  • Samy Is My Hero: Spots Hotspot Vulnerability


    The iPhone's ability to connect to "Known Networks" over WiFi is a handy feature... I'd hate to have to manually reassociate with my own wireless network every time I came home, for example. But what if the Known Network is actually an Unknown Network posing as the Known Network? A security researcher found out how easy it is to trick an iPhone into joining a rogue access point, thanks to a dumb exception to basic security that Apple put into the OS for its buddies at AT&T.

    Ordinarily, an iPhone checks the MAC address of a wireless access point (the BSSID) in addition to the network name in order to decide whether the network is Known. This is sensible as well as convenient: a BSSID is assigned at the factory and cloning one takes a deliberate step, whereas a WiFi network name (properly: Service Set IDentifier, or SSID) is just a string that anyone can type into a router's config page. It is not a strong control, since an attacker who has seen the real BSSID can clone it trivially, but it at least means a stranger's router that happens to be named "linksys" isn't treated as yours. However, as researcher Samy Kamkar discovered almost by accident, there's an exception for one and only one WiFi network name: "attwifi".

    Kamkar (probably best known for the Samy is my hero MySpace worm) explained to Elinor Mills, the CNET security blogger, how he was at a Starbucks and "noticed that the prompt was different than normal" when he disconnected. He went home and had his own laptop broadcast the "attwifi" SSID. Sure enough, his iPhone automatically connected, as did "one or two other iPhones" within range. Apparently, the iPhone OS simply skips MAC address verification when the SSID is "attwifi": any access point advertising that name is treated as Known, regardless of who is running it. To show what that makes possible, Kamkar wrote a program (which he says he will announce on his Twitter feed when it's released) that displays messages and "makes other modifications" to an iPhone user's Google Maps app while the phone is connected to the computer running the hijack; in other words, a man-in-the-middle on whatever unencrypted traffic the phone sends.

    Apple's response, which one would have to admit is pretty lame, is that the "iPhone performs properly as a Wi-Fi device to automatically join known networks." However, according to the spokeswoman quoted in the CNET article, if you'd rather not be the victim of a man-in-the-middle attack, you can always "select to 'Forget This Network' after using a hot spot so the iPhone doesn't join another network of the same name automatically." Of course, you have to connect to the network before you can Forget it, and you have to remember to do so every single time; a phone that has ever joined attwifi and hasn't forgotten it will join the next impostor it sees without asking.

    Yeah OK. Thanks, Apple.
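    As an added illustration (not Apple's code and not Kamkar's program), here is a small Python model of the auto-join decision the article describes: normally a network is Known only if both the SSID and the BSSID match a remembered entry, but for the single SSID "attwifi" the BSSID check is skipped, so any access point advertising that name gets joined. The class and function names, the sample BSSIDs and the scenario are assumptions made for the example; it runs the same attack against the policy with and without the exception, and then applies Apple's "Forget This Network" workaround.

```python
"""Model of the iPhone "known network" auto-join decision described above.

Added example, not Apple's code or Samy Kamkar's program: the data
structures and names here are assumptions made to illustrate the logic,
and every beacon and known-network entry is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Beacon:
    """What a phone learns about an access point from its beacons."""
    ssid: str    # network name, chosen freely by whoever runs the AP
    bssid: str   # AP MAC address, factory-assigned (but cloneable)


@dataclass
class KnownNetworks:
    """Remembered networks, keyed by the SSID+BSSID pair the phone joined."""
    entries: dict[tuple[str, str], bool] = field(default_factory=dict)
    # SSIDs for which the BSSID check is skipped.  The article reports
    # exactly one such exception in iPhone OS: "attwifi".
    ssid_only: frozenset[str] = frozenset()

    def remember(self, beacon: Beacon) -> None:
        """Record a network the user actually joined."""
        self.entries[(beacon.ssid, beacon.bssid)] = True

    def forget(self, ssid: str) -> None:
        """Apple's suggested mitigation: 'Forget This Network'."""
        self.entries = {k: v for k, v in self.entries.items() if k[0] != ssid}

    def should_auto_join(self, beacon: Beacon) -> bool:
        """Normal rule: SSID and BSSID must both match a remembered entry.
        Exception rule: for SSIDs in ssid_only, any BSSID is accepted as long
        as the phone has ever joined a network with that name."""
        if (beacon.ssid, beacon.bssid) in self.entries:
            return True
        if beacon.ssid in self.ssid_only:
            return any(ssid == beacon.ssid for ssid, _ in self.entries)
        return False


def scenario(exception_for: frozenset[str]) -> dict[str, bool]:
    """Run the attack from the article against a phone with the given policy."""
    phone = KnownNetworks(ssid_only=exception_for)
    home = Beacon("myhome", "00:11:22:33:44:55")        # constructed sample
    starbucks = Beacon("attwifi", "00:1a:2b:3c:4d:5e")  # constructed sample
    phone.remember(home)
    phone.remember(starbucks)  # the phone once used a genuine AT&T hotspot

    rogue_attwifi = Beacon("attwifi", "de:ad:be:ef:00:01")  # Kamkar's laptop
    rogue_home = Beacon("myhome", "de:ad:be:ef:00:02")      # same trick, other SSID

    result = {
        "rogue attwifi joined": phone.should_auto_join(rogue_attwifi),
        "rogue myhome joined": phone.should_auto_join(rogue_home),
    }
    phone.forget("attwifi")  # Apple's workaround, after the fact
    result["rogue attwifi joined after forget"] = phone.should_auto_join(rogue_attwifi)
    return result


VULNERABLE = scenario(frozenset({"attwifi"}))  # policy with the exception
HARDENED = scenario(frozenset())               # same policy, exception removed

if __name__ == "__main__":
    print("with attwifi exception:", VULNERABLE)
    print("without exception:     ", HARDENED)
```

    With the exception in place the rogue "attwifi" beacon is joined automatically while the rogue "myhome" beacon is not, which is exactly the asymmetry the article describes; remove the exception and both are refused. The exception presumably exists so a phone can roam between AT&T hotspots that all have different BSSIDs, and the price of removing it is a join prompt at each new store, which is the trade-off the "Forget This Network" advice quietly pushes onto the user.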
    This article was originally published in the forum thread "Samy Is My Hero: Spots Hotspot Vulnerability", started by Paul Daniel Ash.
    Comments (28)
    psychodave -
      I ran into this last summer. Was driving and trying to look up a place on Google maps. I was close enough to connect but far enough away it wouldn't do ****. Basically it temporarily killed my internet since the phone was trying to use wifi instead of 3G. Pissed me off that it happened since I was in a hurry.
    mvhurlburt -
      He will probably administer an attack on the Skyhook wifi positioning system... messages he will prompt on the iPhone... not too sure! I bet they will be trivial though. Unless some holes are found in the iPhone OS, the device per se is safe. You are however vulnerable to a MITM attack. Hope you're using encrypted connections to your email servers and such. Even then, with the data being intercepted, stored, then passed on and vice versa from the server end, there is still a great potential for it to be cracked. Not that bad of a security flaw... one option to maintain this AT&T autojoin crap is for AT&T to use a standard vendor with a certain amount of characters in the MAC being standard... That will only help a little.... Fact of the matter is people join open wifi all the time to leech
    trialnterror -
      So, long story short: I use WEP encryption on my networks! So....
      1. Is this going to affect me?
      2. If someone uses this exploit, what can they do to my iPhone?
      3. Can someone explain a little better what exactly is taking place, or maybe give an example in terms I could better understand?
    Mes -
      ^If you use any encryption (WEP/WEP2/WPK/WAP) you're safe.
    Cer0 -
      Basically he is saying that the iPhone is designed to auto sign on to a network you have used before with the iPhone. So since the iPhone is free to use on AT&T's free wifi network setup in many shops, there is a small part in the phone that says, when you see a broadcast SSID of "attwifi", connect to that. So if you are in a building and someone has a router broadcasting attwifi then the phone will auto connect to that. Allowing them access to your phone.
    CZroe -
      Quote originally posted by cerote:
        Basically he is saying that the iPhone is designed to auto sign on to a network you have used before with the iPhone. So since the iPhone is free to use on AT&T's free wifi network setup in many shops, there is a small part in the phone that says, when you see a broadcast SSID of "attwifi", connect to that. So if you are in a building and someone has a router broadcasting attwifi then the phone will auto connect to that. Allowing them access to your phone.
      Actually, the first part is wrong. He's saying that you have to have connected to an "attwifi" hotspot before, but that it will connect to any one from then on. They are saying that it will not do that with other SSIDs because the MAC addresses don't match, but that the iPhone has been programmed to ignore the MAC addresses for that specific SSID.

      That last part is misleading too. It allows them to intercept web traffic. They can spoof, say, your bank, eBay, PayPal, Facebook, etc. login pages to steal your passwords. They can also intercept and substitute other unprotected traffic, like Google Maps' suggestions as shown in their example. It doesn't let them directly take over your phone without a browser exploit which, if combined with the trick "Spirit" would have used, could have led to rampant exploiting.

      That said, I never realized that it took anything other than the SSID into consideration. I could swear that if I had connected to an open "linksys" access point, it would jump on any other open linksys access point I encounter until I tell the phone to forget it. I know that some WiFi utilities stupidly work this way.
    Cer0 -
      That is semi what I meant by having access to your phone. Got a migraine going on. Correct, they could set up a fake Facebook site and catch all those. Or catch someone that has SSH installed and hasn't changed the password.
    slugboy1122 -
      What about the Boingo app that does this for me based on two pass authentication?