Re: Be careful with your iPhone.

John Kim wrote:
> 2. Use of untrusted wireless access point: how many of us used a
> wireless connection at a cafe or someone else's random open access
> point? When I first heard the story about the iPhone vulnerability, I
> was mostly curious how its WiFi was being used to exploit the it. All
> they need is to create a simple web proxy between the access point and
> the internet to add the desired JavaScript to every page retrieved
> through it. Now, even if you only visit known trusted sites, it's being
> routed through unknown untrusted link.

It's worse than that.

I'm actually reasonably comfortable sitting down in a cafe and using
their wireless. There isn't a lot of incentive for an established
business to invent some elaborate proxy system to attempt to steal your
credit card number; they get plenty of credit card numbers handed to
them over the counter every day. A business that steals them won't last
very long.

A threat that I think is more likely and more pernicious is a nefarious
access point publishing the SSIDs of a trusted network. For example, it
would be possible for a hacker to sit in a cafe in West Berkeley
somewhere, get internet access through the cafe's WAP, and publish his
laptop as providing wireless with a SSID of "AirBears". People with
laptops who are set up to connect to AirBears would automatically
connect to his laptop, and the proxy attack mentioned above would be
feasible. This could be implemented with little investment by someone
with an incentive to steal your information, and it could be quite
difficult to track down.

-- 
Tom Holub (tom_at_LS.Berkeley.EDU, 510-642-9069)
Director of Computing, College of Letters & Science
249 Campbell Hall
<http://LS.berkeley.edu/lscr/>

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu/

Messages you send to this mailing list are public and world-viewable,
and the list's archives can be browsed and searched on the Internet.
This means these messages can be viewed by (among others) your bosses,
prospective employers, and people who have known you in the past.