Fortify Software, the application security vulnerability specialist, has warned that the proposed WiFi Direct standard - which will allow WD-enabled WiFi devices to link with each other on an ad-hoc basis - poses a
potentially serious security threat to companies with WiFi networks.
Richard Kirk, Fortify’s European director, said that, whilst most companies have now installed defences against attacks and unauthorized accesses to their wireless networks, these defences normally centre on
the wireless access point.
“The WiFi Direct standard - which is due to be ratified next year - means that almost any WiFi device will be capable of supporting a peer-to-peer connection, so bypassing the wireless access point and
most of the company’s networking security,” he said.
“Put simply, unless a portable device - such as an iPhone or smartphone - has got robust security on board, as well as applications that are secure against hacking, then an unauthorised person could
establish a peer-to-peer connection directly and launch an internal attack on the company’s network,” he added.
According to Kirk, whilst the bulk of netbooks and laptops have adequate security in place to combat this form of back door hacking, mobile devices rarely have robust enough code to stop network nasties such as SQL Injections and the like. Companies are now putting more applications on their mobile devices, however these applications will often have security vulnerabilities that can be exploited by criminals UNLESS a) the developers are trained in secure coding practices and b) the code has been reviewed by competent, technology-equipped security practitioners.
And, he explained, with WiFi-enabled devices such as the iPhone having a vast library of `home-brew’ software (apps) available - which Apple has not approved - there is a strong chance of a back door into a
company’s network being exploited via a jailbroken iPhone.
Jailbreaking, says Kirk, is the term for an unlocked iPhone that is then able to run one of the many tens of thousands of non-Apple approved applications available on the Internet.
“The problem with these applications is that, as they are often `home-brew’ in nature, they have had no code audits carried out on them and are about as a secure as a paper bag in a hurricane,” he said.
“And if hackers can establish a peer-to-peer connection with a smartphone inside a company, they then have a foothold with which to gain unauthorised access to the company network from the other side of
the firewall and security software,” he added.
