Recently, I have been getting a little tremulous. I can remember the excitement when my mother first discovered the mobile banking app on her smartphone. It was a great relief that she did not have to go to the bank anymore. She used to get stuck in the serpentine queue to withdraw money. That was a headache. Now she transfers money, buys anything or makes payments in the grocery store in the blink of an eye.
It is super cool and super hot at the same time. And things started to get alarming. Am I a Goliath frog belonging to the Jurassic age? Am I as blind as a bat, unable to see the headway in mobile technology? Or, as an ethical hacker, have I become fidgety and uneasy just because researchers find security flaws in mobile applications almost every other day?
My mother does not understand host-to-host network communication. She does not care how data travels over a network, and she hardly cares about the old OSI model with its seven layers of data communication. She does not care a fig about the sniffer tools that are easily available for obtaining important information sent from a target system.
However, we professional penetration testers do care a damn, and we have become concerned about these little technical facts.
There are two types of sniffing: passive and active. A passive sniffer only listens to and captures traffic. It is especially useful on shared media such as hubs or Wi-Fi. Active sniffing launches Address Resolution Protocol (ARP) spoofing or a traffic-flooding attack against a switch in order to capture traffic. Passive sniffing is hard to detect; active sniffing is detectable.
On hubs or wireless media (Wi-Fi), all hosts on the network can see all traffic, which makes the sniffer's life much easier. A passive sniffer can capture traffic going to and from every host connected via the wireless medium.
Almost every smartphone uses Wi-Fi in one way or another. My mother uses it too, and probably your mothers do as well. They simply hate the idea of using a desktop or laptop connected to the Internet through a LAN cable. Those seem horrible to them.
However, a wired LAN connection is always more secure than Wi-Fi.
Why? A switch works in a different way. It forwards data according to the MAC address (the hardware or physical address of the computer). It is much more organised: it maintains a MAC table of every connected system and the port it is attached to. For this reason, a switch is always safer than a hub or Wi-Fi. However, it is not totally foolproof. A SPAN port or port mirroring can duplicate all data to another port. Unencrypted protocols are always susceptible to a sniffer. Unfortunately, most smartphone users do not use proper encryption, or use broken encryption. With a sniffer you can easily capture protocols such as HTTP, POP3, Simple Network Management Protocol (SNMP) and FTP. Usernames and passwords can also be extracted by sniffing.
Once I tried to explain these little facts to my mother; she stood up, anger rising, and I stopped quickly. I sensed she could throw the book she was reading. But, believe me, this threat is looming up out of the dark. Researchers agree on one point — about one-third of smartphone users have problems with insecure communication or Wi-Fi. In many mobile applications, data storage is not secure, and nor are the authorisation controls.
Then what happens? In the normal case, a system reads and responds only to traffic addressed to its own MAC address. However, switching the Network Interface Card (NIC) to promiscuous mode changes the game altogether.
Many hacking tools put the system's NIC into promiscuous mode. In promiscuous mode, the NIC reads all traffic and hands it to the sniffer. Many hacking tools also ship a specially designed promiscuous-mode driver that facilitates the sniffing process.
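A defender can check for exactly this state. The following Python script is an added example, not part of the original column: on Linux the kernel exposes each interface's flags in /sys/class/net/<iface>/flags (bit 0x100 is IFF_PROMISC) and logs "entered promiscuous mode" / "left promiscuous mode" when a driver toggles the mode. The log lines and flag values below are constructed samples; the sysfs path and the two kernel message formats are real, but everything else (function names, the interface names) is assumed for illustration.

```python
"""Added example: spot a NIC in promiscuous mode from Linux interface flags
and from kernel log lines. Sample values below are constructed."""
import os
import re

# Subset of IFF_* bits from linux/if.h (values are the kernel's own constants)
IFF_FLAGS = {
    0x1: "UP",
    0x2: "BROADCAST",
    0x8: "LOOPBACK",
    0x40: "RUNNING",
    0x100: "PROMISC",
    0x1000: "MULTICAST",
}
IFF_PROMISC = 0x100


def decode_flags(text):
    """Turn the hex string from /sys/class/net/<iface>/flags into flag names."""
    value = int(text.strip(), 16)
    return [name for bit, name in sorted(IFF_FLAGS.items()) if value & bit]


def is_promiscuous(text):
    """True when IFF_PROMISC is set in the flags value."""
    return bool(int(text.strip(), 16) & IFF_PROMISC)


# Older kernels log "device eth0 entered promiscuous mode";
# newer ones log "eth0: entered promiscuous mode". Accept both.
PROMISC_LOG = re.compile(r"(?:device )?(\S+?):? (entered|left) promiscuous mode")


def promisc_events(log_lines):
    """Return (interface, 'entered'|'left') tuples in log order."""
    events = []
    for line in log_lines:
        match = PROMISC_LOG.search(line)
        if match:
            events.append((match.group(1), match.group(2)))
    return events


def currently_promiscuous(log_lines):
    """Replay the events and report interfaces still in promiscuous mode."""
    state = {}
    for iface, what in promisc_events(log_lines):
        state[iface] = (what == "entered")
    return sorted(iface for iface, on in state.items() if on)


def scan_sysfs(root="/sys/class/net"):
    """Linux only: interfaces whose live flags file has IFF_PROMISC set.
    Returns an empty list on systems without sysfs."""
    found = []
    if not os.path.isdir(root):
        return found
    for iface in os.listdir(root):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                if is_promiscuous(fh.read()):
                    found.append(iface)
        except OSError:
            continue  # virtual entries without a flags file
    return sorted(found)


# Constructed sample of dmesg output (interface names are hypothetical)
SAMPLE_LOG = [
    "[   12.345678] r8169 0000:02:00.0 eth0: Link is Up",
    "[  901.001234] device eth0 entered promiscuous mode",
    "[  902.500000] wlan0: entered promiscuous mode",
    "[  950.000000] device eth0 left promiscuous mode",
]

if __name__ == "__main__":
    print("flags 0x1103 ->", decode_flags("0x1103"))
    print("still promiscuous per log:", currently_promiscuous(SAMPLE_LOG))
    print("promiscuous now per sysfs:", scan_sysfs())
```

A sniffer that relies on promiscuous mode leaves this trace on the host it runs on; it tells you nothing about a sniffer on a different machine sharing the same Wi-Fi, which is exactly why the passive case is called hard to detect.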
Dissecting technical details
When data travels over the network, header information is added to the beginning of the data. There are two kinds of header: the IP header, which contains the source and destination IP addresses, and the MAC header, which contains the source and destination MAC addresses. IP addresses are necessary for routing traffic to the correct IP network. MAC addresses assure one thing — that, once on the destination network, the data is delivered to the correct host.
In a normal situation, a host receives the data intended for it and never receives data intended for another host. A sniffer, however, can receive data not intended for it. And here the Address Resolution Protocol (ARP) plays a major role in how data travels over the network.
How does ARP work?
To reach another host, a host needs its MAC address, although the IP address is the first necessity. ARP translates the IP address into the MAC address so that the host can deliver to the proper address. If the host has talked to the other host before, it first searches its ARP cache for the MAC address. If it finds no entry, it broadcasts an ARP request asking which host owns that IP address.
What the attacker does is apparently simple: it sends fake or spoofed ARP messages onto the Ethernet LAN. These frames carry false MAC addresses, enough to confuse network devices such as switches, and they allow packets to be sniffed. Alternatively, traffic can be directed to an unreachable address, which you know as a denial of service (DoS) attack. We call it ARP spoofing or poisoning.
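The two header layers described above and the ARP poisoning that abuses them can be made concrete in a small detector. The Python below is an added example, not code from the original column: it decodes the MAC header, the IP header and the ARP body of raw Ethernet frames, remembers the first MAC address seen for each IP, and raises an alert when a later ARP reply claims the same IP for a different MAC (the classic sign of poisoning). The frames are constructed in the script itself, with hypothetical addresses, so nothing is captured from or sent to a real network; the header layouts follow the standard Ethernet, IPv4 and ARP formats.

```python
"""Added example: decode Ethernet/IPv4/ARP headers and flag ARP replies that
rewrite an IP-to-MAC binding. All frames below are constructed test input."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame):
    """MAC header: 6-byte destination, 6-byte source, 2-byte EtherType."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(payload):
    """IP header: source address at offset 12, destination at offset 16."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    return {"src": ip_str(payload[12:16]), "dst": ip_str(payload[16:20])}


def parse_arp(payload):
    """ARP body for Ethernet/IPv4: opcode, sender MAC/IP, target MAC/IP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def summarize(frame):
    """(src MAC, dst MAC, src IP, dst IP) for an IPv4 frame, else None."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != ETHERTYPE_IPV4:
        return None
    ip = parse_ipv4(eth["payload"])
    return (eth["src"], eth["dst"], ip["src"], ip["dst"]) if ip else None


class ArpWatch:
    """Keeps the first MAC learned for each IP and reports contradictions."""

    def __init__(self):
        self.bindings = {}   # ip -> mac from the first reply seen
        self.alerts = []

    def observe(self, frame):
        eth = parse_ethernet(frame)
        if eth["ethertype"] != ETHERTYPE_ARP:
            return None
        arp = parse_arp(eth["payload"])
        if arp is None or arp["oper"] != ARP_REPLY:
            return None
        alert = None
        if arp["sha"] != eth["src"]:   # ARP sender MAC should match the frame source
            alert = f"{arp['spa']}: ARP sender {arp['sha']} differs from frame source {eth['src']}"
        known = self.bindings.get(arp["spa"])
        if known is None:
            self.bindings[arp["spa"]] = arp["sha"]
        elif known != arp["sha"]:
            alert = f"{arp['spa']} moved from {known} to {arp['sha']}"
        if alert:
            self.alerts.append(alert)
        return alert


# Builders for constructed test frames only (never transmitted)
def make_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    eth = struct.pack("!6s6sH", target_mac, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp


def make_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, src_ip, dst_ip)
    return eth + ip


# Hypothetical addresses (locally administered MACs, private/documentation IPs)
GATEWAY_MAC = bytes.fromhex("020000000001")
PHONE_MAC = bytes.fromhex("02000000000a")
OTHER_MAC = bytes.fromhex("020000000099")
GATEWAY_IP = bytes([192, 168, 1, 1])
PHONE_IP = bytes([192, 168, 1, 10])
REMOTE_IP = bytes([203, 0, 113, 5])

SAMPLE_FRAMES = [
    make_arp_reply(GATEWAY_MAC, GATEWAY_IP, PHONE_MAC, PHONE_IP),  # genuine gateway answer
    make_ipv4_frame(PHONE_MAC, GATEWAY_MAC, PHONE_IP, REMOTE_IP),  # ordinary IP traffic
    make_arp_reply(OTHER_MAC, GATEWAY_IP, PHONE_MAC, PHONE_IP),    # same IP, different MAC
]


def run_watch(frames=SAMPLE_FRAMES):
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_watch():
        print("ALERT:", alert)
```

The binding table is a heuristic: an IP that legitimately moves to a new device (DHCP reuse, a replaced router) also produces an alert, so the check is a prompt to investigate rather than proof of an attack. Tools such as arpwatch apply the same idea to live traffic.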
Search for common vulnerabilities of mobile applications on the Internet and you will find tons of reports. When mobile applications use a third-party Application Programming Interface (API) to communicate over the network, it is always scarier. You have no control over those APIs, and you never know what types of vulnerabilities they are adding to your smartphone. So the risk is high.
I have convinced my mother to keep a minimum balance in her savings account. What else can I do? She finds mobile banking very easy. It is actually easy and surprisingly scary at the same time!
letters@tehelka.com