
New WiFi standard could pose major security threat warns Fortify

Fortify Software has warned that the proposed WiFi Direct standard - which will allow WD-enabled WiFi devices to link with each other on an ad-hoc basis - poses a potentially serious security threat to companies with WiFi networks.

Richard Kirk, Fortify's European director, said that, whilst most companies have now installed defences against attacks and unauthorized accesses to their wireless networks, these defences normally centre on the wireless access point.

"The WiFi Direct standard - which is due to be ratified next year - means that almost any WiFi device will be capable of supporting a peer-to-peer connection, so bypassing the wireless access point and most of the company's networking security," he said.

"Put simply, unless a portable device - such as an iPhone or smartphone - has got robust security on board, as well as applications that are secure against hacking, then an unauthorised person could establish a peer-to-peer connection directly and launch an internal attack on the company's network," he added.

According to Kirk, whilst the bulk of netbooks and laptops have adequate security in place to combat this form of back door hacking, mobile devices rarely have robust enough code to stop ‘network nasties’ such as SQL injections and the like. Companies are now putting more applications on their mobile devices; however, these applications will often have security vulnerabilities that can be exploited by criminals unless a) the developers are trained in secure coding practices and b) the code has been reviewed by competent, technology-equipped security practitioners.

And, he explained, with WiFi-enabled devices such as the iPhone having a vast library of ‘home-brew’ software (apps) available - which Apple has not approved - there is a strong chance of a back door into a company's network being exploited via a ‘jailbroken’ iPhone.

Jailbreaking, says Kirk, is the term for an unlocked iPhone that is then able to run one of the many tens of thousands of non-Apple approved applications available on the Internet.

"The problem with these applications is that, as they are often ‘home-brew’ in nature, they have had no code audits carried out on them and are about as secure as a paper bag in a hurricane," he said.

"And if hackers can establish a peer-to-peer connection with a smartphone inside a company, they then have a foothold with which to gain unauthorised access to the company network from the other side of the firewall and security software," he added.

Richard Kirk’s comment follows the Wi-Fi Alliance announcement press release which is published below verbatim:

Wi-Fi Alliance® announces groundbreaking specification to support direct Wi-Fi connections between devices

Upcoming Wi-Fi CERTIFIED™ Wi-Fi Direct program will make it easy to connect devices directly to one another in a new kind of Wi-Fi network

Wi-Fi devices will soon be able to connect in a new way that makes it more simple and convenient than ever to do things like print, share and display. The Wi-Fi Alliance is nearing completion of a new specification to enable Wi-Fi devices to connect to one another without joining a traditional home, office, or hotspot network. The Wi-Fi Alliance expects to begin certification for this new specification in mid-2010, and products which achieve the certification will be designated Wi-Fi CERTIFIED Wi-Fi Direct.

The specification, previously code-named "Wi-Fi peer-to-peer," can be implemented in any Wi-Fi device, from mobile phones, cameras, printers, and notebook computers, to human interface devices such as keyboards and headphones. Significantly, devices that have been certified to the new specification will also be able to create connections with hundreds of millions of Wi-Fi CERTIFIED legacy devices already in use. Devices will be able to make a one-to-one connection, or a group of several devices can connect simultaneously.

"Wi-Fi Direct represents a leap forward for our industry. Wi-Fi users worldwide will benefit from a single-technology solution to transfer content and share applications quickly and easily among devices, even when a Wi-Fi access point isn't available," said Wi-Fi Alliance executive director Edgar Figueroa. "The impact is that Wi-Fi will become even more pervasive and useful for consumers and across the enterprise."

The specification targets both consumer electronics and enterprise applications, provides management features for enterprise environments, and includes WPA2® security. Devices that support the specification will be able to discover one another and advertise available services. Wi-Fi CERTIFIED Wi-Fi Direct devices will support typical Wi-Fi ranges and the same data rates as can be achieved with an infrastructure connection, so devices can connect from across a home or office and conduct bandwidth-hungry tasks with ease.

"With Wi-Fi technology already shipping in millions of consumer electronics devices and handsets every year, this is a terrific innovation for the industry," said Victoria Fodale, senior analyst and market intelligence manager at In-Stat. "Empowering devices to move content and share applications without having to join a network brings even more convenience and utility to Wi-Fi-enabled devices."

The Wi-Fi Alliance plans to publish its peer-to-peer specification upon completion, and will begin certifying devices for the Wi-Fi Direct designation in 2010. Only Wi-Fi Alliance member companies will be able to certify devices to the new specification.

http://www.wi-fi.org/

• Date: 23rd Oct 2009 • Region: World • Type: Article • Topic: ISM news
Copyright 2010 Portal Publishing Ltd