Samy Is My Hero: Spots Hotspot Vulnerability

[Paul Daniel Ash]

The iPhone's ability to connect to "Known Networks" over WiFi is a handy feature... I'd hate to have to manually reassociate with my own wireless network every time I came home, for example. But what if the Known Network is an Unknown Network, posing as the Known Network? A security researcher found out how easy it is to spoof an iPhone, based on a dumb exception to basic security that Apple put into the OS for its buddies at AT&T.

Ordinarily, an iPhone is going to check the MAC address of a wireless access point in addition to the network name in order to figure out if the network is Known. This is sensible as well as convenient: MAC addresses are unique and set at the factory, while WiFi network names (properly: Service Set IDentifiers or SSIDs) can be changed much more easily than MAC addresses can be spoofed. However, as researcher Samy Kamkar discovered almost by accident, there's an exception for one and only one WiFi network name: "attwifi".

Kamkar (probably best known for the Samy is my hero MySpace worm) explained to Elinor Mills, the CNET security blogger, how he was at a Starbucks and "noticed that the prompt was different than normal" when he disconnected. He went home and had his own laptop broadcast the "attwifi" SSID. Sure enough, his iPhone automatically connected, as did "one or two other iPhones" within range. Apparently, the iPhone OS just flat bypasses MAC address verification if the WiFi network name is found. To prove that it's possible for iPhones to be hijacked by exploiting this vulnerability, Kamkar created a program (which he will supposedly announce on his Twitter feed when it's released) that will display messages and "make other modifications" to an iPhone user's Google Maps app when they are connected to the computer running the hijack.

Apple - in what one would have to admit is a pretty lame response - says the "iPhone performs properly as a Wi-Fi device to automatically join known networks." However, according to the spokeswoman quoted in the CNET article, if you'd rather not be a victim of a man-in-the-middle attack, you can always "select to 'Forget This Network' after using a hot spot so the iPhone doesn't join another network of the same name automatically." Of course, you have to first connect to the network before you can Forget it.

Yeah OK. Thanks, Apple.

[computid]

Brilliant, so glad that im in the uk and NOT on AT&T right now. Apple are brilliant at design, except when it comes to security. Maybe they should employ somebody who is... maybe it would also stop 4g iphones being left in bars...

[whereswaldo]

i hope it isnt the same with rogerswifi

[Zamphire]

Great job apple

[alxn91]

It is not at&t wifi issue but an iphone OS issue

[extremzocker]

Jesus. Apple, Fix it. Now!

[Zeal]

Apple... Retards

[FuseUnison]

Oh my God....

Embarrassed for apple, scared for me...

[rhekt]

brilliant =^6)

[Amadomon]

I've noticed this too with every open network named 'linksys'.

[PlatoTheForms]

lol, people are now desperate about this issue; after having used the iPhone with the same vulnerability for 3 years.

[Cer0]

So should one try this in a apartment building. Change the router to attwifi and then force block all sites so people's iPhones don't work for any site?

[Mes]

Most WiFi networks in the US have a WPK/WPA/WPA2 security key. I assume this security door is still valid --- better be

So ..... this vulnerability applies only if wifi security key is NOT set (open) and the SSID is attwifi.

[mar01006765]

also the same for BT Openzone

[jadi929]

is it the same if the iphones unlocked?

[Cer0]

This pertains to the iPhones wifi access. So yes it is all iPhones.

[Mes]

is it the same if the iphones unlocked?

Locked/unlocked/normal/jb'en. All iPhones are effected.

[awesomeSlayer]

Apple...are you that serious?

[Tylus]

well it wasn't a big deal for the past 3 yrs. I bet only a few people were aware of this vulnerability

now that it's out in the open though...yikes. you can bet easily 1/2 of all iPhone users will never hear of this problem. and a bunch of 'tards will utilize the exploit to screw people over.


hopefully Apple closes this loophole quickly


edit: note to self, stay out of Starbucks

[ModJoe]

Luckily, i am just using WPK or WPA2 networks
don't connect to free ones, like starbuck ,.Mac Donalds or somewhere else.