NFC is suddenly in news everywhere ,almost with every new major mobile or tablet launch the feature is expected to be in there .The recent announcement of Apple iPhone 4S and also lack of NFC in it disappointed techies across the globe.NFC has many uses as a technology. But the one that has pushed it into the spotlight lately is as an enabler of the mobile wallet.The recent launch of Google Wallet has further proves it .However there are concerns as how secure it is.
For people who have heard of Face niff or Firesheep , they must have a idea, how easy these apps make it possible to access Facebook accounts of people in your wifi network. Now we have another app called DroidSheep based on Firesheep which gives you access to Facebook ,Flickr ,Google account etc of anyone logged in your wifi network. This apps can even bypass WPA security. Okay let me stop here and elaborate for people who did not understand what i said above.
We do come across wifi networks in public places such as airports,cafes , restaurants and offices. Now if you have an android tablet , you need to install Droid Sheep from android market and here you will find yourself accessing Facebook , Google , Flickr , Youtube accounts just at one click.Difficult to believe but trust me it’s quite easy. Thanks to open wifi networks. The purpose of the article is not to promote use of such apps but rather such apps should be used to find loopholes in wifi network . Besides this we also wants to create an awareness as how unsafe these public wifi spots can be & how vulnerable these new devices are.
Now the question that people must be having is that how is it that one can access others accounts .The app works even on networks protected by WPA and WPA2 encryption schemes by using a technique known as ARP spoofing to redirect local traffic through the attacker’s device. An attacker would have to know the wifi security password, however.
The apps gives you access to others accounts. Now how does it work.
When the victim is using the WiFi, his laptop sends all the data intended to be received by Facebook, over the air to the coffee bars wireless router. “Over the air” means “ the data can be captured by anybody”, attacker can read all the data sent by victim. As some data is encrypted before being sent, attacker cannot read victims Facebook password, but in order not to make victim enter his password after each click, Facebook sends victim a so called “session id” after logging in, which sends with each interaction, making it possible for Facebook to identify Bob. Usually only victim knows this id, as he receives it encrypted. But when victim uses the coffee bars WiFi, he spreads his session id over the air to everybody. So attackers takes this session id and uses it as his– and Facebook cannot determine who used the id.
There are two possible ways to install DroidSheep:
- One of the Android Markets (Google, AppBrain, …) — Simply search for DroidSheep and install the application
- Download it from the “GET-IT” section using your phones browser and open the file — your phone should ask for installing the app.
Make sure, your phone is connected to a WiFi-Network, start DroidSheep and push the “start” button. Just wait for few seconds and it will show all accounts opened which can be directly opened.