iPhone Apparently Open To Old Wi-Fi Attack
judgecorp writes "Security researchers say that iPhone and other Apple devices are vulnerable to an old attack, using a fake Wi-Fi access point. Attackers can use an SSID which matches one that is stored on the iPhone (say "BTWiF"), which the iPhone will connect to automatically. Other devices are protected thanks to the use of HTTPS, which enforces HTTPS, but iPhones are susceptible to this man in the middle attack, researchers say."
HTTPS enforces HTTPS? Whew. That's a relief. Does SFTP enforce SFTP and SSH enforce SSH too? Just checking to make sure I'm secured.
Most sensitive mobile data these days is carried over SSL surely? I can't see this being any more dangerous than connecting to a public network voluntarily.
I set up my and my in-laws' Wi-Fi to be the same SSID and password so that when we visit each other the devices get on Wi-Fi automatically.
I wonder what will happen if I do this with one WIFI router requiring a password and another with the SSID not requiring one. Wonder if SSIS will connect.
Either way, how will someone know the list of my saved SSIDs? Does Apple allow an app to pull it?
the use of HTTPS, which enforces HTTPS
What does that even mean?
I'm sorry, maybe I'm the idiot here (doubtful) but are you saying that the iPhone is vulnerable to connecting to fake Wi-Fi access points, but that other devices somehow don't make the connection because they use... https?
I think what you mean to say is that any device that auto-connects to a wifi hotspot based on SSID is vulnerable, but that many devices are, by default, not configured to do this. Also, everyone should use encrypted connections so that their login/pass aren't leaked.
But the article is partially correct: preset SSIDs that some carriers use are a vulnerability. I was messing with a WiFi attack with some other people where we would deauth everyone around us and then have our access points give out SSIDs that were part of various major carriers' presets.
Just because Chrome uses HSTS doesn't mean that there wasn't some useful information acquirable.
Also, people are stupid and will join networks that look legit.
Just to be clear here, protocols like HTTPS only secure data from the Application Layer. This man in the middle attack takes place at a much lower layer (Data Link/Network), meaning any device which automatically connects to familiar SSIDs is susceptible. HTTPS will not save you from rogue APs.
This is largely a convenience feature implemented by Apple, but it doesn't matter which device you're using - if you aren't encrypting your traffic, you are vulnerable to eavesdropping. Period.
I guess I don't know what the article is saying, but I don't see anything new here or anything that doesn't actually impact any device.
The phone connects to a Wi-Fi network based on the SSID it knows; if the operator of that wireless access point wants, they can sniff the traffic. Traffic that isn't encrypted is readable. Am I misunderstanding something here?
My laptop will connect to an SSID that it had connected to before; if I send unencrypted traffic, that can be snooped.
This is one reason why it doesn't hurt to use a VPN with a profile that restarts the handshake should it get disconnected, so no traffic travels the Net unless it is to the VPN provider.
I just pick a service that has a low latency and has servers near me, use that. The result is that even if the Wi-Fi AP is completely compromised, the only traffic that will be obtained are packets to/from the encrypted tunnel.
Of course, if I use HTTP, traffic from the VPN provider and the destination can still be obtained, but getting access to a trunk switch or router tends to be a lot harder than compromising an AP in public.
I'll sometimes set up my phone's wifi hotspot with the SSID of 'attwifi' at work occasionally, just to watch how many people's phones autoconnect to what is the standard SSID for starbucks (and others) hotspot names.
The article talks about a few different things which are only somewhat related. The wifi vulnerability is the fact that an Apple device will automatically connect to a wifi network that has the same SSID as a network it has previously connected to. I suspect this is the same for Android devices, but I am too lazy to test atm.
The issue that relates to https is related to something called HTTP STS. (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). HTTP STS is supposed to be a way by which servers can communicate to browsers that requests to a particular site should always be sent over https. The issue that is being raised is that Chrome supports HTTP STS and hence Android devices do as well, but Safari does not. I guess what this would get you is that if you connect over https to a site over a trusted network, then further requests to that domain are forced to be made over https with a certain validity of certificate.
otherwise known as a brain fart, secured from shame. in my business, it is reported on the logs as "Special (Freaking) Magic."
if this is supposed to be a new economy, how come they still want my old fashioned money?
This is entirely by design: large deployments of WiFi simply have the same settings on each base station and then use WPA2 Enterprise (instead of WPA2-PSK) to do access control.
If you have a large deployment of unsecured wireless networks (such as guest networks), the same thing happens: the client connects to the base station with the best signal and the given SSID.
I don't see where this is a problem:
- It is defined in the 802.11 standard for roaming
- If you use an insecure (open) network, by definition you don't have any security or encryption
- If you use a WPA2-PSK network, you should use a good key; if the attacker knows your key, they can decrypt your data regardless of whether they set up a fake base station
- This is all mitigated using WPA2 Enterprise since you have end-to-end per-user encryption
What the fuck does HTTPS have to do with this? This is an entirely different layer.
Custom electronics and digital signage for your business: www.evcircuits.com
Read the original blog post instead: http://blog.skycure.com/2013/06/wifigate.html Summary: phones come pre-loaded with Wi-Fi SSIDs, which you can spoof and get random iPhones to connect to you. Reach-arounds ensue.
Listening to "security researcher discovers" more often than not I find myself being dismayed by what comes next.
Do I really need someone to enumerate all of the ways in which an insecure system may be abused?
Hey, ARP messages are not authenticated, so anyone else can forge them to do x, y and z.
Hey, SMB is not encrypted, so I can inject or redirect 1, 2 and 3.
Shocking "discovery": LEAP is insecure, when everyone already knew at the time that MSCHAPv1 was broken.
Windows is insecure because OMG I can mount an unencrypted disk and access all of your files without knowing the administrator password.
While I love strict transport headers and I think this feature deserves a lot more attention than it has received (Microsoft please add to IE)...
These sorts of articles seem to be quite obviously designed to draw ill-deserved attention.
I've wanted the ability to tell my iPhone to forget old networks so it doesn't waste time and power sending probe frames trying to provoke any hidden access points/SSIDs to advertise themselves. The security concern raised by this article is yet another.
STS and rogue access points are only related insofar as they are both security-related terms. So no, STS doesn't mean Android is protected from rogue access points. Bad blog post, terrible news article, and worse summary.
I've wanted the ability to tell my iPhone to forget old networks
The iPhone can forget old networks or did you mean something else? To my knowledge it has always had this capability.
... I'd recommend the installation of WiFiFoFum. It's basically like iStumbler for the iPhone, so you can at least see if the local access points are ad-hoc or infrastructure, & other stuff like that. I always run it before connecting my phone/iPad to any public hotspots.
Disclaimer: not connected to the development of this app, just a happy user.
So if you RTFA it might clear a bit of the confusion up. The issue has to do with carrier branded WiFi networks. If you buy a phone from, say, Vodafone (mentioned in the article) there is a feature the carrier can enable on their iPhones that allows the phones to connect automatically to the carrier owned WiFi hotspots. I believe AT&T does the same thing. The phones have built in authentication, so the user never sees it. Most are using HTTPS STS but I guess Apple hasn't pushed that out yet. Vodafone brings up a good point though: for their network, they use EAP-SIM auth, which is a two-way authentication protocol, so it would not fall for a simple spoofing of the SSID.
I browse on +1 so AC's need not respond, I won't see it.
You can apply the 'HPN' (high performance networking) patch to SSH to get faster transfer speeds.
Of course, much of what it does is enable the 'None' cipher, so you don't have any encryption overhead. But you have to have both the server and client modified for it to work.
Build it, and they will come^Hplain.
SOME phones come pre-loaded and I wouldn't be surprised if Android and even feature-phones come pre-loaded. You could also wipe pre-installed configuration profiles if you are so inclined. Or simply don't trust any hotspots that aren't your own, you know, common sense...
This article has a misleading headline and /. simply relays the misleading headline.
This is not an Apple iDevice problem; all WIFI devices are subject to such an attack.
The underlying problem in Apple's case is that some carriers seem to add predefined WIFI networks to an iPhone/iPad when the device gets its carrier settings. So this must be the carrier's issue!
But this attack could just as well be used against any laptops or Android devices.
How many of you have not been to Starbucks and used their free WIFI? Their WIFI (in most countries) is open with no security, and all you have to do is agree to some terms on the web page. So in the US, basically I should simply set up a network called attwifi. I really don't need to do a landing page with Starbucks/AT&T terms; many would probably not even wonder if they came directly onto the internet. And then devices would begin to connect to my network, and I could sniff through the traffic.
It is an old school man in the middle attack and not much Apple's problem. And yes, HTTPS protects you. No wait, it only protects your payload. Metadata is still floating through.
Evil twin/ disassociation attacks are old hat and don't only work on apple devices.
I thought we had real geeks here?
UPDATE: Vodafone has told TechWeek why it believes its users are safe: “The embedded configuration that is applied for our iOS devices ‘1WiFiVodafone1x’ and ‘Auto-BTWiFi’ are locked to ‘EAP-SIM’ authentication which is a bi-directional authentication protocol.
“Man-in-the-middle attacks rely upon a hacker setting up an access point pretending to be the configured AP [access point].
“With EAP-SIM configured, the device will send the AP a challenge to make sure that it is Vodafone that it is connecting to. This transaction is resolved with our network, which sends back the response to the challenge and its own challenge. The handset then responds to the network challenge and providing all of these challenge response pairs work then the user gets access. If the initial test for it being Vodafone fails, the device doesn’t connect.”
http://news.cnet.com/8301-17852_3-10414356-71.html
I think the problem is that we've seen over time many web based jail breaks of iPhones. Just visit a URL, and it breaks your phone's security to the root level. So if you can combine man-in-the-middle with a jailbreak style hack, you can redirect everyone's safari to your web site and p0wn everyone's iPhone in the city. Not easy to pull off, but potentially devastating to large numbers of users if you can.
Not only is this not a discovery, since anyone with an AT&T phone may notice their phone connecting to 'attwifi' when walking into McDonald's and Walmart, but it is not even iPhone specific. The LG Optimus G I got from AT&T will join lolnetworks by default too. At least on that phone, though, it is more obvious to disable.
HTTPS is another layer entirely and already complains when the certificate isn't valid or isn't signed by a trustworthy vendor.
If you're using Internet Explorer on Windows XP or Android Browser on Android 2.x, it also complains when the site happens to share an IP address with other sites using different certificates.
HTTP STS still doesn't fix MITM attacks with valid signed certificates by a compromised or untrustworthy root.
Nor does it fix MITM SSL-stripping attacks the first time you visit a site.
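As an added illustration (not code from the thread, from Apple, or from any browser), here is a toy HSTS policy cache in the spirit of the HTTP STS mechanism explained earlier in the thread: a policy learned over HTTPS on a trusted network later forces plain-http requests to that host up to https, but nothing protects the very first plain-http visit, and a header seen over plain HTTP is ignored. All hostnames and times are constructed.

```python
import re

# Minimal HSTS policy store modelled on RFC 6797 (constructed illustration, not
# a real browser's code). A policy is only learned from a header sent over HTTPS.
_MAX_AGE_RE = re.compile(r"max-age\s*=\s*\"?(\d+)\"?", re.IGNORECASE)


class HstsStore:
    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, scheme, header, now):
        """Record the policy carried by an HSTS header; True if it was applied."""
        if scheme != "https":
            return False  # RFC 6797: headers over plain HTTP are ignored
        m = _MAX_AGE_RE.search(header or "")
        if not m:
            return False
        max_age = int(m.group(1))
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 revokes the policy
            return True
        include_subs = "includesubdomains" in header.lower()
        self.policies[host] = (now + max_age, include_subs)
        return True

    def should_upgrade(self, host, now):
        """True if a plain-http request to host must be rewritten to https."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subs = entry
            if now >= expires_at:
                continue  # stale policy: no protection any more
            if i == 0 or include_subs:
                return True
        return False


def rewrite_url(store, url, now):
    """Apply the cached policy: http:// becomes https:// for known hosts."""
    m = re.match(r"^http://([^/]+)(.*)$", url)
    if not m:
        return url
    host, rest = m.group(1), m.group(2)
    if store.should_upgrade(host.lower(), now):
        return "https://" + host + rest
    return url
```

The first call to rewrite_url with an empty store is the unprotected first visit the comment above refers to; only after an HTTPS response has delivered the header does the upgrade kick in.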
The WiFi Pineapple has made this sort of attack possible for a long time. It's not just the iPhone that is vulnerable. Nearly everyone has connected to a "linksys" or "attwifi" hotspot before, and you can easily spoof this with Karma.
http://hakshop.myshopify.com/products/wifi-pineapple
UPDATE: Vodafone has told TechWeek why it believes its users are safe: “The embedded configuration that is applied for our iOS devices ‘1WiFiVodafone1x’ and ‘Auto-BTWiFi’ are locked to ‘EAP-SIM’ authentication which is a bi-directional authentication protocol.
EAP-SIM is broken.