What is your phone saying behind your back?


Do you always turn WiFi off on your smartphone before leaving the house or work?

You might think there's no harm in having your WiFi turned on but not connected to a network, but that's not necessarily the case.

A wireless device goes through a discovery process in which it attempts to connect to an available wireless network. This may either be ‘passive’ - listening for networks which are broadcasting themselves - or ‘active’ - sending out probe request packets in search of a network to connect to.

Most devices use both passive and active discovery in an attempt to connect to known/preferred networks. So it's very likely that your smartphone is broadcasting the names (SSIDs) of your favourite networks for anyone to see.

This alone might be enough for someone to glean information about you: where you work, where you live or your favourite coffee shop for instance.
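To see exactly what an active probe discloses, the sketch below parses 802.11 probe request frames and lists the network names each transmitter asked for, the kind of check you could run over a capture of your own device. It is an added example, not the software used in the demo described in this article; it assumes raw 802.11 frames with no radiotap header or trailing checksum, and the frames and MAC address in it are constructed test data.

```python
MGMT_HEADER_LEN = 24          # frame control, duration, 3 addresses, sequence control
SSID_ELEMENT_ID = 0

def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request; ssid is None for a wildcard probe.
    Returns None for other frame types or malformed input."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    version, ftype, subtype = frame[0] & 0x3, (frame[0] >> 2) & 0x3, frame[0] >> 4
    if (version, ftype, subtype) != (0, 0, 4):      # management frame, subtype 4
        return None
    source = ":".join(f"{b:02x}" for b in frame[10:16])   # address 2 = transmitter
    pos = MGMT_HEADER_LEN
    while pos + 2 <= len(frame):                    # walk the tagged elements
        elem_id, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            return None                             # element runs past end of frame
        if elem_id == SSID_ELEMENT_ID:
            if length > 32:
                return None                         # SSIDs are at most 32 bytes
            return source, (value.decode("utf-8", "replace") if length else None)
        pos += 2 + length
    return None

def disclosed_ssids(frames):
    """Map each transmitter to the set of network names it named in directed probes."""
    leaked = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1] is not None:
            leaked.setdefault(parsed[0], set()).add(parsed[1])
    return leaked

def build_frame(fc0: int, source: bytes, ssid: bytes) -> bytes:
    """Construct a sample frame (constructed test data, not a capture)."""
    broadcast = b"\xff" * 6
    header = bytes([fc0, 0]) + b"\x00\x00" + broadcast + source + broadcast + b"\x00\x00"
    rates = bytes([1, 4, 0x02, 0x04, 0x0b, 0x16])   # supported-rates element
    return header + bytes([0, len(ssid)]) + ssid + rates

PHONE = bytes.fromhex("020000000001")               # constructed, locally administered MAC
SAMPLE_FRAMES = [
    build_frame(0x40, PHONE, b"BTHomeHub-XYZ"),     # directed probe: names a saved network
    build_frame(0x40, PHONE, b""),                  # wildcard probe: names nothing
    build_frame(0x80, PHONE, b"SomeAP"),            # beacon subtype (8): ignored
]

if __name__ == "__main__":
    print(disclosed_ssids(SAMPLE_FRAMES))
```

Only the directed probe leaks a name; the wildcard probe carries a zero-length SSID element and reveals nothing about the device's saved networks.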

Even worse, an attacker could set up a rogue WiFi with the same SSID as the one you are trying to connect to with the aim of forcing your phone to connect and transfer data through it.

So while someone knowing that your phone is trying to connect to ‘BTHomeHub-XYZ’ isn’t immediately damning, it may allow them to launch a ‘man-in-the-middle’ attack against you: intercepting data sent between you and a friend and giving the impression that you’re talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

An ‘evil twin’ attack could even accomplish this without needing any knowledge of your WiFi password - very damaging for all of those who use mobile banking for instance!

I decided to test to see just how much of this potentially compromising data is flying through the airwaves.

At a recent university open day in Warwick, UK, I ran a security demo in which I collected this data from people walking past and displayed it for all to see.

In five hours, 246 wireless devices came into range. 49% of these devices were actively probing for their preferred networks to connect to, resulting in 365 network names being broadcast.

25% of these appeared to be customised, non-standard network names and 7% of the names revealed location information, including three where the network name was actually the first line of an address. The most popular non-customised SSIDs were all variants of ‘BTHomeHub’, which accounted for 7%.

What makes this even more worrying is how easily I was able to capture this sensitive information. A tiny wireless router I purchased from eBay for $23.95 and some freely available software I found on Google were all I needed. I didn’t even need to understand anything about the 802.11 protocols that govern WiFi to carry out this attack!

Coupled with a portable power source (the router draws around 100mA at 5V over micro USB), this device could be stuck under a park bench or hidden in a plant pot in a shopping centre. What's more, this same device is capable of creating a targeted rogue access point and tricking your phone into connecting to it.

So how do we stop our phones spilling our secrets behind our backs?

The unfortunate news is there doesn’t appear to be an easy way to disable active wireless scanning on smartphones like Androids and iPhones.

However, you can at least tell your phone to ‘forget’ networks you no longer use to minimise the amount of data leakage.

It's also worth configuring your phone to automatically turn on/off wireless in certain places using a location-aware smartphone app.

This said, maybe having your favourite wireless network name broadcast for anyone to see is useful? At least, in my experiment, the person broadcasting the SSID of ‘IT SUPPORT CALL 0192x xxxxxx’ (number redacted) clearly thought so!

Evil twins and smartphone drawing, courtesy of Shutterstock.

25 Responses to What is your phone saying behind your back?

  1. outsidethemarginals · 1101 days ago

    Presumably this also applies to laptops - or is the wifi on laptops more discrete?

  2. Kasun · 1101 days ago

    Applications like Foursquare always ask to turn on Wifi...

  3. Anonymous · 1101 days ago

    So, am I to be concerned about my iPad? Would that be the same as smart phone? Using it in a public location? And would turning off the wifi and only connecting via cellular data when in public be better? One last question, having your wifi turned on out in public, walking around with your iPad asleep in your backpack, is that safe? Or is it still at risk? (oops that was 2 questions!)

    Thank you. Making your posts understood by the technically challenged is great.

    • Michael · 1100 days ago

      If your iPad is OFF then it can't scan so would be safe; if the screen is just locked it will more than likely still be scanning for wifi networks

      • Anonymous · 1100 days ago

        Thanks Michael,

        Wow, who knew? When the iPad is asleep, put away in my bag while I am out walking or driving around it is STILL scanning? I thought asleep was like being off, only came back on quicker.

    • Pimpboy · 1099 days ago

      Connect via VPN. This is possible with iOS

  4. carnation · 1101 days ago

    if wifi remains off then there is no harm?

  5. Johnny · 1101 days ago

    How about some recommendations for location-aware smartphone apps that can help with this problem?

  6. Gary · 1100 days ago

    I can see how this might work in an unsecured network (eg a 'free' wifi spot) - NEVER do anything like banking on a free network.
    My question is how can this 'man-in-the-middle' work if my wifi connection is secured, ie, requires a password?

  7. Lynnoire · 1100 days ago

    Isn't man in middle attack only possible if your trusted ssid is open : ie no authentication? if you have the ssid as trusted with password then a broadcasting ssid is detected without password but same name does this enable a hi-jack opportunity ?? Anyone have the answer

  8. nonsensewordsat · 1100 days ago

    If a smartphone attempts to connect to a spoofed network protected by WPA2, can the password be harvested by the router spoofing the site?

  9. Mads · 1100 days ago

    Gary, the reason it works is that if you're in a, say Starbucks, minding your own business, your phone will, if not connected to a wifi, broadcast the names of its preferred SSIDs.

    With this information I can set up a Malicious Wireless Access point with the same SSID, and your phone might connect to it, even though my AP doesn't use the same password as your own.

    With your phone now on my network, I can do all kinds of mischief.

    • Doug · 1099 days ago

      I had assumed that devices wouldn't simply connect because of the same SSID, but if they do, that is indeed problematic. Shouldn't they be able to use the router's MAC to restrict the connection, though?

  10. Chris · 1100 days ago

    If someone retrieves the name of a trusted network of mine and sets up that SSID on a rogue router, would my device automatically connect to it if the trusted network required a password originally?

  11. Bob Taylor · 1100 days ago

    "If wifi remains off then there is no harm?"

    This would be correct.

    "So, am I to be concerned about my iPad?"

    It depends on how personal the information on the device would be. With tablets the only way to secure them in a similar situation would likely be to turn them off. These devices are not worth much in most cases without network connectivity unless used with Bluetooth connections for something like a car OBD-II dongle or similar device and I'm not sure of their ability to even use similar devices in the way phones are. If in doubt just shut the unit off.

    I use AT&T public Wifi at McDonalds from time to time. I am an AT&T subscriber with an android phone. Should I be worried about this?

  12. Troy · 1100 days ago

    @outsidethemarginals yes it does, it applies to any wireless 802.11abgn devices

    As Gary said it is only of major concern (in relation to man-in-the-middle attack) when using open or WEP secured wireless networks. A network secured properly using WPA/2 AES/TKIP requires the Pre Shared Key (or dot1X authorisation) on the Access point for a client to connect.

    This mostly comes about when using hidden SSID's

    On one hand when you hide a SSID the access point doesn't advertise the SSID but the clients will when trying to find the access point, but, when you enable the broadcast of the SSID the access point will advertise the SSID and the clients won't as they will see it and connect (and so will any other client that has "connect to non-preferred networks" enabled, they may not succeed but they will try)

    The other thing to note here is that for the majority of location based services (Google maps, Apple Maps, etc), this is done utilising the wireless as it’s less power demanding than the GPS, so any location aware wireless tool will need to use the GPS full time

  13. Jim · 1100 days ago

    How 'bout some location-aware apps for Android ?

    It's very annoying that my Galaxy S III is always trying to jump on every network like a horny dog jumping on your leg. When I turn off Wi-Fi, it later turns back on by itself.

    • Jenn · 1099 days ago

      good to know, Jim. I am wanting to buy a GSIII, There's gotta be a way, or at least a task killer that can tame the fella. Does constant wi-fi action noticeably drain the battery?

      • Jim · 1099 days ago

        I've talked to Sprint about it and it doesn't seem that you can "kill it." Maybe a third party app can do it. I'm waiting for Jelly Bean. Maybe that will solve it.

        On my iPad or my wife's iPhone 4S, if you turn it off it stays off. Maybe it's the carrier - Sprint wants you on wi-fi, rather than draining the network.

        It does not seem to drain the battery. I charge mine every night out of habit. It goes all day, no problems. I'm an average user. Not too heavy on data or media.

        Other than that, the GS III rocks.

  14. Mark · 1099 days ago

    Just use this as your SSID: "Police Surveillance Van 12"

  15. Jim · 1099 days ago

    Mark -that is a damn good idea.

  16. Have you ever tried to get an iPhone to forget a network that is no longer in range? Possible? There could be all sorts of ssid probes but there appears no way of forgetting networks that are no longer available.

    Why don't they make a list of both active and inactive networks so you can forget them regardless of it being in range?

  17. @CybercrimeForum · 1095 days ago

    You will save battery by turning off wifi when you go out too. Win-Win. !!

  18. Enthusiast · 895 days ago

    Hi Julian,
    thanks so much for sharing insightful information. If you do not mind sharing, what is the freeware software that you used in this exercise?
    Best regards,

  19. Anonymous · 464 days ago

    Hi Julian, which tool did you use to capture the phone SSID attempts?

About the author

Julian Bhardwaj is currently a student at the University of Warwick studying for an undergraduate degree in Discrete Mathematics. As a self confessed crypto-geek, he has a passion for all things security related.