Bogus Web Certificates Threaten Mobile Users
Dozens of fake server certificates have been found on the Internet, posing a threat to users of mobile apps that don't check such Web "signatures" properly.
The fake certificates, which were discovered by Internet-security firm Netcraft of Bath, England, spoof Google, Facebook, Apple iTunes and banks, and could let criminals stage man-in-the-middle attacks to intercept Web traffic and capture login information, bank-account numbers and personal data.
Attackers would have to be on the same local networks as victims, but that's easy to achieve on public Wi-Fi networks, even those that require general-use passwords, in airports, cafes, hotels or parks worldwide.
Digital certificates, technically called SSL certificates, underlie all secure Web connections. When you connect to Gmail and the "http" in your address window changes to "https" or a padlock icon appears, it means Google's servers have presented a digital certificate verifying that they indeed belong to Google, and your browser has accepted it.
The bogus certificates found by Netcraft wouldn't fool Web browsers, which have tough signature-verification standards. But they would fool many mobile apps, which connect to Web servers directly and are frequently sloppier than browsers about verification.
"An increasing amount of online banking traffic now originates from apps and other non-browser software, which may fail to adequately check the validity of SSL certificates," Netcraft's Paul Mutton noted in a blog post Wednesday (Feb. 12).
Mutton cited a study last month by Seattle security firm IOActive that found that 90 percent of iOS banking apps mishandled certificates, and a 2012 German academic study that estimated 40 percent of all Android apps did so.
Man-in-the-middle attacks occur when a hidden party inserts himself into the communication between two other parties, neither of whom know the hidden party is there. The hidden party can talk to Party A as if he's Party B, and vice versa, and can steal or distort the messages being transmitted.
"Successful attacks would allow criminals to decrypt legitimate online banking traffic before re-encrypting it and forwarding it to the bank," Mutton wrote. "This would leave both parties unaware that the attacker may have captured the customer's authentication credentials, or manipulated the amount or recipient of a money transfer."
There's not much the average user can do to improve mobile apps that mishandle SSL certificates. Fortunately, as Mutton and Ars Technica's Dan Goodin note, top-tier apps such as those created by Facebook, Google and Twitter "whitelist" certificates so that they'll accept only those on a preset list issued by their makers.
If you want to be certain of your mobile connections, and don't mind spending a bit of money, install an app such as Hotspot Shield or TunnelBear, which will charge you a couple of bucks per month to secure all your Internet traffic.