Security researchers at Skycure have discovered another weakness in smartphone security, and it could affect you regardless of whatever security measures you have taken personally. Most smartphone operating systems, iOS and Android included, can “remember” the SSIDs and passwords of Wifi networks you have joined with your smartphone, and will automatically connect to those networks the next time you are in range. Skycure alleges that at least one major carrier, if not all of them, also pre-programs certain SSIDs into phones straight from the factory, ostensibly to give customers a convenient connection to carrier-hosted or sponsored Wifi hotspots. For example, AT&T iPhones allegedly ship with the “attwifi” SSID preprogrammed and will supposedly join that network automatically, presumably the one used in AT&T’s retail storefronts, whenever they come across it.
Here’s why this is bad: hackers could spoof any SSID that you’ve set your smartphone to remember and auto-connect to, and they’ve got a straight shot at your phone. Normally this wouldn’t be much of a problem, because it requires guessing which SSIDs are stored on your phone and then getting close enough to that phone with the spoofed Wifi network. But with a factory-installed SSID like the one above, it would be trivial to sit in a crowded mall or any high-traffic walkway, scanning for AT&T iPhones, knowing that some, if not all, will auto-connect to a fake “attwifi” SSID without the owner ever being aware that they just got hacked.
What this means for you:
This exploit seems to be fairly new, and though Skycure claims to have seen it happening in the wild, it’s not widespread, yet. The best course of action is to disable the “autoconnect” setting for any wifi network you have used with your mobile device, whether it is a smartphone, tablet or laptop. It will mean a few seconds of inconvenience any time you are out and about and trying to get internet access, but it may mean the difference between keeping your cellphone secure and getting it hacked.
UPDATE: By default, Android phones store the SSIDs and passwords of any wifi network you add to your phone, and automatically connect to that network whenever it is in range. There is NO way to disable the autoconnect functionality in the native Android settings. However, you can use an app to control automatic connections. I am currently testing this app, which is “free” but ad-supported. I’ve not tested it long enough to give a recommendation, but it does allow you to toggle the autoconnect functionality on or off per hotspot. On iOS devices, the only way to natively disable the “auto-join” feature is to actually connect to one of the pre-defined hotspots, e.g., visit a local AT&T store, and then turn “Auto-join” off for that particular network.
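To make the advice above concrete, here is an added example (my own code, not from the original post, Skycure or any carrier) that audits a list of saved Wi-Fi profiles and reports which ones should have auto-join disabled. It reads `network={ ... }` blocks in wpa_supplicant.conf syntax, which is the format Android’s Wi-Fi stack used for saved networks; the sample configuration is constructed for this example, and only the “attwifi” name comes from the post. The example ranks open networks (`key_mgmt=NONE`, no passphrase) as the highest risk, because a hotspot with no key can be impersonated by broadcasting the same name, whereas a protected network also needs the passphrase; that prioritization is this example’s own reasoning, not a claim from the post.

```python
"""Audit saved Wi-Fi profiles for auto-join exposure.

Added example: parses network={...} blocks in wpa_supplicant.conf syntax
and flags entries a phone would join on its own. SAMPLE_CONF is a
constructed sample; "attwifi" is the SSID named in the post.
"""
import re

# Constructed sample: three saved networks in wpa_supplicant.conf syntax.
SAMPLE_CONF = """
network={
    ssid="attwifi"
    key_mgmt=NONE
    priority=2
}
network={
    ssid="HomeNet"
    psk="correct horse battery staple"
    key_mgmt=WPA-PSK
    priority=5
}
network={
    ssid="CoffeeShop"
    key_mgmt=NONE
    disabled=1
}
"""

_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)


def parse_networks(conf):
    """Return one dict of key/value pairs per network={...} block."""
    nets = []
    for body in _BLOCK.findall(conf):
        entry = {}
        for line in body.strip().splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip().strip('"')
        nets.append(entry)
    return nets


def classify(entry):
    """Risk label for one saved network.

    'high'   : open network, auto-join enabled; anyone broadcasting the
               same SSID can lure the device onto their access point.
    'medium' : protected network, auto-join enabled; the name alone is not
               enough to impersonate it, but auto-join is still on.
    'ok'     : entry marked disabled=1, the device will not join it unasked.
    """
    if entry.get("disabled") == "1":
        return "ok"
    # wpa_supplicant defaults key_mgmt to WPA-PSK WPA-EAP when it is absent.
    modes = entry.get("key_mgmt", "WPA-PSK WPA-EAP").upper().split()
    has_wep = any(k.startswith("wep_key") for k in entry)
    if "NONE" in modes and not has_wep:
        return "high"
    return "medium"


def audit(conf):
    """Map SSID -> risk label for every saved network in conf."""
    return {n.get("ssid", "<no ssid>"): classify(n) for n in parse_networks(conf)}


def recommendations(conf):
    """SSIDs whose auto-join should be switched off, highest risk first."""
    report = audit(conf)
    order = {"high": 0, "medium": 1}
    return sorted(
        (ssid for ssid, risk in report.items() if risk != "ok"),
        key=lambda ssid: (order[report[ssid]], ssid),
    )


if __name__ == "__main__":
    for ssid, risk in audit(SAMPLE_CONF).items():
        print(f"{ssid:12s} {risk}")
    print("disable auto-join for:", recommendations(SAMPLE_CONF))
```

On a rooted Android device of that era the real file lived under the Wi-Fi data directory; on a laptop you can feed the script whatever your supplicant or network manager exports. The point of the report is the ordering: the open, factory-style hotspot comes first, which is exactly the entry the post says to turn auto-join off for.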