A key finding is that some of the most widely used mobile device platforms today have a specific process for connecting to previously used WiFi access points (or SSIDs). They save them in something called a “Preferred Network List” or PNL. When you turn on the WiFi option on your device, or if it is left on, the device may go through the PNL and attempt to contact, by name, the previously connected access points. This makes it very easy for users to use WiFi in the same locations over and over, say at home or at the office.
But bad folks could also see the device's connection attempts and try to impersonate those networks by setting up their own access point with the same name. These fictitious access points could trick a user’s device into connecting to the attacker’s network, which then captures and manipulates its traffic to launch additional, more advanced attacks. What is at risk includes, for example, corporate server names, application logins or corporate data itself.
Raúl Siles gave an in-depth presentation in March at RootedCON2013 on these topics, tools, and mobile platform specifics. The slides are available here: http://www.slideshare.net/rootedcon/ral-siles-wifi-why-ios-android-and-others-fail-inexplicably-rooted-con-2013
Not all of the mobile device platforms are exposed to this vulnerability. Windows Phone is exempt and BlackBerry 7 has a setting to disable SSID broadcasting.
Quick overview of the recommendations:
– Deploy configuration profiles with corporate WiFi settings, where the highest validation is enforced.
– Do not use hidden SSIDs.
– Private certificates are better than public ones.
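One way to check a profile against these recommendations before deploying it, as an added example that is not from the presentation or the original post. It assumes an Apple-style configuration profile (a plist with a `com.apple.wifi.managed` payload and its `HIDDEN_NETWORK`, `TLSTrustedServerNames`, `PayloadCertificateAnchorUUID` and `TLSAllowTrustExceptions` keys); the SSID, server name and UUID are constructed sample values.

```python
import plistlib

WIFI_TYPE = "com.apple.wifi.managed"  # Wi-Fi payload type in Apple configuration profiles

def build_profile(hidden, eap):
    """Build a constructed sample profile holding one Wi-Fi payload."""
    wifi = {"PayloadType": WIFI_TYPE, "SSID_STR": "CorpWiFi-Example",
            "HIDDEN_NETWORK": hidden, "EncryptionType": "WPA2",
            "EAPClientConfiguration": eap}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [wifi]})

# Constructed samples: a weak profile and a corrected one.
WEAK = build_profile(True, {"AcceptEAPTypes": [25], "TLSAllowTrustExceptions": True})
HARDENED = build_profile(False, {
    "AcceptEAPTypes": [25],
    "TLSTrustedServerNames": ["radius.corp.example"],
    "PayloadCertificateAnchorUUID": ["00000000-0000-0000-0000-000000000001"],
    "TLSAllowTrustExceptions": False,
})

def audit_wifi_profile(profile_bytes):
    """Return (ssid, finding) tuples for every Wi-Fi payload in the profile."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != WIFI_TYPE:
            continue
        ssid = payload.get("SSID_STR", "<unnamed>")
        # A hidden network forces the client to ask for the SSID by name.
        if payload.get("HIDDEN_NETWORK", False):
            findings.append((ssid, "hidden SSID configured"))
        eap = payload.get("EAPClientConfiguration")
        if eap is None:
            findings.append((ssid, "no 802.1X/EAP settings, server cannot be validated"))
            continue
        if not eap.get("TLSTrustedServerNames"):
            findings.append((ssid, "no trusted server names listed"))
        if not eap.get("PayloadCertificateAnchorUUID"):
            findings.append((ssid, "no pinned CA anchor certificate"))
        # Flag anything other than an explicit False, without relying on defaults.
        if eap.get("TLSAllowTrustExceptions") is not False:
            findings.append((ssid, "trust exceptions not explicitly disabled"))
    return findings

if __name__ == "__main__":
    for name, blob in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_wifi_profile(blob))
```

The audit can confirm that a CA anchor is pinned, but not whether that CA is private; that still has to be checked against the certificate payload itself.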
We shall see whether the rumored upcoming iOS 7 or Android 4.2 releases resolve issues like this while retaining good usability alongside stronger security.