03:32 PM
Robert Graham

WiFi = Mobile Phone

Traditionally, we've thought of WiFi as the way we connect to the Internet from our notebook computers. This is rapidly changing, with definite implications for security pros.

In the next year, more mobile phones will ship with WiFi than notebook computers. This is going to change how we look at WiFi, and for security people, it's going to change how they secure corporate WiFi networks.

This issue crept up on me. I've been developing my own WiFi assessment tool, and whereas most tools focus on access points (in order to crack WEP), I put stuff into my tool to track client devices. I was working on the code at an airport while waiting for a flight. Rather than seeing the occasional notebook computer, I was astonished to see hundreds of mobile phones around me. A new device would appear at least once a minute.

Here is sample output from the program after only a couple of minutes of monitoring, showing the hardware IDs (with the final two bytes obfuscated), followed by the manufacturer name and the SSIDs the devices were trying to connect to:

[00:23:12:bb:xx:xx] Apple ""
[00:24:7d:25:xx:xx] Nokia ""
[00:1c:b3:04:xx:xx] Apple ""
[00:1e:52:88:xx:xx] Apple ""
[00:24:7c:65:xx:xx] Nokia ""
[00:1c:cc:33:xx:xx] BlackBerry "NETGEAR"
[00:24:9f:ba:xx:xx] BlackBerry "tmobile", "@Home"
[00:23:df:65:xx:xx] Apple ""
[00:23:7a:95:xx:xx] BlackBerry "tmobile", "@Home"
[00:25:00:75:xx:xx] Apple "ostra"
[04:1e:64:1f:xx:xx] Apple ""
[00:1c:cc:8d:xx:xx] BlackBerry "ibahn", "It's A Grind"
[00:21:06:b0:xx:xx] BlackBerry "ATL-WIFI"
[00:24:9f:d3:xx:xx] BlackBerry "tmobile", "@Home", "Primeline", "theBatCave"
[00:26:b0:94:xx:xx] Apple ""

While Apple and BlackBerry dominate the list, that's not necessarily because they have the most WiFi-enabled phones. Instead, it's because these phones encourage the user to turn on WiFi and leave it on.

In BlackBerry's case, it's because T-Mobile offers something called "unlicensed mobile access" (UMA), which means "making calls over WiFi." While at home near your access point, you can make calls over WiFi. The phone makes a VPN tunnel over your home network back to T-Mobile and uses standard VoIP protocols like SIP to make and receive phone calls. If you make a call at home and drive away, then the phone will automatically hand off the connection to the nearest cell tower, allowing a seamless phone call. Most important, while making calls at home, you aren't charged for any minutes. It will also work whenever you are near a T-Mobile hotspot. That is why in the above list so many BlackBerrys are searching for "tmobile" and "@Home" access points.

Apple encourages WiFi for other reasons. It has a ton of apps that rely on Internet connections, such as Twitter. The worst, of course, is iTunes (I missed an episode of SouthPark while on the road recently, so of course I simply downloaded it to the iPhone and watched it). According to reports, AT&T's network is already overloaded by iPhones, so everything Apple can do to encourage people to switch to WiFi will help.

There are a lot of other phones with WiFi, but it's typically turned off by default because there's no compelling reason to leave it on: They don't have good Web browsers, they don't have good applications, and they don't have features like T-Mobile's UMA. Thus, while I see the occasional Nokia, Palm, HTC, Samsung, or Windows Mobile device, they are pretty rare. This is going to change in the next year: Everybody is trying to catch up to Apple's runaway success.

This will change how companies deploy their own WiFi networks. During a recent corporate WiFi assessment, we were at a big campus that was blanketed by a typical Cisco WiFi corporate deployment. The company gave Dell laptops to all their employees, configured to hook up to the corporate network. The campus was full of cafes, little nooks, and conference rooms where people could get out of their cubicle and go work somewhere else.

Yet even in this laptop-rich environment, mobile phones accounted for half the devices trying to connect to WiFi. This poses a problem. For example, the notebooks all had the Cisco supplicant for connecting to the WPA2 corporate network. You can't get specific supplicants for the mobile phones, which poses a problem if companies want custom features in their supplicants. They had an unencrypted "guest" network, but apps on the iPhone can quickly screw that up. For example, an employee will often choose the same password for his Twitter account, then use a Twitter iPhone app that sends the password in the clear to anybody running a WiFi sniffer.

Another interesting problem is vulnerabilities. We reported a typical WiFi vuln in Windows Mobile to Microsoft three years ago (sending a long SSID in a Beacon packet). This was never patched. That's because Microsoft does not sell cell phones: It provides the Windows Mobile phones to device manufacturers (in this case, HTC). The device manufacturers aren't responsible either; they just provide the phones to the carriers (AT&T in this example). While Microsoft worked with us and HTC to make sure the problem was fixed in the code, AT&T had no interest in the vuln and refused to provide the patch to their customers. In contrast, Apple ships security fixes to the iPhone every couple months. Of course, everyone knows the Windows Mobile business model is fatally flawed -- the inability of Windows Mobile bugs to be fixed is just one example.
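As an added illustration (not code from the author's tool or from any vendor), here is a minimal Python parser for the two frame types mentioned above: it pulls the sender's hardware ID and SSID out of a probe request, and it rejects a beacon whose SSID element is longer than the 32 bytes 802.11 allows or runs past the end of the frame. The frames, the address, and the helper `build_frame` are constructed for the example.

```python
MGMT_HDR_LEN = 24       # frame control, duration, three addresses, sequence control
BEACON_FIXED_LEN = 12   # timestamp (8) + beacon interval (2) + capabilities (2)
MAX_SSID_LEN = 32       # longest SSID element body 802.11 allows
PROBE_REQ, BEACON = 4, 8


class MalformedFrame(ValueError):
    """Frame that a monitor or client must drop rather than process."""


def parse_ssid(frame: bytes):
    """Return (subtype, transmitter MAC, SSID or None) for a probe request or beacon."""
    if len(frame) < MGMT_HDR_LEN:
        raise MalformedFrame("truncated management header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in (PROBE_REQ, BEACON):
        raise MalformedFrame("not a probe request or beacon")
    mac = ":".join(f"{b:02x}" for b in frame[10:16])  # address 2 is the sender
    pos = MGMT_HDR_LEN + (BEACON_FIXED_LEN if subtype == BEACON else 0)
    while pos + 2 <= len(frame):                      # walk tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise MalformedFrame("element length runs past end of frame")
        if tag == 0:                                  # tag 0 is the SSID element
            if length > MAX_SSID_LEN:
                raise MalformedFrame(f"SSID element of {length} bytes")
            return subtype, mac, body.decode("utf-8", "replace")
        pos += 2 + length
    return subtype, mac, None


def build_frame(fc0: int, src: bytes, body: bytes) -> bytes:
    """Constructed test frame: broadcast destination and BSSID, zero sequence."""
    bcast = b"\xff" * 6
    return bytes([fc0, 0, 0, 0]) + bcast + src + bcast + b"\x00\x00" + body


SRC = bytes.fromhex("02aabbccddee")                   # constructed, locally administered
PROBE = build_frame(0x40, SRC, b"\x00\x07tmobile\x01\x04\x02\x04\x0b\x16")
WILDCARD = build_frame(0x40, SRC, b"\x00\x00")        # zero-length (wildcard) SSID
LONG_BEACON = build_frame(0x80, SRC, bytes(12) + b"\x00\x40" + b"A" * 64)

if __name__ == "__main__":
    for name, frame in (("probe", PROBE), ("wildcard", WILDCARD), ("beacon", LONG_BEACON)):
        try:
            print(name, parse_ssid(frame))
        except MalformedFrame as exc:
            print(name, "rejected:", exc)
```
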

Apple has the worst problem: All of those apps written by third parties are horrible, with all the old vulnerabilities. In our penetration tests, the first thing we do is look for an iPhone app written by the customer. After simple reverse-engineering, we find we can break into the iPhone, the server it's talking to, or both. Exploitable smartphone? There's an app for that.

I don't know the exact numbers of WiFi-equipped mobile phones versus laptops, but a good number to start with is Apple's recent quarterly report. It shipped 7.4 million iPhones last quarter, compared to about 120 million laptops from all vendors shipped worldwide. And Apple has roughly 30 percent market share among smartphones. So that's maybe 20 million WiFi phones last quarter. However, the numbers are growing fast: I predict that by this time next year, WiFi phones will be exceeding laptops in shipments.

Robert Graham is CEO of Errata Security. Special to Dark Reading
