have decided not to publish them.

The above is not a full list. In addition to the predefined bundles, carriers often update the user’s bundle remotely. These updates can include additional Wi-Fi settings, which may differ from device to device, and are placed at /User/Library/Carrier Bundles.
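Because the Wi-Fi settings inside a carrier bundle are ordinary configuration-profile payloads, a reviewer (a carrier's security team, or an enterprise vetting the profiles landing on its fleet) can audit them mechanically. The Python script below is an added example written for this page; it is not code from the original post or from Skycure/Symantec. It parses a constructed sample .mobileconfig (the SSIDs, identifiers, UUIDs and password are invented) with the standard-library plistlib module and reports, for each com.apple.wifi.managed payload, whether the device will auto-join the SSID, whether the network is open, and whether a pre-shared key sits in the profile in clear text. The key names used (PayloadContent, PayloadType, SSID_STR, AutoJoin, EncryptionType, Password) are those of Apple's Wi-Fi profile payload, and AutoJoin defaulting to true when omitted follows Apple's profile documentation; the concern wording is this example's own.

```python
import plistlib

# Constructed sample profile for this example. Identifiers, UUIDs, SSIDs and
# the password are invented and do not come from any real carrier bundle.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.carrier.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>example.carrier.wifi.open</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>ExampleCarrier-Hotspot</string>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>None</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>example.carrier.wifi.psk</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000003</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>ExampleCarrier-Secure</string>
      <key>EncryptionType</key><string>WPA</string>
      <key>Password</key><string>not-a-real-password</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.apn.managed</string>
      <key>PayloadIdentifier</key><string>example.carrier.apn</string>
      <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000004</string>
      <key>PayloadVersion</key><integer>1</integer>
    </dict>
  </array>
</dict>
</plist>
"""

WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"


def audit_wifi_payloads(profile_bytes):
    """Return one finding per Wi-Fi payload in a configuration profile.

    Each finding records the SSID, whether the device will join it on its own,
    the encryption type, and the concerns a reviewer should raise before the
    profile is shipped to devices.
    """
    profile = plistlib.loads(profile_bytes)  # handles XML and binary plists
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != WIFI_PAYLOAD_TYPE:
            continue  # APN and other payloads are out of scope here
        ssid = payload.get("SSID_STR", "")
        # AutoJoin defaults to true when the key is absent, so an omitted key
        # still yields a network the device joins without asking the user.
        auto_join = bool(payload.get("AutoJoin", True))
        encryption = payload.get("EncryptionType", "None")
        concerns = []
        if auto_join and encryption == "None":
            concerns.append("open network with auto-join: any access point "
                            "advertising this SSID is joined without a credential")
        elif auto_join:
            concerns.append("auto-join enabled: the device associates with this "
                            "SSID whenever it is in range")
        if "Password" in payload:
            concerns.append("pre-shared key stored in the profile in clear text")
        findings.append({"ssid": ssid, "auto_join": auto_join,
                         "encryption": encryption, "concerns": concerns})
    return findings


if __name__ == "__main__":
    for finding in audit_wifi_payloads(SAMPLE_MOBILECONFIG):
        print(finding["ssid"], finding["encryption"], "auto-join" if finding["auto_join"] else "manual")
        for concern in finding["concerns"]:
            print("  -", concern)
```

To audit a real profile, pass `open(path, "rb").read()` instead of the constructed sample; plistlib accepts both the XML form and the binary form that bundles often ship. An open, auto-joined SSID is the case the post is about: no secret is needed to impersonate it, so the only defensible fix is at the profile level (not pre-configuring it, or not marking it auto-join).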

The takeaway is clear. Setting up Wi-Fi networks with these SSIDs would trigger an automatic attack on nearby customers of the carrier, even those using an out-of-the-box iOS device that has never connected to any Wi-Fi network.

Putting the attack to the test


We wanted to put the attack to the test without actually attacking anyone or compromising their privacy. We decided to create several Wi-Fi hotspots and simply count the number of devices that connected to them. To do so, we took a simple D-Link router, installed DD-WRT firmware on it, and created several virtual Wi-Fi interfaces. We set the SSIDs according to the networks listed in the carrier bundles, as well as to common Wi-Fi SSIDs. We will perform the first live demonstration at the Third International Cyber Security Conference and will be sure to report back on our results.

Is this threat being exploited?

About a month ago, one of our pilot users went to a small coffee shop in Brooklyn. He was connected to a Wi-Fi network, and we were alerted that an attack was taking place on that network. Without Symantec Endpoint Protection Mobile in place, an attack would have been carried out on his device. It appears he had been automatically connected to a Wi-Fi network whose SSID is associated with a major US carrier. We decided to correlate the geolocation of the malicious Wi-Fi network with the hotspots the carrier has set up, using the carrier’s Wi-Fi locator web service. Looking at the map, we saw that the closest Wi-Fi network set up by this carrier was about seven blocks away, which means it should not have been in range at the coffee shop. It appears that attackers created a network with that SSID to lure people into connecting to it; however, we are not sure whether the attackers were aware that the network is pre-configured on iOS devices, and that their attack on such devices was therefore automatic.
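The correlation described above, comparing where an access point advertising a carrier SSID was observed against where the carrier's own hotspots are, can be automated as a detection heuristic. The Python below is an added example written for this page, not code from the original post or from Skycure; every coordinate in it is constructed, and the hotspot table stands in for whatever the carrier's Wi-Fi locator service would return. It computes the great-circle (haversine) distance from the observation to the nearest official hotspot and flags the observation as suspicious when that distance exceeds a plausible Wi-Fi range; the 0.25 km threshold is an assumption for the example, not a figure from the post.

```python
import math

# Constructed data for this example: invented SSID and invented hotspot
# coordinates, playing the role of the carrier's published hotspot locations.
CARRIER_HOTSPOTS = {
    "ExampleCarrier-Hotspot": [
        (40.6960, -73.9930),
        (40.7050, -73.9800),
    ],
}

# Assumed upper bound on the distance at which a legitimate hotspot could
# still be heard; anything further away than this is treated as suspicious.
MAX_PLAUSIBLE_RANGE_KM = 0.25


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in km."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def nearest_official_hotspot_km(ssid, lat, lon, hotspots=CARRIER_HOTSPOTS):
    """Distance to the closest hotspot the carrier publishes for this SSID,
    or None when the SSID is not one the carrier operates at all."""
    sites = hotspots.get(ssid)
    if not sites:
        return None
    return min(haversine_km(lat, lon, s_lat, s_lon) for s_lat, s_lon in sites)


def assess_observed_network(ssid, lat, lon,
                            max_range_km=MAX_PLAUSIBLE_RANGE_KM,
                            hotspots=CARRIER_HOTSPOTS):
    """Classify an access point seen at (lat, lon) advertising a carrier SSID.

    Returns a dict with the SSID, the distance to the nearest official
    hotspot (None if unknown) and a verdict: 'plausible' when an official
    hotspot is within range, 'suspicious' when none is, 'unknown-ssid' when
    the carrier has no published sites for that SSID.
    """
    distance = nearest_official_hotspot_km(ssid, lat, lon, hotspots)
    if distance is None:
        verdict = "unknown-ssid"
    elif distance <= max_range_km:
        verdict = "plausible"
    else:
        verdict = "suspicious"
    return {"ssid": ssid, "nearest_km": distance, "verdict": verdict}


if __name__ == "__main__":
    # A coffee-shop observation roughly 0.7 km from the nearest official site
    # (constructed), and a second observation right next to that site.
    for lat, lon in ((40.6900, -73.9900), (40.6962, -73.9931)):
        result = assess_observed_network("ExampleCarrier-Hotspot", lat, lon)
        print(result)
```

The heuristic is only as good as the location data it is fed: the device's own GPS fix for the observation, and a reasonably complete hotspot list from the carrier. It also says nothing about an impostor parked next to a real hotspot, so it complements, rather than replaces, the network-level attack detection that raised the alert in the first place.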

 

Remediation

Consumers

As there is no iOS mechanism for viewing or changing Wi-Fi settings pre-configured by cellular carriers, one has to rely on indirect measures to mitigate the threat. One approach is to disable Wi-Fi on your iOS device entirely. However, if you do want to use Wi-Fi once in a while, this approach becomes cumbersome and is not completely protective, as you are exposed to the threat whenever the Wi-Fi interface is enabled. A more practical approach is to install a Wi-Fi protection app, such as the publicly available Onavo Protect or Hotspot Shield, which provides protection against some of the threats described here.

Organizations and Wi-Fi network carriers

Symantec Endpoint Protection Mobile is a solution that allows organizations to ensure their employees are safe from a variety of threats, including the problem described in this publication. Our beta program participants can therefore rest assured that they are protected.

- If you are part of an organization that is worried about mobile security, we would love you to join our beta program and enjoy seamless security on both corporate and employee-owned devices. While our product is still under development, our patent-pending technology has already proven valuable to several customers.

- If you represent a large Wi-Fi network provider or a carrier, you can easily integrate our solution into your infrastructure, allowing your customers to enjoy the benefits of SEP Mobile’s protection suite while continuing to use their devices seamlessly. Please contact us for further discussion.