The Ten Most Critical Wireless and Mobile Security Vulnerabilities
Inspired by the SANS Top 20, this list is a consensus of industry experts on wireless and mobile vulnerabilities that require immediate remediation. It is offered as a public service by the Mobile Antivirus Researcher’s Association. We welcome your feedback; this is a “living” document that will be updated frequently.
MARA membership is diverse. The spectrum of MARA members ranges from individuals such as authors, researchers and university professors, all the way to antivirus vendors, military experts, and publicly-traded, multi-billion dollar security corporations.
Membership in MARA is free. Candidates must have a proven history of scholarly publications in the field of mobile security or antivirus fields. Prospective members must also provide character references and sign a strict code of ethics against computer crime. If you your interests fall within the mobile security and antivirus fields, we need your help.
Wireless
1. Default WiFi routers
By default, wireless routers are shipped in an un-secured state. The result of this is that an attacker can easily connect to and configure the router to meet his or her own needs. The risks include changing the DNS server settings to a static IP that is owned by the attacker; or, uploading a hacked firmware version to the router that could put the attacker in full control of the data. Sniffing programs, wireless scanning drones, attack scripts, and more can be easily installed on the router, all of which would go undetected.
In addition to the active attacks against unconfigured routers, these devices can be used as a gateway for attackers to launch viruses/attacks/spam sessions. Since most routers have very limited logging, the attacker could have a nearly-perfect anonymous connection. Any attempt to trace the attack back to its origination will dead end at the wireless router.
2. Rogue Access Points
Wireless access points are easy to install. As a result, many individuals within companies have taken it upon themselves to set up an authorized access point, without informing the network administrator. Typically, these access points are not protected, which means they can be used by an attacker just as they can by a valid user.
Rogue access points can also be used to lure valid users away from their corporate network. If an attacker can setup an access point with a stronger signal than the valid one, the target’s computer automatically connects to the attackers AP. This is by design, and abuse is difficult to prevent since many systems will adjust connection details (type of encryption, channel, etc) without any interaction from the user.
3. Wireless Zero Configuration
When a computer connects to an access point, it generally stores the details of that connection locally. The next time the computer is turned on, the wireless network card immediately looks for the connection and re-establishes the connection – without user intervention.
This is accomplished by sending out a probe request into the airwaves with the SSID of the requested access point contained in the packet. The AP sees this packet and sends back a probe response, thus kicking off the connection routine. However, since the SSID value is sent as plain text, anyone with a sniffer can see it. They can use this information and configure an AP with the requested SSID, which will then detect the requested SSID and respond as expected. Programs like Karma automate this process and can quickly establish a connection with a wireless user, thus taking over their web connection, email, and more.
This function can be turned off by disabling it in the Services list of Windows XP. Other operating systems can be controlled by manually setting up the connection each and every time the wireless card is enabled.
4. Bluetooth exploits
BlueSnarfing: OBEX protocol exploit that allows hackers to secretly access the mobile phone’s calander, pictures, phone contact list, etc. without the owner knowing.
BlueBugging: Allows hackers to send SMS messages from a remote vulnerable phone spoofing the sender. This is not the same as BlueSnarfing, and it effects only some phones.
BlueJacking: By renaming the name of the phone, the hacker can trick victims into accepting bluetooth connections. Normally, the name of the phone will be what make and model the device is. If the hacker changes it to “click here for free cash” the victim will often mistakenly click the pop up, thus allowing the hacker to connect to the device. BluJacking can be used by hackers to infect phones, to show obscene movies, etc.
BlueTooth DoS attacks: As with most things, bluetooth is also vulnerable to certain types of denial of service attacks. Hackers can send invalid Bluetooth requests to a mobile device or phone and this will take up the whole channel. This hinders legitimate devices from making contact via Bluetooth with the attacked device.
5. WEP Weaknesses
WEP encryption is still one of the most common security implementations, and passwords can easily be cracked using Airsnort. It takes less then an hour to crack a busy access point’s password; the more packets captured, the faster it is to crack.
Handheld Mobile Devices (Smartphones and PDAs)
6. Clear Text Encryption Passwords
Mobile devices are portable. They get lost, stolen, and can quickly and easily be accessed when left lying around. Unfortunately, there are many third-party “encryption” programs that do not properly secure sensitive information such as username/password info, financials, etc. We have found that some of the most popular mobile encryption programs even store the password in plain text in the registry.
7. Malicious Code
“Airborne” mobile viruses have been increasing in complexity at a surprising pace. In the space of just one year, malware for mobile devices evolved to a complexity that took 20 years on desktop PCs. For example, we have already seen blended Trojan and virus threats that can spread through Smartphones using multiple wireless protocols. This could be problematic, as current mobile devices cannot support sophisticated antivirus software on current platforms.
Much of this “blended threat” malware activity has been seen on the Symbian Smartphone platform. For example, “Skulls” was one of the first trojans to infect Symbian Series 60 smart phones. When launched, the application claims to be an “Extended Theme Manager by Tee-222.” However, it then disables all other applications on the phone and replaces their icons with a skull and crossbones. Worse, it was more recently merged with Caribe to form the first “crossover” malware for smartphones.
Skulls and Caribe also merged to form Metal Gear, a trojan that masqerades as the game with the same name. Metal Gear uses Skulls to deactivate the devices antivirus. Thus, it was the first anti-AV malware for Symbian phones. The malware also drops SEXXXY.sis to the device, an installer that adds code to disable the handset menu button. The Trojan then uses Caribe to transmit itself to new devices
Another example of blending is the Gavno.a Trojan, which is spread via a file called patch.sis (it masquerades as phone patch). Gavno uses a malformed file to crash an internal Symbian process, thus disabling the phone. The effect is to disable all handset buttons and to completely prevent the user from making calls. It may also cause a continual rebooting loop. It is only 2kb in size, and it has already seen variants merged with Caribe to spread to other phones.
Other examples of viral evolution include the following:
- Dampig trojan: Notable in that it corrupts the system uninstallation settings, making it more difficult to remove
- Mabir virus: Similar to Cabir, but instead of Bluetooth it uses SMS to spread
- Commwarrior: also tries to disable the onboard antivirus software
- Frontal virus: causes a total system crash of the phone until it is removed
A newer development, and one that may be the most troubling, is the new breed of “cross-platform” mobile infectors. For example, the first mobile phone virus capable of infecting a PC was the Cardtrp worm. Cardtrp infects handsets running the Symbian 60 operating system and spreads via Bluetooth and MMS. If the phone has a memory card, it will drop the Win32 PC virus known as Wukill onto the card.
Conversely, the most recent type of malware does the opposite: it now cross-infects mobile devices from a PC. The first example of such malware, and the subject of this article, is a Trojan dubbed “crossover”, which spreads from a Win32 desktop machine to a Windows Mobile Pocket PC handheld.
When executed from Win32, the Trojan checks what version the current OS is; if it is not Windows CE or Windows Mobile, the virus makes a copy of itself and puts a startup command in the registry key of local-machine-current-version-run. The trojan then quietly waits for an activesync connection to be detected; it can wait indefinitely. When an Active Sync connection is detected, the trojan automatically copies itself to the handheld device and remotely executes the trojan. The handheld device is now infected. The Trojan will then begin to delete documents on the handheld.
Unlike the Dust virus, Crossover does not require a complex exploit in the host operating system in order to succeed. Nevertheless, it is a significant step forward in mobile malware evolution. It also raises the question: using the OpenNETCF library and the Microsoft CF library, will it be this easy for virus writers to continue to port the 100,000+ examples of PC malware to Smartphones and PDAs?
8. Autorun
Windows Mobile devices contain a little-known autorun feature that can provide an attacker with a quick and easy method of infection. When a media card is inserted into the PDA, Windows Mobile will copy over the autorun.exe (if it exists), create a copy in the /Windows directory, and execute it. WM5 does question the user if the application can be launched, but previous version of WM and Pocket PC do not. The file remains on the PDA until the media card is removed. A user can prevent this by creating a read-only dummy executable called autorun.exe and put it in the /Windows folder.
Voice Over IP
9. Multiple VoIP attacks
Voice over IP (VoIP) is available on many of the portable handheld devices on the market via natively installed software or third party add-ons. The flexibility and low costs of VoIP makes it an extremely attractive feature. A user can often locate an open wireless network and use VoIP instead of their cell phone service, which may not even provide coverage in the local area. However, there are numerous problems with VoIP that can create an unstable and insecure environment for users.
VoIP is mostly sent in an unencrypted format. As a result, anyone can see the connection information and capture/record the conversation. Programs like VoMiT and Cain & Abel can easily capture and record conversations. Other programs like sipbomber can kick a user offline. In addition, SiVus (a VoIP scanner) can quickly locate VoIP enabled systems (phones or servers), and scan them for vulnerabilities that can cause overflows or DoS attacks.
Miscellaneous
10. Lost and stolen devices
This is perhaps the greatest threat for inadvertent disclosure of enterprise data. To help mitigate this, all mobile databases (including patient medical records, financial institution customer lists, etc.) should be encrypted. Layered security such as encrypted file systems, etc. are also important. Remote data wipe is controversial, as it has the potential of being exploited by mass-deleting network worms. A good, written security policy and user education are also important. Mobile devices should all have a login copyright banner, along with return information (optionally advertising a reward for returning lost devices).
Disclaimer
Please send feedback and comments to us at www.mobileav.org. Copyright (c) 2006 MARA.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use on an AS IS condition. There are no warranties with regard to this information. Neither the individual authors nor MARA accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.