Free Newsletter
Register for our Free Newsletters
Access Control
Deutsche Zone (German Zone)
Education, Training and Professional Services
Government Programmes
Guarding, Equipment and Enforcement
Industrial Computing Security
IT Security
Physical Security
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor
ProSecurityZone Sponsor

WiFi Direct Standard contains security flaw

Fortify : 21 October, 2009  (Technical Article)
Fortify is calling for changes to the proposed new standard concerning WD-enabled WiFi Devices to prevent a potentially serious vulnerability
Fortify Software, the application security vulnerability specialist, has warned that the proposed WiFi Direct standard - which will allow WD-enabled WiFi devices to link with each other on an ad-hoc basis - poses a potentially serious security threat to companies with WiFi networks.

Richard Kirk, Fortify's European director, said that, whilst most companies have now installed defences against attacks and unauthorized accesses to their wireless networks, these defences normally centre on the wireless access point.

'The WiFi Direct standard - which is due to be ratified next year - means that almost any WiFi device will be capable of supporting a peer-to-peer connection, so bypassing the wireless access point and most of the company's networking security,' he said.

'Put simply, unless a portable device - such as an iPhone or smartphone - has got robust security on board, as well as applications that are secure against hacking, then an unauthorised person could establish a peer-to-peer connection directly and launch an internal attack on the company's network,' he added.

According to Kirk, whilst the bulk of netbooks and laptops have adequate security in place to combat this form of back door hacking, mobile devices rarely have robust enough code to stop network nasties such as SQL Injections and the like. Companies are now putting more applications on their mobile devices, however these applications will often have security vulnerabilities that can be exploited by criminals Unless a) the developers are trained in secure coding practices and b) the code has been reviewed by competent, technology-equipped security practitioners.

And, he explained, with WiFi-enabled devices such as the iPhone having a vast library of `home-brew' software (apps) available - which Apple has not approved - there is a strong chance of a back door into a company's network being exploited via a jailbroken iPhone.

Jailbreaking, says Kirk, is the term for an unlocked iPhone that is then able to run one of the many tens of thousands of non-Apple approved applications available on the Internet.

'The problem with these applications is that, as they are often `home-brew' in nature, they have had no code audits carried out on them and are about as a secure as a paper bag in a hurricane,' he said.

'And if hackers can establish a peer-to-peer connection with a smartphone inside a company, they then have a foothold with which to gain unauthorised access to the company network from the other side of the firewall and security software,' he added.

Bookmark and Share
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
   © 2012
Netgains Logo