Dailydave mailing list archives
Wireless Disclosures
From: Christos Kalkanis <chris () immunityinc com>
Date: Thu, 22 Mar 2012 17:10:23 -0400
So, recently, Immunity's wifi maestro Mark Wuergler was featured in an Ars Technica article [1] that caused quite a stir amongst the readers. The Ars article is a short summary of Mark's Infiltrate 2012 presentation [2] that demonstrates how seemingly common information disclosures can lead to more powerful disclosures and consequently security disasters. In this case, the device that facilitates these disclosures is the iPhone.

The first disclosure, that of the SSID, is very simple. The target device must have wifi enabled and not be connected to a wireless network. The premise then is that as long as one is in the vicinity of the target, he will capture the SSIDs of all recent networks that the target has connected to.

Comments to the Ars article imply that this should never happen, and refer to a blog post written by Robert Graham of Errata Security [3]. Some quotes from Robert's post:

"I like criticizing Apple security but they have implemented one of the most fantastically important security features ever: they don't broadcast the SSID they are looking for."

"Apple does something clever. Instead of broadcasting the access-points it's interested in, it sends out a broadcast looking for ANY access-point. It will only connect if an access-point has the correct name."

In our experience, this is not exactly the case. What Robert describes does happen but, after a couple of minutes, if a connection has not yet been established, the iPhone will indeed broadcast probes for all recently connected SSIDs. How recent is recent? In our experiments, _all_ SSIDs stored in the device were being disclosed. We've seen this behavior with iOS 3, 4 and 5. This is obvious in the attached packet capture screenshot, where one can see the initial broadcasts to ANY as described by Robert, but then comes the disclosure with all stored SSIDs being broadcast.
With a disclosure of this kind complete, the attacker can impersonate access points and, in some cases, the target iPhone will _automatically_ and without user intervention connect to him. For obvious reasons, the automatic connection will take place if the disclosed SSID belongs to an open network.

The second disclosure that came up in the Ars comments has to do with the MAC addresses of previously seen DHCP servers (which are normally running as part of the wireless access points). Assuming the attacker is in control of a network that the target iPhone has connected to (the first disclosure can be used to trigger this), all the attacker needs to do is _not_ give an IP to the device. This behavior is documented in RFC 4436 [4]:

"In this case, the host may determine whether it has re-attached to the logical link where this address is valid for use, by sending a unicast ARP Request packet to a router previously known for that link (or, in the case of a link with more than one router, by sending one or more unicast ARP Request packets to one or more of those routers)."

In the case of the iPhone, if the current network does not have DHCP configured, then the iPhone will disclose the MAC addresses of the last 3 DHCP servers it has seen, with possible remaining lease time considerations. It does not matter if the SSIDs (current network, past networks) do not match, as they are not taken into account.

Summarizing, we see how a simple disclosure can be used to propagate an attack or trigger a more serious disclosure.

[1] - http://arstechnica.com/apple/news/2012/03/loose-lipped-iphones-top-the-list-of-smartphones-exploited-by-hacker.ars
[2] - http://prezi.com/rpx0w4krsi3y/secrets-in-your-pocket-mark-wuergler/
[3] - http://erratasec.blogspot.com/2010/05/more-air-is-full-of-packets.html
[4] - http://www.ietf.org/rfc/rfc4436.txt - Detecting Network Attachment in IPv4
--
Christos Kalkanis
Immunity Inc.
1130 Washington Avenue 8th Floor
Miami Beach, Florida 33139
P: 786.220.0600
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
http://lists.immunityinc.com/mailman/listinfo/dailydave
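The probe request SSID disclosure discussed in the post above, as an added example that is not part of the original message or of Immunity's tooling: a small Python parser for raw 802.11 probe request frames (no radiotap header assumed) that tallies, per station, wildcard "ANY" probes against probes naming a remembered SSID, which is the check a defender would run over a capture to see which handsets are advertising their stored networks. The MAC addresses, SSIDs and frames are constructed sample data.

```python
# Added example (not from the post): parse raw 802.11 probe requests (no radiotap
# header) and tally wildcard ("ANY") probes versus named-SSID probes per station.
import struct
from collections import defaultdict
MGMT_HDR = 24          # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
PROBE_REQ_FC0 = 0x40   # frame control byte 0: type 0 (mgmt), subtype 4 (probe req)
TAG_SSID = 0           # SSID information element; length 0 means wildcard/ANY

def parse_probe_request(frame):
    """Return (source MAC, SSID) or None if not a well-formed probe request."""
    if len(frame) < MGMT_HDR or frame[0] != PROBE_REQ_FC0:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # Addr2 = transmitter
    pos = MGMT_HDR
    while pos + 2 <= len(frame):                        # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:                         # truncated element
            return None
        if tag == TAG_SSID:
            return src, value.decode("utf-8", "replace")
        pos += 2 + length
    return None                                         # no SSID element at all

def summarize(frames):
    """Per station: count of wildcard probes and the set of SSIDs it named."""
    wildcard, named = defaultdict(int), defaultdict(set)
    for src, ssid in filter(None, map(parse_probe_request, frames)):
        if ssid:
            named[src].add(ssid)
        else:
            wildcard[src] += 1
    return dict(wildcard), dict(named)

def disclosing_stations(frames, threshold=3):
    """Stations naming >= threshold distinct SSIDs: the behaviour the post describes."""
    return sorted(s for s, ssids in summarize(frames)[1].items() if len(ssids) >= threshold)

def build_probe_request(src, ssid):
    """Construct a minimal probe request (sample data, not a real capture)."""
    src_b = bytes(int(x, 16) for x in src.split(":"))
    hdr = struct.pack("<BBH6s6s6sH", PROBE_REQ_FC0, 0, 0, b"\xff" * 6, src_b, b"\xff" * 6, 0)
    ssid_b = ssid.encode()
    return hdr + bytes([TAG_SSID, len(ssid_b)]) + ssid_b + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])

# Constructed capture: ...01 sends ANY probes then names every stored network; ...02 only sends ANY.
STORED = ["HomeNet", "CoffeeShop", "HotelGuest", "OfficeWiFi"]
SAMPLE_FRAMES = ([build_probe_request("02:00:00:00:00:01", "")] * 3
                 + [build_probe_request("02:00:00:00:00:01", s) for s in STORED]
                 + [build_probe_request("02:00:00:00:00:02", "")] * 4)
```

Running `summarize(SAMPLE_FRAMES)` shows station ...01 with 3 wildcard probes and four named SSIDs, while ...02 shows only wildcard probes; `disclosing_stations` returns just ...01.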
Current thread:
- Wireless Disclosures Christos Kalkanis (Mar 22)
- Re: Wireless Disclosures Robert Graham (Mar 23)
- Re: Wireless Disclosures Mark Wuergler (Mar 23)