I’ve made it a habit to disable my phone’s WiFi radio whenever I leave my apartment. And after reading a report published yesterday on Ars Technica, I’m glad that I do. A sample test they ran with some WiFi-enabled phones and readily-available packet-sniffing tools clearly show that our WiFi radios are broadcasting sensitive information about the networks we connect to, making them vulnerable to attack.
In other words, that free WiFi you get at your local coffee shop might end up getting your phone hacked, even when you’re not there.
Wireshark
The tool Ars used to analyze wireless LAN packets is called Wireshark, a free and open source program available for Linux, OS X, and Windows computers. Similar tools—ones that can log wireless traffic, at least—are available for Android. You don’t have to be connected to any specific network to see the activity of devices around you; because of the way WiFi on your device works the radio is constantly announcing its availability. In Ars’ case, even though their test was limited to a few volunteered phones there was no shortage of packets to sniff:
In the course of the test, because we didn’t have a Faraday cage erected around us, we also picked up a few other signals—cell phones in adjoining buildings, passing cars, and even the handheld computer of an express delivery driver.
Wireshark enables its user to not only sniff packets but filter out everything but “probe” requests—that is, a device seeking a WiFi connection. Pairing this with publicly-available databases of geo-located wireless networks can give an attacker a pretty good idea of places that you and your device frequent.
Sample Intelligence
Here’s what Ars was able to gather from just one device in their test:
- The user’s workplace network name
- Their home network name
- The SSID of their swim club
- The SSIDs for the guest networks of two stores they shopped at
- The SSID of a guest network for an auto dealer
- SSIDs for hotel and airport networks
- The SSID of a location visited on a recent overseas business trip
Attack Vector
The really scary part is what an attacker can do with this information. While your home and work WiFi networks may be secured with WPA encryption, chances are that the guest WiFi at that auto dealer (for example) is not. Someone with a rogue access point like a WiFi Pineapple can spoof that unsecured network for a classic man-in-the-middle attack.
And because your device is looking for that network anyway, you don’t have to be anywhere near that network for the attack to take place.
Once an attacker is present on your network they can harvest your account passwords, read your email and other data on your device. It doesn’t matter if your favourite apps and/or websites use SSL; that can be compromised too.
What You Can Do
There are at least two apps for Android that will reign in your WiFi radio: Smarter WiFi Manager by Kismet (paid) and Wi-Fi Matic (free). For iPhone users, a fix for probe-sniffing is apparently built into iOS 8, but doesn’t work very well. Honestly, the best solution is to leave your WiFi off except in places where you’re actually going to be using it—hopefully not an unencrypted public network!
