Man-in-the-middle attacks demoed on 4 smartphones

Man-in-the-middle attacks demoed on 4 smartphones

Summary: Security researchers test four smartphones (Nokia N95, Windows HTC tilt, Android G1 and Apple iPhone 3G S) and demonstrate man-in-the-middle attacks conducted through compromised Wi-Fi spots.


Security researchers from SMobile Systems have released a paper detailing successful man-in-the-middle attacks against several smartphones.

The SSL enabled log in sessions on the tested, Nokia N95, HTC Tilt, Android G1 and iPhone 3GS devices was sniffed using the publicly available SSLstrip tool, with the attack taking place over insecure Wi-Fi network, now prevalent literally everywhere.

Here's the scenario they used, and possible mitigation approaches:

"The attacker visits the same cafe that offers a free Wi-Fi hotspot and decides to employ basic host, network identification and enumeration tools from the laptop to enumerate all the active devices connected to the Wi?Fi hotspot. From the results, the attacker notices a MAC address referring to a Nokia smartphone. The attacker know that there is little to no detection capabilities present on an overwhelming majority of smartphone’s in use today, so the owner would likely never find out about a successful man-in-the-middle- attack (MITM).

The well-informed attacker creates a successful MITM attack. In the meantime, the smartphone owner accesses the online bank website and enters the login credentials required to gain access to the banking information. In this scenario, all of the communication between the smartphone and the online bank site is routed through the attacker’s machine and the attacker can see the login details in plain text, as well as can capture all the sites accessed by the victim."

The awareness-raising test aims to educate users on approaching convenient and free, public Wi-Fi networks with caution, emphasizing on how their mobile service provider's 3G connection, or the one offered by a trusted Wi-Fi network should always be considered as their first choice.

Anyway, just how insecure or susceptible to compromise are the majority of Wi-Fi networks found on high-trafficked locations such as airports or international cities? The answer is sadly, self-evident with data backing it up available publicly.

Last year, AirTight Networks conducted a major wireless network security study by visiting 14 airports (11 in the U.S and 3 in the Asia-Pacific) and found out that a huge percentage of the 478 Wi-Fi Access Points analyzed are either open, or using outdated encryption protocols. Even more interesting was the fact that users were falling victims to "viral" Wi-Fi networks using descriptive and lucrative names seeking to establish legitimacy.

The prevalence of such "handy", but easy to compromise Wi-Fi networks internationally, is virtually the same. For instance, similar wardriving tests conducted in Paris; Santiago, Chile; China; Monterrey — Mexico, Sao Paulo – Brazil, Caracas (Venezuela), Warsaw, and London offer similar insights into the "security" of such public networks.

Possible mitigation practices? According to Marlinspike, the author of the tool:

"Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping. This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves."

How often do you face the trade-off of using a public, and possible insecure Wi-Fi hotspot, for the sake of convenience instead of sticking to your 3G data plan, even when traveling abroad?

Have you ever avoided using your mobile device and instead used your laptop at an airport, due to your host-based firewall's better ARP filtering features -- if any -- enabling the detecting of changed MAC address for a (trusted) gateway network adapter in order to detect possible MItM attempts?

How EV SSL-aware is your E-banking provider, especially if you're E-banking over a mobile device? Or do you simply "VPN-and-forget" over a public Wi-Fi network?


Topics: Networking, Mobility, Security, Smartphones, Wi-Fi

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • So basically

    If you don't notice that HTTPS has been disabled
    on the login page of your bank and proceed to
    enter your credentials anyways, you become
    vulnerable to a MITM attack.

    What's the problem, exactly? It only takes a split
    second to look at the address bar.
  • Laptops are much the same

    There isn't much difference in protection of most laptops then there is in smartphones. I have witnessed mac address modification based Man-In-The-Middle attack on a wireless lan which contained only laptops/desktops. The attack lasted for a good 12 days, and nobody on the network actually noticed anything, including the operator of the network.

    It's more an issue of user awareness and securing then just mobile phones.

    Spirovski Bozidar
  • Don't buy a phone that needs WiFi

    Just another reason why not to buy a phone that needs WiFi to communicate, because its carrier doesn't have widespread 3G.

  • RE: Man-in-the-middle attacks demoed on 4 smartphones

    Actually AirTight did our survey in two parts and visited 26 airports worldwide. No matter where we went we found the same bad practices among travellers, the same amount of viral infections and the same amount of core systems using poor or no encryption. YOu can find the results here.

    You need to keep that WiFi turned off on your phone the same way you would keep your radio on your laptop turned off unless you are actually using it. Generally, I do not use WiFi for anything important but even surfing the Web can be a problem if you have sensitive data on your desktop.
  • RE: Man-in-the-middle attacks demoed on 4 smartphones

    I do not buy anything over my smartphone and do not check my banking online. I just feel safer on a notebook. Waiting a few hours or days to buy something does not bother me.

    Is the notebook totally safe? No. But it is a lot safer (with proper spyware and anti-virus and personal precautions) than a smart-phone.
    • This isn't about hacking the device and giving people viruses.

      It's about a problem with WiFi communications, and
      affects any device that uses them.
      • Wider issue even ?

        (1) Isn't this a problem with any multipoint network, including Comcast (granted, the risk increases with the number of points on a "hub")?

        (2) If I get it well, the risk is currently limited to people who type "<pre></pre>" in the URL field rather than "<pre></pre>", as <b>http:</b> will be tried first, be intercepted, etc.

        (3) But can't the next-generation attacker just get a cheap certificate (why give a real address anyway) and simulate the https: traffic? As long as the cert is from a known chain of trust, the end-user would have to check the certificate without being prompted ... And the potential payback from such an operation appears to be worth the investment.

        If so, this is rather bad.
        • I think most browsers give different indications for SSL and EV-SLL.

          And I really doubt an attacker will have any luck
          spoofing the EV-SSL certificate of a major
          financing website.
  • RE: Man-in-the-middle attacks demoed on 4 smartphones

    Well done! Thank you very much for professional templates and community edition
    <a href="">sesli sohbet</a> <a href="">sesli chat</a>