News
New WiFi Direct standard could pose major security threat
20 November 2009
Software security specialist Fortify Software has warned that
the proposed WiFi Direct standard, which will allow WiFi devices to link
with each other on an ad-hoc basis, poses a potentially serious security
threat to companies with WiFi networks.
Fortify's European director Richard Kirk said that, whilst most
companies have now installed defences against attacks and unauthorised
access to their wireless networks, these defences normally centre on
the wireless access point.
"The WiFi Direct standard — which is due to be ratified next year —
means that almost any WiFi device will be capable of supporting a
peer-to-peer connection, so bypassing the wireless access point and
most of the company's networking security," he said.
"Put simply, unless a portable device — such as an iPhone or
smartphone — has got robust security on board, as well as applications
that are secure against hacking, then an unauthorised person could
establish a peer-to-peer connection directly and launch an internal
attack on the company's network," he added.
According to Kirk, whilst the bulk of netbooks and laptops have
adequate security in place to combat this form of back-door hacking,
mobile devices rarely have robust enough code to stop network nasties
such as SQL injection and the like.
Companies are now putting more applications on their mobile devices.
However, these applications will often have security vulnerabilities
that can be exploited by criminals unless:
- the developers are trained in secure coding practices; and
- the code has been reviewed by competent, technology-equipped
security practitioners.
And, he explained, with WiFi-enabled devices such as the iPhone
having a vast library of 'home-brew' software (apps) available — which
Apple has not approved — there is a strong chance of a back door into a
company's network being exploited via a 'jailbroken' iPhone.
Jailbreaking, says Kirk, is the term for an unlocked iPhone that is
then able to run one of the many tens of thousands of non-Apple approved
applications available on the Internet.
"The problem with these applications is that, as they are often
'home-brew' in nature, they have had no code audits carried out on them
and are about as secure as a paper bag in a hurricane," he said.
"And if hackers can establish a peer-to-peer connection with a
smartphone inside a company, they then have a foothold with which to
gain unauthorised access to the company network from the other side of
the firewall and security software," he added.