The iPhone's ability to connect to "Known Networks" over WiFi is a handy feature... I'd hate to have to manually reassociate with my own wireless network every time I came home, for example. But what if the Known Network is an Unknown Network, posing as the Known Network? A security researcher found out how easy it is to spoof an iPhone, based on a dumb exception to basic security that Apple put into the OS for its buddies at AT&T.
Ordinarily, an iPhone is going to check the MAC address of a wireless access point in addition to the network name in order to figure out if the network is Known. This is sensible as well as convenient: MAC addresses are unique and set at the factory, while WiFi network names (properly: Service Set Identifiers, or SSIDs) can be changed much more easily than MAC addresses can be spoofed. However, as researcher Samy Kamkar discovered almost by accident, there's an exception for one and only one WiFi network name: "attwifi".
Kamkar (probably best known for the "Samy is my hero" MySpace worm) explained to Elinor Mills, the CNET security blogger, how he was at a Starbucks and "noticed that the prompt was different than normal" when he disconnected. He went home and had his own laptop broadcast the "attwifi" SSID. Sure enough, his iPhone automatically connected, as did "one or two other iPhones" within range. Apparently, the iPhone OS just flat bypasses MAC address verification if the WiFi network name is found. To prove that it's possible for iPhones to be hijacked by exploiting this vulnerability, Kamkar created a program (which he will supposedly announce on his Twitter feed when it's released) that will display messages and "make other modifications" to an iPhone user's Google Maps app when they are connected to the computer running the hijack.
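To make the difference between the two join rules concrete, here is an added illustration (my own code, not Apple's, Kamkar's, or anything from the CNET article) that models a client's "known network" decision. The names `should_autojoin`, `autojoin_report`, `KnownNetwork` and `Beacon` are hypothetical, and all SSIDs and MAC addresses in the sample data are constructed. The strict rule requires both the SSID and the BSSID (the access point's MAC address) to match a saved entry; the exception rule accepts a listed SSID on its name alone, which is exactly the gap the post describes.

```python
"""Model of a wireless client's "known network" auto-join decision.

Added illustration, not Apple's code. It shows why matching only the SSID
(the exception the article describes for "attwifi") treats any access point
broadcasting that name as a known network, while a check that also matches
the BSSID (the AP's MAC address) does not.
"""
from dataclasses import dataclass
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_bssid(bssid: str) -> str:
    """Canonical lowercase, colon-separated form; rejects malformed input."""
    b = bssid.strip().lower().replace("-", ":")
    if not MAC_RE.match(b):
        raise ValueError(f"malformed BSSID: {bssid!r}")
    return b


@dataclass(frozen=True)
class KnownNetwork:  # hypothetical type: one saved network
    ssid: str
    bssid: str  # MAC address of the AP the user actually joined


@dataclass(frozen=True)
class Beacon:  # hypothetical type: one network seen nearby
    ssid: str
    bssid: str


def should_autojoin(beacon, known, ssid_only_exceptions=frozenset()):
    """Return True if the client would auto-join this beacon's network.

    Strict rule: SSID and BSSID must both match a saved entry.
    Exception rule: for SSIDs in ssid_only_exceptions, the name alone suffices.
    """
    observed = normalize_bssid(beacon.bssid)
    for k in known:
        if k.ssid != beacon.ssid:
            continue
        if beacon.ssid in ssid_only_exceptions:
            return True  # name matched; BSSID never checked
        if normalize_bssid(k.bssid) == observed:
            return True  # name and AP address both matched
    return False


def autojoin_report(beacons, known, ssid_only_exceptions=frozenset()):
    """Map (ssid, bssid) -> (strict decision, decision with exception list)."""
    return {
        (b.ssid, b.bssid): (
            should_autojoin(b, known),
            should_autojoin(b, known, ssid_only_exceptions),
        )
        for b in beacons
    }


# Constructed sample data: saved networks and nearby beacons (all MACs made up).
KNOWN = [
    KnownNetwork("homewifi", "00:11:22:33:44:55"),
    KnownNetwork("attwifi", "aa:bb:cc:dd:ee:01"),   # the hotspot the user once used
]
BEACONS = [
    Beacon("homewifi", "00:11:22:33:44:55"),  # the real home AP
    Beacon("homewifi", "66:77:88:99:aa:bb"),  # same name, different AP
    Beacon("attwifi", "aa:bb:cc:dd:ee:01"),   # the hotspot actually saved
    Beacon("attwifi", "de:ad:be:ef:00:01"),   # any other AP using that name
]
EXCEPTIONS = frozenset({"attwifi"})

if __name__ == "__main__":
    for key, (strict, lax) in autojoin_report(BEACONS, KNOWN, EXCEPTIONS).items():
        print(f"{key[0]:9} {key[1]}  strict={strict!s:5} with-exception={lax}")
```

Under the strict rule only the two access points whose MAC addresses were saved are auto-joined; with "attwifi" on the exception list, the fourth beacon, an unrelated AP that merely uses the same name, is joined as well. That fourth row is the whole problem, and removing the exception list is the fix.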
Apple - in what one would have to admit is a pretty lame response - says the "iPhone performs properly as a Wi-Fi device to automatically join known networks." However, according to the spokeswoman quoted in the CNET article, if you'd rather not be a victim of a man-in-the-middle attack, you can always "select to 'Forget This Network' after using a hot spot so the iPhone doesn't join another network of the same name automatically." Of course, you have to first connect to the network before you can Forget it.
Yeah OK. Thanks, Apple.