iPhone to bring wave of wireless woes
July 10th, 2008 Posted in Card Brands, PCI DSS, WirelessTomorrow, like so many others around the world I’ll be getting up early and waiting in line to purchase my new iPhone 3G when the stores open at 8 AM. And like so many other giddy users I’ll head off to work and want to use and configure my device ASAP.
The problem this creates is an entirely new attack vector (ok, not so new) by deploying millions of Wi-Fi based cell phones that are now connected directly to corporate owned laptops. Another way to think of this is that we are installing millions of wireless attack vectors into a corporate environment that will be undetectable from simple wired-side scanning.
When people look at PCI DSS requirement 11.1.b they think it may not apply to them because they have not purposefully deployed wireless devices. Or they may think they can simply scan the wired network looking for wireless access points. The hidden vector they are missing are devices that come enabled with wireless access. Everything from laptops with radio (Wi-Fi) cards, to iPod Touch, and now the iPhone 3G.
You see the requirement states that people should use a “wireless analyzer” to find wireless attack vectors, but this only tells half of the story. Historically, people did this via war-driving with Pringles can antennas attacked to Netstunbler or Kismit enabled laptops. (I know @dacort and I did our fair share of this in a past life.) But what happens when you have 1,000 or 5,000 retail stores? What happens when you walk into one store and 50 access points show up on your screen? How do you know the difference between the good and the bad? How do you protect against not just rogue but also unauthorized access points?
That is why we wrote this lengthy FAQ on Wireless. I’ll also be presenting on this topic next week in New York City (be sure to register.)
Not going to be in NYC? How about Chicago, IL (July 30, 2008) or Columbus, OH (July 31, 2008)?
![[del.icio.us]](http://images.del.icio.us/static/img/delicious.small.gif){kind=small}
4 Responses to “iPhone to bring wave of wireless woes”
By Michael Janke on Jul 11, 2008
How is this a new threat? We’ve had small devices that could attach to wireless networks in corp networks for years. Some of them (the laptop kind) can even create their own adhoc wireless networks and bridge them to the corp network.
I was under them impression that rogue wireless detection was largely a solved problem.
By Michael Dahn on Jul 11, 2008
@Michael it is not a new threat, but one people should be aware of. I disagree that rogue wireless detection is a solved problem. I think it will persist for as long as we have such devices.
By Alex on Jul 15, 2008
Not only is this not a new threat, but I’ve yet to see data that suggests that *mobile* is a common/growing/existing source of threat events to an enterprise.
As such, I wonder under what premise (other than hypothetical ‘possibility’) you’re claiming that there will be a ‘wave of woes’?
By crawford on Jul 31, 2008
Can you recommend any wireless scanning tools, that provide Compliant reports.
Thanks for your information