Zimperium's Anti for Android

PIN apps: Hacking on the hoof

'Grey hat' apps are a new phenomenon in software that enable street hackers to delve into your smartphone and access your data, and more besides.

Wireless analysis applications are plentiful across Windows, Mac and Linux operating systems. Netstumbler, PRTG Network Monitor, and Wireshark – all do the same sort of job. However, lugging around a laptop is not as easy as toting a slimline smartphone. Now the open nature of Google's Android, coupled with the immense portability of smartphones, has created a new genre of wireless apps that do everything the laptop applications do, but on a wider scale.

Since the end of 2011, after the release of version 4.x and 5.x of the feature-rich Apple portable operating system known as iOS, a number of wireless analysis apps have started appearing on the iPhone and iPad platforms. Conspiracy theorists have attributed the arrival of interrogative Wi-Fi network apps for the Apple portable operating system platform to the passing of former CEO Steve Jobs; but it seems that the powerful upgrade of iOS 5.x in October 2011 has given programmers the ability to dive deep into the iPhone and iPad's innermost workings to launch a species of so-called Prosumer Interrogative Network (PIN) apps.

Three of these new apps – SharkforRoot (Android), SubNetInsight (iOS) and Fing (Android and iOS) – also differ from their desktop peers in covering several network analysis bases on an all-in-one basis. To use a Western movie analogy, these apps can be used for 'white hat' hacking and network analysis, as well as 'black hat' hacking and cyber criminality – a development that marks a new cause for concern among the mobile security sector.

Rooting out the limitations

This new generation of smartphone apps often requires a 'rooting' of the device to give software privileged control (known as 'root access') on the Google Android platform. The idea behind rooting is that it overcomes the limitations that cellular carriers and hardware manufacturers impose on some portable devices, allowing hackers to alter or replace system applications and settings, as well as running specialised apps that require administrator-level permissions. On the Android platform, however, rooting can also support the complete removal and replacement of the device's operating system; no mean feat.

These 'swing both ways' Wi-Fi analysis apps give a smartphone user the ability to secrete a handset in their pocket or purse, walk right into the target premises, and – while they appear to be making or taking a call – actually be penetration-testing the network from inside the network perimeter.

From a white- or black-hat hacking perspective, this is a major step forwards. It means that while a local IT security manager might be suspicious of a site visitor using a high-powered laptop in the firm's coffee lounge to run what appears to be network analysis software, for example, no one is going to bat an eyelid if a visitor stands in the foyer 'checking their email' on a smartphone.

The problem is that most organisations have spent a fortune defending against external attack, normally defined as IP-based transmissions from outside the company network and firewall. The idea that someone could attack your network wirelessly is totally new to many IT security professionals. Until recently, most apps required users to log into the wireless network – and if the IT security manager routinely allows access to the firm's network, one could argue that they get what they deserve.

There is a grey area when it comes to public access wireless networks such as those in coffee shops, railway stations, fast-food restaurants, airports and public libraries, which often form part of a national network (indeed, there are calls for them to assume a more integral role in this regard). With these Wi-Fi networks, the router is normally configured to allow all users to authenticate to the IP network and then access a controlled Web session that typically limits Internet access until they log in via the service's Web portal.

Prior to logging in via the controlled Web portal, this means that users cannot access the full Internet. They can often, however, use an app such as SubNetInsight to snoop around on the router's peered IP sessions and, where appropriate, open up an HTTP session into the device concerned.

It is usually possible, for example, to open up an HTTP session into an IP-connected printer, from where – if you were so inclined – you could insert a printer firmware update containing malicious code, allowing Internet users gateway access to the corporate network.

If this sounds far-fetched, it is worth noting that security researcher Ang Cui demonstrated this very hacker methodology at the Black Hat briefings in Las Vegas at the end of 2011 (take a look on YouTube: http://bit.ly/z43M5a).

Scanning for Wi-Fi networks

While it is possible to use interrogative apps like Fing and SubNetInsight to explore devices hooked up to a public access Wi-Fi network – this reporter was able to interrogate a fellow shopper's Android handset and access a shop's printer while out shopping at an out-of-town UK shopping centre at the end of last year, for example – you do need to find the wireless access points that are available in the first place. For this you can use supplementary apps such as Network Discovery for Android, which has the advantage of not requiring the smartphone or tablet computer to be rooted.

There is also the free Android network toolkit known as Anti, from Israeli company Zimperium (an iOS version is now in development). As you would perhaps expect from an Israeli-sourced app, Anti supports automated tools to carry out penetration testing tasks on insecure wireless networks, running scans to discover open networks, locating devices on those networks, and then determining vulnerabilities on the peered devices.

Moreover, once the vulnerabilities have been identified, the app runs exploits from the Metasploit and ExploitDB applications to gain partial or complete access to the device, since they can use the software's brute force password cracking facility – complete with downloadable dictionaries – to gain access.

If this sounds too powerful for a humble smartphone processor, it is important to understand that many apps are actually pay-per-use gateway applications allowing smartphone users to leverage Internet-based resources to carry out the serious processing work. This is where Zimperium's cloud-based systems come into play, with Anti giving users seamless access to its servers to complete the cracking process, in return for a fee of $10 for 20 exploit analyses, or $50 for 200 analyses.

If your Android device is rooted, then you can run an app called DroidSheep, which is named after the FireSheep plug-in for the Firefox browser that allows hijacking of social networking sessions on services such as Facebook and Twitter. DroidSheep takes the interesting approach of analysing encrypted IP network traffic and looking for patterns that identify encrypted (SSL, or secure sockets layer) sessions on sites such as Facebook, Twitter and Wordpress.

Turning the smartphone into a Wi-Fi honeypot

One hacking technique that moves Wi-Fi network cracking to a whole new level is the use of a rooted Android device to operate an ad hoc Wi-Fi hot spot. It is also possible to use any Android device – running Android 2.2 or later – to do this, but the software flexibility is more limited. Assuming you have inserted a 3G data SIM into the handset, you can then use an app such as SharkforRoot that logs all the IP data flowing across the Wi-Fi connection to the smartphone's SD card.

Analysis of the data stored on the SD card will then yield all manner of user credentials, although it should be remembered by E&T readers in the UK that creating a wireless honeypot – as such systems are known in IT security circles – is almost certainly an offence under sections of the Computer Misuse Act (CMA) 1990.

But is the use of an app – such as SubNetInsight on an Apple iPhone or Fing (available on iOS and Android) – to analyse the IP traffic of a public access Wi-Fi hotspot on, for example, The Cloud network an offence? After all, you are only loading software that is available on commercial app stores – SubNetInsight, for example, was developed as a network analysis utility by BlueSwine Inc, a Japanese software vendor – and then running the software on an out-of-the-box basis; but on the new app frontier, it may not be that straightforward.

Legal pedants may argue that, since the software is supplied by Apple's iTunes store, and you are passively using it on a public access Wi-Fi base station in your local shopping mall, then you are doing nothing legally untoward.

According to Professor Peter Sommer, a leading IT security expert and expert witness in IT-related court cases – and whose experience dates back to the 1980s – this is a moot point; and, while it is arguable from a defence standpoint that the use of an interrogative Wi-Fi app is not an offence under the Computer Misuse Act, it is still something of a grey area, especially with regard to apps and allied cloud- (or Internet-) based services.

"The reality is that the 1990 Act was designed before these services were developed - the Act was written when most computer users were sat at a terminal," Sommer says, adding that "the success or failure of a prosecution is down to what the court will infer were your intentions when using the app and/or cloud-based allied service and interpretations of the word 'use' in relation to unauthorised access. That might amount to a Section 1 offence."

Is it a hacking tool?

Professor Sommer, who is a visiting reader at the Open University and former visiting professor at the London School of Economics and Political Science, goes on to say that part of the CMA makes reference to hacking tools. However, he observes, is a Wi-Fi discovery app on a smartphone or tablet computer a hacking tool as defined under section 3A: 'Making, supplying or obtaining articles for use in offence under section 1 or 3'?

From a legal perspective, the case is arguable either way, although this journalist – after reporting on computer and IT security matters for some 27 years – predicts that a legal test case is likely to be seen in the near future, especially given the fact that there are now millions of smartphones in active usage in the UK. 
