Hacking smartphones with ease
Many of us carry almost every detail of our lives on our phones - so how secure are we from those who might want to know what we're saying and doing on the move? We know how insecure the voicemail of some famous folk turned out to be a few years back; surely today's sophisticated smartphones are much less vulnerable?
I've been conducting an experiment with a company which offers to protect the phones and e-mail accounts of high-profile individuals - not, I hasten to add, because I fit either category but to find out how vulnerable all of us with modern mobiles might be.
So I challenged Tom Beale of Vigilante Bespoke to do his worst with my iPhone 4. First, I asked him to get through the initial layer of security, the passcode on the front screen. There's a well-known method for this, which Apple keeps trying to patch, but it proved a matter of moments for Tom, who was soon looking at my contacts.
This is obviously worrying if you lose your phone; in that case, there is a way to remove everything on it remotely. And Apple points out that its latest software update for the iPhone, released on Monday, has now fixed this problem once more.
Of greater concern was what Tom showed me about the danger of connecting to wireless networks on the move.
He and a colleague used a netbook computer to set up a wireless access point. They called it "BTOpenzone", a network my phone and many others look out for and join. I watched as they showed me a range of devices in their office in London's Soho looking at the network - including my phone.
Tom explained to me that any mobile, when not connected to wi-fi, transmits what he called probe requests looking for networks which it has used previously. "Probe requests are essentially a loud shout - is there any wi-fi access point near me with the name 'BTOpenzone'?"
My phone then connected to the access point - it was dumb enough just to check the name, rather than comparing the address with others it had previously used.
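The name-only matching described above can be set beside a stricter join policy. The Python below is an added example, not code from the article or from any phone vendor; the profile format, decision names and sample addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SavedNetwork:
    """A network the device has joined before (hypothetical profile format)."""
    ssid: str
    security: str                      # "open" or e.g. "wpa2-psk"
    seen_bssids: set = field(default_factory=set)


@dataclass
class Beacon:
    """What a nearby access point advertises about itself."""
    ssid: str
    bssid: str
    security: str


def normalise_bssid(bssid: str) -> str:
    """Compare hardware addresses case-insensitively and with one separator."""
    return bssid.strip().lower().replace("-", ":")


def name_only_decision(saved: SavedNetwork, beacon: Beacon) -> str:
    """The behaviour the article describes: the network name alone decides."""
    return "join" if beacon.ssid == saved.ssid else "ignore"


def join_decision(saved: SavedNetwork, beacon: Beacon):
    """Return (decision, reasons); decision is 'join', 'ask', 'block' or 'ignore'."""
    if beacon.ssid != saved.ssid:
        return "ignore", ["SSID does not match the saved profile"]

    reasons = []
    known = {normalise_bssid(b) for b in saved.seen_bssids}
    if normalise_bssid(beacon.bssid) not in known:
        reasons.append("access point address (BSSID) not seen before for this SSID")

    # A saved network that reappears with different security is not the same network.
    if beacon.security != saved.security:
        reasons.append(f"security changed from {saved.security} to {beacon.security}")
        return "block", reasons

    if saved.security == "open":
        # With no key exchange, the name and the address are both unverified claims,
        # so a matching BSSID is not proof either: always involve the user.
        reasons.append("open network: nothing proves who operates it")
        return "ask", reasons

    # Protected network, same security: the handshake only completes if the access
    # point knows the passphrase, so a new BSSID (replacement router, second access
    # point) is recorded as a note rather than treated as a failure.
    return "join", reasons


# Constructed sample data (locally administered addresses, not real devices).
HOTSPOT = SavedNetwork("BTOpenzone", "open", {"02:00:00:00:00:01"})
HOME = SavedNetwork("HomeNet", "wpa2-psk", {"02-00-00-00-00-AA"})
LOOKALIKE = Beacon("BTOpenzone", "02:00:00:00:00:99", "open")

if __name__ == "__main__":
    print("name only :", name_only_decision(HOTSPOT, LOOKALIKE))
    print("with check:", join_decision(HOTSPOT, LOOKALIKE))
```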
"Once the device is connected to our access point," Tom explains, "its user is able to browse the web as normal. Unbeknown to them, the web traffic is being transmitted through our computer. The program examines the traffic between users and websites, looking for data containing cookies."
Among my cookies - the small pieces of code which smooth our path to frequently-visited sites - was at least one for Facebook. Within seconds, Tom had access to my account on the social network: he didn't have my password, but the cookie allowed him to masquerade as me.
My attackers could do whatever they liked: change my status, read through my contacts and so on.
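From the site operator's side, the exposure described here shows up in the response headers. The Python below is an added example, not part of the original article; the host name, cookie names and header samples are constructed, and it checks only the Secure cookie attribute (RFC 6265) and the Strict-Transport-Security header (RFC 6797).

```python
from urllib.parse import urlsplit

# Issue codes returned by audit_response(), with a short explanation of each.
ISSUES = {
    "sent-in-clear": "cookie set on an http:// response; any device relaying "
                     "the traffic can read it",
    "missing-secure": "no Secure attribute; the browser will also attach the "
                      "cookie to http:// requests",
    "no-hsts": "no Strict-Transport-Security header; later visits may still "
               "start over http://",
}


def parse_set_cookie(value):
    """Split one Set-Cookie header value into name, value and attributes."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, attr_value = part.partition("=")
            attrs[key.strip().lower()] = attr_value.strip()  # names are case-insensitive
    return {"name": name.strip(), "value": cookie_value.strip(), "attrs": attrs}


def audit_response(url, headers):
    """Audit one response. headers is a list of (name, value) pairs.

    Returns a list of (subject, issue_code) tuples; the subject is the cookie
    name, or the host name for the HSTS check.
    """
    parts = urlsplit(url)
    https = parts.scheme.lower() == "https"
    findings = []
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(header_value)
        if not https:
            findings.append((cookie["name"], "sent-in-clear"))
        elif "secure" not in cookie["attrs"]:
            findings.append((cookie["name"], "missing-secure"))
    # HSTS is only honoured on HTTPS responses, so it is only checked there.
    if https and not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append((parts.hostname, "no-hsts"))
    return findings


# Constructed sample responses for a made-up site.
PLAIN_HTTP = ("http://social.example.test/home",
              [("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
HTTPS_WEAK = ("https://social.example.test/login",
              [("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
               ("Set-Cookie", "prefs=dark; Path=/; Secure")])
HTTPS_GOOD = ("https://social.example.test/login",
              [("Set-Cookie", "session=abc123; Path=/; HttpOnly; SECURE"),
               ("Strict-Transport-Security", "max-age=31536000")])

if __name__ == "__main__":
    for url, headers in (PLAIN_HTTP, HTTPS_WEAK, HTTPS_GOOD):
        print(url)
        for subject, code in audit_response(url, headers) or [("-", None)]:
            print("   ", subject, "->", ISSUES.get(code, "no findings"))
```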
They then moved on to the final stage of the demo, using a program they'd written to send me a spoof text message. Having spotted my wife's phone number on Facebook, they sent a message which popped up on my phone appearing to come from her. In the wrong hands, of course, such a program could provide scope for all sorts of mischief.
I should stress that while we used an iPhone for this experiment, other smartphones are equally vulnerable to these kinds of attacks.
So what should we learn? Obviously, it's not a good idea to leave your valuable phone lying around, or to respond to texts from friends which seem out of character.
The main lesson must be how insecure you can be if you sit in a public place and go online using an open network. I'd heard about , a tool demonstrated recently as a warning of the dangers of open networks and unencrypted cookies. But sitting and watching as your entire life - or rather your social-networking life - is laid bare is very sobering.
Facebook sent me this statement about the security issues this demonstration appears to raise:
"Facebook takes the security of people using the platform very seriously. We advise people to be very careful about the information they access or send from an unsecured public wireless network. We're working hard to make Facebook the safest platform online, and are currently investigating how to best roll out more secure login processes, including SSL, that will enable people to use Facebook on unsecured wi-fi networks with total peace of mind."
But Facebook is just one of many services whose mobile users are vulnerable to the kind of attack we've demonstrated. So, better safe than sorry: from now on I will be switching off the wi-fi button on my phone whenever I leave the security of my home or office network.
Comment number 1.
At 23rd Nov 2010, Gordon wrote:All public wifi spots are 'insecure' I'd never do anything on one I didn't want others to see, best thing is to use a VPN as soon as you connect.
Comment number 2.
At 23rd Nov 2010, Kit Green wrote:"...surely today's sophisticated smartphones are much less vulnerable?"
This is unfortunately a typical view amongst the gadget loving fraternity. Why would they ever think this? Probably because they don't think anymore and use their devices to let others think for them.
First rule of security is to assume nothing is what it purports to be. This goes for anything from snail mail, gossip, wiki(!) etc.
The more gateways into your property the more security you need to guard them.
Comment number 3.
At 23rd Nov 2010, Doug of Durban wrote:While Twitters twit, and Tweeters tweet, and important people flash their Blackberries, there will always be crooks out to nail them. Get back to basic mobile phones, no -email, no wi-fi, just a device for talking. Simple, no security problems.
Comment number 4.
At 23rd Nov 2010, MarkG wrote:I wonder when people will wake up that the iPhone is not the be-all and end-all.
There are better, more secure and functional smartphones out there.
Comment number 5.
At 23rd Nov 2010, calmandhope wrote:Hence why I always have bluetooth and wifi turned off apart from when I'm on one of my secure networks or a trusted friend's.
Comment number 6.
At 23rd Nov 2010, marmite_sandwich wrote:What kind of loony goes around public places with the wifi on their smartphone switched on? Apart from anything else the battery will be flat in a few hours. Less if they have bluetooth permanently on as well.
Comment number 7.
At 23rd Nov 2010, DontTrustTheGovernment wrote:I loved my old Nokia mobile, built to last, never a problem, all I could do on it was txt and phone and a few very basic games to pass the time. Why would you want more from a phone? As post 2 says, people are losing the knack of thinking for themselves and let their 'smart this' and 'smart that' do their thinking for them.
Comment number 8.
At 23rd Nov 2010, EMC wrote:It is beyond baffling that with 500m and growing, Facebook has not implemented secure login as yet. They seem almost casual about it! Google took very swift measures when they had an incident involving what was alleged to have been Chinese govt agents hacking into certain 'dissidents' accounts.
Facebook should be rapped for it, if not prosecuted for negligence.
Comment number 9.
At 23rd Nov 2010, MyVoiceinYrHead wrote:I'm also aware of people falling victim to the recent phishing scam where someone rings you up pretending to be from Microsoft and asks for your user name and password.
Always do private browsing, always clear your history and cookies and change your passwords.
You wouldn't leave your credit card in a cash machine, so why stay logged in to internet banking???
Comment number 10.
At 23rd Nov 2010, Neil wrote:A useful article. I guess the lesson is not to let your phone connect to networks automatically. Unfortunately, the iPhone doesn't appear to ask your phone to "forget" networks that you've connected to (such as Openzone).
Does anyone know a way around this? Not sure I'll remember to keep switching wi-fi off every time I leave the house!
Comment number 11.
At 23rd Nov 2010, markb wrote:marmite_sandwich wrote:
What kind of loony goes around public places with the wifi on their smartphone switched on? Apart from anything else the battery will be flat in a few hours. Less if they have bluetooth permanently on as well.
Lots, apparently. A quick straw-poll at work tells me most iphone users have wifi turned on because they believe they will save money on their 3g contract. As to your last point, once again many iphone users don't see the device as a phone anymore, it's more like a PDA with a 'cool' interface. Perhaps if they took the mental leap and saw their Smartphone in the same light they see a computer they wouldn't be so free and easy where and when they use it?
Comment number 12.
At 23rd Nov 2010, NotMeHonest wrote:So, if my iPhone is set up only to connect to my own WiFi network at home, which is WPA2-secured - am I secure or aren't I?
Comment number 13.
At 23rd Nov 2010, EMC wrote:I think it is also fair to say that WiFi was never really intended to be used for public access. It only works well in a security sense in closed communities. It's been stretched too far by network operators desperate to cash in on people's perceived 'urgency to remain connected'. There are genuine reasons for people to want to connect to the Internet using a public WiFi, and updating their Facebook status isn't one of them.
I guess one possible solution is to demand secure access, possibly by law, for any online system asking for a certain level of personal information. I know that would be very difficult to police, but doing nothing about it makes things worse. Technology changes very quickly, and not everyone can keep up with security awareness. Therefore, the onus should be on content and network providers to provide reasonably secure systems.
Comment number 14.
At 23rd Nov 2010, JeremyP wrote:"Fix this problem once more" Uh? Not possible. Clearly, they hadn't fixed the problem. Odds on, they still won't have. Stupid gadgets. World worked just fine without them.
Comment number 15.
At 23rd Nov 2010, thesteve wrote:This goes much further, there is software available to listen for these "shouts" and reply with something along the lines of 'yes I'm the access point you are looking for'. Check Hak.5 episodes on the wifi pineapple.
The only way to use wifi safely is to not use apps for sites with sensitive info on. Use the browser and make sure you enter the address with https rather than http, facebook does support a secure connection although they don't force it as they should.
The expert in this article needs to brush-up a bit.
Comment number 16.
At 23rd Nov 2010, Miles wrote:Money drives everything..
Unless customers demand better security it won't get provided, and while there are plenty of customers who will pay for insecure services there is no incentive to fix them.
Customers are not going to demand greater security unless they feel at risk, and no company is going to risk putting its customers off by telling them about the risks they face.
It's an age old and classic scenario that we are going to endlessly repeat with each new 'must have' innovation.
Comment number 17.
At 23rd Nov 2010, Mutlipack_can13 wrote:Given that Iphones seem to turn everyone who has one into some Mindless moronic zombie, it was only ever a matter of time until someone with more than one brain cell fixed on something other than the Iphone took advantage of it.
Honestly, I think if you made some people choose between the Iphone and Oxygen, they would spend their last few moments stalking their friends on Facebook, perhaps the intelligent ones would google, "How to breathe without oxygen" before they died.
Comment number 18.
At 23rd Nov 2010, Samuel Baines wrote:Apple should add some sort of feature where the phone only turns on its wi-fi when it's at certain "safe" locations, such as work, home etc. and not just connect to any old network... Or at least turn off the wi-fi after it's been disconnected from any network for more than 10 minutes.
Comment number 19.
At 23rd Nov 2010, peneverdant wrote:This doesn't only apply to phones, of course; what Rory has not emphasised is that laptops/netbooks are equally vulnerable.
Best rule is never to go to any site that requires you to register or log in, while roaming.
Comment number 20.
At 23rd Nov 2010, TheVOR wrote:This comment was removed because the moderators found it broke the house rules.
Comment number 21.
At 23rd Nov 2010, James Rigby wrote:@Notmehonest - yes that's secure enough. Someone could sit outside your house and set up a wireless network with the same name as yours and trick you into logging into their network instead of your home one. But if someone's going to go to all that trouble, they're going to find other ways to defraud you anyway.
On the general point, it's not just smartphones which are vulnerable, there are millions of vulnerable PCs, laptops, netbooks and tablet devices out there. I work in computer security and I have a hard time keeping up with all the latest vulnerabilities and exploits out there - and I get paid to do it. How the average punter manages is beyond me. It's not surprising that 10-15% of PCs (conservative estimate) are compromised in one way or another.
The time is coming when banks, governments and others will need to think about some type of continuously updated MOT certificate for computing devices - If your PC doesn't have a valid current certificate when you try to connect, then you'll be booted out.
Comment number 22.
At 23rd Nov 2010, Ash wrote:@NotMeHonest: you're ok if your phone is only set to connect to known networks that are WPA2-encrypted, although you can increase the security by using a randomly generated passphrase rather than a dictionary word. Most decent phones will warn you the first time you try to connect to an unencrypted network. The only possible problem might arise if another network has the same name and password as yours, so pick a unique SSID and passphrase.
@Rory: This post is a bit misleading IMHO. You seem to imply that the session-stealing hack is exclusive to smartphones when in actual fact all computers using wifi (or for that matter any non-switched wired network) are vulnerable. It's also unfair to pick on Facebook when Twitter, MSN and many other social networking services are just as vulnerable to the same attack. The 'emergency call' hack on the other hand is, I'm afraid, an iPhone exclusive, although other phones may have their own problems.
Comment number 23.
At 23rd Nov 2010, ohforfs wrote:(1) The chances of you losing your phone and it being found by someone with ability to do all this are astronomically low. It is more likely that this is intentioned someone steals your phone, in which case it doesn't matter what security you have on it. Consider it like losing your file-o-fax and please stop being alarmist.
(2) All phones are NOT as vulnerable as the Iphone.
(3) If browsing on an open network use HTTPS if you have top secret data on your phone or think that there might be someone lurking round a corner wanting to pinch random peoples wives phone numbers.
(4) I'm really fed up with your Apple biased reporting. Everything to do with Apple gets on dot.Rory and I think it is tantamount to advertising on the BBC. The Iphone is for people who are gullible and want their data stolen.
Comment number 24.
At 23rd Nov 2010, MyVoiceinYrHead wrote:@20 'TheVOR'
To be fair, Rory is no more behind or unknowledgeable than any of the other 'Tech Journalists' out there (Of which I follow many). At least he goes out and does some research as opposed to just reposting press releases.
Comment number 25.
At 23rd Nov 2010, shambo wrote:@20, TheVOR
Agreed. Rory's blogs are an exercise in stating the obvious, and I only read them to affirm my intellectual superiority. In this case it doesn't take much.
The Guardian tech blog is so much better. I've read about so many important tech issues which simply haven't crossed Rory's radar. The tech pages on the BBC revolve around three things: Apple, Facebook, and Twitter.
Boring, boring , boring......
Comment number 26.
At 23rd Nov 2010, linuxrich wrote:When I saw the title of this blog post, I thought we were in for a useful piece about unlocking advanced features on your smartphone, aka hacking. Sadly, it's just another FUD article about cracking, aka black hats gaining unauthorised access. Internet connected device security, regardless of if it's wired or wireless, is just a case of common sense and gaining a little background knowledge of the device you want to secure. Unfortunately, most people seem to be unwilling to learn about the devices that they rely on so heavily and store their private data on...
Comment number 27.
At 23rd Nov 2010, barstep wrote:This comment was removed because the moderators found it broke the house rules.
Comment number 28.
At 23rd Nov 2010, perfectplanetcouk wrote:#11 "Does anyone know a way around this? Not sure I'll remember to keep switching wi-fi off every time I leave the house!"
If you have an Android phone it's easy to do this using an app like Tasker. Using Tasker I've programmed my HTC Desire to switch wifi on and off automatically based on location - within 100 metres of my house, and within 100 metres of my work. I never have to worry about this issue.
Comment number 29.
At 23rd Nov 2010, unicyclistperiscopes wrote:I have a smartphone (not an iPhone), and connect only to secure networks.
Additionally, you can get free applications that allow you to switch WiFi on/off with a single tap on the screen. This was one of the first things I acquired for the phone. Why anyone would walk around with the WiFi on is beyond me, for battery life and security reasons. As many people have stated, treat it as you would any other computer and you should be OK.
Comment number 30.
At 23rd Nov 2010, Kit Green wrote:25. At 12:37pm on 23 Nov 2010, shambo wrote:
The Guardian tech blog is so much better. I've read about so many important tech issues which simply haven't crossed Rory's radar. The tech pages on the BBC revolve around three things: Apple, Facebook, and Twitter.
------------------------------------------------------
is always worth a look. Tech means more than gadgets there.
Comment number 31.
At 23rd Nov 2010, Martin D wrote:This is one of the more pointless articles I've read on here. I don't need a weatherman to tell me it's snowing outside. I have a window and a set of eyes for that. I have a PC for surfing the web. I have a camera for taking pictures and it goes with me everywhere. And I have a simple mobile for talking to people on the phone.
I simply have not got the time to surf the web on the move when reading the metro or smiling at people and interacting with them instead saves me time for surfing at home on the secure(ish) PC. It also helps to keep a grip on reality and my sanity.
Comment number 32.
At 23rd Nov 2010, busyatwork wrote:This comment was removed because the moderators found it broke the house rules.
Comment number 33.
At 23rd Nov 2010, Gangledorn wrote:I've just tested this with a HTC desire with the latest Android operating system. We set up a duplicate WIFI network as described in the article, this was a duplicate of a trusted existing WIFI connection on the phone. The phone located the network, but it correctly identified it as a different network and did not connect to it.
So the sentence "should stress that while we used an iPhone for this experiment, other smartphones are equally vulnerable to these kinds of attacks." Is obviously just Apple bias again, trying to protect Apple's market share by smearing ALL other smartphones with the same problem. If other smart phones have the same issues you should specifically say what they are!
Apple aren't the standard bearer, even if the media think they are. Just because Apple have a problem, doesn't automatically mean other smart phones do too.
Comment number 34.
At 23rd Nov 2010, EMC wrote:A simple but effective solution to WiFi blues is not to setup your device to connect to public WiFi networks. If you've setup your device to only connect to known and secure WiFi networks, then you don't have to worry about having to remember to switch off your WiFi every time you leave your secured network. Your device will NOT connect to anything you haven't allowed it to try and connect to. There are overzealous WiFi setup applications which try to make your device connect to any network it finds, but that is usually an optional setting, albeit the default in some cases.
I only have to remember to switch off my WiFi on my Android device, because it drains the battery.
Comment number 35.
At 23rd Nov 2010, CPP UK wrote:Recent research by CPP found that most wi-fi users are unaware of the risks posed by Wi-jacking. The experiment tested public wi-fi networks in 6 UK cities. CPP recruited an ethical hacker who conducted a live experiment in London to show how easy it is to hack into a wireless network and access information from unsuspecting users. Jason Hart, ethical hacker simulated how it's possible to get hold of login details and passwords with freely available software. CPP's experiment highlighted the need to take care when using open wireless networks and ensure different passwords are used for different accounts. The risk of identity theft increases if this information falls into the wrong hands.
Comment number 36.
At 23rd Nov 2010, Ian wrote:Ah, finally it makes sense. I'm a Nokia user, but each to their own etc. But what has been irritating me is that the BBC reports new Apple products as news, even when there is little if any actual technical innovation. I recall the release of the newest iPhone - extensive coverage on television and online BBC News. Erm, multi tasking, front-facing cameras, high quality cameras and picture messaging had all been on other phones for well over five years before. It's baffled me why it gets reported as news when it has no technological merit. If McDonalds bring a new burger out it doesn't get a news story? Why should a new Apple product? (Unless it brings technological innovation.)
But then - ah, it makes sense - the technology correspondent is taken in by the Apple machine too! Mystery solved.
Comment number 37.
At 23rd Nov 2010, MyVoiceinYrHead wrote:McDonalds have brought out a new burger, tell me more...
Comment number 38.
At 23rd Nov 2010, shambo wrote:@24 MyVoiceinYrHead
Completely disagree, I do not call this research. Using just one type of phone isn't a valid and complete test of what you are trying to prove.
@30 Kit Green
Thank you for your recommended reading, it has been bookmarked!
@36 Mr_Ian_123
My point exactly. Rory+BBC = free advertising.
Comment number 39.
At 23rd Nov 2010, markb wrote:MyVoiceinYrHead wrote:
McDonalds have brought out a new burger
Is there an App for this new burger?
Comment number 40.
At 23rd Nov 2010, MickS wrote:The 'man in the middle' attack is a well known one in the technology world. Sadly technologists tend to mock the ignorant masses rather than fix the problems.
Some of the commentary however is Pythonesque; "All my phone needs to do is make calls.", "All my phone needs to do is make calls and send texts.". "All my phone needs to do is make calls, send texts, and play a few basic games.". Chapman, Cleese, Idle, et al couldn't have updated it better.
Comment number 41.
At 23rd Nov 2010, JenM2010 wrote:I think it's an interesting piece - raises more questions than it answers though. When you see how easily personal data can be extracted mind, it's worth considering the impact that these smartphone devices have on corporate data; the fact is that employee owned devices are penetrating British businesses at pace, and you can bet that IT departments don't know the half of it.
Whether malicious or not, in a world of mixed personal and professional use and device ownership, the blunt security instruments of the past no longer apply. Instead of trying to forcefit desktop security onto mobile, which either doesn't work technically across devices or isn't accepted behaviourally by users, I guess we all have to start thinking a little differently. There are vendors out there making a play for fixing this - this blog suggests/ or points to one, and MobileIron's another that springs to mind. These guys and others like them aren't coming at smartphone security and management from legacy PC/network perspectives, it's refreshing in that sense...
Comment number 42.
At 23rd Nov 2010, Kit Green wrote:39. At 2:12pm on 23 Nov 2010, f32mark wrote:
Is there an App for this new burger?
----------------------------------------
I believe there are plenty of apps out there to satisfy the worst sufferers of OCD.
Most of them are as useful as bubblegum cards (do you have a full set).
Comment number 43.
At 23rd Nov 2010, ianatbev wrote:The article makes the false assertion that public wi-fi is bad because it can be intercepted. Isn't the whole internet beyond the public access point? What makes your Facebook request secure when it gets beyond Dr Evil's wireless access point? The access point is just one link in probably dozens to reach Facebook (or any URL), any one of which could be part of Dr Evil's empire. If you care about not being eavesdropped then use SSL/https, otherwise assume anyone can view what you're doing. Sending requests across the internet is like sending postcards - anyone involved in their delivery can read them unless you write them using a secret code. Facebook does not use SSL, that's rubbish. The banks do, that's good.
Also: "Any modern smartphone is vulnerable to the same attacks". Really? Isn't the iPhone the only device that can have its initial PIN by-passed in the way demonstrated?
Rory, repeat after me:
"It's okay to criticise Apple just a little - Steve will still love me and pet me and treat me as his very own"..
this is what objective, impartial reporting is all about. You should read about some day. Maybe there's an App for it perhaps.
Comment number 44.
At 23rd Nov 2010, strimmer73 wrote:People remain the weakest links in any security system and so long as there are people, so-called "hacking" will continue.
Comment number 45.
At 23rd Nov 2010, camyeoerfraefrance wrote:Predictably enough, the mention of Apple brings out the usual ill-informed criticism, much of it not related to the subject of the blog. And Rory even gets criticised for being an Apple apologist in a blog that exposes security weaknesses in the iPhone! But seriously, it is a matter of concern that the iPhone can still be broken into so easily. In practice, the access granted is quite limited, so I do still lock my phone with a passcode. But Apple should have fixed this long ago. (I think they did provide a fix, but it only partially fixed the problem.)
As for wifi networks "spoofing" other networks, I actually found this "feature" useful in the context of my (secured) home network. I installed a new wireless router, set up the new network with the same SSID and password as the old network, and all the PCs, laptops, phones, PS3s, Blu-ray players and Apple TVs connected seamlessly to the new network. But this is clearly not a desirable feature for unsecured networks.
I must admit I almost never switch my phone's wifi connection off, because it can be useful to be able to connect wirelessly. Of course, I'm careful what I access when I'm on an unsecured network, even if I'm sure it's the genuine BT Openzone. I even leave bluetooth on all the time now, since I recently got a car with bluetooth, and I'm really not going to switch it on and off every time I get in and out of the car. I don't seem to get noticeably shorter battery life, though I do charge it every night anyway.
Comment number 46.
At 23rd Nov 2010, Daniel Walker wrote:"It was dumb enough just to check the name, rather than comparing the address with others it had previously used."
Well, this isn't actually as dumb as it sounds. Any of the rest can be spoofed by anyone deliberately trying to fool the device, while it may well just get in the way and cause problems for legitimate connections. Going any further than the name, is the sort of Security Circus that lulls people into a false sense of safety.
The dumb is in the social design, that lies behind this; in that the user is assumed to actually know and care what services their device is connecting to, and who is running that service - when in fact, they usually don't.
Think about it: running a wireless router and a land line costs money. If the owner does not appear to be a pub, or a train station, or what-have-you, then they must have another revenue stream to keep it going. To some, theft is a revenue stream.
TANSTAAFL
Comment number 47.
At 23rd Nov 2010, The Fickle Finger wrote:I have the wifi turned off on my Blackberry. It just saves the battery from running down so fast (on a Blackberry, that's REALLY fast!) and turning it off seems to save so much power. I can still FB etc - no real difference as far as I can see.
Comment number 48.
At 23rd Nov 2010, Valdemar wrote:It's pretty funny there are so many Apple haters. I guess Android has never suffered a chronic security problem in the past ( or suffered the MITM problem (.
Oh, wait...
But I digress, being a Symbian user. It's nice to read up on these issues other smartphones have, and to learn of what the industry does to address such problems. To be perfectly frank, common sense makes this a total non-issue for anyone. Want to check Facebook? Use a browser with HTTPS and VPN, as someone else stated. OH NOES, looks like this killer problem is nipped in the bud. It's kind of like these fancy screenlock applications being entirely redundant when, in reality, you shouldn't be stupid enough to leave such a supposedly valuable device left unattended. Front trouser pocket, touch check now and then and you're fine.
Complain about this comment (Comment number 48)
Comment number 49.
At 23rd Nov 2010, camyeoerfraefrance wrote: @shambo
Thanks for the tip about the Guardian's tech blog. I just went there for the first time. Looks interesting, but a good many of the entries seem to mention Facebook, Twitter, or Apple. And just like here, the very mention of Apple seems to upset some people, with the usual ridiculous suggestions that the Guardian (or the BBC, or their journalists) are somehow paid by Apple (or Twitter or Facebook) for mentioning them.
Comment number 50.
At 24th Nov 2010, Will Holmes wrote: Who on earth designed the iPhone to connect by name only? Phones should check for IP addresses and warn the user if the access point is not the original.
Currently running an HTC Wildfire (Android). I think I'll run some experiments to check if Android 2.1 suffers the same flaw. It's fairly easily remedied in future software editions, but Apple should know better. Nokia and Google too if they've made the same shortcut.
The fact of the matter is that telling people to never enter passwords and so on when you're on a public wireless access point is both unreasonable and unhelpful. Security should be automatic and always there, even if you have your wifi and bluetooth always turned on. Some people don't have common sense, and a lot of people would rather not trust their fallible and inconsistent habits. I certainly don't.
Comment number 51.
At 24th Nov 2010, FaLlEn wrote: What can I say, it's common sense really. You wouldn't walk away from your car and leave it open with your wallet on the dashboard, would you? So why leave your Wifi on scanning for the first open network to connect to so that all of your personal unsecured details can be intercepted/removed from your phone?
I'm amazed at how many people still do not know about networking technologies, in this case, packet sniffing. This is incredibly easy to do in this day and age and it's completely transparent to the victim/s. When you have a fake AP setup (Access Point) all pass-through traffic can be intercepted, hijacked, reverse engineered, whatever. A few hours on Google will give you a good starting block to launch from, for testing and educational purposes you understand...
And I would like to point out that it's not just as simple as capturing a recent cookie from the host system and transplanting this into a dummy host and then going to www.facebook.com. This kind of thing just promotes mass hysteria to the point where people don't feel secure or safe.
Again anonymous sms applications have been available pretty much since Mobile Phone companies realised that they could charge you for a built in service which allowed technicians to broadcast and test cell coverage or nodes. These are a dime a dozen, if you know where to look.
Best advice that I can give to everyone reading is to be more diligent with security in their lives in general. Don't hide your front door key under the mat or plant pot, don't save your passwords on devices which automatically pick up and attempt to use the first open, unsecured network available to them.
If it's public it's completely open and unsecure... authenticate as much as you possibly can i.e. make sure you enter a password for every site where applicable and don't save or store these locally. I would even go as far to say never do anything banking wise or transaction related etc on these types of connections and keep it to a minimum or 'light surf'.
If it's at home, private, and you are all WPA'd up, 25 fire walls and bear traps at your front door, then you have a lesser chance of being targeted and done over but please keep in mind that not everyone is 100% safe all of the time, if you get targeted by a professional hacker it won't take them long to compromise the system and do whatever they want and chances are you wouldn’t know anything about it until it's too late but that doesn’t mean you should just leave the door open.
Congratulations, you have just read your first latex wrap lesson on Internet Safety 101.
Comment number 52.
At 24th Nov 2010, streetpuppy wrote: I just simply cannot understand how anybody with a single sense of technology could ever put their contacts details, or information of a personal nature on any social networking website in the first place. This article should have been about the stupidity of doing THAT, and the penalties people will be paying in the future for being so blind.
Warning - Conspiracy theories inbound.
Big brother doesn't need cameras everywhere any more, just a facebook account or access to yours. In fact the same applies to ANYBODY who wants to get access to your information. Mobile phones & devices are not the enemy YOU ARE!
If I was evil every one of my friends and their friends friends friends would have very little secrets on-line that I didn't know about. Their on-line lives would be putty in my hands (evil laugh track playing). This is not an exaggeration but a fact.
Think about it and become street smart. Don't be a victim of sensationalism, advertising, ignorance & eventual-ism.
Use technology to free you, not to free your information.
Lecture over.
Comment number 53.
At 24th Nov 2010, Hastings wrote: I don't use a smart phone (I have yet to find a use for one that isn't far more complicated and slower to use than the back of a fag packet*)
However, on my PC I use an encrypted, protected system called Keepass to store vulnerable data that I may want to cut and paste. (Note: there is no reason to keep any details electronically that you can either easily remember or will never need to use electronically)
Is there not an equivalent app for your over priced fag packet, sorry, smart phone, that will keep data secure, even if you physically lose the phone?
* I actually gave up smoking a few years ago, but I refuse to pay out £500 simply because I have run out of fag packet backs!
Comment number 54.
At 24th Nov 2010, Andy2 wrote: I think that the problem stems from calling them 'Smartphones' in the first place. You are effectively carrying around a Computer, not a phone. All of the above Security problems are also present when you discard your old Smartphone / Computer.. They should be renamed Mobile PC's!
Andy.
Comment number 55.
At 24th Nov 2010, Rick Slater wrote: This isn't really news is it?
As others have said, "smartphones" are just little computers. They all have their vulnerabilities no matter who makes them or what OS they run. The problem is that you have to be quite savvy about technology to protect yourself.
The most surprising thing about this is that, as a technology journalist, Rory should already know how to safely use his computers on public WiFi and shouldn't need a hacker to tell him he's vulnerable.
Being charitable, I suppose anything that heightens awareness of security threats is a good thing. Most consumers I know don't have a clue about the risks or how to mitigate them.
I think the article would have been more useful if it either included information on how to use public WiFi safely or referenced articles on the subject.
Comment number 56.
At 24th Nov 2010, camyeoerfraefrance wrote: @streetpuppy
I agree that people need to be aware of what they are doing when they use Facebook, but not everyone is as paranoid as you about their "personal data". I may not want anyone else to have access to my bank account, or be able to impersonate me, but I may be perfectly happy for others to know my name, address, phone number, email address etc. That's how I interact with people! Back in the day, anyone could walk past my house and take a photo, or send me a letter, or look me up in the phone book. And everyone I've ever written a cheque to has my account name, sort code, and account number.
Comment number 57.
At 24th Nov 2010, camyeoerfraefrance wrote: @kampernaut
To be fair to Rory, I see this as a blog for anyone with a general interest in technology, not really for specialists. So, highlighting issues that many people won't have thought about does provide a useful service.
Comment number 58.
At 24th Nov 2010, Rick Slater wrote: @57
I'm inclined to agree hence the "Being charitable, ..." sentence in my comment.
Comment number 59.
At 24th Nov 2010, DibbySpot wrote: This really requires that the base technology has solid and aggressive security standard built in such as mini dongles programmable from a pc or other device.
The manufacturers and software writers really have a great opportunity to provide greater security. Perhaps the mobile wallet will offer the start to everyone taking this issue seriously.
Comment number 60.
At 24th Nov 2010, WelshBluebird1 wrote: @Will Holmes
There is absolutely no technological way that a phone could use IP addresses to make sure it is connecting to the correct WiFi access point. MAC addresses yes, but not IP addresses.
Comment number 61.
At 24th Nov 2010, Pearce wrote: Ok, the first bit of this article describes a software flaw on an iPhone, so cannot be indicative of the security on all smartphones.
The second part of the article is not about the security of the phone. At no point is the phone hacked. The article is about care being taken on using facebook on an un-friendly wifi network masquerading as a friendly one. The same thing would have happened if the reporter had been using a laptop. The phone merely was a useful portable device that allowed the reporter to reach the malicious network.
The article would have been better if it had targeted the lack of security on social network sites, as these hold a lot of personal data. If facebook was ssl secured or similar it wouldn't matter that the reporter had accessed the site via a malicious network, the attacker would not have been able to access his facebook account.
Maybe we should ask the question as to whether the social network sites are in breach of ICO rules by allowing so much important personal data to be transmitted in the clear over unsecured public networks.
It should be noted however that with the massive volumes of traffic transmitted on sites such as facebook, the cost of SSL securing the network may be prohibitive due to the vastly greater processing load on their servers. A victim of their own success.
Comment number 62.
At 24th Nov 2010, PhilT wrote: My smartphone tells me if an insecure wireless network is available, but doesn't connect without my say so. It also has a "forget" function for the networks it has been connected to.
But it isn't an iPhone. Diversity of technology is always a good thing so we don't all end up with the same problems.
Comment number 63.
At 24th Nov 2010, MyBBCName wrote: This article seems to imply the iPhone stands out as an insecure device on 2 counts:
1) That the data can be accessed by someone else if you lose it;
2) That your WiFi Internet traffic can be examined by a 3rd party.
Both of these problems are true of every device:
1) No electronic device is secure if a 3rd party has physical access to it. Strong encryption of all the data might do the trick, but even that can be broken. But - in case you hadn't noticed - iPhone users can wipe their phone remotely in the event of theft. The bottom line for every phone and computer/laptop user is that they need to plan ahead for the possibility of theft.
2) The problem is not limited to the iPhone, any phone, or even any computer connected to the Internet (wired or otherwise). The fact is, all Internet traffic can be potentially intercepted. BT secretly intercepted the traffic of thousands of its customers for the purposes of profiling and targeted advertising. But worse, many sites do not use a secure connection (a secure connection encrypts all traffic, making it almost impossible to snoop). This is why Google was able to harvest login details from WiFi hotspots as its Street View vehicle travelled about. If you log in to an insecure service, it is possible for a 3rd party to intercept that traffic and steal your login name and password.
This could have been a very instructive article about general Internet and mobile security, but instead comes off as saying that using an iPhone is a security risk. Very, very disappointing BBC!
Comment number 64.
At 24th Nov 2010, lwr20 wrote: @WelshBluebird1: NO. MAC addresses *still* do not guarantee that you are connecting to the AP you think you are. While MAC addresses are supposed to be unique and tied to the hardware (unlike IP addresses), they can be changed (and therefore spoofed). For example, try using the ifconfig command as root on a linux box - this makes it as easy to change your MAC as it does to change your IP.
I'm off to configure myself a VPN...
Comment number 65.
At 25th Nov 2010, FaLlEn wrote: #64 Completely agree, once you step outside the 'Windows' padded cell you can change, modify or spoof just about anything these days... Certain Linux distros are cooked purely for penetration testing or security bypass... as you may know :)
@General I for one would love to hear an informative dot.Rory outlining a problem and a solution that is aimed at the 'General Joe' instead of having more Apple products used as a point of reference on how the rest of the world works and why everything else outwith this is a fail.
A good story for you Rory would be about the current threats for today's technological society, the many different types of net enabled devices one might find in today's modern household along with the perils and solutions that are available to keep families safe. Someone mentioned KeyPass earlier, encryption etc etc
Think I'll go AES 256-bit my disks... be back in 5 days
Comment number 66.
At 25th Nov 2010, iGlad wrote: you have a smartphone with internet access and you turn off the wi-fi? that to me isn't very smart here I'll let you have my old nokia 6100 instead
Comment number 67.
At 25th Nov 2010, MacBookPro wrote: The only lesson here is to only log into sites which use SSL on a public WiFi network. Facebook, for some stupid reason, isn't such a site - they SSL logins, but as this demonstrated, the cookies aren't encrypted and work just as well as a password.
Facebook does have an SSL site, I should note, but once you click any link - including internal Facebook ones - the SSL will be turned off. Pretty much useless unless you manually force SSL, which most people ain't gonna do.
BTW, turn your WiFi off when you aren't using it and turn off "Ask to join new networks" too.
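The gap comment 67 describes (login over SSL, then a session cookie that still travels without it) can be checked from a site's response headers. The following is an added example, not part of the original thread: it audits a constructed login response for the cookie `Secure` flag and an HSTS header; the host `example.test`, the cookie name and all header values are made up.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into a Cookie (name, value and flags only)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    flags = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(),
                  "secure" in flags, "httponly" in flags)


def sent_in_clear(cookie, url):
    """True if a browser would attach this cookie to a plain-HTTP request."""
    return urlsplit(url).scheme == "http" and not cookie.secure


def audit_login_response(headers, followup_urls):
    """Return findings for a login response that was served over HTTPS.

    headers: list of (name, value) pairs from the response.
    followup_urls: same-site links the user is sent to after logging in.
    """
    findings = []
    names = [n.lower() for n, _ in headers]
    if "strict-transport-security" not in names:
        findings.append("no HSTS header: browser may be moved back to http://")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        c = parse_set_cookie(value)
        if not c.secure:
            findings.append(f"cookie {c.name}: missing Secure")
        if not c.http_only:
            findings.append(f"cookie {c.name}: missing HttpOnly")
        for url in followup_urls:
            if sent_in_clear(c, url):
                findings.append(f"cookie {c.name}: sent unencrypted to {url}")
    return findings


# Constructed sample data: the same login response, weak and hardened.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; Domain=example.test"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
# After login the site links back to a plain-HTTP page on the same host.
FOLLOWUPS = ["https://example.test/home", "http://example.test/profile"]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label)
        for finding in audit_login_response(hdrs, FOLLOWUPS) or ["no findings"]:
            print("  -", finding)
```
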
Comment number 68.
At 25th Nov 2010, benf90 wrote: @66 - you can still access data through the phone networks. Turning off wifi doesn't mean you don't get data coverage anymore.
I always have wifi turned off when I leave my house, mainly to save battery. I use an app to do it automatically for me now, which is actually the only thing I truly believe is 'smart' about my smartphone.
I haven't seen anyone else here mention it. The app is called Tasker, available for Android phones. If I'm within 50 metres of my house it turns on wifi, if I leave that 50m zone it turns wifi off. It also automatically puts my phone onto silent when I get to work and takes it off silent when I leave work.
It's not to be confused for the 'Tasker for iPhone' app which is completely different.
Comment number 69.
At 25th Nov 2010, busyatwork wrote: multipack_can13 says iphone users become mindless moronic zombies and as a user I resent such a sweeping statement; especially coming from someone who cannot spell until.
Comment number 70.
At 25th Nov 2010, Kit Green wrote: 69. At 8:21pm on 25 Nov 2010, busyatwork wrote:
multipack_can13 says iphone users become mindless moronic zombies and as a user I resent such a sweeping statement; especially coming from someone who cannot spell until.
------------------------------------------------
Perhaps multipack also missed out the adjective "pedantic".
Comment number 71.
At 26th Nov 2010, Justin wrote: His smartphone was not completely hacked. Firstly he gave his iPhone to the guy to get around the passcode screen, very easy to do. Secondly only his traffic was hijacked. Completely different.
Completely hacking the device would be to gain access over the IP address assigned by the BTOpenzone access point.
As already addressed the article above highlights that it is all devices which connect to wifi. One thing to learn from this, use common sense when on public wifi. You wouldn't log in to your internet banking on a public computer would you??
Comment number 72.
At 26th Nov 2010, streetpuppy wrote: @camyeoerfraefrance
I feel your pain brother, no doubt you have succumbed to the charms of the facebook temptress that be the reason for my preaching. Perhaps the reality of attempting to return a freed genie into the bottle has you shivering in a cold sweat. Fear not as the damage can be limited.
Open or secure Wifi access, non encrypted or encrypted that is the question. But no, not really, the question is who do you trust with your data forever?
I love the internet (kissing my monitor), but one should learn when to love her and when to leave her, especially when it comes down to sharing not only your own information but that of your friends and families.
Methods of hacking will increase as methods of security will increase, and there is no responsible major company that doesn't take a backup out of cycle regularly for prosperity, usually with information you deleted on it. That's if it isn't really deleted anyway and you just need the old URL.
Social networking is a fantastic product, but it is just that, a product with a saleable value, & all manner of greedy robbers planning a sting (from their bedrooms after playing Call of Duty). It is fine to play God with your own information, as long as you seek permission to do the same with other peoples, which we don't.
Amen.
Comment number 73.
At 26th Nov 2010, sagat4 wrote: Why am I not surprised Rory that you have an iphone 4. Use others that are less easy to hack - just my two cents ;)
Comment number 74.
At 26th Nov 2010, Simon Bain wrote: This says more about on line web sites and applications than it does about the security of networks.
We all know (or at least most know) that networks can be insecure. But lazy application development leads to web sites leaving little packets of information (Cookies) on your device. These can be used as has been shown to access more than just your Facebook account.
Security plays second fiddle to a web site's requirement for easy developer access, until developers and their bosses realise that they must take more regard to site security then whatever the phone manufacturers do, this type of hacking will always be possible.
In the meantime clear out your cache files and cookies on both your mobile and desktop web browsers.
Comment number 75.
At 26th Nov 2010, Daniel Walker wrote: This comment was removed because the moderators found it broke the house rules.
Comment number 76.
At 27th Nov 2010, Peter Frampton wrote: @3. Doug, you are absolutely right.
Just because I would have to replace a battery on my old Nokia, which would cost me at least £10, I found a better option and bought a Samsung mobile for £14, in which £10 is a topup card. The phone has no camera, no FM radio, no MP3 player, etc. Just basics. For the past 10 or more years, ever since I had a mobile I never needed anything beyond a phone.
I cannot seem to be tempted by Twitter or Facebook to have an account, on Facebook I have a fake account and actually never had to use it to contact my friends and family, while other services are available. It makes me laugh how people easily keep all their data that needs to be secure on such basically flawed systems like Facebook.
The whole concept of having your phone with your personal data connected to the internet is one huge massive concept flaw, millions of people don't realize what the risks are and how to protect themselves. And phone companies aren't helping. Phones are money cash cows, so why bother with security risks and spend money on research, proper concept and system design? Better blame the users for lack of intelligence.
If I was to comment on why those phones are so vulnerable, everything comes again to the basics. Systems have now a common flaw of design. In the past you could only access a computer if you were granted that access. But in today's world where you wish to share stuff with your friends and share your computer resources everything is fully open right from the start. Somewhere in between are your personal data.
And that's the nature of Facebook and Windows, now everything has to be patched, patched, patched, patched so many times it doesn't seem to make sense any more, does it? So much resources wasted on patching and fixing and lecturing users there is a button that turns off your connection.
Just recently I read that if you are logged in on Facebook and start searching the NHS web sites for certain information that gets stored somewhere on Facebook for other people to see. Laws should be applied to Facebook and somebody should start holding them accountable.
The advice was - log off from Facebook before you want to do something on the NHS websites - completely utterly ridiculous. Facebook should have not done that in the first place.
It seems governments, that are supposed to introduce laws to protect us are still fast asleep, like in the recent affair with Google.
In the end security firms are making money on providing services to secure your system with the basic flaw of today, which is the wrong concept. Patching, patching, patching ...
One big joke.
Comment number 77.
At 28th Nov 2010, OldIron wrote: The BBC's journalist (and a few of the respondents, to be fair) haven't fully understood here:
Interestingly, I've not seen unsecured access points brought up for a while (there was a fair amount of fuss 6-7 years ago about it, but I've not seen much mainstream comment about it since). As others have said, it's just a man-in-the-middle attack, and the simplest way to work around it is to use end to end security (eg, VPNs) for any traffic you care about. One key thing the article omits is that you shouldn't even trust DNS services in such circumstances (even if you've setup known good servers, they are still subject to this attack).
The same attack works on any means of public access, from any device - though setting up a poisoned access point is obviously a convenient way of going about it. In theory, you could do something similar with a hotel's network access (I have no inside knowledge, but wouldn't assume they have uncrackable security). I'm hoping my ISP is secure enough (ignoring HMG for the moment)
The iphone lock bug affects only that phone; to avoid it either keep the phone secure or switch to a more reputable brand.
Facebook is already notorious for poor security, it's hardly surprising to see that one come up again.
Comment number 78.
At 28th Nov 2010, brightengineer wrote: I’m hardly surprised by this. The iPhone (and indeed other phones) have a habit of connecting to “known to them” networks. Which, if it’s a generic name (the normal names that come with routers out the box, or open networks such as that BT open zone thing) the phone will automatically connect.
I think I read a comment on there that someone had stated that only the iPhone does this (forgive me it has been 77 posts, and I have read it all) but this problem is not just with the iPhone, my Blackberry does it as well, and have now got into the habit of turning the WiFi off when I am not near a trusted network.
Facebook’s security is a joke. There is no other word for it. This is why on my facebook account there is none, not one single identifying piece of information about me on there. All it has is my First name, and the dogs name as my surname, and I am very picky about the information I give to websites. When dealing online I take the total stranger approach. After all, you don’t know Mark Zeliotburg (or whatever his name is) from Adam, so why are you telling him the most intimate details of your life? It’s madness.
You wouldn’t say to a stranger on the street “Oh, hey sir, guess what I done last night. Oh and by the way, here is my name, address, date of birth, email address, credit card number and mothers maiden name. Have fun!” it boggles the mind!
And that facebook application nearly scared the seven bells out of me when it asked if I wanted to import my phone contacts to facebook. What come out of my mouth cannot be repeated.
Comment number 79.
At 29th Nov 2010, taxpayer2010 wrote: This has been a problem since the early days of wifi. The only secure use of public networks is through a VPN to your workplace. All data is then encrypted. A firewall on your laptop is also advisable when using public wifi.
Comment number 80.
At 30th Nov 2010, sagat4 wrote: @Hexham_Dan most parrots I have seen are of a much higher class than yourself:)