Tell HN: iOS lets carriers add WiFi networks that you can’t stop from joining
1025 points by newZWhoDis on April 5, 2023 | 391 comments
Well this was a major surprise so I figured I’d share it here to get some eyeballs on it.

Essentially, the latest iOS (16.4 at post time) allows your cellular carrier (via eSIM) to add “managed networks” to your device.

These networks cannot be removed, they cannot have “automatically join” disabled, and they have equal priority with your real, personal networks.

So guess what happens when your neighbors get a wifi/modem combo that blasts a free hotspot SSID? Not only does it pollute the already crowded 2.4GHz band, your iPhone will often prefer this connection over your real/local wifi (despite said wifi being at 1 bar).

As of post-time, there is no way to remove these networks short of completely disabling cell service/removing the eSIM and resetting all network settings.

You can see this for yourself by going to WiFi/“edit” and scrolling down.

Edit: to clarify, I can disable “auto join”, but in 4-5 minutes all of my devices have auto-join turned back on. I’m guessing it re-syncs with the carrier profile. Also, this does not seem to be eSIM or SIM related; it can happen on both.




I know something about this. I built and ran a service for carriers to help with “WiFi offload”.

It’s intended as a consumer-friendly way to increase capacity in dense areas (like a sports stadium or mall) where the carrier’s cell towers don’t have enough capacity.

Wifi offloading is not new. AT&T helped invent these standards back in ~2009 when their network was getting crushed by massive increases in traffic as iPhone usage took off.

WiFi offload networks are configured as “Managed Networks” which are lower priority than any user-selected networks. You can disable them by turning off “auto-join”. (Also these WiFi offload networks are secure; you can’t spoof them).

However it appears that the original poster’s carrier (presumably Xfinity Mobile or Spectrum Mobile) has done something new - they’ve disabled the user’s ability to turn off “auto-join” on iOS. Some overzealous team is trying to lower their cellular costs. That’s because both Comcast and Spectrum rent capacity on Verizon Wireless towers, but their MVNO cellular service is not profitable unless their customers are using the cable company’s own WiFi fairly often.

However this (disabling “auto-join”) is a dumb move. It’s obviously problematic for users whose neighbors are broadcasting the [Xfinity WiFi or Spectrum Mobile?] SSID.

To my knowledge, no major carrier does this. If you’re on AT&T, T-Mobile, or Verizon, the “managed offload networks” can be easily disabled. And the major carriers are using higher-quality commercial WiFi networks for offload, not random home cable modems.


Friendly remark.

Recently the term "consumer-friendly" became the synonym of "we shove it down your throat whether you like it or not!". If you wish to communicate some real user-friendly feature better find some other phrase. Reading "consumer-friendly" statements of providers makes me turn away and never look back.

See the above example. Hijacking the device we use for our daily operations, very important one with sensitive data, already at risk from multitude of origins, hijacking it remotely into some unknown channels along hidden organisational incentives is a very offensive and frightening move. The technology is not new and it is OPTIONAL for a very long time. Shoving it down the throat is bad. Very bad.

(I am pretty disappointed with the population of the world that accepts anything from service providers for mostly marginal or never missed gains, accepting the elimination of choice. Providers feel they can get away with anything and became increasingly hostile.)


If the use case is as described (connecting to WiFi APs owned and controlled by the network in deadspots / hotspots - e.g. stadiums and large buildings - and not end-user APs in homes), it's not clear to me that this poses any significant threat above and beyond connecting to the same operator's cell towers. If you don't trust them to run a WiFi network, probably shouldn't trust their cell network either.

Having phones automatically and uncontrollably route via random 3rd party APs is a bad decision, but I didn't read GP as advocating for this.


The knowledge and equipment to hack WiFi-related systems is a lot easier to obtain in most of the world than the cellular equivalent.

In the US, at least, tampering with cell service risks getting the FCC involved, so very few people do it compared to WiFi hacking.

I'm very curious, for example, if the devices that connect to these APs are vulnerable to the WiFi client isolation bypass that was disclosed about a week ago.[1] That seems a lot scarier when there are potentially thousands of random people's personal phones connecting to the same WiFi infrastructure instead of a bunch of more or less trusted corporate devices in an office.

[1] https://github.com/vanhoefm/macstealer


> If you don't trust them to run a WiFi network

WiFi APs are not secure enough unless you're using another layer of security on top (a VPN, for instance). It's not a matter of trusting them to properly run a WiFi network. It's a question of if there's an additional layer of security on top. Is there?


Whilst I agree with what you're saying in premise, I think if you told most consumers "hey, when you have bad reception like at a stadium, your provider will connect you over WiFi instead of 4G", they simply wouldn't care and more importantly wouldn't want to know.

This probably is "consumer-friendly" in the sense of "provides the outcome desired for most consumers".


Sensibly and originally the consumer-friendly term is desirable, also the obvious and default behaviour from providers selling products to users.

Unluckily it is over and misused for things forced through regardless of wanted or not - but beneficial for the provider for sure -, being a routine misdirection (basically bullshit) text.


To amplify this: a recognised problem with GSM/GPRS was that although the mobile device authenticated itself to the network. This introduced MITM vulnerabilities. As a response, 3G brought in mutual authentication. Do these managed WiFi networks have mutual authentication? As far as I know, no.


Yes, WiFi offload uses the Hotspot 2.0 spec with mutual authentication (EAP-AKA or EAP-SIM typically). Both the phone and the WiFi network will mutually authenticate with the carrier’s Authentication Server.


> If you wish to communicate some real user-friendly feature better find some other phrase.

The cycle of deception never ends. If a company misuses words, they'll do it again with new ones. We must resist by sticking to the plain meaning of words.


Sigh. Would you speak to someone this way were they telling you this story at a conference lunch?

I really hope not.

They have chimed in to provide further context based on their personal experience. You’ve latched onto and have subsequently read way too much into two words that they used, and tried to offset your unjustified browbeating with “friendly remark”.


If someone tells me to my face that ignoring user preferences is actually 'consumer-friendly', I will tell them to their face that it isn't. 'Friendly remark' is passive aggressive and can be left out.


Thanks for the explanation.

> they’ve disabled the user’s ability to turn off “auto-join” on iOS

How (and why) is it even possible for carriers?


Frankly, I don’t know. This thread is the first I’ve heard of it.

Carriers ask phone makers for config changes all the time. It’s possible this is a new capability that was requested by certain carriers.

To be fair, it’s also possible that the OP and I are misinterpreting what’s going on. For instance, iOS syncs your preferences across devices. Perhaps there’s some bug that’s causing the wrong setting to propagate back to this person’s phone because their iPads, etc are still set to allow “auto join”.


> iOS syncs your preferences across devices.

This theory could be tested by signing out of iCloud before changing "auto-join".


> How (and why) is it even possible for carriers?

This happened in India. So one day mobile data was quite slow on my non-Apple phone. I asked my friend to enable hotspot on his iPhone. We were stumped when we couldn't find the "Personal Hotspot" option at all in iOS settings. Called Apple support who informed us that Hotspot option is only available if the carrier enables it. They asked us to contact the carrier.

We were outraged and thought the carriers in India had suddenly decided to charge us extra for this option. Or maybe just for iPhone users. (In India, no carrier charges us extra for this option - and that is how it should be right? We are already paying more according to the bandwidth (3g/4g/5g speeds) and they also already limit how much data we can download. Imagine being charged extra for the "privilege" of sharing your data and consuming it faster!). We were prepared to yell at the carrier if they wanted more money from us for this but their customer support explained to us that this is a common complaint they have with Apple iPhones, and all we needed to do was add some more info in the mobile data settings, which she provided us.

That's when we realised that it is a very American / Apple thing because the US business model of mobile phone and carriers are very different from India. In the US, most mobile phones are sold through the carriers and Apple and its competitors have to work with them closely. Whereas in India, consumers purchase their mobile phones independent of the carrier.


Every now and then, maybe every year or two, my iPhone says it needs to update mobile settings from the carrier. For those settings they asked you to change, it sounds like the Indian carriers probably could update them through that mechanism, or possibly that they were going to do so but hadn't got round to it yet.


That happens with Indian carriers too. From what I understood, Indian carriers don't bother with the HotSpot settings because it is enabled by default for all users at their end. This works fine with Android phones but often not iPhones (in my personal experience).


Why don't the stadiums just set up an open wifi network? (no password)


Some do. Allianz Field in St Paul has an open guest network, then you “sign in” with your email like you would at a coffee shop.

It works great, super speedy. Definitely better than the cell network during a game.


Probably because the stadiums don't want to incur the expense of doing so. That scale of setup wouldn't exactly be cheap.


Confirmed. I’m on one of the major carriers and after multiple hours, auto-join is still disabled after I turned it off. Though, I haven’t tried rebooting.


I’m in the same boat as you. It’s been off for almost 24 hours and I rebooted my device. I’m not using an eSIM like OP; maybe that’s the difference, I don’t think so.

I wonder if those with the problem were to restart or reset their device, if they would still have the problem?


> (Also these WiFi offload networks are secure; you can’t spoof them)

How do we know this? What's the security mechanism?


Hotspot 2.0, a.k.a. Passpoint. Within that standard, the phones, WiFi networks, and carriers are all using EAP-AKA or EAP-SIM authentication.


Apple Configurator (self-hosted local MDM, free macOS app in store) has an option for "supervised" iOS devices so that Wi-Fi connections are limited to SSIDs which are pre-defined in the MDM profile. It's intended for enterprise usage. Worth testing to see how MDM policy interacts with carrier-managed Passpoint networks.

Note: you can't supervise an existing device without wiping it, so this is an experiment to conduct with a spare phone, or one already managed by Configurator/MDM.

Apple Configurator training: https://it-training.apple.com/tutorials/deployment/dm095

Wi-Fi payload: https://developer.apple.com/documentation/devicemanagement/w...

Another option is using Apple's MDM for small business to define a list of approved SSIDs, https://www.apple.com/business/essentials/

Edit: is there an option to "Remove Profile" in Settings?

  General -> VPN & Device Management -> Configuration Profiles

Edit2: workaround by null routing the carrier's Wi-Fi SSID? https://www.reddit.com/r/tmobile/comments/vvt6dd/comment/iyr...

  Change IP address to manual and 127.0.0.1
  Change subnet mask to 255.255.255.0
  Change DNS to manual and 251.252.253.254


Thank you for that first link. I stumbled across Apple Configurator when I was trying to lock down an old phone, to have at home as a pseudo-landline (but which I can take with me on trips) that is safe to leave accessible to kids. I got it working by muddling through, and that link would have at least let me situate myself in the space of "what does this thing do?" better.


What settings did you use to lock down your phone?


More or less:

  - prevent removal of profiles:
    general -> security -> "with authorization", and added a password
  - prevent total phone wipe:
    general -> functionality -> [ ] allow Erase All Content and Settings (supervised only)
  
  - only allow a few apps to run:
    restrictions -> apps -> restrict app usage -> only allow some apps
    phone, messages, facetime, settings
  - disallow installing new apps:
    restrictions -> functionality -> [ ] allow installing apps (supervised only)
  
  - content filter -> filter type -> limit adult content
    I'm not really sure what this does but makes sense to enable it
  
  - wi-fi -> configure one payload,
    for my home guest network
  - google account -> configure one payload,
    for a phone@vanitydomain.com google account

I have a copy of the resulting .mobileconfig file that also allows safari, but I only enable that when I'm e.g. taking a flight on Southwest and want to be able to use that phone as another screen for passing time in the plane.


This seems like a heavy handed solution to a simple problem, which isn’t necessarily bad. Why did you not get a number forwarding service to forward to your primary cell phone instead of carrying 2 devices?


This is a phone I let my kids use; it's a landline "house phone" replacement, that I can take with me on vacation. It wouldn't make sense for it to forward to my primary phone.

I want a POTS landline (guess I'm stuck in my late 90s "it's more reliable than the internet connection, since the power comes over the copper" attitude), but I can't even get POTS installed here.


Is there an SMS forwarding service that works for 2FA?


I do not have any profiles installed, and none of my devices are managed.

I’m aware this could potentially be fixed by enrolling all my family’s devices in an MDM.

But I mean come on, wipe everyone’s phone to enroll in MDM? Seems pretty crazy when the phone should just let you control what it does/does not join.

Edit: I misread your post, I see now it was more suggesting a test. My bad.


If Carrier MDM policy can override Configurator/Enterprise MDM policy, then corporate security admins will likely be unhappy about their lack of control over enterprise device networking.

Has the industry forgotten the pre-iPhone disaster of telco-controlled devices? https://www.quora.com/Why-was-the-iPhone-initially-exclusive...

> The landscape of the cell phone market was very different pre-2007. Most notably, the carriers had complete control over what phones were allowed on their network. A carrier could nix a feature that had been in R&D for years and suddenly you couldn’t sell your new phone with this amazing feature. They were especially protective of data and overloading their networks, which led to browsers on phones being stripped down and limited. The whole “full web” was not a technical impossibility, it was just that carriers wouldn’t allow phones on the network that had a full browser.

https://archive.is/4ZCH5

> Apple bucked the rules of the cellphone industry by wresting control away from the normally powerful wireless carriers ... Mr. Jobs once referred to telecom operators as "orifices" that other companies, including phone makers, must go through to reach consumers.


Since when did you have to wipe your phone to enroll it in MDM? You don’t even have to wipe it if you unenroll, and that would certainly be more important since the phone could have downloaded sensitive content in that time.


Don't know since when, but definitely for a few years. To fully unenroll too. The reason is because in order to fully manage the device it needs to reset and restart in a managed mode.


This isn't true. You can enroll and unenroll without wiping. You can't _supervise_ without wiping. These are two separate (commonly confused) things.


I mean, you plainly don’t. I asked a rhetorical question and made it clear by explaining you don’t.

This thread explains the difference between enrolling and supervising and is pretty clear that enrollment does not require a wipe.

https://www.reddit.com/r/Intune/comments/yd7mo5/do_you_need_...


You don't have to wipe to enrol, only to supervise a device. Supervision enables a lot of features that would be considered user hostile in a different context - it's definitely not something you want being enabled without you knowing.


The "Remove Profile" option in Settings might be helpful if it's available, but it seems like it could be carrier-dependent, and not all users may have this option.

The null routing workaround seems interesting and could potentially help in avoiding unwanted connections to the carrier's Wi-Fi SSID. However, this method might require some technical knowledge and might not be ideal for less tech-savvy users.


T-Mobile's you absolutely can disable, but I would have never ever thought to look there until I read this.

I switched off Auto-join on both "t-mobile" and "TMobileWingman", but I couldn't hit the "Done" text-but-its-really-a-button in the upper right until I made some change to the normal known networks list, so I deleted a couple that I didn't remember or recognize. YMMV.

It's gross either way. No way, no way in hell this is something that should be shadow dropped onto my phone.


This is insane. I have never heard of these and after checking I also have them on my iDevice. Tmobile should explain what wingman is and why it's on iOS devices.


I don't understand why Apple allows carriers to do this. Apple is a well-respected brand by most of their customers while carriers are seen as an evil you cannot do without.


I suppose "brand perception" loses to "we bought all the RF spectrum". If T-mobile, AT&T, and Verizon say "no iPhone", guess who is out of business? Not the spectrum owners.


> If T-mobile, AT&T, and Verizon say "no iPhone", guess who is out of business?

If Apple said, "no, you can't force users onto Wi-Fi networks without their consent," T-Mobile, AT&T, and Verizon would just say, "ok, it was worth a try," and carry on as if nothing happened. People will still want Apple products in sufficient numbers, and carriers will still want money from those people. But Apple isn't interested in what people want, Apple is interested in what they can convince people they want.


If my cellular provider stopped supporting iPhones as a first class device I would switch providers by the end of the billing period, no question.

AT&T got my business by supporting the iPhone first. I assume if one major carrier drops the iPhone the other would recognize the opportunity and court users asap.


I mean I’m certainly not switching back to a dumb phone or android. And since iOS maintains 56% market share in the US Apple can easily force some hands.


Apple already fought and won that battle when they introduced the iPhone, when they had much less negotiating power than today.


"Apple is a well-respected brand". Less and less so. With stunts like this.


I had a chuckle too. Maybe it was, in 20th century.


Because without the ability to join carriers' networks, Apple would be selling overpriced paperweights.

How can Apple be well-respected after wanting to scan your photos for CSAM is well beyond me, but I guess everyone is different.


What's our better alternative, that will also permit us to easily communicate with non-techie friends and business associates?


Reality Distortion Field


BTW, every single cloud provider does CSAM scanning.


Yes they do, but they don’t do it using MY device (phone, tablet, PC) before it touches their infrastructure.


I count that as a plus. If the scanning is done on my device, they have zero reasons to scan the content in the cloud and thus can encrypt it at rest so nobody can access it even with a warrant.

But I've had this same argument a thousand times and it's like shouting at the tide and trying to stop it...


The reason you are likely wrong here is because it's an ownership boundary - the cloud service is understood to be renting, but you purchased the phone and own it.

What you are suggesting doesn't necessarily make zero sense to desire, but practically speaking I don't think it makes sense based on the transactions that have occurred in this scenario. They may have a right to do that stuff on the cloud, but they don't have a right to do it on your device. It has nothing to do with which is better.


...but they didn't scan anything unless you were uploading images to the cloud anyway.

Disable cloud upload -> no local scanning.

People were stumbling over each other in one of the biggest competitive misunderstanding contests of the 2020's and Apple backed down to shut people up just because nobody bothered to RTFM and just got angry based on random internet hot-takes that were based on incorrect assumptions.


Yes, they scan data that will be stored on their hardware.


As was Apple's idea.

Their plan was to scan stuff that would be sent to their hardware on your hardware so that they could encrypt it on their hardware without having the key themselves. And law enforcement wouldn't have had the "what about child pornography" -angle to force access to data, since everything would've been pre-scanned.

If no data would've been sent to their hardware, no scanning would've happened.

It wasn't a complex idea, but The Internet decided collectively to misunderstand it.


> a well-respected brand by most of their customers

Not surprising. I don’t respect or trust them, so I’m not one of their customers.


Not respecting or trusting Apple is a valid position to have. Not sure why people would down vote this.

It's clear that Apple uses the feelings of trust and respect in their marketing campaigns, but this is just a calculated strategy that works for them. As a company, they are like most companies - they desire to create and maximize revenue streams. To the extent that they value trust and respect they actually value customer perceived trust and respect as it relates to their marketing strategies.

TL;DR if they think they can get away with things that are customer hostile without tarnishing their marketing image they'll do it. They will take calculated risks here as well.

Examples:

Apple will hold a monopoly on iOS for books and this is fine: https://www.techemails.com/p/ibooks-is-going-to-be-the-only-...

Apple forces a 30% fee on subscriptions, negotiates with Uber (and presumably others) to pass this cost directly onto the user in cases where the margin is so low the 3rd party cannot economically eat the fee: https://www.techemails.com/p/lets-take-a-cut-of-membership-p...

iMessage is exclusive to iPhone because they fear that parents may buy Android for their children over iPhones if the app was available on both - which obviously indicates that the dark UX treatment of non iMessage sms (green bubbles) is an intentional segmentation of the messaging ecosystem designed to bring users to the iphone thru social effects. Any platitudes to security are purely marketing. https://www.techemails.com/p/imessage-for-android

Apple is a company, their users are revenue streams, trust and respect matter in terms perspective not in terms of meaningful action. They will do things that put their trust/respect at calculated risks to maximize revenue.

Folks thinking otherwise are pleasantly naive - it is totally reasonable to question Apple's actions and motivations.


Apple's priorities are, in order:

  Apple
  End Users
  Distribution partners
  Other companies

Once you realize that then their decisions make sense. And for me these priorities aren't the worst thing ever. Yes, Apple putting Apple first means I pay a premium.

(And BTW, to clarify: Apple has a book store monopoly on iOS, not "a monopoly on iOS for books". I can read my Kindle books perfectly fine)


You can read books from Amazon/Kindle on iOS because Apple lost an antitrust price fixing case in US federal court and paid nearly half a billion in damages.

Apple conspired with publishing houses to shut Amazon out of the market through leveraging its huge device platform. Steve Jobs literally said: "The price will be the same... Publishers are actually withholding their books from Amazon because they are not happy."

If Apple had won their case it is a serious question if you would have Kindle books to read.

https://en.m.wikipedia.org/wiki/United_States_v._Apple_Inc.

All that said - this is reasonable rational behavior for a company. Which is why we also have antitrust laws. ;)


They make you successfully believe end users are that high on their priorities, which is different.


I don't really see any evidence the other way. Notably the examples higher in the thread all match this behavior.


When was the last time you requested a feature in AOSP? Or tried to merge one in?


Maybe Apple doesn't know carriers are doing this and the capability is an oversight? Verizon and AT&T seem to be respecting the user auto-join preference flag.

I'm thinking Apple didn't expect the carrier to do this.


Probably to force more traffic onto wifi to keep people off of their network whenever possible.


T-mobile here as well, no wingman. This means you’ve used in flight wifi.



> what wingman is

Not really related but hypothesizing it's the following makes me chuckle: https://www.youtube.com/watch?v=y8OnoxKotPQ


I have T-mobile but I haven't a clue what you are talking about. There are Wi-Fi networks called "t-mobile" and "TMobileWingman"? I just don't see them at all. Under what condition should I see them?


Settings/Wifi/edit/scroll down to “managed networks”

These are networks added by your carrier you can’t remove. They have equal priority to your real networks.

In my case, 2 neighbors have freebie wifi/modem combos blasting out 1-bar hotspots that match my carrier’s free hotspot SSIDs, so all my family’s personal devices constantly switch between my real home network and these “hot spots” with no way to stop it short of removing everyone’s SIMs.


Appalling.

You'd need an extremely strong reality distortion field to advocate for it. I can only guess it's a way for the telcos to offload 5g traffic.

In the Android world, if Samsung/Telstra introduced something similar in Australia that'd be enough for me to jump ship to another manufacturer that didn't. There's an auto-enabled "Hotspot 2.0" feature that I've turned off; it's not ideal that it's on by default but for people on lesser data plans it could be convenient. It's a simple toggle to turn off, nothing's forced.


How does this offload traffic? That wifi router is likely a 5G home internet router which is connecting to the same tower. So while connected clients would reduce, bandwidth usage would not as these devices are not powerful enough to run any meaningful caching services.


Fair question! My assumption was that the wifi access points would be connected to eg gigabit fttp, not wireless.


I could see a system where carriers partner with cities to install wifi at crowded locations, preset a carrier provided password and use that for better service than 5g.

But I am shocked that they would force connection to open ssids.


I’m not shocked the carrier would try, I’m shocked the OS lets the carrier dictate this with no user recourse.


I am able to disable "Auto-join" on those, but I don't have these WiFi hotspots near me so I can't test if that Auto-join toggle actually works.


Wait 4-5 minutes and open the menu again.

In my case I disable auto join on all and they’re all back on in 4-5 minutes.

I was also able to verify this as the device will still really connect to the “disabled” hot spots, even after switching it off. Just took a while for the profile to resync.

Edit: only 5 of 9 re-enable auto join after I disable it.


Looks like a few of mine resynced and toggled auto join. My iPad has none of these managed network entities at all, seems to be a phone thing only.

Looks like Comcast Xfinity type networks are being imposed too. The Xfinity app may be toggling these XFI, Xfinity Mobile, xfinitywifi pieces your way too.


The Xfinity ones show up only after you install a profile from the Xfinity app or website, and manually enable it in Settings.

The Xfinity hotspot service typically has two SSIDs going: "xfinitywifi", which is unencrypted and has a captive portal to log in, and the "XFINITY" network, which installing the profile enables access to and which is encrypted with 802.1X authentication.

For everyone except apparently the carriers, Apple is very strict about the opt in nature of managed WiFi networks.
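
An added example, not part of the comment above and not Apple's or Xfinity's code: one way to review the Wi-Fi payloads of a `.mobileconfig` before installing it, listing each network's auto-join setting, encryption and EAP methods (18 = EAP-SIM, 23 = EAP-AKA). The payload keys are those of Apple's Wi-Fi payload (`com.apple.wifi.managed`); the sample profile, SSIDs, domain and note strings are constructed, and it only covers networks delivered by a profile file.

```python
import plistlib

# EAP method numbers as they appear in the Wi-Fi payload's AcceptEAPTypes array.
EAP_NAMES = {13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 21: "EAP-TTLS",
             23: "EAP-AKA", 25: "PEAP", 43: "EAP-FAST"}
SERVER_CERT_EAP = {13, 21, 25}  # methods where the client checks a server certificate

# Note strings are this example's own wording (hypothetical, not Apple terminology).
NOTE_OPEN = "open network with auto-join: any AP using this SSID will be joined"
NOTE_PASSPOINT = "Passpoint: matched by operator identifiers, not by SSID"
NOTE_UNPINNED = "802.1X with no trusted server name or certificate anchor"


def load_profile(raw: bytes) -> dict:
    """Parse a profile; for signed (CMS-wrapped) files, slice out the XML plist.

    Heuristic only: the signature is not verified.
    """
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def audit_wifi(profile: dict) -> list:
    """Return one finding per Wi-Fi payload in the profile."""
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap_cfg = payload.get("EAPClientConfiguration", {})
        eap_types = eap_cfg.get("AcceptEAPTypes", [])
        item = {
            "ssid": payload.get("SSID_STR"),
            "auto_join": payload.get("AutoJoin", True),        # defaults to true
            "encryption": payload.get("EncryptionType", "Any"),
            "is_hotspot": payload.get("IsHotspot", False),     # Hotspot 2.0 / Passpoint
            "domain": payload.get("DomainName"),
            "eap": [EAP_NAMES.get(t, str(t)) for t in eap_types],
            "notes": [],
        }
        if item["encryption"] == "None" and item["auto_join"]:
            item["notes"].append(NOTE_OPEN)
        if item["is_hotspot"]:
            item["notes"].append(NOTE_PASSPOINT)
        pinned = (eap_cfg.get("TLSTrustedServerNames")
                  or eap_cfg.get("PayloadCertificateAnchorUUID"))
        if SERVER_CERT_EAP & set(eap_types) and not pinned:
            item["notes"].append(NOTE_UNPINNED)
        findings.append(item)
    return findings


# Constructed sample profile (all values invented for this example).
_SAMPLE_DICT = {
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example Wi-Fi profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "ExampleOpenHotspot",
         "EncryptionType": "None"},                       # AutoJoin omitted -> true
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "ExampleSecure",
         "EncryptionType": "WPA2", "AutoJoin": False,
         "EAPClientConfiguration": {"AcceptEAPTypes": [21],
                                    "TLSTrustedServerNames": ["radius.example.net"]}},
        {"PayloadType": "com.apple.wifi.managed", "IsHotspot": True,
         "DomainName": "wifi.example.net", "EncryptionType": "WPA2",
         "EAPClientConfiguration": {"AcceptEAPTypes": [23, 18]}},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "ExampleUnpinned",
         "EncryptionType": "WPA2",
         "EAPClientConfiguration": {"AcceptEAPTypes": [25]}},
        {"PayloadType": "com.apple.security.root"},       # non-Wi-Fi payload, skipped
    ],
}
# Leading/trailing bytes stand in for a signature wrapper around the plist.
SAMPLE_PROFILE = b"\x30\x80wrapper" + plistlib.dumps(_SAMPLE_DICT) + b"\x00\x00"

if __name__ == "__main__":
    for f in audit_wifi(load_profile(SAMPLE_PROFILE)):
        name = f["ssid"] or f["domain"]
        print(f"{name}: auto_join={f['auto_join']} enc={f['encryption']} eap={f['eap']}")
        for note in f["notes"]:
            print(f"  ! {note}")
```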


I have devices with 0 Comcast apps and 0 profiles but they all have the Xfinity managed networks, the only thing they have in common is the cellular service.


Also if we eventually leave the carrier that imposed this stuff, do they remove them as we exit their networks?


I wonder if the xfinity mobile carrier is pushing this stuff.


It's been more than five minutes, I opened the menu again and it's still disabled. I'm on an iPhone 12 Pro Max on iOS 16.4, which is the latest iOS.

> even after switching it off

This might be your issue, because after a restart your iPhone no longer has access to your saved Wi-Fi credentials, but it can still use EAP-SIM to join T-Mobile's Wi-Fi network first. But I see your point that it does not respect the "Auto-join" toggle.


Sorry, to clarify my device will reconnect to a carrier-managed hotspot that has had auto-join manually disabled without a reboot within 4-5 minutes.


Yeah, that's probably a bug.

If this happens often enough to annoy you, you could file this bug with Apple by typing "applefeedback:///" into Safari. It could take some guesswork to figure out what component to file this against.


Does Apple ever respond to bug reports? I've only ever heard of them disappearing into the void. Beyond that though, users shouldn't have to file bugs against hostile features like this. Spreading the word as widely as possible about Apple's behavior here is likely to be far more effective.


Apparently they don't normally respond to them directly but they do look at/analyze them. Once in a blue moon you'll hear about someone getting contacted by an Apple engineer for more information.


I'm on 16.2 and this is an issue here too


I do not have that section under Settings/WiFi. Does that mean that my carrier simply has not added any managed networks, or should this section always be there, even if it is empty? Or is this a US thing, as I am in Germany?


It's at the top right, where the "next" button normally is. Blue ink.

Probably not a US thing. It's an iOS thing as that is where you can delete/forget networks you have joined (that aren't in range anymore)


Thanks, yes, I have it too. Must have had a brainfart yesterday.


I see it under Settings/WiFi/Edit, scroll to the bottom


Thanks I just did this as well. I often defend Apple's decisions but this is downright ridiculous.


Make sure you check up on it later, in my case the carrier turns auto-join back on a few minutes later.


Thanks. Doesn't seem to have happened yet but I have no confidence it'll remain that way.


Wingman does not stay turned off for me, as op mentioned in his edit.


It doesn't stay off for me either, but after some digging on the internet, Wingman appears to be an in-flight wifi network on planes (which may not actually exist anymore and T-Mobile are in the process of removing from devices according to this recent comment by a stranger on an old Reddit thread[1]). While it's annoying that it doesn't stay off, it doesn't seem to be something that would cause problems in practice because flights typically only have one wifi network.

1: https://reddit.com/r/tmobile/comments/7u535i/_/jcl01il/?cont...


What happens if someone spoofs the SSID though?


MITM I would assume



You can hit Cancel and it will still retain the auto-join setting (very counterintuitive).


Wait 5 minutes and check it again. “Auto join” will be turned on again


Very bizarre: I unchecked the auto join settings and, as you said, the done button wasn't enabled. So I pressed cancel, and the changes persisted.


I noticed this a couple days back at Home Depot, of all places. Was looking up the locations of stuff I needed to pick up via their website while sitting out in the parking lot and my iPhone kept switching off 5g to hop on some single bar wifi that I couldn’t delete or deselect auto-join.

Eventually just turned off wifi and the problem was “solved” but man this is going to be annoying if it starts happening at the grocery store or something.


tinfoil hat but Fry's used to seem to fuck with competitor websites on their in building wifi. amazon would never work. At least 2 times I had to go outside to get cell coverage and then pull up the amazon price to show them to get a price match. nothing really stopping home depot or whomever from shoving a pi-hole in front of competitor sites either.


> nothing really stopping home depot or whomever from shoving a pi-hole in front of competitor sites either.

And this is why people who say "DNS-over-HTTPS is bad since it bypasses Pi-hole!" are wrong.


I think the argument is about choice, not whether this tech should exist. When a device or app forces DNS-over-HTTPS it does so to take away my choice.


The owner of a device not being able to change whether or not it uses DoH is definitely bad. But a lot of people say DoH is bad even when the owner can easily turn it off.


A pi-hole that null routes traffic? No, unfettered by TLS certificates and morals, the competitor's site would show the item as being out of stock and drastically more expensive, and the store's closing early today.


I also think they adjusted prices to the store's list price not the on-the-web price for fry's but I only called them on it once. The other time it was in a TV and I just haggled and walked and they chased me down to the parking lot to say yes


I mean blocking 8.8.8.8 and 1.1.1.1 should be enough.


I‘m generally not a big fan of most consumer VPNs, but this is one scenario where they can really help.


I noticed this because a condo has neighbors nearby with routers blasting said hotspot, so now you’re not even safe in your own home.


Oh god no. I live in one of those “techbaby’s first econobox” neighborhoods where you can shake hands with your neighbors if both of you lean out the window a smidge.

I have never had so much trouble with network radio interference as I do here, so I can only imagine the fresh hell when one of my neighbors lights up one of these things.

There’s already a “stop hitting yourself” scenario going on with a guy blasting multiple competing 160mhz width APs for some reason. Thank god for Wifi 6E


A condo-sized Faraday cage would solve that problem...


They have faraday paint if you’re so inclined.


What's old is new again!


Or you could coat all your walls in aluminum foil...


YC24 here I come


On Android with tmo if I go near a home depot my phone will hop on their wifi and get a little R next to the wifi signal icon. This R doesn't go away even after I go home and get on my home wifi. Can only get rid of it by rebooting the phone.


R for reboot /s


If some carrier representative reads this, they may come to the conclusion that it is time to disable the wifi switch-off remotely too!


This has been around for a while now and is not some new eSIM thing. It's existed with physical SIMs too. It's Passpoint access authorized via your SIM. Your device won't just randomly connect to anything with the same SSID. It has to auth via the SIM and it's on secure networks that your carrier has agreements with. Same as the access you get over the LTE or 5G network.


This is wrong, the networks show up as “my networks” and an iPhone 14 Pro Max on 16.4 will 100% connect to that with the same priority as a real/my personal wifi network.

>and it’s on secure networks

No it’s not, my home networks are behind strong firewalls and things like Pi-hole. Do you not see the problem with all of my family's devices “preferring” a neighbor's network over mine?


> an iPhone 14 Pro Max on 16.4 will 100% connect to that with the same priority as a real/my personal wifi network.

That isn't what Apple says - https://support.apple.com/en-us/HT202831

At least according to the support doc, the most preferred network should be joined first, other private networks are the next priority, and public networks (including EAP-SIM, the subject of this thread) are the lowest priority.


These hotspot networks show up under “My Networks” on iOS 16.4 FWIW.

They can say what they want about “being given the lowest priority”, but they clearly are competing with my home network and winning some fraction of the time.


I suspect this has to do with beaconing and once you force it to join your wifi it will stop until you leave your wifi coverage.

If you are walking towards your house and it sees one of these 'sponsored networks' it will autojoin it, when you walk into your house it won't switch. It saw the 'sponsored networks' beacon first.


>I suspect this has to do with beaconing and once you force it to join your wifi it will stop until you leave your wifi coverage.

Great point. Wouldn't that mean it "beacons" to your neighbor when you drive home? Then stays connected as you go inside?

Wifi is tricky, if a momentary loss of your main SSID results in your device hopping to the next-available SSID your phone is basically always at risk of jumping LANs


Which is fine for a house, but imagine a (wifi) crowded condo/apartment. You could be in bed but opposite your neighbor's closet so physically closer to their WiFi thus “louder”.


it's not about louder, it's about who it sees first. Once you manually override it should be good unless your wifi drops out for some reason.


People buy the cheapest shit cable modem/router they can buy and use it until it physically dies or rent a very basic unit for a large space. Because they are unwilling to buy or rent sufficient hardware there are going to be spaces in the house where a temporary drop or dip is going to turn into a roam on an adjacent network.


Fortunately my carrier doesn’t do this, but having to manually select my own Wi-Fi every time I come home (so that I can reach local devices) sounds extremely annoying.

I‘d hope that the iPhone would at least periodically rescan for higher priority networks.


Yeah, that doesn't match their spec. Unless your home network goes down momentarily and the iPhone immediately switches to the other wi-fi network. You could maybe check the iPhone logs (or the router logs!) to see if this happens, but this is going to be a pain to figure out what is happening and when.
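A sketch of the router-log check suggested above, as an added example that is not part of the thread. It assumes a home access point that logs hostapd-style `AP-STA-CONNECTED` / `AP-STA-DISCONNECTED` lines with an ISO timestamp prefix; the log lines, MAC addresses and thresholds are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in hostapd syslog style (not from a real router).
# 02:00:00:aa:bb:01 stands for the phone, 02:00:00:aa:bb:02 for a laptop.
SAMPLE_LOG = """\
2023-04-05T18:00:02 hostapd: wlan0: AP-STA-CONNECTED 02:00:00:aa:bb:01
2023-04-05T18:00:05 hostapd: wlan0: AP-STA-CONNECTED 02:00:00:aa:bb:02
2023-04-05T18:41:10 hostapd: wlan0: AP-STA-DISCONNECTED 02:00:00:aa:bb:01
2023-04-05T18:41:13 hostapd: wlan0: AP-STA-CONNECTED 02:00:00:aa:bb:01
2023-04-05T19:05:30 hostapd: wlan0: AP-STA-DISCONNECTED 02:00:00:aa:bb:01
2023-04-05T19:27:45 hostapd: wlan0: AP-STA-CONNECTED 02:00:00:aa:bb:01
2023-04-05T20:10:00 hostapd: wlan0: AP-STA-DISCONNECTED 02:00:00:aa:bb:02
2023-04-05T20:10:01 hostapd: wlan0: AP-STA-DISCONNECTED 02:00:00:aa:bb:01
2023-04-05T20:10:40 hostapd: wlan0: AP-STA-CONNECTED 02:00:00:aa:bb:02
2023-04-05T20:31:00 hostapd: wlan0: AP-STA-CONNECTED 02:00:00:aa:bb:01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+hostapd:\s+\S+:\s+"
    r"AP-STA-(?P<event>CONNECTED|DISCONNECTED)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*$",
    re.IGNORECASE,
)


def parse_events(log_text):
    """Return a time-sorted list of (timestamp, event, mac); unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]),
                           m["event"].upper(), m["mac"].lower()))
    events.sort(key=lambda e: e[0])
    return events


def absences(events, mac):
    """Return (left_at, back_at, gap) per absence of `mac`; back_at/gap are None if it never returned."""
    mac = mac.lower()
    out, left_at = [], None
    for ts, event, sta in events:
        if sta != mac:
            continue
        if event == "DISCONNECTED":
            if left_at is None:          # keep the first of repeated disconnects
                left_at = ts
        elif left_at is not None:
            out.append((left_at, ts, ts - left_at))
            left_at = None
    if left_at is not None:
        out.append((left_at, None, None))
    return out


def ap_wide_drop(events, left_at, mac, window=timedelta(seconds=5)):
    """True if another station also disconnected within `window`, which points at the AP."""
    mac = mac.lower()
    return any(event == "DISCONNECTED" and sta != mac and abs(ts - left_at) <= window
               for ts, event, sta in events)


def classify(events, mac, blip=timedelta(seconds=30)):
    """Label each absence: 'ap_drop' (AP lost several clients at once),
    'blip' (back within `blip`), or 'away' (gone long enough to be on another network)."""
    report = []
    for left_at, _back_at, gap in absences(events, mac):
        if ap_wide_drop(events, left_at, mac):
            kind = "ap_drop"
        elif gap is not None and gap <= blip:
            kind = "blip"
        else:
            kind = "away"
        report.append((left_at, kind, gap))
    return report


if __name__ == "__main__":
    for left_at, kind, gap in classify(parse_events(SAMPLE_LOG), "02:00:00:aa:bb:01"):
        print(f"{left_at.isoformat()}  {kind:8s}  gap={gap}")
```

A long `away` gap while other clients stayed associated suggests the phone itself chose another network; an `ap_drop` followed by a long gap matches the "home network went down momentarily" explanation.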


>Do you not see the problem with all of my family's devices “preferring” a neighbor's network over mine?

I have T-Mobile. T-Mobile maintains agreements for Passpoint networks at random places like airports, T-Mobile stores, or (I recently found out) Home Depot. These networks are encrypted and authorized against a RADIUS server.

My SIM has them programmed into it. I can't just stand up the "t-mobile" or "Passpoint Secure" SSID from my home network and my phone automatically connects to it. That's not how it works.

Based on the fact that your devices are showing preference, I'm gonna take a wild guess and say you have Xfinity/Spectrum/Optimum Mobile. The cable co. MVNOs maintain their own WiFi networks which are (again) connected to via Passpoint and authorized using RADIUS. However, the cable company WiFi networks extend far into neighborhoods and are broadcast from CPEs. Your devices prefer them because that's part of the network you signed up for.

Just VPN back to your home network if you're not confident in their security.


You explained why this might be happening technically but why are you acting like it's okay? "Just VPN home" is not a solution if the phone is preferring a terrible one bar connection over the home one. Imagine the quality of that vpn connection you're suggesting as a fix.


I invite the WiFi Alliance to participate more in 3GPP meetings and straighten out the standard for handover between LTE/5G and Passpoint WiFi networks then.


And I invite the 3GPP alliance and Apple to stay the hell out of my Wi-Fi preferences (or at least give me a clear option of opting out of autoconnecting).

Their job is to get my phone on a 3GPP network, and (already a stretch) to possibly offer a reasonable default of autoconnecting to secure Wi-Fi networks that can alleviate mobile network load in crowded locations, but never in preference over my home network, and never ever without a way to opt out of all of it.


This has nothing to do with your preferences. This is network management pure and simple. This is how you implement efficient infrastructure in congested locations like stadiums, airports, and large retail (where you may have no signal at all). Whether the cellular radio or wifi radio is used has nothing to do with you; you are paying for a connection and there are some very intelligent people tasked with figuring out the best way to solve that problem. Because if they didn't, your phone wouldn't have connectivity in those locations and you'd be on here complaining that their service sucks


Either the device serves me and follows my commands, or it's not my device anymore.

This bullshit is exactly why Stallman was right.

If I make a decision, the device should obey me and no one else.

You've got no consent whatsoever to overrule the user's decision.


> If I make a decision, the device should obey me and no one else.

There's obviously limits to this, and in fact network traffic management is commonly agreed to be one of them. You can't tell your iPhone to blast on the channel of an operator you have no contractual agreement with.

The same goes for Wi-Fi on 5 GHz: You get to use these frequencies, but by law, device manufacturers are required to implement an algorithm that gives the primary user (weather radars important to aviation safety) priority. Patching out that algorithm could actually cost lives.

Where exactly your freedom ends, and that of the general public begins, is a fascinating and important conversation: Should you be allowed to skew your 802.11 or TCP implementation's congestion management algorithms to get priority for the data you send, for example? (All it takes is changing the multiplicative decrease factor up, or the random waiting time after a collision down a bit!)

What's the boundary of where your device ends: The baseband? The 802.11 hardware radio? The kernel, running your 802.11 soft-PHY driver? Userspace? I don't think it's a purely technical question with an easy technical answer.

Personally, I'm fine with my phone coming with a default setup to trust my operator's Wi-Fi networks, but only if the device vendor can absolutely make sure that my home network will be preferred, and in any case with a clear opt-out switch.


> There's obviously limits to this, and in fact network traffic management is commonly agreed to be one of them. You can't tell your iPhone to blast on the channel of an operator you have no contractual agreement with.

Why shouldn't I?

Sure, if I do so, I'll end up with a massive fine from the BNetzA, FCC, or equivalent local authority, but that's still my problem. I agree that freedoms are limited, but you can't enforce social restrictions with technological solutions.

The device should obey me, nothing else. I'm not going to accept devices becoming ever more locked down.

And it's not like it helps, either – I can just as well take an SDR and do the very same myself without any restrictions.

> The baseband? The 802.11 hardware radio? The kernel, running your 802.11 soft-PHY driver? Userspace?

Kernel, drivers, userspace have to be 100% under control of the users. Ideally, hardware should also be entirely under control of the user.

It's already so much work to custom patch the firmware on my cameras to e.g. allow using certain file formats without requiring the storage medium to have been certified by the manufacturer.

I'm already transplanting ICs from the manufacturer's original toner cartridges for my printer to circumvent the shitty DRM brother now introduced as well.

I've already got to use custom devices to strip HDCP so I can watch movies on my PC. My secondary monitor is a really high quality one from 2004 which is still better than many today, if I was bound by some shitty limitations I'd have to turn this into e-waste.

I’m already building customized kernel drivers for some of my WiFi cards because the official ones apply US channel restrictions even outside of the US, which means I've got less spectrum available than I should have.

I want this to be reduced, not increased. I want to move into a future where I need to make less such changes and devices obey me without question.


This is bullshit apologetics. The WiFi radio is mine, not the carrier’s. This completely screws up connections to p2p WiFi stuff (OBD reader, private camera network, etc).


Whatever strategy is implemented it absolutely should respect the user preference for which wifi network is preferred. How can you defend getting in the way of a user connecting to their home network when at home? Seriously, address that particular concern and maybe we can have a debate.


That’s all fine and even laudable if it works (and does not actually degrade quality more often than not), until it disrupts my ability to connect to my own network in any way (which has devices on it I can‘t reach from my mobile operator’s network).


How gracious. In exchange, I invite all of the 3GPP stakeholders to respect people's technological autonomy and refrain from enabling solutions that force crap down their throats.


If you have a better solution than the 3GPP and member parties i.e. carriers have come up with I invite you to build your own better network experience and handsets rather than just posting snark. Perhaps try mounting some hubcaps to trees.


> Just build your own network.

I did build my own network, and my ability to connect to it was forcibly overridden with no way to opt out.

That is entirely the point.

Edit: rulebreaking removed.


I don’t think 3GPP is on trial here, seizing customer owned wifi radios is


This isn't about technological autonomy. OP signed up for wireless service that is specifically sold as Hotspot WiFi-first. That's one of its main features. It's sold as that very, very clearly. If you don't want their WiFi, go get service from another provider!


Just because a service is marketed as having a feature doesn't mean they have an excuse to undo a user setting in their OS that explicitly says they don't want to use it. Maybe they do want to connect to the advertised network when traveling but auto connect shouldn't be forced on them. I don't understand why you are trying to defend this so adamantly.


> OP signed up for wireless service that is specifically sold as Hotspot WiFi-first

No I didn’t. I bought cell service, they advertise that they also offer hotspots but all the carriers do that.

Nowhere did I sign up for unauthorized modifications of my owned devices' wifi stack.


> Just VPN back to your home network if you're not confident in their security.

I’m sorry but wtf?

You’re saying that, in my own home, I should just accept that my devices connect to an external wifi against my will and VPN back into my own home… while in my home?

Seriously?


(Gonna assume you have a cable MVNO still)

Yes. You signed up for a cable provider mobile service. A huge part of their whole value proposition for their service is "get access to millions of cable WiFi hotspots!" That's their product. They plaster it everywhere in all their ads.

Your situation with Pi-hole and firewalls etc. is a niche use case. Their service is made to appeal to people who are 1) cable company customers and 2) want cheaper service. The majority of people who fall into those categories have an Xfinity router at home that broadcasts the Passpoint SSID. The phones connect to that SSID and have service. Passpoint is going to be more secure than any WPA2/3 network anyway.

If you don't want that to happen, then get a different mobile provider. This one is not for you.


WiFi isn’t just for accessing the Internet. It’s also for accessing other devices on your home network such as printers. This is a broken implementation with no room for argument.


Xfinity hardware provides a separate SSID that uses WPA2/3 to secure your connection and an SSID for "Xfinity WIFI". On Android one can and should in fact select which nodes to connect to not merely whether to connect to all nodes but whether to connect to individual nodes. This is essential because in real world non test environments real customers using real networking hardware and phones do not handle adjacent networks well because signal strength varies wildly throughout their space resulting in devices roaming back and forth for no fucking good reason. This is especially true in dense environments like apartment buildings.

Xfinity customers using xfinity wifi on their android device NEVER experience conflict from dancing between AP with xfinitywifi in their home or from their neighbors unless they explicitly connect to adjacent networks and if they do so they can correct the issue by long pressing on the undesired AP name and selecting "forget".

Nobody cares what a company thinks they signed up for. They give essentially two shits. They pay tech companies to solve their problems and expect solutions that work. The situation as described doesn't work for normal network conditions and equipment. The fact that it also breaks niche stuff that techies like is just diarrhea icing on a shit cake.


I signed up for cellphone service.

Absolutely nowhere did I consent to have my devices (yes, my owned devices not leased/payment planned) suddenly lock me out of basic networking settings.

This is almost as stupid as buying a Walmart keyboard and finding out plugging it in disables eth0 because you might load Amazon.


You can restrict apps from using the internet in the cellular menu. But with wifi, they can communicate unrestricted.


That’s a very obvious omission in the iOS privacy/security settings I‘ve never understood.

Why can I grant fine-grained access to my photos, location etc., but not just outright denying network access to an app that works offline, which would make all of the other concerns mostly moot?


> Just VPN back to your home network if you're not confident in their security.

So you expect the average user to be able to set up a Zeroconf/mDNS-proxying VPN, since that’s the only type that will allow things like Google Cast or AirPrint to still work?

Home networks are not just about security or speed, some people have devices on them they can otherwise not reach.


Having multiple adjacent networks enabled is liable to cause customer devices to roam between access points on and off their LAN even when

- Remote access point doesn't provide access to desired resources

- Have acceptable performance

- Have acceptable security parameters according to users needs

Most users can't stand up a vpn inside their network and configure it to alleviate the self inflicted wound of having their phone decide that the user isn't qualified to select the wifi access points it prefers to connect to. You may as well ask them to grow wings and skip Delta. Instead they will be placing irate calls to their ISP about why their wifi sucks so much and I will be silently cursing Apple.


Thank you for adding some technical context to this discussion. There's a lot of (sadly) uninformed people in this thread spitting mad prophesying about a topic they clearly do not understand with any technical depth. If only the retail stores replaced their enterprise gear for EAP with a "pi hole". P.S. nice username


> "No it’s not, my home networks "

When your phone is on 5g it is not behind a strong firewall, or any firewall at all. It's sitting directly on the internet. I can run a webserver on my phone and you can browse it.

> Do you not see the problem with all of my family's devices “preferring” a neighbor's network over mine?

If you've been laboring under the misconception that your phone is safe on your home network then perhaps this is a shock. But having your phone connected to a carrier means the carrier is responsible for providing a network.

Normally your phone is connected both to the carrier network and to whatever wifi network the user prefers, if wifi is available.

It seems like the major usability problem here is that instead of connecting to both networks, the carrier network supplants the user's network -- which breaks expectations when near user-run wifi.


> When your phone is on 5g it is not behind a strong firewall, or any firewall at all.

I‘d be surprised if that’s true for most operators.

And even if there really is no stateful firewall: On IPv4 you’ll be behind carrier-grade NAT (so no inbound connections), and on IPv6 (including NAT64/DNS64), successfully guessing somebody‘s IP address seems extremely unlikely. (A server that you’ve visited might "dial you back", though.)

And for most users, the most visible effect will probably be that they can’t connect to their Chromecast, smart speakers, AirPrint etc, not decreased security.


> I‘d be surprised if that’s true for most operators.

It's true for the operators I've tested so far

> On IPv4 you’ll be behind carrier-grade NAT (so no inbound connections)

Sometimes, but often still not the case.

> on IPv6 (including NAT64/DNS64), successfully guessing somebody‘s IP address seems extremely unlikely

Guessing a specific person's ip is a very different threat model from being hit by a random scan.


Except it’s shit. I constantly have to disable WiFi to get 5g again in the airport if I want something that actually works. Verizon with passpoint is absolutely trash and has nearly driven me to cancel my Verizon service because it can’t be removed.


I remember something like this happening nearly a decade ago with an iPhone 5S. I was at a large mall I visited often and saw I was connected to a WiFi network I hadn't used before.

The mall had WiFi but there was a portal which required SMS authentication and was time limited (the same as every other hotspot, it was rules of the country), so I didn't bother using it on my phone. Plus the carrier had a modern LTE deployment, where I'd often get over 50mbit download speeds - which was faster than my home internet. The network was named something like "<carrier> offload" so I assumed they had a kind of WiFi deployment to limit cell tower load, and it was added by the carrier settings profile.

I can't remember if I was able to disable or delete the network (it worked, so I didn't care). I'm wondering if this feature has been there for a while, but OP's ISP has only just decided to use it (I imagine some exec had an OKR to increase adoption of their public WiFi hotspots).


Being around unknowingly for a while does not make a thing good!


Yeah I don't get this angle, I've seen a bunch of people here act like it's no big deal because carriers "could" have done this a long time ago.

Well, we know NOW and it's not ok.


I was all prepared to be very irritated. Especially if I could not disable them.

But disabling does work for me. And according to the documentation[0] these networks wouldn't get selected in preference to my home network anyway. My blood pressure is dropping a bit.

Assuming these are actually authenticated networks as described, then I don't know if this is any worse than allowing the phone to use the cellular signal. Same provider.

If your phone is hopping onto one of these while at home, I guess check your home wifi signal strength because it's probably dropping out?

[0] https://support.apple.com/en-us/HT202831


On my device these hotspots show up under “My Networks”

Disabling (switching auto-join to off) also does not work, most of them switch back on a few minutes later. This seems to be carrier-dependent from the comments thus far.

I disagree based on my reading of the documentation, these are treated as identical to your other networks. The only benefit is my home network is usually louder, but that’s the rub it doesn’t always work and devices routinely switch.

In my case I noticed this in a condo, so the physical distances are less


I can understand the frustration this issue might cause, especially if your device keeps switching to these managed networks despite having a stable home Wi-Fi connection. It seems like there might be a difference in behavior based on the carrier, which complicates the situation further.


I strongly believe these carrier networks should only be added to “my networks” as a permission-gated prompt, and also be deletable.

Would solve this whole thing I think


If I make a new SSID with the name of an xfinity/att/Verizon hotspot would that means every up to date iPhone user would automatically connect to it?


No, unless you have found an exploit for EAP-SIM, Passpoint, etc.


i didn’t think ios had the capability to enforce any specific auth method for any specific SSID. you’re saying it does?


You can use an MDM solution/Apple Configurator.

I do this so (among other things) my iPhone connects to my home network and won't connect to my young friend's wifi "pineapple" or even suggest it's an option when he thinks I haven't turned peoples internets upside down over twenty years ago...


Yes. These managed networks require EAP-SIM (or something similar).


For a managed network? Absolutely.


Yes.


No. That’s not how it works. These managed networks require a specific secure authentication from the carrier itself.


If we trust the providers and manufacturers and we know that they are careful and with the best intentions then there may be no problem, but hey, they force things, they do secretive things, some even mislead and scam us, they eroded the trust in them themselves collectively!

I do not feel comfortable not knowing what wifi network my device will connect to the next minute along some opaque incentives of an organization I have no control or insights about. What if I have resources or devices in a specific wifi network that I rely upon and they hop over to something else because they want to? I have serious doubts about this move. To me even the hidden direct wifi communication switched on silently allowing two Apple devices communicate each other in the vicinity was a drastic move. We watched some movie on Apple TV and suddenly interrupted with the message and confirmation code display that my second neighbour's MacBook Air wants to connect to my Apple TV. "How did he connect to my network?!", came the panic. I have important and confidential data available on my local network (with passwords, but still, one barricade was broken already!). Luckily the guy was aware of this new "feature" (more like a nuisance) and so now it is turned off on my Apple TV.

The trust is eroded a lot.


I’ve tested this on iPhone 14 Pro Max, 13 Pro Max, and 12 Pro Max. Using iOS 16.4 and 16.5 beta, I’m unable to replicate this.

AT&T 54.0.1

Managed Networks: AT&T Wi-Fi Passpoint, attwifi

Verizon 54.0.1

Managed Networks: PrivateMobileWifi, VerizonWifi, VerizonWifiAccess

T-Mobile 54.1.0

Managed Networks: t-mobile

———

I’ve tested the following scenarios

- confirm auto-join disabled, wait 10min, recheck and still disabled.

- confirm auto-join disabled, reboot, recheck and still disabled.

- confirm auto-join disabled, enable airplane mode, recheck and still disabled.

- confirm auto-join disabled, disable wifi, re-enable wifi, recheck and confirm still not auto-join enabled.

- confirm auto-join disabled, switch cellular data to alternate esim, switch back, confirm still not auto-join enabled.

At this point I feel there must be something different about your setup that’s non-standard in some way.

It’s slimy as hell that they get added automatically, but still very much possible to disable at least it seems.

Edit: “Wingman” and related variations never appear on either of my T-mobile devices.


Wow, thank you for your detailed post.

I have multiple iPhone 14 Pro Max, all 16.4

All on Xfinity Mobile 54.0.1

Yes, I know Comcast sucks but they are the only provider in my area for gigabit and they whitelabel Verizon mmWave 5G for a serious discount if you bundle with their internet (which I’m basically forced to use)

In my case, I disable auto join on all 9 managed networks and 5 of them are back to enabled before I’m done checking the list.


If you don't want the service, why did you buy it, even if the discount was 100%?


“The service” was cellphone service, there is no logical reason my phone OS should arbitrarily lock me out of wifi settings due to my cellular carrier.


Oh. By the way you called it out as "mmWave" I assumed this meant it was some sort of wide-area thing and not generic 5g coverage.


Ah, no it’s regular LTE/5G but also has the advantage of being 5G+ (mmWave symbol on iOS) so I get near-gig cellular speeds.


I noticed this type of thing a LONG time ago (years) when my browser session was hijacked by some starbucks terms of service popup. my phone had auto joined an at&t wireless hotspot at a nearby starbucks.

I could disable auto-join at that time and it didn't happen again.

Also as a general precaution I turned off wifi except at home.

However, if it cannot be disabled, I find it troubling.


In my particular case it’s happening in my condo and all of my family's devices routinely switch between my real network and the 1-bar hotspots several floors away.

It’s impossible for me to disable and breaks all local connections to things like PLEX, as well as kid safety/adult content filtering.


Killing local network access is an actual bug.

related - I wonder if this is specific to esim or if this would happen with a regular sim too?

and can you just call your carrier?

I had a comcast business router and it started broadcasting an open comcast wifi access point (for comcast customers). I called and asked them to turn it off and they did.


I just checked my phone, There were 3 verizon networks in there I don't recognize. I'm using a regular SIM.


The carrier told me to contact apple.

And in my case, I can’t exactly harass all my neighbors to disable their “free hotspot”. I should be able to control my own phone and dictate what it does/does not connect to.


> I should be able to control my own phone

That battle was lost a long time ago. I should be able to restrict (or know) what the apps do. I should be able to firewall my phone. I should be able to access the files on it.

But in the end, only apple decides this, and their decisions are self-serving.


Sheesh, a linux phone can't come fast enough.


What do you mean?

Sent from my Librem 5.


morally you can't but actually you can, go to a few thrift shops, get enough routers to cover all channels, create many screaming imposter networks portal each one to something not pretty, soon [day or 2] you will see the original network gone.

beware of FCC.


This is perfectly legal, FCC will not care.

But it will not work.


saturating the air with [SSID] at high dB across all channels absolutely will work, it compels the operator of [SSID] to turn it off and buy another router.

the high dB signal is where the FCC Will care.


That’s not how 802.11 works. If your device can’t connect to a given BSSID that’s broadcasting an SSID it wants, it will put that BSSID on an ignore list and try the next one, whatever the received signal strength.

You can of course saturate the entire spectrum, but that breaks every network, not just the SSIDs you’re "waging war" against, and will probably get you a visit by the FCC sooner or later.

Maybe you could broadcast thousands of spoofed BSSIDs; I have no idea about the legality of that, and the legitimate operator of the SSID might not find that too funny and take legal action against you as well, as that would be pretty transparent denial of service on a public band.


yes you have it right. this has been done in the past, and can still be done.

legally, you don't want to do it. i have had experiences with seeing my SSID coming from a router that is not mine, and the neighbor basically said eff off, I'll do what i want. in that case i did what i want as well.


What’s the problem with your neighbor using "your" SSID?

It’s not like anybody can "own" an SSID name, and if you’re using WPA, the only effect would be a few milliseconds longer of initial connection time per device.

Actively running a DoS against your neighbor might or might not be legal, but it sure is petty (and given the above, unnecessary).


when someone follows your wifi around, repeatedly changing their SSID to match yours, they are doing it on purpose.

https://news.ycombinator.com/item?id=35449153

this is called MITM


There is no way ATT is going to abandon the attwifi SSID.

You did not mention exceeding Part 15 emitter limits in your previous post.


screaming was mentioned, and I'm not talking about making ATT abandon the attwifi SSID, I'm talking about the end user abandoning the onsite equipment.


> Killing local network access is an actual bug.

Yeah in addition to any local servers you have it would break continuity (handoff etc), it would break casting. Sounds very poorly thought through.


It amazes me how features like this make it through to release and seemingly nobody considered this very basic experience of your home being hijacked


It gets more sickening every day. I own every Apple device there is. But there has never been a company more anti-Steve-Jobs-vision than Apple.

The seamless experience has turned into my fight against Apple's hatred of their customer.


> I own every Apple device there is.

I'm not sure anyone really ever "owned" an apple device, at least since the first iPhone or so, it seems to me we kind of redefined what ownership means. Apple owns every device they make, you are allowed to pay for limited and revokable usage rights. You have very limited knowledge or control over most of its proprietary hardware and software. Apple, the phone carrier, the apps you install, all have more, varying control over your device. The kind of freedom Stallman talked about for example has been lost for a very long time.


Maybe? I certainly still have more control than on windows.


Last I checked, you were still able to install apps on Windows from sources other than the Windows store.


The real reality distortion field is that folks believe that Apple (or Steve Jobs) is somehow benevolently pro-user, almost to an extent of sacrificing itself for the user's benefit. This never was true, Apple is a company like every other company and it views their customers as simply revenue streams.

Apple's pro-user perception is an (amazing) marketing campaign.

Would a pro-user company use its monopoly position to raise eBook prices 20-30% and simultaneously eliminate any competition in the eBook space, on the backs of their users? Apple did exactly this, directed explicitly by Steve Jobs and was forced to pay nearly half a billion dollars and be found guilty of violating antitrust law.

https://en.m.wikipedia.org/wiki/United_States_v._Apple_Inc.

https://www.techemails.com/p/ibooks-is-going-to-be-the-only-...

Apple's priority is Apple - and that is the only priority. This is a perfectly reasonable thing too, they are not running a charity. They often build pretty good products, but I think folks are doing themselves a disservice to believe that Apple maintains some kind of user focus moral high ground. They want the dollars in your pocket, and if they can get more of them by acting against you they will do it if they think it's unlikely they will be called out on it.


Steve used to care about things like this. And even if he didn’t once it has his attention you know something will be done or at least looked into with a reasonable eye. Now it is nothing.


They're instruments of social control and behavioral management. People will get upset and this comment will probably even get removed (censored), but this is the truth with closed source software from for-profit corporations.


Get an Android phone. It's the bee's knees.


Some comments suggest Android is affected as well.


Apple stood up against carrier customisation. No custom firmware, boot logos, or pre-installed bloatware. Upgrades occurred when Apple was ready to release them, not years later than carriers had finished their "testing". This was fairly revolutionary at the time.

This is definitely a backwards step contrary to that vision of carrier subordination.


Whenever someone sadly hits their personal "last straw" threshold for iPhone, one option to consider is the privacy&security-focused GrapheneOS variant of Android.

https://grapheneos.org/features

You can run GrapheneOS on recent models of Pixel hardware. (It usually has to be a unit purchased from Google, or that otherwise hasn't had OEM-unlocking disabled by the carrier that sold it.)

https://grapheneos.org/faq#device-support

https://grapheneos.org/install/web#enabling-oem-unlocking

You might also try minimizing the apps that you depend upon, though GrapheneOS has put work into supporting apps in a bit more private&secure way. There's also the option of the F-Droid app store, if you want to try to avoid commercial apps altogether, but still need things like an OpenStreetMap app.

There were a lot of things I liked about iPhone, but I overall feel more respected by GrapheneOS.

If you end up liking GrapheneOS, and have the means, there's an optional Donate page on their Web site.


Top posting because there is a lot of mis/false information overwhelming the comments section and this needs to be known.

Facts:

1. OP is a customer of Xfinity Mobile - which is a "Wi-Fi first" internet service. Note they don't call it "cellular" because it isn't.

2. Their terms of service are clearly laid out here: https://www.xfinity.com/mobile/policies/broadband-disclosure...

To quote:

"Comcast's Xfinity Mobile broadband Internet access service ("Xfinity Mobile service" or "Service") utilizes Wi-Fi service - both Xfinity WiFi and Wi-Fi provided by other Internet Service Providers ("ISPs"). When not connected to Wi-Fi, the Service utilizes our carrier partner's mobile broadband Internet access service network and is subject to its network management practices and controls."

Basically they roam onto cellular when their WiFi is out of range.

3. OP keeps claiming that he never agreed to anything blah blah yes you did. When you sign up for anything with Comcast they make you sign an agreement that you agree to their ToS. See South Park episode "Human CentiPad".

4. The service OP signed up for is at a discounted price because of trade offs. The trade offs are that your device will prefer the Xfinity hotspots over cellular. That's literally how it works. That's why you're getting it for cheaper because the service sucks by design. That's on the customer.

5. People attempting to point these facts out have been getting downvoted which is just sad.


The OP isn't complaining that their phone is roaming to a managed Wi-Fi _in preference to cellular_

They're complaining that it's not using their own Wi-Fi and causing real issues for their family members.

Trying to justify this behavior because "well, the ToS maybe said something about this" rightly deserves to get downvoted, as do your other points.

None of what you call out changes the fact that:

1. The OP is experiencing real issues, preventing them from using their own Wi-Fi at home

2. This is because of a configuration setting they cannot change on a device they own.

What SIM they're using, what ToS they've signed, none of that should matter when OPs goal is just "I want to be able to use my own Wi-Fi at home".


We don't know much about the OP's WiFi setup other than he chose to use his own equipment and not to use the carrier's gateway - which would broadcast its own, stronger, passpoint SSID in his apartment and likely these issues would go away.

Consider the following scenario: the OP's router is flaky and disassociates stations during which time the phone gets kicked off then "sees" the carrier's SSID from the neighbor and joins it. Now it's on that network. Suddenly this becomes a self-created problem. The solution is to not use Xfinity mobile or any other "Wi-Fi first" MVNO.


It can both be true that OP is getting what they asked for, and that this is a bad thing for Apple to unilaterally allow. How does Apple know that OP signed up to have their preferences ignored?


This has been going on for years. Not many people know of the deep integration between Apple and the carriers. Your iPhone, when a SIM is inserted, pairs it with a "carrier profile" which is downloaded from Apple's servers. This profile, among other things, has network settings and preferences such as the APN. That's why you need to have the phone connected to the internet to "activate" it; it's part of the provisioning process. These wifi offload networks (along with likely a setting if it can be disabled or not) are likely downloaded as part of that profile.

This is reminiscent of those "ad supported" ISPs of yesteryear that people would subscribe to then complain that it has ads.


Here's something Apple could do: pop up a dialog saying something to the effect of, "this carrier wants to manage your wifi settings. Agree? [yes] [no]". If the user doesn't agree, that's communicated back to the carrier who is free to not render the service. Presto, Apple doesn't have to take the carrier's word that I agreed to a third party managing my networks.

That it's been like this forever doesn't make it right.

ETA: the ad-supported ISP analogy misses the crucial distinction that the ISP knows I signed up for them to MITM my data. Apple knows nothing of the sort.


It’s so pleasing to hear someone actually know what they are talking about.

(I founded a large MVNO and have been shouting at my screen for a lot of the incorrect assumptions made by others).


I like your fervour, but does any of what you said apply when cellular isn't involved and OP wants to use their own WiFi network but can't because of an unnecessary restriction in their phone OS?


> Top posting because there is a lot of mis/false information overwhelming the comments section and this needs to be known.

You posted this as a reply to a top comment. Perhaps re-post as a top-level comment? I think dang can move these, but likely won't see it for a while.


Replying to the top-voted comment, for visibility rather than relevance, is something I haven't noticed much on HN.

I'm not saying it's wrong, but it seems to be unilaterally subverting the voting mechanism, with the rationale that person is confident the message is so important that the voting mechanism is irrelevant or can't be trusted.

A person could be right, in an instance, but imagine if everyone did that every time they were confident. We'd need a way to mitigate the conflicts from all that individual confidence. Maybe with a democratized voting system.


Nothing in the terms of service you linked says they can disable my device’s ability to NOT join their network.

And their advertising absolutely does not suggest they are “WiFi first”, they advertise cellular service with hotspot access. AT&T and Verizon do the same thing (advertise all these great free hotspots you get).

No one intentionally signs up to lose control of their WiFi system on devices they own, so stop making excuses for Apple’s behavior.


I just read their ToS and pulled up their sales/landing pages.

"Wi-Fi first" is a term you made up, their claim is that they _offer_ cellular service and wifi hotspots like all the other carriers.

Read your quoted section again, "utilizes" does not mean "force you to use over all other network options against your will".


wow they've done it: they've out-exploited an already monsterably ruthless monopoly!


As someone who reluctantly moved to iOS from Android and reluctantly stays on iOS there really is no other option for "normal" ("regular"?) users who don't want the Google crap all over their existence.

Graphene, Lineage etc are all excellent solutions for people who want to (or "can") get their hands dirty and can live without normal functions of "commercial" apps, for everyone else as of today there are just two options - Apple's iOS or Google blessed Android. I am not even talking about warranty and bricking woes.

This is a duopoly as clear as day. We can keep telling ourselves that we have options, we don't. It's settled, at least that is how it is right now (again, maybe except for "tinkerers" which I guess even I was until around a decade ago).


I will say GrapheneOS is much more usable than normal custom Android ROMs. Maybe this has changed but IME even Lineage based ROMs, official or otherwise, don't have automatic updates the same way stock does.

But GrapheneOS and a few similar projects actually have fully automatic updates, for every Android security update and major versions.

Once installed, which is very easy as long as you are starting fresh, GrapheneOS requires no effort to maintain. F-droid or even the Google Play Store works just fine once configured. The only apps that don't work are major banking apps and snapchat so not a big deal.

If you have family/friends that use smartphones but don't really use "Apps" then GrapheneOS is perfectly fine.


I am not 1% as technical as the regular HN contingent - and I can only say - flashing a Pixel 6 Pro with Graphene was smooth as silk. Just requires some good reading and instruction following skills.

Amazing OS...works fast, UI doesn't change whenever it feels like...absolutely the best tech related thing I've done this year.

I would have been on it sooner if I wasn't so annoyed about needing to own a Google phone to use it :P


My banking and finance apps are the mandatory apps that I keep on my phone :(

These are the kinds of caveats I tried to point to in my comment. That it’s not an option even though it feels like that.


> The only apps that don't work are major banking apps and snapchat so not a big deal.

It's a big deal for me if my banking app doesn't work.


It's a duopoly. But what is the solution? Requiring developers develop for GrapheneOS? Or forbidding Apple from making iOS/iPhone secure enough to be used by at-risk individuals being targeted by nation state actors with n > $1M in resources to use on attacking someone (by forcing them to allow third-party app stores/downloading apps from websites/etc)?


Break them up!

The potential for manufacturers to abuse their customers when they control the full stack. Bell Labs both Google and Apple. Hardware and software should be developed by separate entities anyway. If it works for normal computers, it can work for small normal computers too.


> Or forbidding Apple from making iOS/iPhone secure enough to be used by at-risk individuals being targeted by nation state actors with n > $1M in resources to use on attacking someone (by forcing them to allow third-party app stores/downloading apps from websites/etc)?

This has always been a pretext. They could sell phones that allow you to do any of those things by default and allow the user to set an option that locks the device to only Apple's store until the device is factory wiped. That would not be any less secure for people who choose that option, but would give people the choice without tying that choice to the entire platform.

> It's a duopoly. But what is the solution?

That depends on who you are.

If you're a government, antitrust.

If you're anyone technical, buy a device that isn't always the easiest to use and then use your talents to make it better for everyone.

If you're in a managerial role at any kind of large enterprise, smart companies have purchasing requirements that penalize certain vendor behavior, by prohibiting purchases from them entirely or requiring them to come in some significant percentage lower than any competing bid. Make sure vendor-locked products get penalized by your company. Let the vendors know this is why they're not being chosen. (The reverse version of this also works: Have corporate charge individual departments a large premium for purchases of disfavored products. Then they have to decide how much they really need it and alternatives get attractive.)

If you're a regular person, don't buy anything that requires you to install an app on your phone. Use your bank's website and if you can't then get a different bank. Don't do business with companies that remove your choice of platforms, even if you still don't currently have one, so that someday you might.


> But what is the solution?

The solution is to abandon both and join the community of GNU/Linux phone users, https://puri.sm/products/librem-5 and https://pine64.org/pinephone.


For me that will require to change citizenship or get a visa or at least get the device shipped to another country at real exorbitant prices with essentially zero service or warranty


I use GrapheneOS on a Pixel 7 Pro daily and I can use banking, transport, and government apps just fine. There's only been one time I had to look up how to get an app working and that was trivial. I get notifications and can use the Google services I choose with permissions I pick. I can even use all the hardware features such as Google's AI image editing and camera features. Even installing GrapheneOS is done through a browser and takes just a few steps. If you are just slightly technically inclined I see no reason you can't use GrapheneOS, I haven't personally had to compromise in any way while I have gained complete control of my device.

Even if using GrapheneOS came with downsides, the amount of power you gain over your device would have been worth it. If you have a Pixel device you owe it to yourself to spend a few minutes finding out if you want to try GrapheneOS.


This doesn't address all your concerns, but for people who want to keep the commercial apps, GrapheneOS now supports that to some degree:

https://grapheneos.org/features#sandboxed-google-play


About a billion people in China can manage without a single Google program on their phone


Here's the thing: Lineage is for people who "can live without normal functions of commercial apps". Graphene is not. Because all "normal functions" work on Graphene.

It's also super easy to install - you literally just need to press a few buttons in a web browser.

(Lineage is also not an excellent solution because it has severe security flaws and questionable privacy benefits)


Another vote for GrapheneOS here. I moved away from a great iOS experience to a great GrapheneOS experience nearly two years ago. Pixel 5. Works fantastic. Bonus: I get nearly two full days of battery life between charges, even with heavy use, because my phone is not full of apps and system services chatting away to their motherships all day. I have all the mobile apps I need and enough of the apps I want. (And probably a little more peace and useful disconnection because I'm "missing" some apps that I used to spend time with but I honestly can't tell you what they were or that I actually "miss" them. Ha.)

I'm still a happy MacOS desktop user and while I occasionally miss some mobile/desktop automagic syncing that Apple does so well (iMessage, Photos, etc.) I find this split GrapheneOS/MacOS life forces me to smartly use more Signal Messenger and suggest others try it too. And I use the amazing Syncthing on all my devices for mobile/desktop syncing needs like photos and more.

Also ... moving away from an iPhone, I moved from Apple Watch to Garmin Fenix and am super happy about that move also. Two weeks of battery life from a watch that's more durable, has physical buttons that I prefer, and is more customizable when I'm feeling nerdy. Garmin's philosophy on user data/privacy seemed to be very good compared to Google, Samsung, and other watches. And they're better built watches and meant for 24/7 hard use.

Kudos and donation to the GrapheneOS team. Also, their regular system updates work so smoothly, perfectly, if a little too frequently.

Maybe it's not forever, but I did this purely as an experiment with my Apple safety net waiting for me. The iPhone and Apple Watch have depreciated and gathered dust and haven't been touched in nearly two years. Time will tell...


This! I'm very impressed with how well it works and the continued anti-consumer steps iOS and Android make are only driving Graphene's development!


Thank you. I previously relied exclusively on Samsung for phones, tablets, and smartwatches but decided to stop dealing with them after they decided to silently enable sending everything I typed to Grammarly in an update. (Literally 2 decades of good will wasted).

If the next models remain secure with GrapheneOS, I'll be switching to using Pixels exclusively instead. How long does GrapheneOS support Pixel devices? A strong clear policy on security updates was the main reason why I stuck with Samsung and continued to recommend them for so long despite them becoming more and more abusive.


There's active support going back to the Pixel 4a with the Pixel 4 being EOL.

https://grapheneos.org/faq#device-support

Looking under the next section "Which devices are recommended?" it sounds like support is planned for the full life of newer devices that have 5-year update guarantees.


My words! I made the switch to Copperhead / now GrapheneOS 7 years ago and never looked back. Can only recommend this OS and the lead dev is a legend.


Or you know, switch to Android.


This is a very US centric way of looking at this. Currently sitting in a packed subway carriage in Busan, South Korea. There are carrier WIFI APs installed in every carriage. Their network is literally built to offload people onto wifi where possible, I presume to reduce congestion on not much or very directional spectrum in the tunnels. In this case, it makes perfect sense to push people onto their wifi. Not connecting to your own networks preferentially is a pita though. Seems like a really neat solution imo


I think most Americans on here are concerned that if they're at home, and their neighbor has a carrier sponsored wifi hotspot, then their phone may prefer the neighbor's hotspot to their own home network. Things like this could disrupt talking to local devices (airplay, homeassistant, etc).


Sort of. I can understand offloading to WiFi. I cannot understand preferring carrier WiFi hotspots over my own.


I live in Japan and first noticed this "feature" when I'd lose connection as every time I'd walk past a FamilyMart convenience store (which you can find every 3 blocks or so) it would connect to "0000docomo" and then immediately lose connection as I kept walking. Although in my case, disabling auto-join works fine.

Why would they install WiFi repeaters and not just 4G/5G microcells on the trains?


I suspect cell site density and that Wi-Fi infra doesn’t require the same regulatory permissions as a microcell. Wi-Fi is unlicensed.


Yeah I guess there may not be a regulatory framework for ambulatory cells


Cost seems like the most likely answer


Fair criticism. But can you defend blocking the user from manually disabling these networks?

I’d understand if I got a pop up saying “add these networks for the best experience”, I accepted them, etc.

I would have (upon detecting this problem) just removed them and gone about my day.

The problem here is that you are forced to use them with no opt-in and no way to disable it.


Why can't I remove the network from my phone then?

Makes "perfect" sense.


I can see how it can be a very useful feature – but why not let users decide if they want to keep enjoying it, or opt out of it for whatever reason? I can think of many valid ones.


I wish they’d install this in elevators here, too.


My office building‘s elevators have 5G signal, which makes much more sense as it avoids a hard handover between SSIDs/networks (or Wi-Fi and mobile data), which in turn has a much higher chance of not dropping calls.


I’d accept either, relative to what I have today, which is nothing.


If apple wants to add a second wifi radio to handle carrier offloading, and having it treat this second wifi radio as a cellular radio by another medium, sure.

but I should have fullllllllllllllllll fucking control over what wifi network my device connects to.

The fact it can connect to mobile data is only 10% of the device, and i don't see why connecting to a carrier's mobile network should grant that carrier the ability to edit user settings like what wifi networks it's allowed to connect to.


Is this based entirely on the SSID? In other words, could I force other people's phones to connect to my router by just changing the name of my Wifi network?

That seems like an obvious security vulnerability.


This is funny, because the very first iPhone did exactly this in the US for the SSID "AttWifi". Crazy that they brought it back 15 years later.


Presumably it uses EAP-SIM to authenticate, not just the SSID.

https://support.apple.com/guide/deployment/how-apple-devices...


unfortunately your link doesn’t mention anything of the sort (whether auth method is a requirement of the SSID)


The SSID is the key. There is no other security as far as I understand it - you can test this by changing routers and naming the SSID and password the same. Devices will join this new network no questions asked.


That depends on the carrier. There is such a thing as SIM authenticated WiFi networks and they can use it.


> There is no other security as far as I understand it

https://news.ycombinator.com/item?id=35447903 says it uses RADIUS authentication and “I can't just stand up [spoof] the ‘t-mobile’ or ‘Passpoint Secure’ SSID”.


> There is no other security as far as I understand it - you can test this by changing routers and naming the SSID and password the same. Devices will join this new network no questions asked.

AIUI this is a feature, not a bug. It allows devices to switch between different access points automatically.

For example, a large school will need to use many different access points in order to cover the entire building. Students will not want to manually switch between all of these access points, so the school gives each one an identical SSID and password. Devices will then switch automatically as needed.


I read this as cellular providers offloading traffic from their networks by making it so phones will piggyback on Wi-Fi networks. Maybe a symptom of increasing demand for more data but unwillingness to eat the cost or too many users. With Wi-Fi calling they’ve got that covered.


Hardly exotic these days. I have multiple APs at home, all sharing the same ssid with automatic handoff. Practically every ASUS router (at least) can do it, and it's only a few clicks to set up.


Every 802.12-compliant AP can do it. They can even be of different brands, since it’s just the Wi-Fi equivalent of plugging your computer into a different switch on the same (switched) subnet.


The Asus stuff is a bit fancier than that, and will do stuff like optimize which AP each device connects to via signal strength. It's true mesh networking.


> optimize which AP each device connects to via signal strength

That's how most 802.11 STAs (clients) make a standalone roaming/handoff decision. But if the vendor supports it (and the APs can cooperate towards providing it, such as yours, probably), there's also 802.11v, which allows the APs/network to make the roaming decision based on their respective load, view of the client's signal strength (and not only the client's view of theirs) etc. It's nothing unique to Asus, though.

> It's true mesh networking.

Mesh networking is something else yet, as it concerns how the backing network of the APs is created and managed. You can have 802.11v with Ethernet-connected APs, or plain client-side roaming with meshed APs.


That is how pre-shared key (PSK) WiFi works, but it's not how WiFi that uses strong authentication (e.g. WPA2 Enterprise) works.

There may be bugs/vulnerabilities in the stronger authentication, of course.

Using PSK for untrusted clients is a bad practice, because everyone who knows the PSK can decrypt all of the wireless traffic even without setting up a malicious AP with the same SSID. If a phone carrier were forcing devices onto PSK networks, it would be an even bigger problem than the one discussed here.


along with the fact that you can restrict some apps from using the internet via the cellular menu and never hook to a wifi that lets them connect.

But with this in place, you cannot restrict some apps from using the internet, the type and amount of data will be unrestricted.


Basically, this is a HUGE argument with several simple solutions, but it does BEG to be resolved promptly before the vulnerability (and the WTF) threshold go through the roof...


> they cannot have “automatically join” disabled

They can on my AT&T iOS 16.4 device. I was able to disable auto-join on the two AT&T ones. I didn't need to delete a network to enable the "done" button from the edit screen - the state I toggled for auto-joining the managed networks persisted even if I hit cancel on the edit screen.

I don't like that they're there and auto-join is on by default, but it does appear that can be turned off.


Check again in 4-5 minutes, it will be on again. I can disable it too, but it just switches back.


It’s been 30 minutes and they’re still off for me. I’ll check again later.


Are all of them off? Sorry to ask, because I have 9 “managed networks” and it seems like now that some turn back on immediately and some stay off.

Of course the ones physically nearby all switch back on…


Yes. I have just 2 of these managed networks : AT&T Wi-Fi Passpoint and attwifi. It could be that they’ll switch auto join back on if I move somewhere that they’re visible. Edit: just out of curiosity I rebooted to see if that would toggle auto-join back on, but it did not.


Just confirmed with Verizon


This is a security non-starter. Why would Apple do this? These are not approved networks for most company usage.

Apple needs to start being a LOT more protective of their product’s privacy features, as it’s a major reason people stick with them and one of their core brand points.


This was clearly requested by carriers. The whole point is to ease demand on cellular towers by utilizing mass Wifi networks that ATT, T-Mobile, etc. have set up all over the place.

I can't believe Apple allows this, as every time my phone has tried connecting to my carrier's Wifi it either has no connection at all and kills whatever I'm doing until I turn Wifi off OR it's extremely slow. Horrible user experience.


This is not even listed in the change-list pop-up. Whenever I see such news I end up wondering how much power these organisations wield without any or much check that even after such incidents and findings they find it okay to just remain silent about them and maybe fix/revert it or maybe not.

I was incensed when Find My Device meant either I had to turn it OFF for my devices as well, or turn it ON for everything out there including random people's AirTags. What a choice!

It sounds ridiculous, even to me, but I don't think that time is far when phone companies will hand you over to the police on a platter with all the "assumed evidence" if you happen to be near a crime scene with maybe even a "%" attached to you while police will have a version of some AI where they will feed all that data and pick a clear winner. Saving cost, time, and making "justice" productive. Yay!

WiFi was one thing I was extremely careful about where to join and where not. Unless I was absolutely sure I always used mobile data when I am outside or wait until I get back home to a known and safe wifi.

It started with Apple Wifi turning off from Control Centre meaning "it's off, but it's not really off". At this point I am really not sure what happens when I do an action (even a hardware related action) on my iPhone. Does it really shutdown? Or it does not? I think it already doesn't if Find My Device is on or something. Sometimes I switch off my iPhone and go to sleep and see in the morning the phone was waiting eagerly for me to get up and greets me with the PIN screen. It creeps me out every single time.


This goes to show that the real way to succeed in life isn’t to go about wearing a tin foil hat, but rather to enclose your neighbours house in one.


It's "Passpoint" and uses certificate based 802.11x auth, there's really nothing to worry about except calls dropping due to Wifi switchover. Whitepaper from Aruba here: Solving the Indoor Wireless Coverage Problem: Passpoint and Wi-Fi Calling https://www.arubanetworks.com/assets/wp/WP_Passpoint_Wi-Fi.p...


> What analytics can a network extracxt [sic] from Passpoint traffic?

> Generally speaking, the local network will have visibility of the same client traffic it would see on any guest network, but it will not have visibility of the subscriber identity or any persistent identifiers other than the associated device’s MAC address

> From an analytics perspective, the major benefits of Passpoint are that it creates a much larger and more complete picture of visitor activity. Since a much higher percentage of visitors will be automatically associated with the network and their behavior and traffic will be visible to the local network, the value of any location, business, and security analytics in use will be improved.

... so the temporary host can theoretically MITM the connection and that's a feature? They don't just VPN everything from the phone to the ISP? :/

Sure, most traffic should be encrypted, but your neighbour could still see (and block) e.g. traditional DNS requests. Are DoH or DoTLS enabled by default yet under iOS?

Not great, IMO. :/


I'm pretty sure this kills all the MAC address randomisation and anonymized WiFi scanning features built into iOS when walking across a covered area. They've put all this effort in not being able to trace single phones through buildings and squares with randomised identifiers and then decided to automatically associate with magical networks, solidifying the MAC address for an extended period of time, bringing back the real-time tracking of unsuspecting people. Quite disappointing, in my opinion.


> there's really nothing to worry about except calls dropping due to Wifi switchover

When this happens: (my = family)

1) my devices are no longer behind my firewall or pihole

2) my devices can no longer access PLEX

3) my devices can no longer access my security system, cameras, etc

4) airdrop will fail

My network is my network, when I’m at home I want my devices to be on my network, not randomly dropping out and connecting to random hotspots multiple floors/houses away


That's nice but when carriers abuse shitty home routers for these WiFi APs the networks are absolutely not to be trusted.


As another data point:

I'm on ios 16.4. I see I have "AT&T Wi-Fi Passpoint" and "attwifi" added to "Managed Networks" - but I am able to disable auto-join for them. I wonder if that can be controlled by the carrier?

Does anyone know if there is a specific term for networks added like this to look for more documentation?


Something about "carrier to have access to "append"(the word managed was subverted here) the list or something like that in the documentation/news article stuff... I guess they just stuck the word "manage(d)" on the end users to physically read, but were prevented from using it in documentation...crazy


The carrier does already control your phone’s selection of DNS server, and on iOS you can’t set DNS when connected to cellular without using Apple’s VPN API through an app.


Wait 5 minutes and check again, auto join will be on again


Mine have remained off for 30 minutes now. I'll try to check again tomorrow but if there's a reset time, it's more than 5 minutes.


So the good (?) news is this seems to be carrier dependent. In my case 5 of 9 carrier-managed networks will revert to auto join while with some carriers zero will.


I have a vague memory of this being a story many years ago, where iPhones were connecting automatically to the Disney resort WiFi and someone realized if you set your hotspot to use the same name all iPhones in the vicinity would auto connect.

Can't find anything online any more though, does anyone remember anything similar?


Yes, there is a not very widely used API for this that allows apps to hook mobile hotspot logins and (I believe) also mark them for auto-connections.

It worked horribly. Not sure if it’s still around.


I was able to disable auto-join and after 10 minutes it's not re-enabled. As a precaution I also set manually IP/Gateway/DNS to 127.0.0.1 for the "AT&T Wifi Passport" and "attwifi" networks and those settings also seem to persist. I'll check it again in 24 hours or so.


Thanks for checking, in my case ~5 of the 9 (!) managed networks switch back on within 4-5 minutes. The rest seem to stay off.


When company A installs spyware on billions of smartphones, and conspires with B and C who provide a network of fake wifi endpoints to steal user data, that's organized crime and FBI gets very interested, but when A is Apple and the B and C are ATT and Verizon, the organized crime becomes above the law and FBI looks the other way.


Brand trust can be liquidated or purchased in various amounts just like any other corporate asset.

In this case Apple decided to sell some to the carriers. Given the % of users who will ever have their purchase decisions affected by this it was probably a highly profitable move.


This is insane. Thanks for taking the time to share. Good reminder we don’t control our devices.


INSANE


I strongly suspect that changing the auto-join setting is not disabled, but the profile is getting checked periodically and "updated" (either by the SIM application or some iOS service), overwriting your manual change.

Seems it's a known issue for some months now: https://discussions.apple.com/thread/254228630

Quote:

"I spoke to Apple support today and they helped me. First I had to reset Network settings, then at bottom of Wifi settings page, I had to make sure that ‘Ask to join networks’ is set at ‘Ask’, and ‘Auto-Join Hotspot’ is set at ‘Ask to join’"


Awful workaround: Any of the various ESP8266 deauthers, set to target only your specific MAC address.

Or, if the phone insists on randomizing MACs, just have it listen for packets above a certain RSSI and keep it very near your phone, and deauth the loud one.


Just tried it. I am on xfinity and indeed I cannot disable auto join lol. Dafuq. I have dual sim. Physical sim is with xfinity and esim from tmobile. I was wondering why my phone connected to fuckin xfinity shit while i was driving.


So now you better hope one of your neighbors doesn’t get a free wifi/modem combo from Comcast because it will advertise a hotspot by default and you’ll be in the same boat I am.


god damnit.


Maybe we should be complaining to the FCC[1]. Shouldn't they be protecting us from stuff like this?

[1]: https://consumercomplaints.fcc.gov/


Can you imagine this used by your employer to force your personal phone to connect to their network and be subject to their internet filtering?

Or what about at retail stores, blocking access to Amazon and competing stores while you shop.


Are you using the t-mobile app? Maybe uninstall it, if so. Next, on your home network you can block the HTTPS requests that your phone makes to check for profile updates. I don’t recall that domain name (it has to be a domain name and not an IP due to the use of HTTPS for those checks, which Apple requires) but you can probably figure it out from your pihole. You’ll still get updates over cellular.

I agree 100% that it should be opt-out (if not opt-in). I suspect however that the problem with overwriting your settings is as likely a bug as intentional. This area of software is buggy as heck.


Only my phone has any carrier apps installed but the behavior is global, so the only common factor is the cellular provider.

I could block it perhaps, but it will just sync up again next time the kids leave for school.


I am pretty sure apps can do this as well. Have noticed hotel apps doing it in Las Vegas and elsewhere. Adding in a Wi-Fi network that is to aid in connecting. Threw me for a loop when I was there last.


There is indeed such an API, and frustratingly there does not seem to be a way of preventing apps from doing it.

My contact with this was via "iPass", which was a Wi-Fi subscription that also included many in-flight network providers.

I was not really interested in connecting to thousands (in my city alone!) of horribly slow, insecure networks on the ground, but it was all or nothing, and required reinstalling the app every time.


I think that might be specific to your carrier, forcing these networks to be automatically joined despite your preference. I'm not seeing the same behavior with Verizon, where I get the managed networks but auto-join happily stays off.

I'm guessing MVNOs like Comcast would rather force you on their wifi if they can because this way they avoid having to pay the underlying MNO for traffic. Which might explain why they would force enable auto-join.

I'd vote with my dollars and pick a different carrier that doesn't have such user hostile wifi policies.


I’d understand if this was a flip phone, but why should iOS lock the user out of wifi control?


Well that’s objectively terrible.

Question about security ramifications: aren’t APs without x509 set up trivially spoofable anyways? Or is that fixed? I have not paid attention to wifi security in a minute.


WPA3 has PAKE-based mutual authentication, so with a reasonably hard to guess passphrase, you should be mostly safe.

That said, these auto-connect carrier networks mostly use EAP-SIM, which does mutual authentication using the keys on your SIM card anyway.


What are the security requirements put forth by the carriers? Is the backhaul encrypted in any way? Are the devices tamper resistant? On one hand this seems similar to 5G stations where third parties have physical access, but on the other this seems easier to pwn.


With iOS the new UX seems a little bad. I have AT&T. If I go to the Wifi settings and tap "Edit", and then go to the AT&T Passpoint managed network, tap the "i" button, and disable auto-join, then back out of the detail view, the save button is still disabled. However, if I just tap the back button out of the managed view, it still saves.

So, anyway, at least for AT&T you can definitely disable the auto-join at least.


Do you want to re-check if that setting has been retained? It sounds like there may be a re-sync but with the carrier.


It's been about a half hour and so far so good.


Interesting. On an AT&T system, with 2 Passpoints listed. I can turn one off and it stays off; the other neither offers the option to save after the change nor retains the change.


Managed Networks are loaded via the carrier profile. The "attwifi" SSID is defined in:

Payload/ATT_US.bundle/profile.mobileconfig

You can find the carrier file, i.e. the ipcc for AT&T, here:

https://updates.cdn-apple.com/2022/carrierbundles/002-77749/...

Just unzip the file in order to see its contents.

If you remove the SIM card from your iPhone the managed networks are removed. If you have disabled any of the Managed Networks and remove/reinsert your SIM card the networks will be re-enabled.

Once upon a time you could edit and load your own ipcc carrier bundle, I do not know if this is still the case. ( Whether this has ever been ok/allowed/etc,... I have no idea. )
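The inspection described in the comment above (unzip the ipcc, read the `.mobileconfig` inside), as an added example that is not part of the original thread. It assumes the profile carries Apple's standard Wi-Fi payload (`com.apple.wifi.managed` with `SSID_STR`, `AutoJoin`, `IsHotspot`, `EncryptionType`, `EAPClientConfiguration`); the bundle name and all sample values are constructed.

```python
import io
import plistlib
import zipfile
from xml.parsers.expat import ExpatError

WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"  # assumed payload type for managed networks
# IANA EAP method numbers that appear in AcceptEAPTypes.
EAP_NAMES = {13: "EAP-TLS", 18: "EAP-SIM", 21: "EAP-TTLS",
             23: "EAP-AKA", 25: "PEAP", 50: "EAP-AKA'"}


def extract_plist(blob: bytes) -> dict:
    """Parse a .mobileconfig. If it is wrapped in a signature container,
    carve out the embedded XML plist (heuristic; the signature is NOT verified)."""
    try:
        return plistlib.loads(blob)
    except (ValueError, ExpatError):
        start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
        if start == -1 or end == -1:
            raise ValueError("no XML plist found in profile")
        return plistlib.loads(blob[start:end + len(b"</plist>")])


def summarize(payload: dict) -> dict:
    """Reduce one Wi-Fi payload to the fields that matter for a join-policy review."""
    eap = payload.get("EAPClientConfiguration", {})
    encryption = payload.get("EncryptionType", "Any")       # documented default
    return {
        "ssid": payload.get("SSID_STR"),                     # None for Passpoint-only entries
        "domain": payload.get("DomainName"),
        "hotspot": bool(payload.get("IsHotspot", False)),
        "auto_join": bool(payload.get("AutoJoin", True)),    # defaults to on when absent
        "encryption": encryption,
        "eap": [EAP_NAMES.get(n, f"EAP type {n}") for n in eap.get("AcceptEAPTypes", [])],
        # Open network: nothing at the link layer authenticates the access point.
        "open": encryption == "None",
    }


def audit_bundle(ipcc_bytes: bytes) -> list:
    """Return one summary row per Wi-Fi payload found in any profile in the bundle."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(ipcc_bytes)) as bundle:
        for name in bundle.namelist():
            if not name.endswith(".mobileconfig"):
                continue
            profile = extract_plist(bundle.read(name))
            for payload in profile.get("PayloadContent", []):
                if isinstance(payload, dict) and payload.get("PayloadType") == WIFI_PAYLOAD_TYPE:
                    rows.append({"source": name, **summarize(payload)})
    return rows


def build_sample_ipcc() -> bytes:
    """Constructed sample bundle for the demo; not taken from any real carrier."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.carrier.wifi",
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadContent": [
            {"PayloadType": WIFI_PAYLOAD_TYPE, "SSID_STR": "example-open-hotspot",
             "EncryptionType": "None", "AutoJoin": True},
            {"PayloadType": WIFI_PAYLOAD_TYPE, "IsHotspot": True,
             "DomainName": "wifi.carrier.example", "EncryptionType": "WPA2",
             "EAPClientConfiguration": {"AcceptEAPTypes": [18, 23]}},
        ],
    }
    # Leading/trailing bytes stand in for a signature wrapper around the plist.
    wrapped = b"\x30\x82\x00\x00" + plistlib.dumps(profile) + b"\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as bundle:
        bundle.writestr("Payload/Example_US.bundle/profile.mobileconfig", wrapped)
        bundle.writestr("Payload/Example_US.bundle/carrier.plist", plistlib.dumps({}))
    return buf.getvalue()


if __name__ == "__main__":
    for row in audit_bundle(build_sample_ipcc()):
        label = row["ssid"] or f"Passpoint domain {row['domain']}"
        flags = [f for f in ("auto_join", "hotspot", "open") if row[f]]
        print(f"{label}: encryption={row['encryption']} eap={row['eap']} flags={flags}")
```

To review a real bundle, pass the bytes of the downloaded `.ipcc` file to `audit_bundle`; entries with both `open` and `auto_join` set are the ones worth raising with the carrier.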


I guess it's time to download as much pirated content from these unremovable networks as possible. That should fix this idiocy.


How could this managed network be used with malicious intent? What could someone theoretically do with this?


Anybody remember class 0 sms? Anybody here that has built an IMSI catcher with osmocomBB and an old motorola phone?

The attack surface of 3g/4g/5g is real.

Somebody in your neighborhood can simply send you a hidden class sms and your phone will blindly download and install the zip/apk/app file, from an unsecured http server.

We live in the golden age of hacking, because there's nothing that the common consumers can do about it...except buying an open phone and flashing an AOSP rom on it, which theoretically can be modified if the GSM modem firmware isn't already implementing this. Oh, and those firmwares are as proprietary as it gets, with as many vulnerabilities as you can imagine. Broadpwn just scratched the surface of it.


Found this about tmobilewingman: https://www.reddit.com/r/tmobile/comments/7u535i/tmobilewing...

Seems to have been around for at least five years.


If this bothers you (and it bothers me!), you can write a personal automation Shortcut like: “When my iPhone joins the Wi-Fi network named … turn off wifi”. It won’t stop you joining in the first place, but can at least keep your phone from spending time on the unwelcome network.


This doesn't help if the hotspot is in your normal home range.


You could make the shortcut arbitrarily sophisticated.

Oh, and if it wasn’t clear, I don’t mean this as approving the design flaw. It’s not “look how easy it is to work around!”, but “well, here’s something you can do while we’re stuck with this terrible idea”.


This has been a thing for at least the last couple of years, 802.1x with EAP functionality based off the SIM. If you’re in London in the U.K., it’s how EE automatically grant access to the “EE Wifi Auto” network available in the London Underground


I have an iPhone 12 mini. I bought mine directly from Apple, and use it on the T-Mobile network.

I see “t-mobile” and “TMobileWingman” under managed networks. I disabled the auto join and it has not been switched back on after about an hour.


This is dreadful. I'm not an Apple user, but I suspect Android is not far from implementing similar "features". No way this is just "for technical reasons", it's clearly an agenda.


Happened to me in LAX international terminal. I’m with Verizon. So annoying. I was trying to figure out how I get connected to the crappy WiFi for an hour. Removed all the profiles and what not.

Very disappointed by Apple on this one.


I've used this mainly in places like shopping centres and arenas where my network have installed it, it works great, much quicker than the 4G signal I usually get. I don't see the issue



News to me


I don’t have managed networks on my iOS device, so I cannot test it, but https://discussions.apple.com/thread/254228630 says:

> I spoke to Apple support today and they helped me. First I had to reset Network settings, then at bottom of Wifi settings page, I had to make sure that ‘Ask to join networks’ is set at ‘Ask’, and ‘Auto-Join Hotspot’ is set at ‘Ask to join’

> The hotspot still shows up in my networks, but now it never joins


I'm on a prepaid MVNO carrier that does this and iOS has been allowing this for years now. The only difference is that now iOS lets you VIEW what's going on.


How can this possibly work with apartments/condos? You’re guaranteed to have multiple “hotspot” networks in range with zero ability to talk to local printers/cameras/TVs etc


In my experience, it only connects to carrier Wifi if one of your known networks isn't nearby. So while at home, you will always be connected to your own Wifi so everything local (printers, TVs, etc.) will continue to work.

The problem especially is when you are driving and stop at a red light, and it connects to carrier Wifi which will no longer work in 30 seconds, causing streaming music or anything else on your phone to have a momentary loss of connection.


Does this mean that the networks were spying on our WiFi signals without opt-in? Can we sound the alarm to shut this practice down??


Wow. Why is this a thing?! I didn't even know where to look for this if it wasn't for the comments here for T-mobile


Thanks for this. I was able to disable auto join. It sucks that they pull this shit without telling us.


Just out of curiosity and I know the latter can be intrusive setting things back up again, but have you tried restarting and resetting your phone to make sure it’s not some weird glitch that’s causing it to not take?

*EDIT*

I found it, disabled auto-join, restarted my phone, and auto-join is still disabled.


SIM cards include a lot of capabilities. For example, a SIM card can contain multiple embedded applications, which can communicate with the outside (push and pull), without involving the phone's OS.

The secret life of SIM cards (2013) (simhacks.github.io)

225 points by cthackers on Aug 16, 2014 | 43 comments


This is beyond baffling. Does nobody in the approval chain for this even use a home network? This would immediately break half a dozen things for me. Local game streaming. Network share access. Local wireless backups. Local Plex access. Screen mirroring to my television.


I wonder if this can be worked around by using the Shortcuts app. Set the Trigger to be when you join the carrier’s SSID — as they show up in the list of valid trigger SSIDs, then set the action set to turn off WiFi.


Can anyone tell me if there is an equivalent option on Android that I should be looking to disable? (Google Pixel device, stock Android)


You should be able to find it by navigating to 'Connections > WiFi > Advanced > Hotspot 2.0' in the system settings. I'm using Samsung, but it should be in the same place for all other Androids too.


I'm seeing this behavior on 16.3 as well.


This is an excellent reason to avoid using iPhones. WiFi is too vulnerable to be used without additional security.


I'm sure NSA will love this feature


It's amazing how many people already forgot/ignore Snowden revelations. iOS and the rest of the complicit Apple walled garden is literal spyware for the masses. But with enough of a marketing budget, it's easy to convince people of anything, even when it is against their interests.


... iOS is the spyware for the masses? I have a background in security and I prefer iOS devices over android devices because the latter is an absolute wild west in comparison.

The most relevant bit I recall from the Snowden revelations is that NSA was treating big-4 tech companies as adversaries and splicing into their fiber networks. How would android be any better at protecting against that than apple/ios?


> How would android be any better at protecting against that than apple/ios?

The AOSP is much easier to hold accountable than the iOS codebase. Apple has a convincing security model if you take their whitepapers at face value, but between the PRISM revelations and Apple's own Transparency page[0] it's hard to claim that they won't let anyone access your data.

[0] https://www.apple.com/legal/transparency/


Similarities between AOSP and any Android device build are unclear at best.

Re: Transparency, Apple is obligated to cooperate with governments when presented with legally-valid warrants. This is not so much iOS as iCloud services though, and it applies to every service provider in the world.


> Similarities between AOSP and any Android device build are unclear at best.

Indeed. That's why other open source projects make custom ROMs and distributions based on AOSP so you can remove your dependence on those sketchy device builds. Both OSes come with guaranteed government-obligated backdoors, but only one still has the tools to mitigate them.

The AOSP is an undeniable net-positive for accountability, as well as giving security researchers an unprecedented platform for responding to and researching mobile exploits.

> This is not so much iOS as iCloud services though

Yes, they explicitly illustrate both device and iCloud warrants being filled en-masse. Apple builds backdoors into your system and offers them to state-level actors.

We can go down this "obligated" route if you'd like, but it only further illustrates the importance of accountable OS design, like how the AOSP is arranged.


Let's see, a literal fourteen year old found a bug in iOS that let him remotely listen to the microphone on any iPhone with only a phone number. Now imagine what a three letter agency is capable of, or is responsible for.


I think your memory of the Prism program is inaccurate.


> With this program, the NSA is able to reach directly into the servers of the participating companies and obtain both stored communications as well as perform real-time collection on targeted users.

https://www.theguardian.com/world/2013/jun/06/us-tech-giants...

You're welcome to dispute these facts based on technical merit or other qualifying evidence, keeping in mind the obvious advancements in technology over the past decade, as well as societies' increased reliance on the proliferated devices.


Apple was not a participant in Prism. Neither was Google.

Consequently they are not complicit.

Smartphones concentrate so much personal data in a single inadequately-protected device. The severity of vulnerabilities is greatly magnified, and they are "juicy targets", as we say in the industry, for attackers of all kinds.

If that's your argument, then you're on solid ground.

If you believe that your phone is a tool of the NSA, then you're just hypothesizing a worst case scenario, unsupported by evidence.


> If you believe that your phone is a tool of the NSA

My phone is a tool of the NSA. The "worst case scenario" you're citing is backdoor access that exists on billions of phones and has been used millions of times. We are firmly in the age of warrantless surveillance.

The original claim was that iOS is "spyware for the masses". If you cannot deny that the ability to snoop on iPhones exists, I don't see a path for refuting it.


There is no evidence that NSA has backdoor access to iOS.

Original claim was also that Apple was complicit in this spying. There is also no evidence of this.

> If you cannot deny that the ability to snoop on iPhones exists, I don't see a path for refuting it.

OK, but keep going with this idea. Choosing to believe the thing not in evidence decreases your net understanding of the world.

E.g. You cannot deny the possibility of the existence of a supreme being. I might argue that there is no requirement for the existence of a supreme being to explain any known phenomena, and plenty of evidence suggesting the opposite. Further, speculating the positive existence has a cost, and it results in an increase in overall uncertainty. It's a leap of conjecture that takes you to a place of less knowledge. This is a useful tool for some exercises!

Yes, it's possible that NSA, or your older sibling, has backdoor access to iOS. And if your threat model includes actors you believe might have such capabilities, then it's a reasonable security posture to assume compromise, or the risk of compromise. Call it an abundance of caution.

It is still an extraordinary claim, it isn't necessary to explain any known facts, and it is contradicted by many pieces of evidence. But no honest person can definitively refute it -- like literally no human can be certain it is not true (some could be certain that it is true).

So if you believe your soul hangs in the balance, then by all means go through the motions, and we hope to see you on Sunday!


> But no honest person can definitively refute it

So there's the concession. All this boils down to the fact that you cannot hold Apple responsible or prove that they don't spy on you or sell backdoors to the CCP.

Do you want to arm wrestle for it, or would you rather try to discredit the Snowden leaks?


AOSP addresses part of this concern, but see also baseband firmware, repeatable builds, connected services, kernel exploits, etc ad nauseam.

Proving a negative is notoriously difficult. If you've decided as a matter of faith that Apple is malevolent, then it is possible to interpret any news as corroborative of those beliefs.

If you weigh the evidence objectively, things are far less clear. If you choose to err on the side of caution, then sure absolutely lean into the healthy paranoia (I do), but it makes more sense to evangelize the safer approach, than to preach against those you perceive (without evidence) as wicked.

Apple is not perfect, and some of their misses are mind-boggling. All other vendors too.

Snowden proved that NSA will do what NSA can do (we all suspected this). He did not prove that Apple (or Google) helped beyond their legal obligations. He helped Apple and Google find and improve some of their failures.

No one here is talking about the CCP!


> baseband firmware

Important indeed, I look forward to the day when FCC-unregulated hardware becomes available. Still not a reasonable threat vector unless the software layer is also maliciously complicit.

> repeatable builds

Many ROMs are.

> connected services

Many of which do not exist in custom ROMs.

> kernel exploits

Generally more of a problem when you run a poorly-maintained kernel like XNU :p

I get what you're trying to say here, and generally I agree with you - there is no secure computing anymore. So why defend Apple? They clearly have the means to remotely exfiltrate your device data, decrypt your private iCloud information and the willingness to cooperate with authorities. They're one bad regime away from operating with fascist impunit- oops, too late[0].

> Proving a negative is notoriously difficult.

There's nothing to prove. Apple reports themselves that they can compromise their own device and account security. You can personally assume that they won't use that for nefarious purposes, but that doesn't make the backdoor any more innocent than an unfired gun being held against my head.

> He did not prove that Apple (or Google) helped beyond their legal obligations.

He proved that our government was extremely good at hiding unprecedented levels of surveillance a decade ago. Even if you assume that our government hasn't expanded their control over these companies in that time (which I have for the purposes of this response), the point stands - Apple has backdoor access to both your device and account. Both they and the US government claim that they only use this power for its intended purpose; whether you believe the two of them is up to you. It is irrelevant for the purposes of discussing how badly these systems are compromised.

> No one here is talking about the CCP!

Apple certainly talks with them, though. Unfortunately, their working relationship with China has repeatedly been an example of how despotic corporate culture can get. You're right - it's not a uniquely Apple epidemic, but they're certainly the largest example.

[0] https://support.apple.com/en-us/HT208351


Is this a leased phone thing or does it also happen for unlocked/purchased outright iPhones?


All phones unlocked, cash purchase.


Will lockdown mode disable this? It is supposed to block installation of configuration profiles.


This isn’t done via a normal profile, but via the carrier settings. I doubt lockdown protects you in this case


I think finally we will applaud people who actively find a method to jail break iOS devices.


Just don't

Use a different sort of device


You mean not a mobile phone? Because it's not just iPhones with this feature.


Which other phones show this problem?


Sorry for the late reply, I missed your question.

Even several years ago, and hell, even called managed networks, people experienced this exact phenomenon on some Android phones. For example, https://forums.androidcentral.com/threads/tmobilewingman.862...


Can you elaborate on the workaround to remove the settings? After removing an eSIM and resetting all network settings, once the eSIM is active again, wouldn't the unwanted network settings be added back again?


There is no real workaround, it all comes back as soon as you add cellular service again.

You can only temporarily fix it by disabling the “Phone” part of iPhone


Yes, it's a pain in the ass, I HATE it!


what about MVNO?



