[Dailydave] Wireless Disclosures

[Christos Kalkanis]

So, recently, Immunity's wifi maestro Mark Wuergler was featured in
an Ars Technica article [1] that caused quite a stir amongst the
readers.

The Ars article is a short summary of Mark's Infiltrate 2012
presentation [2] that demonstrates how seemingly common information
disclosures can lead to more powerful disclosures and consequently
security disasters. In this case, the device that facilitates these
disclosures is the iPhone.

The first disclosure, that of the SSID, is very simple. The target
device must have wifi enabled and not be connected to a wireless
network. The premise then is that as long as one is in the vicinity of the
target, he will capture the SSIDs of all recent networks that the target
has connected to.

Comments to the Ars article imply that this should never happen,
and refer to a blog post written by Robert Graham of Errata Security [3].

Some quotes from Robert's post:

"I like criticizing Apple security but they have implemented one of the most
fantastically important security features ever: they don't broadcast the SSID
they are looking for."

"Apple does something clever. Instead of broadcasting the access-points
it's interested in, it sends out a broadcast looking for ANY access-point.
It will only connect if an access-point has the correct name."

In our experience, this is not exactly the case. What Robert describes does 
happen but, after a couple of minutes, if a connection has not yet
been established, the iPhone will indeed broadcast probes for all recently
connected SSIDs. How recent is recent? In our experiments, _all_ SSIDs
stored in the device were being disclosed.

We've seen this behavior with IOS 3, 4 and 5. This is obvious in
the attached packet capture screenshot, where one can see the initial
broadcasts to ANY as described by Robert but then comes the disclosure
with all stored SSIDs being broadcasted.

With a diclosure of this kind complete, the attacker can impersonate
access points and, in some cases, the target iPhone will _automatically_
and without user intervention connect to him. For obvious reasons, the
automatic connection will take place if the disclosed SSID belongs to
an open network.

**

The second disclosure that came up in the Ars comments has to do with
the MAC addresses of previously seen DHCP servers (which are normally
running as part of the wireless access points).

Assuming the attacker is in control of a network that the target iPhone
has connected to (the first disclosure can be used to trigger this),
all the attacker needs to do is _not_ give an IP to the device.

This behavior is documented in RFC 4436 [4]:

"In this case, the host may determine whether it has re-attached to the
logical link where this address is valid for use, by sending a unicast
ARP Request packet to a router previously known for that link (or, in
the case of a link with more than one router, by sending one or more
unicast ARP Request packets to one or more of those routers)."

In the case of the iPhone, if the current network does not have
DHCP configured, then the iPhone will disclose the MAC addresses of
the last 3 DHCP servers it has seen, with possible remaining lease time
considerations. It does not matter if the SSIDs (current network, past
networks) do not match, as they are not taken into account.

Summarizing, we see how a simple disclosure can be used to propagate
an attack or trigger a more serious disclosure.


[1] - http://arstechnica.com/apple/news/2012/03/loose-lipped-iphones-top-the-list-of-smartphones-exploited-by-hacker.ars
[2] - http://prezi.com/rpx0w4krsi3y/secrets-in-your-pocket-mark-wuergler/
[3] - http://erratasec.blogspot.com/2010/05/more-air-is-full-of-packets.html
[4] - http://www.ietf.org/rfc/rfc4436.txt - Detecting Network Attachment in IPv4


-------------- next part --------------
A non-text attachment was scrubbed...
Name: disc.png
Type: image/png
Size: 87417 bytes
Desc: disclosures
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20120322/f23b2715/attachment-0001.png>
-------------- next part --------------


-- 
Christos Kalkanis
Immunity Inc.
1130 Washington Avenue 8th Floor
Miami Beach, Florida 33139
P: 786.220.0600