Slashdot Mirror

← Back to Stories (view on slashdot.org)

iPhone Apparently Open To Old Wi-Fi Attack

Posted by timothy on from the any-old-wireless-port-in-a-storm dept.

judgecorp writes "Security researchers say that iPhone and other Apple devices are vulnerable to an old attack, using a fake Wi-Fi access point. Attackers can use an SSID which matches one that is stored on the iPhone (say "BTWiF"), which the iPhone will connect to automatically. Other devices are protected thanks to the use of HTTPS, which enforces HTTPS, but iPhones are susceptible to this man in the middle attack, researchers say."

25 of 90 comments (clear)

  1. HTTPS enforces HTTPS? by cdrudge · · Score: 5, Funny

    Other devices are protected thanks to the use of HTTPS, which enforces HTTPS

    HTTPS enforces HTTPS? Whew. That's a relief. Does SFTP enforce SFTP and SSH enforce SSH too? Just checking to make sure I'm secured.

    1. Re:HTTPS enforces HTTPS? by telchine · · Score: 3, Informative

      Other devices are protected thanks to the use of HTTPS, which enforces HTTPS

      HTTPS enforces HTTPS? Whew. That's a relief. Does SFTP enforce SFTP and SSH enforce SSH too? Just checking to make sure I'm secured.

      I assume they mean HTTPS STS

    2. Re:HTTPS enforces HTTPS? by judgecorp · · Score: 2

      That should have read "HTTP STS which enforces HTTPS" Peter Judge

    3. Re:HTTPS enforces HTTPS? by spazdor · · Score: 3, Funny

      In Soviet Hypertext, Laws enforce Judge!

      --
      DRM: Terminator crops for your mind!
  2. HTTPS by telchine · · Score: 2

    Most sensitive mobile data these days is carried over SSL surely? I can't see this being any more dangerous than connecting to a public network voluntarily.

    1. Re:HTTPS by The+MAZZTer · · Score: 2

      I think the problem is that the iPhone will connect to an unsecure network automatically without alerting the user while the user believes they are on a different, secure network.

    2. Re:HTTPS by DigitAl56K · · Score: 5, Informative

      I think the problem is that the iPhone will connect to an unsecure network automatically without alerting the user while the user believes they are on a different, secure network.

      That can only happen if the Ask to Join Networks setting is off.

      No, that's the whole point of TFA, which basically points out iOS devices have carrier pre-defined WiFi settings built it, and will connect to such networks automatically, such that placing an access point near a target that masquerades as one of these pre-defined access points is likely to cause such devices to connect automatically.

      The original article is here, and includes notes that on some occasions, not only the baked-in SSIDs are visible, but also the passwords in plaintext:
      http://blog.skycure.com/2013/06/wifigate.html

    3. Re:HTTPS by petermgreen · · Score: 2

      It's SUPPOSED to be carried over https.

      Unfrotunately people rarely go to websites by typing in a https url. They go to websites by typing something in a search box or by typing in a url without protocol (which for historical reasons defaults to http). This gives an attacker an opertunity to hijack things before the user switches to https and keep the client on plain http as the connection from attacker to server switches to https.

      There is a new spec called http strict transport security which tries to mitigate this by allowing servers to tell the browser "if in future you see a http url pointing to me use https instead". TFA is complaining that IOS doesn't implement this new spec while andriod does and also complaining that carriers set up open wifi networks by default (though honestly even if they didn't most users would probablly end up adding several open wifi networks manually because wifi is usually faster and cheaper than cellular data).

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    4. Re:HTTPS by 93+Escort+Wagon · · Score: 2

      I think the problem is that the iPhone will connect to an unsecure network automatically without alerting the user while the user believes they are on a different, secure network.

      I'm not clear on why this is an iPhone-specific problem. The Android phone I bought from AT&T two years ago seemingly does exactly the same thing. It will automatically join AT&T wifi networks if they are in range - for example, when you walked into a Starbucks.

      --
      #DeleteChrome
  3. Editors didn't read the summary? by Imagix · · Score: 4, Informative

    the use of HTTPS, which enforces HTTPS

    What does that even mean?

    1. Re:Editors didn't read the summary? by cualexander · · Score: 3, Funny

      You must be new here.

    2. Re:Editors didn't read the summary? by Lord+Byron+II · · Score: 3, Informative

      That and "BTWiF" which makes no sense. It's supposed to be "BTWifi" which is BT's public WiFi network.

    3. Re:Editors didn't read the summary? by water-and-sewer · · Score: 3, Funny

      That's an acronym common in the industry which stands for "by the way I farted."

      --
      If this were Usenet, I'd killfile the lot of you.
  4. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  5. Misleading Summary by rogueippacket · · Score: 3, Informative

    Just to be clear here, protocols like HTTPS only secure data from the Application Layer - this man in the middle attack takes place at a much lower layer (Data Link/Network), meaning any device which automatically connects to familiar SSID's is susceptible. HTTPS will not save you from rogue AP's.
    This is largely a convenience feature implemented by Apple, but it doesn't matter which device you're using - if you aren't encrypting your traffic, you are vulnerable to eavesdropping. Period.

    1. Re:Misleading Summary by Old97 · · Score: 2

      http://arstechnica.com/security/2013/06/iphones-can-auto-connect-to-rogue-wi-fi-networks-researcher-warns/

      --
      Very often, people confuse simple with simplistic. The nuance is lost on most. - Clement Mok
  6. Definitely Entertaining by dontbemad · · Score: 2

    I'll sometimes set up my phone's wifi hotspot with the SSID of 'attwifi' at work occasionally, just to watch how many people's phones autoconnect to what is the standard SSID for starbucks (and others) hotspot names.

  7. So the summary completely sucks by Stewie241 · · Score: 5, Informative

    The article talks about a few different things which are only somewhat related. The wifi vulnerability is the fact that an Apple device will automatically connect to a wifi network that has the same SSID as a network it has previously connected to. I suspect this is the same for Android devices, but I am too lazy to test atm.

    The issue that relates to https is related to something called HTTP STS. (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). HTTP STS is supposed to be a way by which servers can communicate to browsers that requests to a particular site should always be sent over https. The issue that is being raised is that Chrome supports HTTP STS and hence Android devices do as well, but Safari does not. I guess what this would get you is that if you connect over https to a site over a trusted network, then further requests to that domain are forced to be made over https with a certain validity of certificate.

    1. Re:So the summary completely sucks by DigitAl56K · · Score: 2

      The article talks about a few different things which are only somewhat related. The wifi vulnerability is the fact that an Apple device will automatically connect to a wifi network that has the same SSID as a network it has previously connected to.

      Sort of. The vulnerability is that carriers are pre-configuring access points that devices will automatically connect to - not necessarily personal access points (e.g. at home) that you've previously used - and by configuring a malicious access point to look like the carrier's pre-defined one, you can cause the device to connect to the malicious access point:

      TFS and TFA are both shit, look here instead (linked from TFA):
      http://blog.skycure.com/2013/06/wifigate.html

    2. Re:So the summary completely sucks by cyber-vandal · · Score: 2

      And that's an advert for iOS security software, so not exactly objective.

  8. iPhone can forget old networks by sjbe · · Score: 2

    I've wanted the ability to tell my iPhone to forget old networks

    The iPhone can forget old networks or did you mean something else? To my knowledge it has always had this capability.

  9. Re:iphone lacks ability to "forget" old networks by quacking+duck · · Score: 2

    Indeed, there's no option to manage/delete from a list of networks you're not already in range of. You unfortunately have to do a "Reset network settings", which clears everything out but of course means re-entering passwords for wifi stations you *do* want to keep (next time you're in range).

  10. Re:Fairly common problem... by wbr1 · · Score: 2

    >Of course, if I use HTTP, traffic from the VPN provider and the destination can still be obtained, but getting access to a trunk switch or router tends to be a lot harder than compromising an AP in public.

    The NSA has access to those.

    --
    Silence is a state of mime.
  11. Re:By design by guruevi · · Score: 2

    Why would we need yet another standard. Simply don't trust open access points and encrypt everything, use HTTPS, IMAPS, SMTPS, SFTP, ... VPN if necessary. Even traffic on hotspots with a PSK are vulnerable as long as the attacker can get to the key.

    HTTPS is another layer entirely and already complains when the certificate isn't valid or isn't signed by a trustworthy vendor, it's relatively hard to get a trusted SSL certificate to be accepted by any ol' device. HTTP STS only builds further on SSL by having a built-in list of sites or sites telling you (with a time) to connect only through HTTPS to that site. HTTP STS still doesn't fix MITM attacks with valid signed certificates by a compromised or untrustworthy root.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  12. Re:Actually ... no. by cheater512 · · Score: 2

    Where can I find this patch? I love having the best speed possible on my servers so I'll definitely apply this one asap.