This issue crept up on me. I've been developing my own WiFi assessment tool, and whereas most tools focus on access points (in order to crack WEP), I put stuff into my tool to track client devices. I was working on the code at an airport while waiting for a flight. Rather than seeing the occasional notebook computer, I was astonished to see hundreds of mobile phones around me. A new device would appear at least once a minute.
Here is a sample output from the program from only a couple minutes of monitoring, showing the hardware IDs (with final two bytes obfuscated), followed by the manufacturer name and SSIDs the devices were trying to connect to:
[00:23:12:bb:xx:xx] Apple ""
[00:24:7d:25:xx:xx] Nokia ""
[00:1c:b3:04:xx:xx] Apple ""
[00:1e:52:88:xx:xx] Apple ""
[00:24:7c:65:xx:xx] Nokia ""
[00:1c:cc:33:xx:xx] BlackBerry "NETGEAR"
[00:24:9f:ba:xx:xx] BlackBerry "tmobile", "@Home"
[00:23:df:65:xx:xx] Apple ""
[00:23:7a:95:xx:xx] BlackBerry "tmobile", "@Home"
[00:25:00:75:xx:xx] Apple "ostra"
[04:1e:64:1f:xx:xx] Apple ""
[00:1c:cc:8d:xx:xx] BlackBerry "ibahn", "It's A Grind"
[00:21:06:b0:xx:xx] BlackBerry "ATL-WIFI"
[00:24:9f:d3:xx:xx] BlackBerry "tmobile", "@Home", "Primeline", "theBatCave"
[00:26:b0:94:xx:xx] Apple ""
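How a listing like this can be derived from 802.11 probe requests, shown as an added example that is not the author's tool: it parses constructed probe-request frames, bounds-checks the SSID element against the 32-byte limit, and masks the final MAC bytes. The function names, the sample frames and the small OUI table (prefixes copied from the listing above) are assumptions.

```python
from collections import defaultdict

# OUI prefixes copied from the listing above (not a full vendor registry).
OUI = {"00:23:12": "Apple", "00:24:9f": "BlackBerry", "00:24:7d": "Nokia"}
MAX_SSID = 32  # 802.11 caps the SSID element at 32 bytes

def parse_probe_request(frame: bytes):
    """Return (client_mac, ssid), or None if not a well-formed probe request."""
    if len(frame) < 24 or frame[0] != 0x40:  # version 0, management, subtype 4
        return None
    mac = ":".join(f"{b:02x}" for b in frame[10:16])  # addr2 = transmitting client
    pos = 24  # probe requests have no fixed fields; elements follow the header
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elen]
        if len(body) != elen:  # declared length runs past the end of the frame
            return None
        if eid == 0:  # SSID element
            if elen > MAX_SSID:  # oversize SSID: reject instead of copying it
                return None
            return mac, body.decode("utf-8", "replace")
        pos += 2 + elen
    return None

def track(frames):
    """Map each client MAC to the distinct SSIDs it probed for."""
    seen = defaultdict(list)
    for mac, ssid in filter(None, map(parse_probe_request, frames)):
        known = seen[mac]  # creates the entry even for wildcard-only clients
        if ssid and ssid not in known:
            known.append(ssid)
    return dict(seen)

def report(seen):
    """Format like the listing above, masking the final two MAC bytes."""
    return [f'[{mac[:11]}:xx:xx] {OUI.get(mac[:8], "unknown")} '
            + (", ".join(f'"{s}"' for s in ssids) or '""')
            for mac, ssids in seen.items()]

def make_frame(mac, ssid):  # constructed test frame, not captured traffic
    hdr = b"\x40\x00\x00\x00" + b"\xff" * 6 + bytes.fromhex(mac.replace(":", ""))
    return hdr + b"\xff" * 6 + b"\x00\x00" + bytes([0, len(ssid)]) + ssid

SAMPLE = [  # constructed frames; the final two MAC bytes are invented
    make_frame("00:24:9f:ba:00:01", b"tmobile"),
    make_frame("00:24:9f:ba:00:01", b"@Home"),
    make_frame("00:23:12:bb:00:02", b""),         # wildcard probe
    make_frame("00:24:7d:25:00:03", b"A" * 40),   # oversize SSID, dropped
]
```

Calling `report(track(SAMPLE))` yields two lines in the listing's format; the frame with the 40-byte SSID is rejected by the parser and never reaches the table.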
While Apple and BlackBerry dominate the list, that's not necessarily because they have the most WiFi-enabled phones. Instead, it's due to the fact that these phones encourage the user to turn on WiFi and leave it on.
In BlackBerry's case, it's because T-Mobile offers something called "unlicensed mobile access" (UMA), which means "making calls over WiFi." While at home near your access point, you can make calls over WiFi. The phone makes a VPN tunnel over your home network back to T-Mobile and uses standard VoIP protocols like SIP to make and receive phone calls. If you make a call at home and drive away, then the phone will automatically hand off the connection to the nearest cell tower, allowing a seamless phone call. Most important, while making calls at home, you aren't charged for any minutes. It will also work whenever you are near a T-Mobile hotspot. That is why in the above list so many BlackBerrys are searching for "tmobile" and "@Home" access points.
Apple encourages WiFi for other reasons. It has a ton of apps that rely on Internet connections, such as Twitter. The worst, of course, is iTunes (I missed an episode of South Park while on the road recently, so of course I simply downloaded it to the iPhone and watched it). According to reports, AT&T's network is already overloaded by iPhones, so everything Apple can do to encourage people to switch to WiFi will help.
There are a lot of other phones with WiFi, but it's typically turned off by default because there's no compelling reason to leave it on: They don't have good Web browsers, they don't have good applications, and they have features like T-Mobile's UMA. Thus, while I see the occasional Nokia, Palm, HTC, Samsung, or Windows Mobile device, they are pretty rare. This is going to change in the next year: Everybody is trying to catch up to Apple's runaway success.
This will change how companies deploy their own WiFi networks. During a recent corporate WiFi assessment, we were at a big campus that was blanketed by a typical Cisco WiFi corporate deployment. The company gave Dell laptops to all their employees, configured to hook up to the corporate network. The campus was full of cafes, little nooks, and conference rooms where people could get out of their cubicle and go work somewhere else.
Yet even in this laptop-rich environment, mobile phones accounted for half the devices trying to connect to WiFi. This poses a problem. For example, the notebooks all had the Cisco supplicant for connecting to the WPA2 corporate network. You can't get specific supplicants for the mobile phones, which poses a problem if companies want custom features in their supplicants. They had an unencrypted "guest" network, but apps on the iPhone can quickly screw that up. For example, an employee will often choose the same password for his Twitter account, then use a Twitter iPhone app that sends the password in the clear to anybody running a WiFi sniffer.
Another interesting problem is vulnerabilities. We reported a typical WiFi vuln in Windows Mobile to Microsoft three years ago (sending a long SSID in a Beacon packet). This was never patched. That's because Microsoft does not sell cell phones: It provides the Windows Mobile phones to device manufacturers (in this case, HTC). The device manufacturers aren't responsible either; they just provide the phones to the carriers (AT&T in this example). While Microsoft worked with us and HTC to make sure the problem was fixed in the code, AT&T had no interest in the vuln and refused to provide the patch to their customers. In contrast, Apple ships security fixes to the iPhone every couple months. Of course, everyone knows the Windows Mobile business model is fatally flawed -- the inability of Windows Mobile bugs to be fixed is just one example.
Apple has the worst problem: All of those apps written by third parties are horrible, with all the old vulnerabilities. In our penetration tests, the first thing we do is look for an iPhone app written by the customer. After simple reverse-engineering, we find we can break into the iPhone, the server it's talking to, or both. Exploitable smartphone? There's an app for that.
I don't know the exact numbers of WiFi-equipped mobile phones versus laptops, but a good number to start with is Apple's recent quarterly report. It shipped 7.4 million iPhones last quarter, compared to about 120 million laptops from all vendors shipped worldwide. And Apple has roughly 30 percent market share among smartphones. So that's maybe 20 million WiFi phones last quarter. However, the numbers are growing fast: I predict that by this time next year, WiFi phones will be exceeding laptops in shipments.
Robert Graham is CEO of Errata Security. Special to Dark Reading