Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

RSA 2014: CTO demos mobile Wi-Fi hack to capture sensitive app data

At RSA Conference 2014, a CTO demonstrated a number of relatively easy ways that mobile devices can be pwned by attackers.

Of note, Jeff Forristal, CTO of San Francisco-based Bluebox Security, showcased one Wi-Fi attack method that could trick smartphones into connecting to spoofed service set identifiers (SSIDs), used to uniquely identify wireless networks.

Forristal presented the findings on Wednesday during a session, called “Predatory Hacking of Mobile Devices: Real Demos.” Throughout his talk, he emphasized the ease with which smartphones could auto-connect to fake networks leveraged to steal users' sensitive data.

To carry out the hack, Forristal said a Wi-Fi radio (used to broadcast "available," but spurious SSIDs) would be needed. In addition, a software access point, another radio, would be used to trick devices into taking the bait and connecting, he said.

With a third cellular radio, Forristal was able to verify the connection by giving mobile devices the information they requested. He noted that all of the tools needed for the hack were completely legal, and easily purchased.

A Wi-Fi pineapple, for instance, which can be purchased for around $100, was one of the devices that Forristal mentioned.

“This thing was purpose built for Wi-Fi shenanigans,” he told the crowd.

By exploiting security issues in Android or iOS devices (a WebView JavaScript callback issue in Android, and an iOS secure sockets layer verification error) and using the available tools, an attacker could launch man-in-the-middle attacks to glean clear text data exposed by mobile apps, Forristal said.

Information such as device IDs, GPS location data and international mobile station equipment identity (IMEI) numbers, were exposed by the popular weather app AccuWeather that was targeted in the demo.

Last July, Bluebox exposed a major vulnerability in Android devices which could allow an attacker to hijack any legitimate app without modifying its digital signature. And at this year's RSA Conference, Forristal demonstrated how a number of risky activities, combined with known flaws in devices, could further open devices to attacks resulting in data theft.

Haphazardly using Wi-Fi or Bluetooth connections, or downloading malicious or “leaky” apps, are a prime example of how mobile devices could be exposed, he explained.

“Every single one of those activities carries risks and opens up attack surfaces,” Forristal said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.