- Security BSides

No Packets where injured in the making of this talk.
All research results and analysis was done from the
safety of my lab with my own equipment and my own
packets and most importantly my own permission.
No packets were obtained by War Walking, War
Dining or Stroll Trolling from unauthorized networks
without permission.
Knowledge is a tool that can help or hinder society.
Please wield it responsibly.
Caution: Just because we can apply a moral and
ethical filter doesn’t mean everyone else will. Get
informed then make decisions!
Change Smart Phone Perceptions
 Wi-Fi computer with phone capabilities vs. Phone with “ apps”.
Utilize No Cost High Availability Framework
 Discuss and use free non-commercial tools from Google Play and
the Internet.
Introduce Terms and Techniques that help facilitate
discussions and awareness of mobile threats.
War Walking
War Dining
Wi-Fi Phaking
Stroll Trolling
Discuss and demonstrate remediation and mitigation
 Enterprise and personal best practices discussed.
A Smart Device - Android /Iphone
Popular Rooting Programs
A jail broke Apple I-phone will also do the trick
Wi-Fi tablets are also an effective attack vector
Some phones may not be “root-able”…yet.
Android 2.2 – Unrevoked
Android 2.3 – Revolutionary
Android 2.4 – Eris and More to Come
Iphone – Jailbreak.me
Remember your roots!
Rooting your device is accomplished by exploiting
a vulnerability and dropping a payload that allows the capability
to escalate privileges when requested.
 Pros
▪ Increased Functionality and Control
 Pen-test / Packet Acquisition tool
 Wi-Fi Tethering
 Enhanced File Management
 Screen Capture
▪ Free or Almost Free
▪ No/Little cost for apps and programs
▪ Freedom
▪ Install other Operating Systems and Custom ROMS
 (Ex. BackTrack Linux)
 Cons
▪ Support
▪ You may void your warranty and support
▪ Cost
▪ You may brick the device
Data Gathering and Analysis
Packer Sniffer – Mobile Device
Used to record packets on a network
Wi-Fi Hotspot – Mobile Device
• Mobile internet capable gateway
Data Aggregation Tool – Home Analysis
Used to find information in a capture file
▪ Time reported in early 2012, 46% of
Americans own a smart phone.
▪ Most modern data plans have data limits.
▪ Open network are highly available in
▪ Smart phones send packets like computers.
Shark for Root
Free from Google Play a.k.a. Marketplace
Used to passively sniff packets using a smart device.
Gives network and security professionals the ability to
analyze data to and from a target device.
Gives criminals the ability to gather and exploit
sensitive data of the uninformed for profit.
Pirni for IPhone
 Free on the internet – See references for link
Step 1) Turn on the Wi-Fi Functionality.
Step 2) Tell your phone to inform you of open connections.
Difficult To Detect
No backpacks or antennas
No sitting in a parked car for hours
No aircraft circling
No hot air balloon hovering
Passive sniffing so no network
anomalies or IDS detection
The act of lingering or
loitering in a geographical
area for the purpose of
gathering packets without
prior authorized over a
public wireless network
using a smart phone or
▪Walking a dog or playing with a kid at a
▪Hanging out at a mall
▪Reading on a park bench
▪Watching a movie – War Watching
▪ Eating a meal – War Dining
The unauthorized act of
gathering packets over a
public wireless network with
a smart phone or tablet while
congregating in a Wi-Fi
enabled establishment with
the intent to eat or drink.
In Walks Arpspoof!
▪ ArpSpoof is freely available on the Internet but was
pulled from Google Play earlier this year.
▪ It creates a MITM session by wait for it….spoofing
▪ It passes packets first to the device and then to the
public Wi-Fi hotspot.
▪ Packets become readable because they pass through
the phone first and then the Shark for Root capture
before being passed to the public Wi-Fi access point.
Want to take a Peek with Piik?
▪ Piik can be purchased from Google
Play for $1.99
▪ Allows images of captured and
displayed from your smart phone
▪ Easy way to confirm data is being
captured after Arpspoof is initialized.
 Packet captures (.pcap’s) need analysis
 NetWitness® Investigator 9.6 is the awardwinning interactive threat analysis software
 Free – non commercial
 Effortlessly discovers and categorizes sensitive data
Download and install Netwitness on Win Machine
Start, register, and activate the free software
Email App – Leaked AD Permissions in clear text.
 Pcap analysis found that mail synch was allowed with http and https.
 Network credential where synching many times a minute in clear text!
 Misconfiguration was identified and corrected by this analysis.
Many Apps will login in using http without users knowledge
 Angry Birds Season is phoning home
A Recipe for Trouble
1 Part – Bad Guy/Girl with Rooted/Jailbroke Phone
1 Part – Wi-Fi Tethering App
1 Part – Social Engineering
“Wi-Fi Phaking”
The act of configuring a smart phone
as a Wi-Fi hotspot using a socially
engineered naming convention like
“Free Internet” with the sole purpose
of luring devices and individuals to
join the network with the intent of
capturing and exploiting
personal/confidential data.
The act of lingering or loitering in a
specific geographical location
usually densely populated using a
“Phaked” Wi-Fi connection with the
intent of enticing unsuspecting
individuals and devices into joining
that network with the intent of
capturing and exploiting clear text
data leaked from the device.
• Name Mobile Wi-Fi Hotspot “Lions Free
Wi-Fi” at the Detroit game.
• Name Mobile Wi-Fi Hotspot “Free
Internet” at the Mall or crowded area.
• Name Mobile Wi-Fi Hotspot “GM Free
Internet” when in the Renaissance Center.
So now that we know what can
be done, how do we fix it?
Three categories of corrective action:
1) (Good) Personal - Free
2) (Better) Personal - Low Cost
3) (Best) Enterprise Level – Higher Cost
1) Policy/Behavioral Change:
Turn off Wi-Fi when in public areas if not
This stops your device from auto-connecting
to open available Hot Spots.
2) Use https vs http whenever possible if
you are going to use a open Wi-Fi.
However, not the best solution because
data is still leaked.
Ex. DNS and Apps are still clear text
3) Paradigm shift - Treat a open connection
as a public terminal.
Do not perform sensitive searches and
perform private confidential tasks like
banking while joined to an open Wi-Fi
connection unless absolutely necessary.
Assume all actions are being watched and
Use your mobile Wi-Fi hotspot with
WPA2 and > 10 character password
for you tablet or laptop to join instead
of the joining an available public
hotspot when in public.**
**This may quickly exhaust your data plan.
Use and inexpensive VPN service with your
mobile devices which encrypts data from a
public Wi-Fi hotspots.
VPN services as low as $3 dollars a month.
Ex. IBVPN – Around $37 a year.
Cheaper than purchasing extra data from your
mobile provider.
Encrypts all data to and from the public
hotspot once active once active including
DNS and App data.
Easy to configure the Encrypted Tunnel
Renders War Walking, War Dining, and Stroll
Trolling ineffective once VPN is active.
Free VPN management applications available in
the App Store and Google Play. (Ex. 5VPN)
Same account can be shared by any of your
mobile devices including laptops, tablets, and
Some Mobile Device Attack Vectors
Malware - Infections
MITM - War Walking, War Dining
Remote Access to Resources
MITM - War Walking, War Dining, Stroll
Theft/Forgery – Stolen/Lost phone
Categorization and Management of Smart Devices
Smart phones are mini computers with phone
Should be place firmly in the Remote Access
Domain and be treated like work issue laptops
and tablets.
This means SSL, Certificates and Corporate
VPN solutions should be administered for all
interactions with corporate resources.
If possible segregate the Mobile Wi-Fi
Network from the rest of the corporate
Funnels all data back inside corporate
walls which means that it can be analyzed
for data leakage and compliance.
Allows ACLs, Group Policy and Proxies to
be applied on some level to enrich security
and compliance on these devices.
Remember: We have a computer in our pocket that can make
phone calls instead of a phone with applications installed.
Public Wi-Fi points can be dangerous if one does not understand
what is at stake. Armed with just a little knowledge and
technology one can practice safe surfing when using these public
Ask everyone you know if they have heard the following terms
and explain to them what they mean. This helps the less
technologically savvy friends and family to understand the
threats associated with using Public Wi-Fi access points:
War Walking
War Dining
Wi-Fi Phaking
Stroll Trolling
Thank You!
[email protected]
Twitter Handle: RabidSecurity
If you tried to join the Phaked access point during this
conference…what data would your device leaked in clear text.
How much and what sensitive data does your device leak?
Are you taking precautions to safeguard your data?
Do you run a VPN solution on Public Wi-Fi?
Revolutionary: S-OFF & Recovery Tool. (2012). Retrieved Feb
10,2012 from http://revolutionary.io- rooting software for android usually
for Android 2.3 phones
Unrevoked – set your phone free. (2012). Retrieved Feb 10,2012 from
http://unrevoked.com/ - rooting software for android usually for Android
2.2 phones
Shark for Root. (2012) Retrieved Feb 11, 2012 from
http://market.android.com/details?id=lv.n3o.shark&hl=en – Used to
passively sniff and record packets from an android device
Pirni for IPhone. (2012) Retrieved March 5, 2012 from
http://apt.thebigboss.org/repofiles/cydia/debs2.0/pirni_1.1.1.deb – Used to
passively sniff and record packets from a Jail broke IPhone
Time Business - Nearly 50% of Americans Own Smartphones;
Android, iPhone Dominate (3-1-2012). Retrieved on March 5, 2012
from http://business.time.com/2012/03/01/nearly-50-of-americans-ownsmartphones-android-iphone-dominate/
Netwitness Investigator (2012)- Retrieved March 13, 2012 from
Invisible Browsing VPN(2012)- Retrieved March 27, 2012 from
Android Robot Blender Model - Retrieved January, 1 2012 from

similar documents