Wi-Fi Street Smarts, iPhone Edition

If you use your iPhone to connect to open or public wireless networks, it’s a good idea to tell the device to forget the network’s name after you’re done using it, as failing to do so could make it easier for snoops to eavesdrop on your iPhone data usage.

For example, if you use your iPhone to connect to an open wireless network called “linksys” (which happens to be the default, out-of-the-box name assigned to all Linksys home Wi-Fi routers), your iPhone will in the future automatically connect to any Wi-Fi network by that same name.

The potential security and privacy threat here is that an attacker could abuse this behavior simply by giving his rogue access point a common name, and then sniff the network for passwords and other sensitive information transmitted from nearby iPhones, even when the owners of those phones have no intention of connecting to a wireless network.

That means that if you’ve ever taken advantage of the free Wi-Fi that AT&T offers to iPhone users at most Starbucks, Barnes & Noble and other locations nationwide, your iPhone will automatically connect to any network named “attwifi,” the name AT&T uses for its public hotspots. Indeed, an attacker who set up a rogue wireless access point named “attwifi” or “linksys” in a crowded place likely would be able to force a fair number of iPhones in the vicinity to automatically connect to his access point. This could create a privacy problem for those who are using the iPhone’s 3G data connection to send e-mail or other information, as the iPhone normally will switch from 3G to a preferred wireless network whenever a trusted one is available.

This attack scenario is more a reminder about basic wireless security safety than anything else. If you must use Wi-Fi to communicate sensitive information, make doubly sure that the Web address of the site you are sending data to begins with an “https://”, or else any data you share with that site could be intercepted and read by anyone else on that same network. Also, if your Web browser complains about a certificate or encryption error while you are trying to log on to a site or transmit sensitive data, it’s probably safest to cancel that transaction, as it may be a sign that someone on the network is attempting to intercept the transmission.

And by the way, this advice is the same whether you’re browsing a public Wi-Fi network over an iPhone, a Mac, or a Windows PC (these devices also may auto-connect to familiar open wireless networks).

As I was writing this, I came across an older but related post by Rich Mogull at the Securosis blog, which offers a few more Wi-Fi security tips for iPhone users. Specifically:

- Turn on “Ask to join networks”.
- If you have an unencrypted home wireless network, use an obscure name with some random numbers in it. This reduces the odds you’ll ever hit another one with the same name unless someone specifically targets you.

To force your iPhone to forget a wireless network after you’re done using it, click “Settings,” “Wi-Fi Networks,” select the wireless network’s name, and then “Forget this Network.” The “Ask to join networks” option also is on the “Wi-Fi Networks” screen.
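
The auto-join behavior described in this post, as an added example that is not part of the original article: a simplified Python model in which a saved open network is matched on name and security type only, so forgetting the network is what removes the exposure. The class and function names, the sample saved-network list and the access point address are constructed for illustration; real devices apply further rules.

```python
from dataclasses import dataclass

# Names the article calls out; any widely reused open network name behaves the same.
COMMON_SSIDS = {"linksys", "attwifi"}

@dataclass(frozen=True)
class SavedNetwork:
    ssid: str
    security: str          # "open", or e.g. "wpa2" for an encrypted network
    auto_join: bool = True

@dataclass(frozen=True)
class Beacon:
    ssid: str
    security: str
    bssid: str             # hardware address of the access point

def would_auto_join(saved, beacon):
    """Assumed model: match on name and security type only. The BSSID is
    never compared, so the original access point and any other one using
    the same name look identical to the device."""
    return (saved.auto_join and saved.ssid == beacon.ssid
            and saved.security == beacon.security)

def exposed_profiles(saved_networks):
    """Saved networks that any nearby access point could satisfy."""
    return [n for n in saved_networks if n.security == "open" and n.auto_join]

def forget(saved_networks, ssid):
    """Model of 'Forget this Network': drop the saved profile."""
    return [n for n in saved_networks if n.ssid != ssid]

def review(saved_networks):
    """Return (ssid, advice) pairs for each exposed profile."""
    report = []
    for n in exposed_profiles(saved_networks):
        reason = "common name" if n.ssid.lower() in COMMON_SSIDS else "open network"
        report.append((n.ssid, f"forget after use ({reason})"))
    return report

# Constructed sample data, not taken from a real device.
SAVED = [SavedNetwork("attwifi", "open"), SavedNetwork("linksys", "open"),
         SavedNetwork("HomeNet-48213", "wpa2")]
UNKNOWN_AP = Beacon("attwifi", "open", "02:00:00:00:00:01")

if __name__ == "__main__":
    print("joins unknown AP:", any(would_auto_join(n, UNKNOWN_AP) for n in SAVED))
    for ssid, advice in review(SAVED):
        print(f"{ssid}: {advice}")
    cleaned = forget(SAVED, "attwifi")
    print("after forgetting:", any(would_auto_join(n, UNKNOWN_AP) for n in cleaned))
```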

