CAT | Wi-Fi
Apple is getting taken to task for a couple of security issues.
First, their recently announced “Random MAC address” feature does not appear to be as effective as expected. The idea is that the iOS 8 device will use randomly generated MAC addresses to ping WiFi base stations when it is not actively connected to a WiFi network. This allows your phone to identify known networks and to use WiFi for enhanced location information without revealing your identity or allowing you to be tracked. Unfortunately the MAC only changes when the phone is sleeping, which is really rare with all the push notifications happening all the time. The effect is that the “random” MAC addresses are changed relatively infrequently. The feature is still good, but needs some work to be actually very useful.
Second, people are noticing their passwords showing up in Apples iOS 8 predictive keyboard. The keyboard is designed to recognize phrases you type frequently so it can propose them to you as you type, thus speeding message entry. The problem is that passwords often follow user names, and may be typed frequently. Research is suggesting that the problem is from websites that fail to mark their password fields. Apple is smart enough to ignore text in known password fields, but if it does not know that it is a password, then the learning happens. It is not clear that this is Apple’s fault, but it is still a problem for users. Auto-fill using the latest version of 1Password should protect against this.
News just broke of a new feature in iOS 8 announced at Apple’s WWDC which was not covered in the big keynote. Advertisers and retail outlets have been using Wi-Fi to track mobile devices for some time. I talked about a network of Wi-Fi tracking trashcans last year in the podcast.
This works because, by default, most mobile devices are constantly on the lookout for Wi-Fi networks. The device communicates with visible base stations to see if they are known, if they are secure, and what they are called. That communication reveals the MAC address of the device’s Wi-Fi.
Like the address on your house, your phone number, or IP addresses, MAC addresses are globally unique identifiers. Everything that can speak Wi-Fi has its own individual MAC address. This makes it a great hook for tracking. If someone sets up a bunch of Wi-Fi base stations, most mobile devices going by will try to connect, giving it their MAC address. By looking at the pattern of those connections, the device can be tracked.
More sophisticated solutions have even used signal strength to triangulate the location of devices within a small area.
The big news is that Apple is going to randomize the MAC addresses of iOS 8 devices when they are probing for networks. If the device were to probe network base stations A, B, and C they would all see different MAC addresses and think that they were tracking different devices. The iPhone or iPad would still use its real MAC when establishing a full connection, but would not provide it to all of the networks it only probes but never actually uses.
This is a really small change which provides significant privacy gains. It is similar to the decision Apple made to use randomized IPv6 addresses by default, rather than ones which uniquely identify the computer or mobile device.
Of course, Apple is also working hard to track us all with iBeacons at the same time….
Back in 2010 I blogged about Google’s legal troubles over capturing sensitive open Wi-Fi data with their Street View cars.
In a nutshell, Google was accused of violating the federal Wiretap Act when it intercepted the data on open Wi-Fi networks it passed. The purpose was to capture just the MAC addresses of the base stations to improve their enhanced location services. It appears that recording small amounts of data was accidental. Certainly if they were trying to collect data, they could easily have grabbed much more.
Google lost that case and is now appealing to the Supreme Court, hoping to overturn the decision.
Obviously it was inappropriate for a company like Google to drive around sniffing people’s Wi-Fi traffic, but they are not really the threat. What we all need to be worried about is hackers war driving our neighborhoods, either using our networks to hide their illegal activities, or capturing our personal information for their own purposes.
Whatever the legal outcome of whether it is “OK” to sniff someone’s open Wi-Fi traffic, the reality is that people do, and doing so is trivial. Anyone with a laptop can download free software and be sucking down all the Internet activity in their local coffee shop in just minutes. I think laws like this give a false sense of security. It is like saying that, as you walk down the sidewalk, you can not look in through your neighbor’s big picture window at night when they leave the curtains open.
Thinking that people are “not allowed” to sniff your open Wi-Fi just gives a false sense of security. What we need to do is make sure that ALL Wi-Fi is securely encrypted. Even public Wi-Fi should be encrypted, even if the password is “password” and is posted prominently on the wall. Using encryption changes the situation from looking though a window as you walk by to drilling a peep hole through the wall.
None of should be in denial about this. Open Wi-Fi is insecure. It will be sniffed.
If you find yourself in a situation where you have to use an open Wi-Fi hotspot, for whatever reason, make sure you immediately establish a VPN to protect yourself. I might be biased, but I use Anonymizer Universal for this purpose.
Welcome to the 12th episode of The Privacy Blog Podcast brought to you by Anonymizer.
In September’s episode, I will talk about a court ruling against Google’s Wi-Fi snooping and the vulnerabilities in the new iPhone 5s fingerprint scanner. Then, I’ll provide some tips for securing the new iPhone/iOS 7 and discuss the results of a recent Pew privacy study.
Hope you enjoy – feel free to add questions and feedback in the comments section.
Welcome to Episode 11 of The Privacy Blog Podcast, brought to you by Anonymizer.
In this episode, I’ll discuss the shutdown of secure email services by Lavabit and Silent Circle. In addition, we’ll dive into the problem with hoarding Bitcoins and how you can protect yourself while using the increasingly popular online currency. Lastly, I’ll chat about whether teens actually care about online privacy and an ad agency’s shocking decision to use high-tech trash cans to measure Wi-Fi signals in London.
Please leave any questions or feedback in the comments section. Thanks for listening.
Welcome to our November 2012 podcast. In this episode, I’ll be talking about the tactics websites use to charge one customer more than a customer in a different city, state, or country. After that, I’ll discuss the dangers of using the Internet while on the road – as many of you are likely to do this holiday season.
Don’t miss our video showing how your Facebook account can be compromised on an unsecured connection. Follow this link to Anonymizer’s site and select ‘Video 2’.
Download the transcript here.
CNET’s Declan McCullagh reports on Microsoft restricting access to their Wi-Fi geolocation database shortly after this CNET article describing how to track devices using such databases. I have written about these databases before here, here, and here. Specifically Microsoft is preventing users from querying for the location of a single Wi-Fi device by specifying just one MAC addresses. Prior to the change it was possible to track an individual phone or laptop by querying for the location of that device’s MAC address.
CNET describes a test where they were able to track a device as it moved around Columbus Ohio. This would indicate that the underlying database is updated in near real time, and that it is collecting on mobile devices as well as on the fixed Wi-Fi base stations it is supposed to catalog for enhanced location services.
Tracking mobile devices can only harm the accuracy of enhanced GPS location services because they move around and could potentially give misleading information. It would be easy to eliminate such devices from the database because the type of device is discoverable from the MAC address they are collecting.
While there is no reason to track mobile devices for enhanced GPS, there are all kinds of less savory reasons to gather and track this kind of information. I note that Microsoft’s solution is to prevent access to this individualized tracking information about mobile devices rather than to stop collecting it…..
This is really just an automation of something we demonstrated in the Anonymizer Labs section of our website a while back.
Reuters reports that the Google admits that its Street View vehicles captured much more WiFi data than previously reported. It appears that they managed to capture entire emails and passwords among other information.
People are vilifying Google about this, but I am not going to get on that bandwagon. The reality is that they did this accidentally, but the architecture of WiFi allows any bad guy to do the same thing intentionally. Google did not “hack” in to these WiFi communications, they simply configured their WiFi cards to accept all packets flying by them through the air in the clear. Anyone sitting in a Starbucks, driving around town with a laptop in the passenger seat, or in a thousand other ways could intentionally capture and maintain much more information and with it do significant damage.
The take away from this is that you need to take precautions when using open public WiFi. Full VPN technologies like Anonymizer Universal ensure that when (not if) someone sniffs your traffic they will not be able to get any of your personal information.
One of the reasons interception of insecure passwords is so scary is the tendency for people to use the same passwords for many accounts. While you might not care if someone hacks in to your social network or news account, if you use the same password attackers might use it to log in to your bank or email.
We discovered a major security hole in Facebook almost by accident. The exploit is so trivial I can’t justify calling it hacking. Any time you are on an open WiFi and accessing Facebook, anyone else on the same network can easily grab your credential and access Facebook as you with full access to your account.