What do you get when you cross thousands of iPhone users, hundreds of Wi-Fi nodes across dozens of networks, and no network security? Lots of snarfed passwords from what could be as few as a handful of ne’er-do-wells who know what to look for.
If you’re an iPhone user headed towards the Macworld Conference and Expo, I’ll see you there, but I hope I won’t see your passwords floating through the air. The iPhone – and Mac OS X and all other major operating systems designed for personal computers and mobile phones – doesn’t secure data sent over Wi-Fi by default. Rather, the operating system and hardware makers assume that you will layer your own security on top.
Most users aren’t aware they need to add security on top of their in-transit data, and I’ve tried to be Johnny Wi-Fi Security Seed – if I’m not stretching the king of Applejack’s reputation too far – in spreading the word on simple ways you can ensure your passwords and data aren’t sucked in while walking around. You can read an in-depth article I wrote several months ago for Macworld about the iPhone and its security limitations or scan the following tips. (A few obscure VPN flaws mentioned in the article have been fixed in subsequent iPhone updates since the article was written last summer.)
Fundamentally, every network connection you make over an iPhone or a laptop via Wi-Fi when roaming away from home is insecure unless the particular program you’re using or network connection has been designed to include encryption or overlaid with some secure elements. (At home, you might enable WPA Personal encryption on your network, which reliably protects the data from snoopers who don’t have the network password.)
Protect Email Passwords and Contents — The iPhone tries to be good. When you set up a new email account using the prefabricated partner email host options in iPhone’s Mail preferences, or when you add an email account manually, Apple’s procedure is to use an encrypted connection unless one isn’t available. (Yahoo Mail’s push service for the iPhone secures its passwords but sends the contents of your messages in the clear.)
Email passwords are often sent in the clear by default, which means that without adding encryption on top, someone could access your password. Mail programs and mail servers, like Web servers, use SSL/TLS to tunnel data without allowing a snooper a position to intercept what’s being sent. Almost all mail software, including Apple’s iPhone Mail and Mac OS X Mail, includes support for SSL/TLS connections.
Most but not all Internet service providers offer SSL/TLS for sending (SMTP) and receiving (POP3/IMAP) email. It may be worth forwarding email to Gmail or another service that offers encrypted POP, IMAP, and SMTP while traveling if your ISP’s own mail servers don’t support encryption. (Here’s a detailed article on how secured email works and why to use it.)
You can protect just your email password by using APOP (Authenticated POP) with ISPs that support that protocol. Using APOP, each time you retrieve messages your mail client creates a unique hash of your password that the server, knowing your password as well, can confirm. The iPhone doesn’t offer APOP support, but many mail programs include it as a legacy option.
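The APOP exchange described above, as an added example that is not from the article: the server greeting carries a one-time timestamp, the client answers with the MD5 of that timestamp joined to the password, and the server recomputes the same value from its stored copy. Host, user and password values are constructed.

```python
import hashlib
import hmac
import re
import secrets
import time

# Added example, not code from the article: an APOP (RFC 1939) exchange with
# both sides. The server greeting carries a one-time <pid.clock@host> timestamp;
# the client sends MD5(timestamp + password) rather than the password itself.

def apop_greeting(hostname: str) -> str:
    """Server banner with a fresh timestamp (hostname is a constructed value)."""
    return f"+OK POP3 ready <{secrets.randbelow(10**6)}.{int(time.time())}@{hostname}>"

def extract_timestamp(greeting: str) -> str:
    """Pull the <...> token out of the banner; no token means no APOP support."""
    match = re.search(r"<[^>]+>", greeting)
    if match is None:
        raise ValueError("greeting carries no APOP timestamp; fall back to SSL/TLS")
    return match.group(0)

def apop_digest(timestamp: str, password: str) -> str:
    """The value the client sends: hex MD5 of timestamp concatenated with password."""
    return hashlib.md5((timestamp + password).encode("utf-8")).hexdigest()

def client_apop_command(greeting: str, username: str, password: str) -> str:
    """Client side: build 'APOP <user> <digest>' bound to this connection's greeting."""
    return f"APOP {username} {apop_digest(extract_timestamp(greeting), password)}"

def server_verify(greeting: str, command: str, secrets_db: dict) -> bool:
    """Server side: recompute the digest from the stored password and compare.

    The server must hold the cleartext password (or an equivalent), which is one
    reason APOP is now a legacy option. A digest captured from one session does
    not verify against a different greeting, because the timestamp changes.
    """
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP" or parts[1] not in secrets_db:
        return False
    expected = apop_digest(extract_timestamp(greeting), secrets_db[parts[1]])
    return hmac.compare_digest(expected, parts[2])

if __name__ == "__main__":
    banner = apop_greeting("mail.example.net")
    cmd = client_apop_command(banner, "alice", "correct horse")
    print(cmd, server_verify(banner, cmd, {"alice": "correct horse"}))
```

Only the password is protected this way; the messages themselves still travel in the clear unless SSL/TLS is used.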
If your ISP requires your password for sending outgoing email – as most do – that password is frequently sent in the clear if SSL/TLS isn’t used.
Keep Insecure Web Surfing Private — When you’re browsing Web sites that don’t use encryption to protect your sessions, a sniffer on the same network can monitor all your activity. Banking sites nearly always use SSL/TLS for entire sessions, while ecommerce sites may limit SSL/TLS to your account login and the checkout phase.
It used to be fine to be sanguine and say, well, I have no secrets; if my password is protected during login to a site – as many firms like Yahoo and Google offer – what do I care if the session is in the clear? That was an attitude one could take before sidejacking was defined.
Sidejacking is a way of grabbing the account token sent by sites like Google that enable your browser to maintain a continuous session as you request pages. That token, stored as a cookie that your browser sends on each transaction, can be grabbed through in-the-clear Web surfing, as is typical for sites that don’t involve financial details, medical information, or other private transactions. The token may last minutes, days, or years, depending on the security model chosen by the site’s developers.
An account token doesn’t let someone decode your password, but it can allow them access to your current session, which they can hijack on the side. This lets them send email as if it came from your account, receive and read your messages, and, on security-poor Web sites, ask the site to send your password to their email address with little effort. (For more details, read my article “Sidejack Attack Jimmies Open Gmail, Other Services,” 2007-08-27.)
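An added check, not from the article, for the cookie-based tokens discussed above: given a site’s raw response headers, list every cookie the browser will also send over plain HTTP (that is, any cookie set without the Secure attribute) together with how long it lasts, since those are the tokens that travel in the clear. The headers, cookie names and values are constructed.

```python
# Added example, not code from the article. Constructed Set-Cookie headers
# standing in for a response from one's own site; names and values are invented.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SID=constructed-session-token; Path=/; Domain=.example.com; Expires=Wed, 13 Jan 2010 22:23:01 GMT
Set-Cookie: prefs=lang=en; Path=/
Set-Cookie: SSID=constructed-https-only-token; Path=/; Secure; HttpOnly
"""

def parse_set_cookie(value: str):
    """Split one Set-Cookie value into (name, cookie_value, {attribute: value})."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs

def cookie_lifetime(attrs: dict) -> str:
    """How long the token survives: the Max-Age or Expires given, else session-only."""
    if "max-age" in attrs:
        return f"max-age={attrs['max-age']}"
    return attrs.get("expires", "session")

def cookies_sent_in_clear(raw_headers: str):
    """Return (name, lifetime) for each cookie set without the Secure attribute.

    A browser sends such cookies on plain-HTTP requests too, so a sniffer on an
    open Wi-Fi network sees them; a long lifetime means a stolen one stays useful.
    """
    exposed = []
    for line in raw_headers.splitlines():
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        name, _, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            exposed.append((name, cookie_lifetime(attrs)))
    return exposed

if __name__ == "__main__":
    for name, lifetime in cookies_sent_in_clear(SAMPLE_HEADERS):
        print(f"{name}: sent over plain HTTP, lifetime {lifetime}")
```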
You can secure Web sessions and prevent sidejacking on a Mac with the Secure-Tunnel service (available in Gold or Platinum offerings, $7.95 or $9.95 per month, respectively), which acts as an encrypted proxy for Web requests.
But if you’re using an iPhone, this won’t work. The iPhone unreasonably requires that Web and other network proxies be set individually for each Wi-Fi network, rather than for the Wi-Fi adapter and the EDGE adapter, as is the case in Mac OS X, and how most operating systems handle proxy services.
So for your laptop browsing, Secure-Tunnel is an option, but iPhone users must consider a VPN if they want this form of protection. That carries its own limitation on the iPhone, too, as described next.
VPN for Hire — A VPN (virtual private network) connection encrypts all the data entering and leaving your computer or iPhone to a remote point. For those of you who work for companies that run VPN servers, that remote point is inside the corporate network. But several firms sell VPN service, terminating the remote point at their server inside a data center somewhere: the end point isn’t secure, but typically you’re just trying to protect your data over the Wi-Fi link and the local network. These VPN service providers offer that.
Mac-friendly services include publicVPN’s eponymous service and WiTopia’s personalVPN. After you sign up for publicVPN’s $5.95 per month or $59.95 per year service, you receive a simple set of instructions explaining how to set up the L2TP-over-IPsec VPN client built into the iPhone (called just L2TP) and Mac OS X 10.3 and later to connect to publicVPN’s servers.
WiTopia offers a $39.99/year SSL-based VPN service, and provides a complete package for installing the open-source TunnelBlick connection client with the necessary digital certificates custom created for you. Unfortunately, the iPhone doesn’t currently support SSL VPNs or the installation of third-party software, and TunnelBlick can cause freezes in Leopard. (I was able to solve these freezes only by uninstalling TunnelBlick. It works fine in Tiger. The TunnelBlick developer is working on fixing the Leopard problems.)
WiTopia does an end run around both the iPhone limitation and the current Leopard crashes through their free addition a few months ago of a second VPN account as part of your service. WiTopia offers the widely supported PPTP (Point to Point Tunneling Protocol), which can be used by the iPhone and in Leopard. PPTP is an older VPN protocol that has weaknesses when poor passwords are chosen; WiTopia chooses a strong password for you to bypass this. (Other limitations have led to most companies bypassing PPTP in favor of IPsec and SSL-based VPNs.)
On the iPhone, select Settings > General > Network > VPN, and enter information provided by WiTopia for PPTP or publicVPN for L2TP-over-IPsec. After entering the information, a VPN button appears beneath the Wi-Fi switch in the main Settings screen to make it easier to turn the VPN on and off; more on that in a moment.
In Panther and Tiger, you use Internet Connect to configure a VPN; in Leopard, VPN service is an option in the Network preference pane displayed like another network adapter. (If you don’t see a VPN service in the adapter list, click the + [plus sign] at lower left, select VPN from the Interface menu, and choose L2TP over IPsec or PPTP from the VPN Type menu as appropriate.)
But here’s the rub with the iPhone. While a VPN is the best overall solution, Apple hasn’t made it easy to keep a VPN active while you roam, which could lead to you browsing with the VPN off unintentionally. Because the iPhone is so good at roaming between EDGE and any available Wi-Fi network you’ve chosen to join before, your VPN connection is liable to break during any of these network switchovers. Some corporate software is designed to work on mobile devices and maintain a continuous connection back to the enterprise network regardless of your connection media – Ethernet, Wi-Fi, cellular, or other. But Apple and AT&T haven’t provided this kind of flexibility yet. With the addition of third-party software for the iPhone in February 2008, developers might be able to extend this flexibility to the device.
In the meantime, you need to pay attention to your VPN connection before each browsing session if you’re concerned about the issues I raise in this article. A security expert I consulted suggests that the EDGE network is generally secure – some heavy resources need to be brought to bear to break its encryption and then only for a single device – but Wi-Fi is wide open.
Macworld Optimism — With the release of the iPhone development kit due in February, and a preview of it likely part of the Macworld Expo keynote, I can only hope that some of the rough edges that expose data and passwords of the unwary at the show can be fixed through third-party software that will make networked data transfer that much easier to keep private at events like Macworld – and at your neighborhood hot spot.