Recently a reader asked me to write a post about the implications of the Cellular, Wi-Fi, Bluetooth, and Near Field Communication (NFC) radios in smartphones, and the privacy and security implications of each. I will, and it will be in several parts. Today I am going to cover smartphone Wi-Fi security and privacy. I’m sure you’ve heard that you should leave your smartphone Wi-Fi turned off when it’s not in use – but why?
Smartphone Wi-Fi Interface Privacy
Wi-Fi is perhaps one of the most dangerous interfaces on your device. There are three reasons for this. First, Wi-Fi broadcasts information about you. Not only are these data points “real time” – they are also historical. Next, the communications you perform over Wi-Fi may (or may not) be secure, and are easily tampered with. Finally, the biggest contributor to this danger is Wi-Fi’s ubiquity and convenience. Wi-Fi is used constantly, and constantly left on. I will first address the privacy risks of leaving Wi-Fi on.
Your Wi-Fi can be used to track your location. It can also be used to track your historic locations. Here’s how: when your phone is not connected to Wi-Fi, it is constantly “looking” for networks it “knows”. This “looking” is done through probe requests, small radio transmissions that attempt to establish contact with a known network. These contain several things, chief among them your phone’s MAC (Media Access Control) address. The MAC address is a unique device ID that can be used to track you by keeping tabs on all the Wi-Fi networks that “see” your phone’s probe requests. One company was recently caught running this kind of exploitation as a revenue stream! Passive Wi-Fi receivers can be set up to observe probe requests, filter them by MAC, and chart users around a store, shopping mall, or an entire city.
The other tasty morsel of information found in your probe requests is your SSID (Service Set Identifier). The SSID is your network’s name – the one that your router broadcasts. The problem here is that your SSID reveals where you’ve been. If you routinely connect to Wi-Fi networks and neglect to remove them from your phone’s stored list of “known” networks, chances are you have scores of networks in your phone. These can show where you shop, dine, work, and live. Most of these networks can probably be cross-referenced with a geolocation through services like Wigle.net. The number and nature of Wi-Fi networks paint a detailed picture of your digital and physical lives. They can also help an attacker easily defeat MAC randomization.
MAC randomization is a technique employed by iOS and Windows 10 devices. When your phone is sending probe requests, a pseudorandom MAC (rather than your true MAC) is placed in the request, in an attempt to anonymize your probe requests. MAC randomization has been defeated through a number of techniques: a Google search for “MAC randomization” reveals far more failures than successes, and this white paper [.pdf] discusses defeating MAC randomization in detail. Moreover, a big set of Wi-Fi SSIDs revealed in your probe requests can quickly undermine any semblance of privacy granted through MAC randomization.
What can you do about it? Privacy countermeasures are relatively painless. First, the strongest line of defense: keep your Wi-Fi turned off when it is not in use. If your phone isn’t looking for Wi-Fi, probes aren’t being sent. And if probes aren’t being sent you are completely silent. If you have an Android device you can use Kismet Smart Wi-Fi Manager to automate this, or you can do it through the Quick Settings menu. If you are an iOS user you will have to remember to do it yourself through Settings, or the Control Center.
Next, you can limit the number of Wi-Fi networks that are stored on your device. This will help to limit the information that probe requests reveal about you. To limit these on Android devices, open Settings, then go to Wi-Fi. A list of all remembered networks will be displayed. Long-press the one you wish to get rid of, then tap “Forget”. On iOS there is no way to forget networks that you are not presently connected to. To do so you must forget all networks by resetting your network connections as described in Your Ultimate Security Guide: iOS 10.
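As an added example (not code from the original post), here is a small Python audit that parses constructed probe-request observations, groups each burst by the set of SSIDs it asks for, and shows why a long list of remembered networks links randomized MACs back together while a pruned list does not. The log line format, the MACs and the SSIDs are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample of passive probe-request observations (not real capture
# output; the line format is an assumption). One line per probe burst:
# time, transmitter MAC, and the SSIDs the phone asked for by name.
SAMPLE_LOG = """\
12:00:01 da:a1:19:00:11:22 ssids=HomeNet,CoffeeCo_Guest,AcmeCorp-Staff,GymWifi
12:00:03 3a:7c:02:44:55:66 ssids=CoffeeCo_Guest
12:00:07 02:5b:e0:13:37:01 ssids=HomeNet,CoffeeCo_Guest,AcmeCorp-Staff,GymWifi
12:00:09 7e:90:41:aa:bb:cc ssids=CoffeeCo_Guest
12:00:12 fa:00:12:de:ad:01 ssids=CoffeeCo_Guest
12:00:15 e6:41:77:00:00:09 ssids=HomeNet,CoffeeCo_Guest,AcmeCorp-Staff,GymWifi
12:00:20 00:1a:2b:3c:4d:5e ssids=HomeNet,CoffeeCo_Guest,AcmeCorp-Staff,GymWifi
"""

LINE_RE = re.compile(r"^(\S+) ([0-9a-fA-F:]{17}) ssids=(\S*)$")


def is_randomized(mac: str) -> bool:
    """Randomized MACs set the locally-administered bit (0x02 in the first
    octet); vendor-assigned hardware MACs leave it clear."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_log(text: str):
    """Return a list of (time, mac, frozenset_of_ssids); malformed lines are skipped."""
    bursts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, mac, ssids = m.groups()
        bursts.append((ts, mac.lower(), frozenset(s for s in ssids.split(",") if s)))
    return bursts


def privacy_report(text: str):
    """Group bursts by the exact SSID set (the fingerprint that survives MAC
    randomization) and report, per fingerprint, how many bursts and distinct
    MACs it links and whether any burst leaked a fixed hardware MAC."""
    profiles = defaultdict(list)
    for ts, mac, names in parse_log(text):
        profiles[names].append((ts, mac))
    report = {}
    for names, hits in profiles.items():
        macs = {mac for _, mac in hits}
        report[names] = {
            "ssid_count": len(names),
            "bursts": len(hits),
            "distinct_macs": len(macs),
            "fixed_macs": sorted(m for m in macs if not is_randomized(m)),
        }
    return report
```

The four-SSID fingerprint ties four bursts with four different MACs to one phone, and its single non-randomized burst pins that whole profile to a hardware address; the bursts asking only for CoffeeCo_Guest cannot be told apart from one another.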
BONUS: Keeping Wi-Fi turned off results in a dramatic improvement in battery life. Because your device is not actively probing for networks while unconnected, power is preserved. Use this reasoning on your security-resistant friends and family in the future!
Smartphone Wi-Fi Interface Security
First, it is no secret that your communications may be insecure (unencrypted) over Wi-Fi. This presents several opportunities for your traffic to be intercepted and exploited. For one, by connecting insecurely to a router (let’s assume a free network at an airport) you give the router’s owner full, unrestricted access to your traffic. For instance, he or she can see what you are browsing on the electronic Bay – or worse, almost all of your favorite NSFW sites. Every search, every page opened, every video watched… This information is accessible to rogue employees who have access to the router’s logs. Also, you may inadvertently connect to a rogue access point, a form of man-in-the-middle attack.
An “evil twin” access point would have the same name as a legitimate one. An attacker monitoring your probes could see that your phone has previously connected to public_wifi_1207, and quickly create a network of the same name. Your phone would then connect to that network because it is “known”. Imagine the following scenario: you are sitting at LAX. You pull out your phone to find it is already connected to Wi-Fi. Do you assume that an attacker is at work? Or do you think, “oh, I must’ve connected here once before”? I’m guessing for most people, the answer is the latter. When they begin to surf the internet, their traffic is directed right into the hands of the hacker.
What can you do about it? The countermeasures for this attack are no different than they are for desktop computers. The first line of defense against any of these attacks is TLS (HTTPS). TLS stands for Transport Layer Security, and is what is commonly referred to as “SSL”. When you visit Amazon.com or your bank’s website, and a green padlock is displayed in your URL bar, you have a TLS connection. Encryption with TLS is automatic, and your traffic to and from the site is AES encrypted and cryptographically opaque.
However, it is possible for an attacker to serve you phony TLS certificates. Your browser will think your connection is secure and technically it is – but only to the attacker’s router. When working on untrusted networks you should verify that the TLS certificate is valid. I wrote in detail about how to do this recently. Verifying certificates on your phone is made much easier through an app. I use SSL Detective on my iPhone. Unfortunately SSL Detective does not exist for Android.
You can and should use a Virtual Private Network (VPN). A VPN will protect your traffic by creating a secure “tunnel” to a remote server. This means that everything between your device and the distant server is encrypted. I like (and personally use) Private Internet Access (PIA).
PIA has extremely user-friendly apps for iOS and Android devices, as well as Windows, Mac, and Linux computers. A subscription is good for five devices, so if you get one for your phone it should cover your other devices, too. A PIA subscription costs just $40/year. If you don’t like PIA, there are plenty of other good options out there. A VPN prevents a man-in-the-middle from seeing your financial transactions, emails, browsing, and perhaps interactions of a more…personal nature.