A lot has been done to secure major Web services and Internet applications, particularly on the PC. But one of the lessons learned from our collaboration with NPR and Pwnie Express was that for every data leak that has been plugged by the major websites, another springs up on mobile. And mobile devices are the ones that face the greatest risk of surveillance and attack—not so much from the National Security Agency, but from companies and criminals looking to track and target individuals on a smaller scale.

Public Wi-Fi has become an integral part of how mobile devices’ apps work. Apple and Google have both configured their mobile services to leverage Wi-Fi networks to improve their location services, and mobile and broadband companies offer public (and unencrypted) Wi-Fi networks to either offload users from their cellular data networks or extend the reach of their wired network services. Comcast, for example, has been expanding its Xfinity broadband networks by turning access points at homes and businesses into public Wi-Fi hotspots for subscriber access.

That’s great for customers’ convenience, but it also opens up a potential vector of attack for anyone who wants to get in the middle of broadband users’ Internet conversations. We demonstrated one potential Wi-Fi threat during our testing: a rogue wireless access point broadcasting the network ID (SSID) “attwifi” prompted AT&T iPhones and Android devices with default settings to automatically connect to it.

Beware the evil access point

Once a target has connected to an attacker’s device posing as an access point for a public network like AT&T’s, the attackers use their own Internet connections to allow their targets to do what they would normally do. But in the process, they can collect all the data that streams through that connection. And that device doesn’t have to be a specially built piece of evil hardware or even a notebook computer with an additional wireless interface—it can be a smartphone or tablet tucked into someone’s pocket, as Pwnie Express’ PwnPhone demonstrates. Someone with a modicum of skill could “root” a mobile device and turn it into his or her own mobile attack platform.

An attacker doesn’t need to pose as “attwifi” to fool smartphones into connecting. One exploit, demonstrated by the EvilAP tool loaded onto the PwnPlug we used in testing, watches for Wi-Fi probe requests sent by devices as they search for networks.

The probe requests include the SSID names of recently connected Wi-Fi networks. Someone configuring his or her device as a malicious Wi-Fi access point could set it to automatically respond as one of those networks; if the smartphone making the probe is set to automatically connect to known networks, it will pair up with the malicious access point without the user knowing. That could open the smartphone to “man-in-the-middle” attacks that could break the encrypted protection of connections to Web services and application servers in the cloud or “spoof” responses from those services.
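
As an added illustration (not code from the article or from the EvilAP tool), the sketch below parses 802.11 probe frames to audit which network names a device discloses and to flag a single sender that answers under several names. The frames, MAC addresses, function names and the threshold of 3 are constructed assumptions.

```python
from collections import defaultdict

PROBE_REQ, PROBE_RESP = 4, 5  # 802.11 management-frame subtypes

def parse_probe(frame: bytes):
    """Return (subtype, sender MAC, SSID) for a probe request/response, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:
        return None                      # too short, or not a management frame
    subtype = (frame[0] >> 4) & 0xF
    if subtype not in (PROBE_REQ, PROBE_RESP):
        return None
    sender = frame[10:16].hex(":")       # addr2 = transmitter
    pos = 24 + (12 if subtype == PROBE_RESP else 0)  # skip probe-response fixed fields
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            return None                  # truncated element: reject the frame
        if tag == 0:                     # element ID 0 is the SSID
            return subtype, sender, body.decode("utf-8", "replace")
        pos += 2 + length
    return None                          # no SSID element present

def _collect(frames, subtype):
    seen = defaultdict(set)
    for parsed in filter(None, map(parse_probe, frames)):
        if parsed[0] == subtype and parsed[2]:   # empty SSID = wildcard probe
            seen[parsed[1]].add(parsed[2])
    return dict(seen)

def leaked_ssids(frames):
    """Network names each client discloses in directed probe requests."""
    return _collect(frames, PROBE_REQ)

def multi_ssid_responders(frames, threshold=3):
    """Senders answering probes under `threshold` (assumed value) or more names."""
    return {m: s for m, s in _collect(frames, PROBE_RESP).items() if len(s) >= threshold}

def make_frame(subtype, mac, ssid):
    """Build a minimal constructed frame (no radiotap header, no FCS)."""
    addr = bytes.fromhex(mac.replace(":", ""))
    header = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + addr * 2 + b"\x00\x00"
    fixed = b"\x00" * 12 if subtype == PROBE_RESP else b""
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode()

CLIENT, AP_A, AP_B = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
SAMPLE = [make_frame(PROBE_REQ, CLIENT, s) for s in ("attwifi", "HomeNet", "")]
SAMPLE += [make_frame(PROBE_RESP, AP_A, s) for s in ("attwifi", "HomeNet", "CafeGuest")]
SAMPLE += [make_frame(PROBE_RESP, AP_B, "attwifi")]
```

An access point that serves several networks typically uses a distinct BSSID for each, so one sender answering under many names is a heuristic signal worth a closer look, not proof of a rogue device.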

Just listening

Even without fooling your mobile device into connecting directly, an attacker—or an employer, or a retailer—can listen in on what you do over a Wi-Fi connection. Or they may just give you free Wi-Fi in exchange for legally scraping your data.

Target, for example, offers Wi-Fi service with terms of service that allow the company to collect certain data from your device while you’re connected:

We automatically collect information about your use of the Wireless Service (“Service”), including:

Utilization data – e.g. # of users of Service by Store

Session data – e.g. length of session

Type of device – e.g. iPhone, Blackberry

Browser data – e.g. browser version, IP address

Store data – e.g. address of store where device used

Use of Target services – e.g. mobile coupons redeemed

Device ID number

Web sites and pages visited – e.g. target.com, google.com

Ways we use the information we collect include:

Internal Operations – e.g., enhancing the effectiveness of the Service, analyzing how the Service is used, and improving our stores and mobile experience

Legal Compliance – e.g., assist law enforcement and respond to legal/regulatory inquiries

Marketing – e.g., banner ads, mobile coupons

Depending on how a public Wi-Fi network is configured, anyone connected to it could collect the same sort of data based on your Internet traffic. That includes catching identifying data such as cookies that, if passed in the clear, could be used to try to hijack your browser sessions with websites or to attempt to attack accounts you connect to later.

Retailers have even looked at ways to track people by their mobile devices without Wi-Fi usage. Just by identifying the MAC address of your smartphone’s Wi-Fi interface or by tracking cellular “heartbeat” broadcasts and Bluetooth signals from your phone, retailers can follow your movements within a store, triangulating you with multiple antennas. A mall in Richmond tested this capability in 2011 using hardware and software from Path Intelligence but dropped it temporarily until it could find a way for customers to opt out of the tracking.

Paired with video cameras and credit card transactions, this data—while technically anonymous—could be used to identify customers’ behavior to the point where clerks could be alerted to frequent customers returning and even be given access to data on what they purchased in the past. The same data could be used by corporate security or law enforcement for very different purposes.

Pulling the wireless plug

There are a number of ways you can reduce your mobile exposure. If you have an iPhone, you can disable automatic network connections by setting the phone to ask before connecting; you can also take the hit on location service accuracy and just turn Wi-Fi off when away from trusted networks.

Mobile VPNs can protect smartphones from passive monitoring, but they may be blocked by some companies’ Wi-Fi services as part of their “compliance” rules. I tried using a mobile VPN while connected at a local hospital and was shut down; the hospital said it was because they were trying to prevent security breaches and access to adult content.

Of course, there’s one easy and complete way to lower the privacy risks posed by your smartphone when you’re out in the wild. You can turn the thing off—or at least put it in “airplane mode” to play that game while waiting to check out.

Listing image by Aurich Lawson