Do you always turn WiFi off on your smartphone before leaving the house or work?
You might think there’s no harm in having your WiFi turned on but not connected to a network, but that’s not necessarily the case.
A wireless device goes through a discovery process in which it attempts to connect to an available wireless network. This may either be ‘passive’ – listening for networks which are broadcasting themselves – or ‘active’ – sending out probe request packets in search of a network to connect to.
Most devices use both passive and active discovery in an attempt to connect to known/preferred networks. So it’s very likely that your smartphone is broadcasting the names (SSIDs) of your favourite networks for anyone to see.
This alone might be enough for someone to glean information about you: where you work, where you live or your favourite coffee shop for instance.
Even worse, an attacker could set up a rogue WiFi with the same SSID as the one you are trying to connect to with the aim of forcing your phone to connect and transfer data through it.
So while someone knowing that your phone is trying to connect to ‘BTHomeHub-XYZ’ isn’t immediately condemning, it may allow for them to launch a ‘man-in-the-middle’ attack against you, intercepting data sent between you and a friend, giving the impression you’re talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
An ‘evil twin’ attack could even accomplish this without needing any knowledge of your WiFi password – very damaging for all of those who use mobile banking for instance!
I decided to test to see just how much of this potentially compromising data is flying through the airwaves.
At a recent university open day in Warwick, UK, I ran a security demo in which I collected this data from people walking past and displayed it for all to see.
In five hours, 246 wireless devices came into range. 49% of these devices were actively probing for their preferred networks to connect to, resulting in 365 network names being broadcasted.
25% of these appeared to be customised, non-standard network names and 7% of the names revealed location information, including three where the network name was actually the first line of an address. The most popular non-customised SSIDs were all variants of ‘BTHomeHub’, which accounted for 7%.
What makes this even more worrying was how easily I was able to capture this sensitive information. A tiny wireless router I purchased from eBay for $23.95 and some freely available software I found on Google was all I needed. I didn’t even need to understand anything about the 802.1 protocols that govern WiFi to carry out this attack!
Coupled with a portable power source (the router draws around 100mA at 5V over micro USB), this device could be stuck under a park bench or hidden in a plant pot in a shopping centre. What’s more, this same device is capable of creating a targeted rogue access point and tricking your phone into connecting to it.
So how do we stop our phones spilling our secrets behind our backs?
The unfortunate news is there doesn’t appear to be an easy way to disable active wireless scanning on smartphones like Androids and iPhones.
However, you can at least tell your phone to ‘forget’ networks you no longer use to minimise the amount of data leakage.
It’s also worth configuring your phone to automatically turn on/off wireless in certain places using a location-aware smartphone app.
This said, maybe having your favourite wireless network name broadcasted for anyone to see is useful? At least, in my experiment, the person broadcasting the SSID of ‘IT SUPPORT CALL 0192x xxxxxx’ (number redacted) clearly thought so!Follow @NakedSecurity