
Wi-Fi hack creates 'no iOS zone' that cripples iPhones and iPads - walterbell
http://www.theguardian.com/technology/2015/apr/22/wi-fi-hack-ios-iphone-ipad-apple
======
josteink
> Victims in range cannot do anything about it. Think about the impact of
> launching such an attack on Wall Street, or maybe at the world’s busiest
> airports, or at large utility plants. The results would be catastrophic.

While I can certainly agree it would be annoying, a nuisance and
productivity-hindering, calling this "catastrophic" is probably overdoing it a tad much.

Catastrophic means by definition that it's related to or involves a
catastrophe. iPhone-users not being able to use their iPhones hardly counts as
that, no matter where on the planet that happens.

With all that said: Neat hack. Now I feel like reproducing it :)

~~~
antimagic
Please do try to reproduce it - the company that is responsible for this
"discovery" also happens to be selling a product that is supposed to prevent
this attack, and the tone of their PR has got my BS-detectors ringing.

An example of the sort of thing that gives me doubts. They refer to another
supposed demonstrated attack called "Wifigate", which no-one has been talking
about, except for themselves. And when you read the details, they claim that
iPhones come preloaded with a bunch of WiFi SSIDs that the phone will
automatically connect to, mostly telecommunications companies. Up until
recently I used to work for one of those listed companies, and I have owned
iPhones continuously since the iPhone 3G. I can tell you categorically that
iPhones do _not_ automatically connect to SFR wifi hotspots like this company
claims. This fact destroys an important part of their claim for this current
"attack", that you can be affected even if you've never connected to a Wifi
hotspot.

So that's one guaranteed example of exaggeration right there, which seeing as
it's the only piece of information in the article that I'm capable of
verifying myself, makes me very distrustful of the entire article.

~~~
uxp
> When combined with an earlier vulnerability, named “Wi-Figate”, which lets
> attackers force a device to automatically connect to a given WiFi network

I'm not fully up on exploitable iOS tricks, but it sounds like they're
spoofing a BSSID to be one that the iOS device has already connected to
(because iOS devices broadcast this when scanning for networks IIRC?), but has
RADIUS authentication with a specially crafted server certificate that manages
to crash the network stack.

~~~
HackinOut
> (because iOS devices broadcast this when scanning for networks IIRC?)

Not anymore, Apple fixed that in recent iOS versions. Probe requests are not
divulging SSIDs anymore. However, WifiGate uses common SSIDs and network
operators' preloaded ones as honeypots.

~~~
000086
Seems that wasn't fixed reliably. Still seeing lots of probe requests. Is
there a [https://support.apple.com/HT..](https://support.apple.com/HT..).
talking about it?

~~~
HackinOut
Not aware of anything from Apple about this issue. It was just an assumption,
sorry. What I did is test up to date devices (I think I even tested an up to
date iOS 6) and couldn't get any specific SSID. The probe requests were still
there, but the SSID parameter was always set to Broadcast.

However, I did see a lot of probe requests WITH an SSID parameter set but those
were not coming from my devices :). I assumed they were not up to date.

I am very interested to know if the probe requests you're seeing are also
coming from unknown devices: if they aren't, could you provide us with the iOS
version you're using/testing with?

~~~
000086
The devices I know are several iPhones 6/6+ running iOS 8.3.

------
makeitsuckless
There's something very off about this story, especially since it doesn't even
attempt to mention obvious scenarios like "what if I have WiFi turned off?".

_If_ iOS would actually try to find WiFi networks with WiFi turned off, that
would be a much bigger story than some exploitable vulnerability. This whole
story smells of sensationalism over facts.

~~~
fpgeek
Not necessarily. Android has an option (which is on by default) where Wi-Fi
off really means off except for location assistance. If iOS has something
similar and the issue even affects that passive scanning, it could be a deeper
problem. I wouldn't say that's likely, but it is possible.

~~~
Nutomic
Do you have any source for this?

I'm pretty sure wifi needs to be on for location assistance (Google Maps
complains about this all the time).

~~~
partiallogic
[http://imgur.com/fIFCLNi](http://imgur.com/fIFCLNi)

From 4.3 you can have Wifi "off" but still allow location through WiFi.

~~~
yekim
Just wanted to say thanks for posting this. I wasn't aware that this was the
case on Android. I've now turned my WiFi "completely" off.

------
JosephRedfern
Am I right in thinking that the user has to have attempted to connect to the
network before the bug has triggered (I'm assuming so, since AFAIK iOS doesn't
randomly download SSL certs from WiFi APs). If that is the case, calling it a
'no iOS zone' seems a bit much. The title makes it sound like some kind of iOS
Specific "Cyber-EMP" ;)

~~~
jay-saint
Carriers pre-populate iOS 8 phones to automatically connect to their wifi
signals. This hack involves spoofing official AT&T and Sprint wifi hot spots
that the carrier has forced you to trust.

This earlier bug called WiFiGate has a list of pre-populated trusted wifi
networks. From the same group:
[https://www.skycure.com/blog/wifigate-how-mobile-carriers-ex...](https://www.skycure.com/blog/wifigate-how-mobile-carriers-expose-us-to-wi-fi-attacks/)

~~~
BenTheElder
I don't use any iOS devices anymore but I have many friends that do, is there
a convenient way to disable these preconfigured wifi hotspots permanently?

Edit: according to the article you linked (under the consumers section), iOS
has no interface for doing this. I find this pretty appalling.

~~~
gambiter
Yes, it does. You just choose the SSID and tap 'forget this network'. You can
also disable the 'automatically connect' functionality.

I 'forgot' the attwifi SSID long ago, and I have never had my phone try to
auto-connect to one, even though they are everywhere.

The article ignores this because it weakens the headline.

~~~
000086
Only possible when the wifi is in range.

~~~
pbhjpbhj
So first you need to spoof the SSID ...

------
eyeareque
This is a whole lot of FUD coming from this company. Obviously it's a
marketing ploy for attention. They should have waited to go public after Apple
made a fix. By pre announcing the existence of the flaw they've helped
miscreants point their fuzzers at a target, potentially putting users at risk.

------
ZoFreX
Surely if you had a decent crash bug in iOS's SSL handling, you'd look to
escalate that to some kind of exploit e.g. arbitrary code execution? This
doesn't smell right.

~~~
HoLyVieR
Not all crash bugs can lead to remote code execution. A null dereference bug is
a good example of that. No matter the context, you won't be able to do anything
other than crash the software.

~~~
mmozeiko
That's not quite right. NULL pointer dereference can be exploited:

[https://blogs.oracle.com/ksplice/entry/much_ado_about_null_e...](https://blogs.oracle.com/ksplice/entry/much_ado_about_null_exploiting1)

[http://tk-blog.blogspot.com/2009/01/exploitable-userland-nul...](http://tk-blog.blogspot.com/2009/01/exploitable-userland-null-pointer.html)

------
BenTheElder
Blog post about it from the company that discovered the bug:
[https://www.skycure.com/blog/ios-shield-allows-dos-attacks-o...](https://www.skycure.com/blog/ios-shield-allows-dos-attacks-on-ios-devices/)

~~~
MichaelGG
A bit breathless there:

"We knew that any delay in patching the vulnerability could lead to a serious
business impact: an organized denial of service (DoS) attack can lead to big
losses."

------
bottled_poe
And this is just one reason why I always switch on 'Ask to join networks'.

~~~
BenTheElder
Seriously. This should be the default setting on all devices. Accessing random
open networks is generally not a good plan for many reasons...

Edit: (See below comments) I actually have the equivalent of what you are
talking about disabled on my phone (android), as it creates a popup context
menu that is too easily pressed 'accessing random open networks'. You want the
user to have to open the wifi settings and select a network they know / have
preconfigured, not some open network that the phone is eager to join.

~~~
ehamberg
An iOS device will only connect to known networks. By enabling “Ask to Join
Networks” it will list networks and ask if you want to join any of them – but
only if no known network is in range. This is actually less safe, in that
you're just a button press away from “accessing random open networks” instead
of having to go into the settings and choose a network – so it makes sense to
have it default to off.

tl;dr: iOS will only join known networks – toggling this setting will make it
easier to join networks when no known networks are in range.

edit: Link to the relevant section in the manual:
[https://help.apple.com/iphone/8/#/iph1b489c85f](https://help.apple.com/iphone/8/#/iph1b489c85f)

~~~
tomswartz07
Here's the problem:

If a device will "only connect to known networks", that means that it sends
out an ARP request. In a nutshell, the phone shouts wirelessly «HEY! IS _BILL
WI THE SCIENCE FI_ AROUND?»

You can very easily set up a system that will respond to every single ARP
request and then 'broadcast' that SSID. If you broadcast the SSID, with no
password, and the device sees it, then it will connect to this 'known'
network.

That's a big problem.

~~~
rlpb
> If a device will "only connect to known networks", that means that it sends
> out an ARP request.

You seem to have confused IP address resolution with wi-fi access point
discovery. ARP requests don't happen until after a device is associated with a
wi-fi access point.

It is possible to arrange for a device to scan for wi-fi networks passively,
so the device will not be detected until it actually discovers and attempts to
connect to a particular network.
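The distinction rlpb draws (802.11 probe requests, not ARP) and HackinOut's observation earlier in the thread (the SSID parameter of an up-to-date device's probe requests being set to Broadcast, while older devices name specific networks) can both be checked with a small parser. The following is an added example, not code from the article, Skycure or any commenter: it builds a few probe request frames itself (constructed test data, locally administered MACs, no radiotap header), walks the tagged parameters to find the SSID element, and reports which clients name remembered networks versus sending only wildcard probes. Feeding it real frames from a monitor-mode interface is assumed to be the reader's job; the frame layout used is the standard management-frame header followed by the SSID and Supported Rates elements.

```python
"""Classify 802.11 probe requests by whether the SSID element is a wildcard
(empty, shown as "Broadcast" by Wireshark) or names a specific network.

Every frame below is constructed in this script; nothing is captured from
the air. A real audit would feed raw frames from a monitor-mode interface.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MGMT_TYPE = 0           # frame control type 0 = management
PROBE_REQ_SUBTYPE = 4   # management subtype 4 = probe request
IE_SSID = 0             # element ID 0 = SSID
IE_SUPPORTED_RATES = 1
MAC_HEADER_LEN = 24     # FC(2) + duration(2) + addr1/2/3(18) + seq ctl(2)
BROADCAST = b"\xff" * 6


def build_probe_request(src_mac: bytes, ssid: bytes, seq: int = 0) -> bytes:
    """Build a raw probe request frame (constructed test data)."""
    fc = bytes([(PROBE_REQ_SUBTYPE << 4) | (MGMT_TYPE << 2), 0x00])
    header = (fc + b"\x00\x00"                    # duration
              + BROADCAST + src_mac + BROADCAST   # DA, SA (client), BSSID
              + struct.pack("<H", seq << 4))      # sequence number, fragment 0
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid
    rates_ie = bytes([IE_SUPPORTED_RATES, 4, 0x02, 0x04, 0x0B, 0x16])  # 1/2/5.5/11 Mbps
    return header + ssid_ie + rates_ie


@dataclass
class ProbeRequest:
    src: str
    ssid: str
    wildcard: bool


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def parse_probe_request(frame: bytes) -> Optional[ProbeRequest]:
    """Return the parsed probe request, or None for other frames and malformed IEs."""
    if len(frame) < MAC_HEADER_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE or (fc0 >> 4) & 0xF != PROBE_REQ_SUBTYPE:
        return None
    src = frame[10:16]                        # addr2 = transmitter (the client)
    body = frame[MAC_HEADER_LEN:]             # probe requests carry no fixed fields
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            return None                       # element claims more bytes than exist
        if tag == IE_SSID:
            ssid = body[i + 2:i + 2 + length]
            return ProbeRequest(mac_str(src), ssid.decode("utf-8", "replace"), len(ssid) == 0)
        i += 2 + length
    return None                               # SSID element is mandatory; missing = malformed


@dataclass
class AuditReport:
    directed: Dict[str, Set[str]] = field(default_factory=dict)  # MAC -> SSIDs it named
    wildcard_only: Set[str] = field(default_factory=set)         # MACs that never named one
    skipped: int = 0                                             # non-probe or malformed frames


def audit_probes(frames: List[bytes]) -> AuditReport:
    """Summarise which clients reveal remembered network names in probe requests."""
    report = AuditReport()
    seen_wildcard: Set[str] = set()
    for frame in frames:
        req = parse_probe_request(frame)
        if req is None:
            report.skipped += 1
        elif req.wildcard:
            seen_wildcard.add(req.src)
        else:
            report.directed.setdefault(req.src, set()).add(req.ssid)
    report.wildcard_only = seen_wildcard - set(report.directed)
    return report


# Constructed sample: locally administered MACs, not real devices.
DEV_A = b"\x02\x00\x00\x00\x00\x01"   # sends only wildcard probes
DEV_B = b"\x02\x00\x00\x00\x00\x02"   # names networks it remembers
DEV_C = b"\x02\x00\x00\x00\x00\x03"   # its frame is truncated in the capture
SAMPLE_FRAMES = [
    build_probe_request(DEV_A, b"", seq=1),
    build_probe_request(DEV_B, b"", seq=7),
    build_probe_request(DEV_B, b"attwifi", seq=8),
    build_probe_request(DEV_B, b"HomeNet", seq=9),
    build_probe_request(DEV_A, b"", seq=2),
    build_probe_request(DEV_C, b"Leak", seq=3)[:-8],           # cut inside the SSID element
    b"\x80\x00" + build_probe_request(DEV_A, b"", seq=4)[2:],  # beacon subtype, ignored
]

if __name__ == "__main__":
    r = audit_probes(SAMPLE_FRAMES)
    for mac, ssids in sorted(r.directed.items()):
        print(f"{mac} names {sorted(ssids)}")
    print(f"wildcard-only: {sorted(r.wildcard_only)}; skipped: {r.skipped}")
```

A client that appears under `directed` is the kind of device HackinOut describes seeing from others: it announces the names of networks it remembers to anyone listening, which is exactly what the preloaded-carrier-SSID discussion above is about. The parser rejects a frame whose element length runs past the end of the body rather than slicing short, since truncated or padded frames are common in real captures.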

------
000086
Loosely related: iOS devices are very talkative about seen Wi-Fi networks
albeit Apple started to address such privacy issues with iOS 8, see
[http://www.reddit.com/r/Android/comments/2uyw50/wifi_privacy...](http://www.reddit.com/r/Android/comments/2uyw50/wifi_privacypolice_prevents_your_smartphone_or/cofucmk)

~~~
HackinOut
It doesn't seem to be iOS 8 only. Recent versions of iOS 7 seem to be fixed
as well. (Tested my phone earlier this week.)

~~~
000086
How long did you test? I'd recommend sniffing for at least a few hours.

------
ender89
My house is about to become a no iOS zone... hehe

------
nakedrobot2
Can this be implemented in schools to curb use of digital devices (which in my
opinion should be completely banned in every academic environment from
kindergarten through university)?

~~~
learnstats2
What? Search engines, online encyclopediae, and educational software are each
an absolute boon to learning.

~~~
pbhjpbhj
Yes, because there's nothing on the internet or available via a smartphone
that can distract from school based education at any time, it's inconceivable.
/s

------
baldfat
I used to make my own firewall on a spare pc. It is well known in my public and
private life I have a strong anti-Apple bias. So much so that my teenage
daughter rebelled by picking up an iPhone when she was 15.

My firewall always limited usage by OS. Linux and my desktop had the full fire
hose. Everything else 75% and Apple products had 10% and video played at only
low quality.

The only way people could get the 75% was to connect with their iPhone to my
guest wifi Apple_Evil and type in the password applesucks. Great fun, but with
this hack, you get to personally own up and see their faces and not break
stuff.

~~~
acdha
I was waiting for that story to end with “… and then I turned 12 and outgrew
this”.

What ever happened to promoting OSS by making it better? Forcing people to
play juvenile games seems like a great way to turn everyone off on Linux
permanently.

~~~
lmz
Look at the bright side: if his children rebel by buying Apple products that's
relatively harmless. Maybe they will consider that rebellion enough and
refrain from the more dangerous actions.

~~~
baldfat
Exactly. Plus we always laugh about it, then I give "the stare."

