Smartphone Wi-Fi Security


Recently a reader asked me to write a post about the implications of Cellular, Wi-Fi, Bluetooth, and Near Field Communication (NFC) radios in smartphones, and the privacy and security implications of each. I will, and it will be in several parts. Today I am going to cover smartphone Wi-Fi security and privacy. I’m sure you’ve heard that you should leave your smartphone Wi-Fi turned off when it’s not in use – but why?

Smartphone Wi-Fi Interface Privacy

Wi-Fi is perhaps one of the most dangerous interfaces on your device, for three reasons. First, Wi-Fi broadcasts information about you, and those data points are not only “real time” – they are also historical. Next, the communications you perform over Wi-Fi may or may not be secure, and are easily tampered with. Finally, the biggest contributor to this danger is Wi-Fi’s ubiquity and convenience: Wi-Fi is used constantly, and constantly left on. I will first address the privacy risks of leaving Wi-Fi on.

Your Wi-Fi can be used to track your location. It can also be used to track your historic locations. Here’s how: when your phone is not connected to Wi-Fi, it is constantly “looking” for networks it “knows”. This “looking” is done through probe requests, small radio transmissions that attempt to establish contact with a known network. These contain several things, chief among them your phone’s MAC (Media Access Control) address. The MAC address is a unique device ID that can be used to track you by keeping tabs on all the Wi-Fi networks that “see” your phone’s probe requests. One company was recently caught running this kind of exploitation as a revenue stream! Passive Wi-Fi receivers can be set up to observe probe requests, filter them by MAC, and chart users around a store, shopping mall, or an entire city.

The other tasty morsel of information found in your probe requests is your SSID (Service Set Identifier). The SSID is your network’s name – the one that your router broadcasts. The problem here is that your SSID reveals where you’ve been. If you routinely connect to Wi-Fi networks and neglect to remove them from your phone’s stored list of “known” networks, chances are you have scores of networks in your phone. These can show where you shop, dine, work, and live. Most of these networks can probably be cross-referenced with a geolocation through services like Wigle.net. The number and nature of Wi-Fi networks paint a detailed picture of your digital and physical lives. They can also help an attacker easily defeat MAC randomization.

MAC randomization is a technique employed by iOS and Windows 10 devices. When your phone sends probe requests, a pseudorandom MAC (rather than your true MAC) is placed in the request, in an attempt to anonymize your probe requests. MAC randomization has been defeated through a number of techniques (a Google search for “MAC randomization” reveals far more failures than successes; this white paper [.pdf] discusses defeating MAC randomization in detail). However, a big set of Wi-Fi SSIDs revealed in your probe requests can quickly undermine any semblance of privacy granted by MAC randomization.
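To make the two leaks above concrete, here is a small self-audit script. It is an added example, not code from the original post. It parses minimal 802.11 probe-request frames (the 24-byte management header followed by tagged parameters, of which tag 0 carries the SSID) and reports, per source MAC, whether the address has the locally-administered bit set, which randomized addresses do, and which remembered SSIDs the device disclosed. The frames are constructed inline rather than captured, the MACs and network names are made up, and the locally-administered check is a heuristic, not proof that a given address is randomized.

```python
"""Audit what a phone's Wi-Fi probe requests give away.

Added example (not code from the original post). Parses minimal 802.11
probe-request frames, constructed below rather than captured, and reports
per source MAC whether the address looks randomized and which remembered
SSIDs the device is broadcasting.
"""
import struct

# Frame Control: protocol version 0, type 0 (management), subtype 4 (probe request).
PROBE_REQUEST_FC = 0x0040
TAG_SSID = 0             # tagged parameter carrying the SSID
TAG_SUPPORTED_RATES = 1


def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Construct a minimal probe-request frame (test input, not a real capture)."""
    broadcast = b"\xff" * 6
    src = bytes.fromhex(src_mac.replace(":", ""))
    # FC, duration, addr1 (DA), addr2 (SA), addr3 (BSSID), sequence control
    header = struct.pack("<HH", PROBE_REQUEST_FC, 0) + broadcast + src + broadcast + struct.pack("<H", 0)
    ssid_bytes = ssid.encode("utf-8")
    body = bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes
    body += bytes([TAG_SUPPORTED_RATES, 1, 0x82])  # 1 Mbps, marked as a basic rate
    return header + body


def parse_probe_request(frame: bytes):
    """Return (source MAC, [ssids]) for a probe request, or None for any other frame."""
    if len(frame) < 24:
        return None  # shorter than a management frame header
    (fc,) = struct.unpack_from("<H", frame, 0)
    if fc & 0x00FC != PROBE_REQUEST_FC:  # compare type+subtype bits only, ignore flags
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[10:16])
    ssids = []
    pos = 24  # first tagged parameter
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated tag: stop rather than read past the frame
        if tag == TAG_SSID:
            ssids.append(value.decode("utf-8", "replace"))  # "" is a wildcard probe
        pos += 2 + length
    return src_mac, ssids


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit of the first octet is set, i.e. the address is not a
    vendor-assigned one. Randomized MACs set this bit; it is a hint, not proof."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def audit(frames):
    """Map each probing MAC to the sorted list of SSIDs it disclosed."""
    leaked = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        mac, ssids = parsed
        # Record the device even if it only sent wildcard (empty-SSID) probes.
        leaked.setdefault(mac, set()).update(s for s in ssids if s)
    return {mac: sorted(names) for mac, names in leaked.items()}


# Constructed sample: a fixed-MAC phone leaking two remembered networks, a device
# with a randomized-looking MAC sending only wildcard probes, and a beacon to ignore.
SAMPLE_FRAMES = [
    build_probe_request("00:11:22:33:44:55", "HomeNet"),
    build_probe_request("00:11:22:33:44:55", "CoffeeShop"),
    build_probe_request("00:11:22:33:44:55", ""),
    build_probe_request("da:a1:19:00:00:01", ""),
    struct.pack("<HH", 0x0080, 0) + b"\x00" * 20,  # beacon frame control, no body
]


def run_audit(frames=SAMPLE_FRAMES):
    return audit(frames)


if __name__ == "__main__":
    for mac, ssids in run_audit().items():
        kind = "locally administered" if is_locally_administered(mac) else "vendor-assigned"
        print(f"{mac} ({kind}) disclosed {len(ssids)} network(s): {ssids}")
```

Run it against your own phone's probes (from a monitor-mode capture of a network you own) and the list of disclosed names is exactly the list worth trimming in the steps below. Note that the wildcard-only device leaks nothing by name; it is the directed probes for remembered networks that carry the history.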

What can you do about it? Privacy countermeasures are relatively painless. First, the strongest line of defense: keep your Wi-Fi turned off when it is not in use. If your phone isn’t looking for Wi-Fi, probes aren’t being sent. And if probes aren’t being sent you are completely silent. If you have an Android device you can use Kismet Smart Wi-Fi Manager to automate this, or you can do it through the Quick Settings menu. If you are an iOS user you will have to remember to do it yourself through Settings, or the Control Center.

Next, you can limit the number of Wi-Fi networks that are stored on your device. This will help to limit the information that probe requests reveal about you. To limit these on Android devices, open Settings, then go to Wi-Fi. A list of all remembered networks will be displayed. Long-press the one you wish to get rid of, then tap “Forget”. On iOS there is no way to forget networks that you are not presently connected to. To do so you must forget all networks by resetting your network connections as described in Your Ultimate Security Guide: iOS 10.

BONUS: Keeping Wi-Fi turned off results in a dramatic improvement in battery life. Because your device is not actively probing for networks while unconnected, power is preserved. Use this reasoning on your security-resistant friends and family in the future!

Smartphone Wi-Fi Interface Security

It is no secret that your communications may be insecure (unencrypted) over Wi-Fi. This presents several opportunities for your traffic to be intercepted and exploited. First, by connecting insecurely to a router (let’s assume a free network at an airport) you give the router’s owner full, unrestricted access to your traffic. For instance, he or she can see what you are browsing on the electronic Bay – or worse, almost all of your favorite NSFW sites. Every search, every page opened, every video watched… This information is accessible to rogue employees who have access to the router’s logs. Second, you may inadvertently connect to a rogue access point, a form of man-in-the-middle attack.

An “evil twin” access point would have the same name as a legitimate one. An attacker monitoring your probes could see that your phone has previously connected to public_wifi_1207, and quickly create a network of the same name. Your phone would then connect to that network because it is “known”. Imagine the following scenario: you are sitting at LAX. You pull out your phone to find it is already connected to Wi-Fi. Do you assume that an attacker is at work? Or do you think, “oh, I must’ve connected here once before”? I’m guessing for most people, the answer is the latter. When they begin to surf the internet, their traffic is directed right into the hands of the hacker.
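The reason the phone joins the twin is that “known” is decided by SSID alone. The check below is an added example, not code from the post or from any phone vendor: it shows what a Wi-Fi manager could consult before auto-joining, namely a remembered-network profile that also records the BSSIDs and security type seen on first join. A scan result is blocked when the name matches but the security has been downgraded (for instance a remembered WPA2 network now offered as open), and held for the user when the name matches but the BSSID has never been seen. The scan results and the stored profiles are constructed sample data.

```python
"""Flag "evil twin" candidates before auto-joining a remembered network.

Added example, not part of the original post. Scan results and the
remembered-network table are constructed, not captured.
"""
from dataclasses import dataclass

# Higher rank = stronger protection; a drop in rank for the same SSID is suspicious.
SECURITY_RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa3": 4}


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str      # AP MAC address as seen in the beacon
    security: str   # one of SECURITY_RANK's keys


# Remembered networks: the BSSIDs and security type recorded when first joined.
KNOWN_NETWORKS = {
    "public_wifi_1207": {"bssids": {"00:1a:2b:3c:4d:5e"}, "security": "wpa2"},
    "HomeNet": {"bssids": {"10:20:30:40:50:60", "10:20:30:40:50:61"}, "security": "wpa2"},
    "airport_free": {"bssids": {"a0:b1:c2:d3:e4:f5"}, "security": "open"},
}


def assess(scan: ScanResult, known=KNOWN_NETWORKS):
    """Return (decision, reason) for one scan result.

    decision is one of: ignore (not remembered), block (security downgraded),
    ask (same name, unknown AP), join (matches what was remembered).
    """
    profile = known.get(scan.ssid)
    if profile is None:
        return "ignore", "not a remembered network"
    if SECURITY_RANK[scan.security] < SECURITY_RANK[profile["security"]]:
        return "block", f"security downgraded from {profile['security']} to {scan.security}"
    if scan.bssid not in profile["bssids"]:
        return "ask", "same SSID but BSSID never seen before"
    return "join", "matches remembered BSSID and security"


def review_scan(results, known=KNOWN_NETWORKS):
    """Assess every result of one scan, keyed by BSSID."""
    return {r.bssid: assess(r, known) for r in results}


# Constructed scan: the real AP, a twin of it with no encryption, an unknown
# extender at home, a twin of an open network, and a network never joined.
SAMPLE_SCAN = [
    ScanResult("public_wifi_1207", "00:1a:2b:3c:4d:5e", "wpa2"),
    ScanResult("public_wifi_1207", "de:ad:be:ef:00:01", "open"),
    ScanResult("HomeNet", "10:20:30:40:50:62", "wpa2"),
    ScanResult("airport_free", "de:ad:be:ef:00:02", "open"),
    ScanResult("CafeNet", "aa:bb:cc:dd:ee:ff", "open"),
]

if __name__ == "__main__":
    for bssid, (decision, reason) in review_scan(SAMPLE_SCAN).items():
        print(f"{bssid}: {decision:6} ({reason})")
```

The important caveat is the `airport_free` case: a twin of a network that was open to begin with cannot be caught by the downgrade check, and large venues legitimately run many access points, so an unfamiliar BSSID can only prompt a question, not a refusal. That gap is exactly why the advice in this post is to keep Wi-Fi off and to prune remembered public networks, rather than to trust auto-join.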

What can you do about it? The countermeasures for this attack are no different than they are for desktop computers. The first line of defense against any of these attacks is TLS (HTTPS). TLS stands for Transport Layer Security, and is what is commonly referred to as “SSL”. When you visit Amazon.com or your bank’s website, and a green padlock is displayed in your URL bar, you have a TLS connection. Encryption with TLS is automatic, and your traffic to and from the site is AES encrypted and cryptographically opaque.

However, it is possible for an attacker to serve you phony TLS certificates. Your browser will think your connection is secure and technically it is – but only to the attacker’s router. When working on untrusted networks you should verify that the TLS certificate is valid. I wrote in detail about how to do this recently. Verifying certificates on your phone is made much easier through an app. I use SSL Detective on my iPhone. Unfortunately SSL Detective does not exist for Android.

Next, you should use a Virtual Private Network (VPN). A VPN will protect your traffic by creating a secure “tunnel” to a remote server. This means that everything between your device and the distant server is encrypted. I like (and personally use) Private Internet Access (PIA).


PIA has extremely user-friendly apps for iOS and Android devices, as well as Windows, Mac, and Linux computers. A subscription is good for five devices, so if you get one for your phone it should cover your other devices, too. A PIA subscription costs just $40/year. If you don’t like PIA, there are plenty of other good options out there. A VPN prevents a man-in-the-middle from seeing your financial transactions, emails, browsing, and perhaps interactions of a more…personal nature.


5 thoughts on “Smartphone Wi-Fi Security”

  1. A couple questions you may know about…

    1. In the advanced settings of PIA, there is an “internet kill switch” which you have checked in the photo above. I understand what it does, however when I enable it a warning is displayed that says that using it may interfere with or reconfigure normal network settings, etc. I have not enabled it yet. Have you had any problems and can you recommend using this setting? On Mac and iPhone.

    2. I currently have PIA set up via their software on both my computer and phone and use it at all times while connected to the internet. I have been very happy with their service for quite some time now. Have you researched flash routers? Any feedback or recommendations on this setup would be appreciated, as if it would be worthwhile. https://www.flashrouters.com/vpn-types/privateinternetaccess

    1. 1. This setting can be a little tricky. I always run it because it totally, as the name suggests, kills internet connectivity if the VPN connection drops. The problems people are likely to run into are situations like logging into hotel internet. Packets from the computer are blocked until you sign in on the hotel’s website. Because the VPN can’t connect, it won’t let you on the internet to sign in – your standard Catch-22. In situations like this you can either a. open PIA’s settings, disable the kill switch, or b. exit the VPN program (my preferred technique). You can then sign into the hotel’s Wi-Fi, re-open PIA/re-enable the kill switch and you should be good to go.

       I run this setting on Windows, Mac, and Linux boxes, as well as Android phones. However the kill switch is not a selectable option on iPhone/iPad/iPod. If the program is installed and enabled, by default it will attempt to maintain its connection. Be advised also that on iOS devices some (not very many, but some) things are NEVER sent through a VPN. These include iMessage and push notifications.

       2. My first thought on the routers: those are crazy expensive! You can flash a router yourself with DD-WRT, Tomato, or pfSense and install your own OpenVPN certificate (including PIA’s OpenVPN certificates – https://helpdesk.privateinternetaccess.com/hc/en-us/articles/219457267-Can-I-use-the-Private-Internet-Access-service-with-my-router- ). Of course there is a tradeoff – DIY’ing it is cheaper financially but requires a much bigger layout of time and patience.

       Flashed routers aren’t a bad way to go. They protect a lot more of your traffic from things like smart TVs that may be unconfigurable for VPN setup, and family members that won’t use a VPN. However, they may also create some problems. If Netflix or _____.com doesn’t like your VPN… Sometimes you need an open connection. Food for thought.

       Hope that helps!
       Justin
