iPhone Apparently Open To Old Wi-Fi Attack
judgecorp writes "Security researchers say that iPhone and other Apple devices are vulnerable to an old attack, using a fake Wi-Fi access point. Attackers can use an SSID which matches one that is stored on the iPhone (say "BTWiF"), which the iPhone will connect to automatically. Other devices are protected thanks to the use of HTTPS, which enforces HTTPS, but iPhones are susceptible to this man in the middle attack, researchers say."
HTTPS enforces HTTPS? (Score:5, Funny)
HTTPS enforces HTTPS? Whew. That's a relief. Does SFTP enforce SFTP and SSH enforce SSH too? Just checking to make sure I'm secured.
Re:HTTPS enforces HTTPS? (Score:4, Informative)
HTTPS enforces HTTPS? Whew. That's a relief. Does SFTP enforce SFTP and SSH enforce SSH too? Just checking to make sure I'm secured.
I assume they mean HTTPS STS
Re: (Score:1)
So I made your HTTPS enforce HTTPS
*ducks*
Re: (Score:3)
Re: (Score:1)
Can we agree to drop the HTTPS and just say "STS enforces Peter Judge"
Re:HTTPS enforces HTTPS? (Score:4, Funny)
In Soviet Hypertext, Laws enforce Judge!
Actually ... no. (Score:2)
You can apply the 'HPN' (high performance networking) patch to SSH to get faster transfer speeds.
Of course, much of what it does is enable the 'None' cipher, so you don't have any encryption overhead. But you have to have both the server & client modified for it to work.
Re: (Score:3)
Where can I find this patch? I love having the best speed possible on my servers so I'll definitely apply this one asap.
HTTPS (Score:3)
Most sensitive mobile data these days is carried over SSL surely? I can't see this being any more dangerous than connecting to a public network voluntarily.
Re: (Score:3)
Re:HTTPS (Score:5, Informative)
I think the problem is that the iPhone will connect to an unsecure network automatically without alerting the user while the user believes they are on a different, secure network.
That can only happen if the Ask to Join Networks setting is off.
No, that's the whole point of TFA, which basically points out iOS devices have carrier pre-defined WiFi settings built in, and will connect to such networks automatically, such that placing an access point near a target that masquerades as one of these pre-defined access points is likely to cause such devices to connect automatically.
The original article is here, and includes notes that on some occasions, not only the baked-in SSIDs are visible, but also the passwords in plaintext:
http://blog.skycure.com/2013/06/wifigate.html [skycure.com]
Re: (Score:2)
This is a fascinating problem. I can see the feature being incredibly valuable, yet awful as it's currently implemented. Is there an approach to doing this safely?
Re: (Score:2)
No. The example given is for a public hotspot (one of those things with a captive portal to enter your credentials), and those run on open wifi. No WPA, not even WEP.
Of course they can be spoofed and MITM used - that's been known for years. I don't know why the iPhone is any more vulnerable than any other phone. Does it hide the s in https perhaps, so the user won't notice they aren't on SSL?
Re: (Score:3)
I think the problem is that the iPhone will connect to an unsecure network automatically without alerting the user while the user believes they are on a different, secure network.
I'm not clear on why this is an iPhone-specific problem. The Android phone I bought from AT&T two years ago seemingly does exactly the same thing. It will automatically join AT&T wifi networks if they are in range - for example, when you walked into a Starbucks.
Re: (Score:3)
It's SUPPOSED to be carried over https.
Unfortunately people rarely go to websites by typing in an https URL. They go to websites by typing something in a search box or by typing in a URL without protocol (which for historical reasons defaults to http). This gives an attacker an opportunity to hijack things before the user switches to https and keep the client on plain http as the connection from attacker to server switches to https.
There is a new spec called http strict transport security which tries to mitig
Re: (Score:2)
It's SUPPOSED to be carried over https.
Unfortunately people rarely go to websites by typing in an https URL. They go to websites by typing something in a search box or by typing in a URL without protocol (which for historical reasons defaults to http). This gives an attacker an opportunity to hijack things before the user switches to https and keep the client on plain http as the connection from attacker to server switches to https.
Exactly, and it is trivially easy to accomplish these attacks with man in the middle tools like SSLstrip [thoughtcrime.org] and the Middler [google.com]
p0wned (Score:2)
I think the problem is that we've seen over time many web based jail breaks of iPhones. Just visit a URL, and it breaks your phone's security to the root level. So if you can combine man-in-the-middle with a jailbreak style hack, you can redirect everyone's safari to your web site and p0wn everyone's iPhone in the city. Not easy to pull off, but potentially devastating to large numbers of users if you can.
Re: (Score:2)
Most sensitive mobile data these days is carried over SSL surely?
Smaller sites on name-based virtual hosting still have to fall back to HTTP in the clear to support Android 2.x, whose default browser can't use SNI [wikipedia.org].
yep, i do this all the time (Score:1)
I set up my and my in-laws' wifi to be the same SSID and password so that when we visit each other the devices get on wifi automatically.
I wonder what will happen if I do this with one WIFI router requiring a password and another with the SSID not requiring one. Wonder if SSIS will connect.
Either way, how will someone know the list of my saved SSIDs? Does Apple allow an app to pull it?
Re: (Score:2)
I think the idea is that you use the name of a popular provider of public Wifi services. The example given is BTWifi, and they are the largest in the UK.
Re: (Score:2)
Time to head to a popular open wifi spot in town and start up my hotspot on my rooted phone. Could be interesting, could be ungodly boring.
Re: (Score:1)
Editors didn't read the summary? (Score:5, Informative)
the use of HTTPS, which enforces HTTPS
What does that even mean?
Re:Editors didn't read the summary? (Score:4, Funny)
restricted, top secret, need to know, codeword (Score:2)
Otherwise known as a brain fart, secured from shame. In my business, it is reported on the logs as "Special (Freaking) Magic."
Re:Editors didn't read the summary? (Score:4, Informative)
That and "BTWiF" which makes no sense. It's supposed to be "BTWifi" which is BT's public WiFi network.
Re:Editors didn't read the summary? (Score:4, Funny)
That's an acronym common in the industry which stands for "by the way I farted."
Re: (Score:1)
Are you on Facebook by chance?
Re: (Score:2)
Wrong! It's "By the way iFarted."
Re: (Score:2)
Comment removed (Score:3, Informative)
Terrible summary (Score:1)
But the article is partially correct: preset SSIDs that some carriers use are a vulnerability. I was messing with a WiFi attack with some other people where we would deauth everyone around us and then have our access points giving out SSIDs that were part of various major carriers' presets.
Just because Chrome uses HSTS doesn't mean that there wasn't some useful information acquirable.
Also, people are stupid and will join networks that look legit.
Misleading Summary (Score:4, Informative)
This is largely a convenience feature implemented by Apple, but it doesn't matter which device you're using - if you aren't encrypting your traffic, you are vulnerable to eavesdropping. Period.
Re: (Score:2)
"This is largely a convenience feature implemented by Apple"
From what I understand, this is mostly implemented not by Apple, but by the carriers. AT&T iPhones come pre-programmed to "know" about AT&T hotspots, etc.
Re: (Score:3)
Re: (Score:2)
The article seems more to do with HTTPS STS and Apple's lack thereof than anything specific about open WiFi. So even if you end up on a malicious network, with Android phones, your browsing is a little more secure (although first time visits to websites can be just as insecure because of HTTPS STS limitations).
The WiFi component is just about 'spoofing' a known SSID to trick your iPhone into connecting to your network and not the actual trusted one; this part of the problem should apply to any phone or devic
Fairly common problem... (Score:2)
This is one reason why it doesn't hurt to use a VPN with a profile that restarts the handshake should it get disconnected, so no traffic travels the Net unless it is to the VPN provider.
I just pick a service that has a low latency and has servers near me, use that. The result is that even if the Wi-Fi AP is completely compromised, the only traffic that will be obtained are packets to/from the encrypted tunnel.
Of course, if I use HTTP, traffic from the VPN provider and the destination can still be obtained, but getting access to a trunk switch or router tends to be a lot harder than compromising an AP in public.
Re: (Score:3)
>Of course, if I use HTTP, traffic from the VPN provider and the destination can still be obtained, but getting access to a trunk switch or router tends to be a lot harder than compromising an AP in public.
The NSA has access to those.
Definitely Entertaining (Score:2)
So the summary completely sucks (Score:5, Informative)
The article talks about a few different things which are only somewhat related. The wifi vulnerability is the fact that an Apple device will automatically connect to a wifi network that has the same SSID as a network it has previously connected to. I suspect this is the same for Android devices, but I am too lazy to test atm.
The issue that relates to https is related to something called HTTP STS. (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). HTTP STS is supposed to be a way by which servers can communicate to browsers that requests to a particular site should always be sent over https. The issue that is being raised is that Chrome supports HTTP STS and hence Android devices do as well, but Safari does not. I guess what this would get you is that if you connect over https to a site over a trusted network, then further requests to that domain are forced to be made over https with a certain validity of certificate.
Re: (Score:3)
The article talks about a few different things which are only somewhat related. The wifi vulnerability is the fact that an Apple device will automatically connect to a wifi network that has the same SSID as a network it has previously connected to.
Sort of. The vulnerability is that carriers are pre-configuring access points that devices will automatically connect to - not necessarily personal access points (e.g. at home) that you've previously used - and by configuring a malicious access point to look like the carrier's pre-defined one, you can cause the device to connect to the malicious access point:
TFS and TFA are both shit, look here instead (linked from TFA):
http://blog.skycure.com/2013/06/wifigate.html [skycure.com]
Re: (Score:3)
And that's an advert for iOS security software, so not exactly objective.
Re: (Score:1)
I've noticed that iOS devices are pretty flexible in how they connect to wireless networks. Flexible, in that they will automatically try a whole bunch of stuff to get connected. I imagine this is in a best-effort to get connectivity and to avoid bothering the user as much as possible.
All it needs is an SSID and an associated password. If you change the access point, wifi settings, encryption protocols, etc. it does not matter. As long as the SSID and password are correct the device will generally connect up.
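Since clients in this thread match only on SSID (and credential), the defender-side check is to look at what is actually being advertised. This is an added example, not code from the page or any vendor: the scan records and the policy map are constructed, and the BSSIDs are made-up locally administered addresses.

```python
from collections import defaultdict

# Constructed scan records (not from the page): (ssid, bssid, security) as a
# wireless scanner would report them. BSSIDs are made-up locally administered
# addresses; the third 1WiFiVodafone1x entry plays the rogue open twin.
SCAN = [
    ("1WiFiVodafone1x", "02:00:00:00:00:01", "WPA2-EAP"),
    ("1WiFiVodafone1x", "02:00:00:00:00:02", "WPA2-EAP"),
    ("1WiFiVodafone1x", "02:00:00:00:00:99", "OPEN"),
    ("HomeNet", "02:00:00:00:00:10", "WPA2-PSK"),
    ("CafeGuest", "02:00:00:00:00:20", "OPEN"),
]

# Constructed policy: the security type the operator says each preset uses.
EXPECTED = {"1WiFiVodafone1x": "WPA2-EAP", "HomeNet": "WPA2-PSK"}


def group_by_ssid(scan):
    """Map ssid -> {security -> sorted list of BSSIDs advertising it}."""
    groups = defaultdict(lambda: defaultdict(list))
    for ssid, bssid, security in scan:
        groups[ssid][security.upper()].append(bssid)
    return {s: {sec: sorted(b) for sec, b in secs.items()}
            for s, secs in groups.items()}


def find_evil_twin_candidates(scan, expected):
    """Return (ssid, reason, details) tuples for two red flags:
    1. one SSID advertised with more than one security type (a device that
       only matches on SSID will still roam to the weaker BSSID), and
    2. a BSSID whose security type differs from the operator's policy, which
       also catches a lone rogue when the real AP is out of range."""
    findings = []
    for ssid, by_sec in group_by_ssid(scan).items():
        if len(by_sec) > 1:
            findings.append((ssid, "mixed security", sorted(by_sec)))
        want = expected.get(ssid)
        if want is not None:
            wrong = sorted(b for sec, bs in by_sec.items()
                           if sec != want.upper() for b in bs)
            if wrong:
                findings.append((ssid, "does not match policy " + want, wrong))
    return findings


if __name__ == "__main__":
    for ssid, reason, details in find_evil_twin_candidates(SCAN, EXPECTED):
        print(f"{ssid}: {reason}: {', '.join(details)}")
```

The mixed-security check only fires when the genuine AP is also in range, which is why the policy map is needed for presets the device knows about.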
By design (Score:2)
This is entirely by design, large deployments of WiFi simply have the same settings on each base station and then use WPA2 Enterprise (instead of WPA2-PSK) to do access control.
If you have large deployment of unsecured wireless networks (such as guest networks), same thing happens, the client connects to the base station with the best signal and the given SSID.
I don't see where this is a problem:
- It is defined in the 802.11 standard for roaming
- If you use an insecure (open) network, by definition you don'
Re: (Score:2)
If you use WPA2 Enterprise does the client authenticate base station? i.e. if a device finds a base station with the same SSID will it connect to it? If the fake base station also uses WPA2 Enterprise can it trick the device into sending the credentials?
Re: (Score:2)
Actually, the authentication doesn't happen at the base station level. The authentication gets passed to a RADIUS server (which authenticates individual base stations based on individual pre-shared keys), the RADIUS server has its own SSL certificate which needs to be accepted on the client (even if there is a trusted chain, and the certificate is 'valid', my iOS devices still ask me to verify the server certificate), then through TTLS or PEAP (or whatever authentication mechanism you specify) the RADIUS
Re: (Score:2)
- This is all mitigated using WPA2 Enterprise since you have end-to-end per-user encryption
The real problem is that WPA lacks a mode suitable for secure public hotspots. Such a mechanism would need to provide
1: a way of verifying with a reasonable degree of certainty that the operator is who they claim to be even though the user hasn't previously interacted with them. Likely this means some kind of certification authority. At least the WPA enterprise deployment I've used (eduroam) required the user to manually install a certificate to connect securely.
2: a way of connecting as an "unknown user"
Re: (Score:3)
Why would we need yet another standard? Simply don't trust open access points and encrypt everything, use HTTPS, IMAPS, SMTPS, SFTP, ... VPN if necessary. Even traffic on hotspots with a PSK is vulnerable as long as the attacker can get to the key.
HTTPS is another layer entirely and already complains when the certificate isn't valid or isn't signed by a trustworthy vendor, it's relatively hard to get a trusted SSL certificate to be accepted by any ol' device. HTTP STS only builds further on SSL by having a
Re: (Score:2)
Even traffic on hotspots with a PSK is vulnerable as long as the attacker can get to the key.
I think you're underestimating your opponent!
~#: reaver -i mon0 -vv -b 'ImInUrWifi' > results.txt &
~# logoff
Now go to bed. When you come back, you'll have not just the PSK, but any PSK that router changes to in the future.
MITM on first visit (Score:2)
HTTPS is another layer entirely and already complains when the certificate isn't valid or isn't signed by a trustworthy vendor
If you're using Internet Explorer on Windows XP or Android Browser on Android 2.x, it also complains when the site happens to share an IP address with other sites using different certificates.
HTTP STS still doesn't fix MITM attacks with valid signed certificates by a compromised or untrustworthy root.
Nor does it fix MITM SSL-stripping attacks the first time you visit a site.
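The client side of HSTS as described in the "So the summary completely sucks" post, including the first-visit gap noted here, as an added example that is not code from the page or from any browser: a toy store that records Strict-Transport-Security headers only when received over TLS and upgrades later http:// URLs for known hosts. Hostnames and header values in the usage are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Minimal client-side HSTS policy: hosts that sent a valid header over
    TLS are upgraded from http:// to https:// until max-age expires."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._hosts = {}         # host -> (expiry_epoch, include_subdomains)

    def record(self, host, header_value, over_tls=True):
        """Store a Strict-Transport-Security header. Returns True if applied.
        Per RFC 6797 a header seen over plain HTTP is ignored, so a hotspot
        sitting in the middle of a cleartext session cannot poison the store."""
        if not over_tls:
            return False
        directives = {}
        for part in header_value.split(";"):
            name, _, value = part.strip().partition("=")
            if name:
                directives[name.lower()] = value.strip().strip('"')
        max_age = directives.get("max-age", "")
        if not max_age.isdigit():
            return False
        host = host.lower()
        if int(max_age) == 0:
            self._hosts.pop(host, None)      # max-age=0 clears the entry
            return True
        include_sub = "includesubdomains" in directives
        self._hosts[host] = (self._now() + int(max_age), include_sub)
        return True

    def is_known(self, host):
        """True if host (or a parent with includeSubDomains) is unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > self._now() and (i == 0 or include_sub):
                return True
        return False

    def rewrite(self, url):
        """What a compliant client does before sending: an http:// URL for a
        known host becomes https://, so a stripped link never leaves the
        device in the clear. Unknown hosts (first visit) are left alone,
        which is exactly the gap this post describes."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```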
Re: (Score:2)
Why would we need yet another standard? Simply don't trust open access points and encrypt everything, use HTTPS, IMAPS, SMTPS, SFTP, ... VPN if necessary.
The procedure for safely using an untrusted wireless access point that has a captive portal with a VPN goes something like:
1: shut down any internet-using applications that could potentially send private information over unencrypted connections. Hope you didn't miss any.
2: connect to the wifi
3: launch your browser with special parameters to make sure it doesn't try to do a session restore or otherwise leak any private data from pre-existing cookies. Alternatively keep a separate browser that you only use fo
Read the original blog post, not the TechWeek arti (Score:1)
Re: (Score:2)
SOME phones come pre-loaded and I wouldn't be surprised if Android and even feature-phones come pre-loaded. You could also wipe pre-installed configuration profiles if you are so inclined. Or simply don't trust any hotspots that aren't your own, you know, common sense...
iphone lacks ability to "forget" old networks (Score:1)
I've wanted the ability to tell my iPhone to forget old networks so it doesn't waste time and power sending probe frames trying to provoke any hidden access points/SSIDs to advertise themselves. The security concern raised by this article is yet another.
Re: (Score:1)
The iPhone can in fact forget old networks. It has been able to do this for a long time.
Settings -> wifi
Hit the little blue arrow (not the name) next to the network you want to forget (it is a little I in a circle in iOS7). Then click on "Forget network". Your iPhone now has forgotten that network.
There is no "bulk" forget. If you want to forget all of them, iirc you can reset network settings.
iPhone can forget old networks (Score:3)
I've wanted the ability to tell my iPhone to forget old networks
The iPhone can forget old networks [apple.com] or did you mean something else? To my knowledge it has always had this capability.
Re: (Score:1)
As the posts there point out, that only works if you're still in range of the old network. It's a pain to have to remember to forget a network each time I check out of a hotel, nor do I want to have to reset all settings and reteach the phone about the networks I do want it to use.
Re: (Score:2)
Yeah, there is no way I have found to forget a network if it has been turned off, other than putting up your own "fake" network and then removing it.
Too bad I did not know this so I could create a list of every public network I ever attached to.
Re: (Score:3)
Indeed, there's no option to manage/delete from a list of networks you're not already in range of. You unfortunately have to do a "Reset network settings", which clears everything out but of course means re-entering passwords for wifi stations you *do* want to keep (next time you're in range).
WiFiFoFum for Jailbroken iPhones & iPads... (Score:2)
... I'd recommend the installation of WiFiFoFum. It's basically like iStumbler for the iPhone, so you can at least see if the local access points are ad-hoc or infrastructure, & other stuff like that. I always run it before connecting my phone/iPad to any public hotspots.
Disclaimer: not connected to the development of this app, just a happy user.
Applies to a very specific case. (Score:2)
Misleading article (Score:1)
But this attack might as well be used against any laptops or Android devices.
How often have many of you not been to Starbucks and used thei
Whoever wrote this article is either a troll, or (Score:1)
Evil twin/ disassociation attacks are old hat and don't only work on apple devices.
I thought we had real geeks here?
The article didn't make sense and has been updated (Score:2)
UPDATE: Vodafone has told TechWeek why it believes its users are safe: “The embedded configuration that is applied for our iOS devices ‘1WiFiVodafone1x’ and ‘Auto-BTWiFi’ are locked to ‘EAP-SIM’ authentication which is a bi-directional authentication protocol.
“Man-in-the-middle attacks rely upon a hacker setting up an access point pretending to be the configured AP [access point].
“With EAP-SIM configured, the device will send the AP a challenge to make sure that it is Vodafone that it is connecting to. This transaction is resolved with our network, which sends back the response to the challenge and its own challenge. The handset then responds to the network challenge and providing all of these challenge response pairs work then the user gets access. If the initial test for it being Vodafone fails, the device doesn’t connect.”
Re: (Score:2)
UPDATE: Vodafone has told TechWeek why it believes its users are safe: “The embedded configuration that is applied for our iOS devices ‘1WiFiVodafone1x’ and ‘Auto-BTWiFi’ are locked to ‘EAP-SIM’ authentication which is a bi-directional authentication protocol.
EAP-SIM is broken.
iPhone users are delusional, consultants say (Score:1, Offtopic)
WiFi Pineapple (Score:2)
The WiFi Pineapple has made this sort of attack possible for a long time. It's not just the iPhone that is vulnerable. Nearly everyone has connected to a "linksys" or "attwifi" hotspot before, and you can easily spoof this with Karma.
http://hakshop.myshopify.com/products/wifi-pineapple