App Exposes Wi-Fi Credentials for Thousands of Private Networks

For travelers, finding available Wi-Fi hotspots has become a task on the same level as finding public restrooms or drinkable coffee — one of the necessities of modern life. Travelers who turned to a free Android app called WiFi Finder might have found a convenient hotspot, but in doing so they potentially helped hackers find thousands of private wireless networks.

Security researcher Sanyam Jain found the database used by WiFi Finder was open to the Internet, unprotected by either authentication or encryption. Within that database were Wi-Fi network names, their precise geolocations, basic service set identifiers (BSSIDs), and network passwords for thousands of Wi-Fi networks, both public and private.

The same feature — allowing users to pull up login information for Wi-Fi hotspots — that provided login convenience for public networks created a huge security issue for home and private business networks.

"The HotSpot finder app presumes their user has the authority to disclose potentially sensitive information and thus can consent to the app receiving and potentially storing that data," says Tim Mackey, senior technical evangelist at Synopsys. "This then creates a situation where the threat model defined by the WiFi network owner might be insufficient."

The database has been taken offline by the hosting provider, but Mackey recommends that Wi-Fi network administrators change passwords. He also advises using this as a reminder that regular network monitoring and a process of password changes are reasonable security steps for any network.

Read more here.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.