> Victims in range cannot do anything about it. Think about the impact of launching such an attack on Wall Street, or maybe at the world’s busiest airports, or at large utility plants. The results would be catastrophic.
While I can certainly agree it would be annoying, a nuisance and productivity-hindering, calling this "catastrophic" is probably overdoing it a tad much.
Catastrophic means by definition that it's related to or involves a catastrophe. iPhone-users not being able to use their iPhones hardly counts as that, no matter where on the planet that happens.
With all that said: Neat hack. Now I feel like reproducing it :)
Please do try to reproduce it - the company that is responsible for this "discovery" also happens to be selling a product that is supposed to prevent this attack, and the tone of their PR has got my BS-detectors ringing.
An example of the sort of thing that gives me doubts. They refer to another supposed demonstrated attack called "Wifigate", which no-one has been talking about, except for themselves. And when you read the details, they claim that iPhones come preloaded with a bunch of WiFi SSIDs that the phone will automatically connect to, mostly telecommunications companies. Up until recently I used to work for one of those listed companies, and I have owned iPhones continuously since the iPhone 3G. I can tell you categorically that iPhones do not automatically connect to SFR wifi hotspots like this company claims. This fact destroys an important part of their claim for this current "attack", that you can be affected even if you've never connected to a Wifi hotspot.
So that's one guaranteed example of exaggeration right there, which seeing as it's the only piece of information in the article that I'm capable of verifying myself, makes me very distrustful of the entire article.
My iPhone does connect auto-magically to FreeWifi_secure networks, which is the preloaded SSID for the other French operator listed by Skycure.
However it's supposed to connect with EAP-SIM [1]. Skycure mentions that "some of [those] bundles include SSID passwords". Do they mean that only those would make devices vulnerable? Could you let us know if SFR uses EAP-SIM or a basic PSK?
It could be that iPhones connect automatically only to EAP-SIM preloaded networks.
>I can tell you categorically that iPhones do not automatically connect to SFR wifi hotspots like this company claims.
My understanding is that AT&T wifi users have to connect just once to attwifi and then going forward it will connect to the SSID whenever it sees it, which is a lot considering it's in every McDonald's and Starbucks and other locales.
Some people say their phone connects to attwifi without once first connecting to it. This article from last year supports that claim:
> Settings for AT&T iPhones, for instance, frequently instruct the devices to automatically connect to a Wi-Fi network called attwifi when the signal becomes available. Carriers make the Wi-Fi signals available in public places as a service to help subscribers get Internet connections that are fast and reliable.
>Sharabani said the settings that cause AT&T iPhones to automatically connect to certain networks can be found in the device's profile.mobileconfig file.
If anything, this shows how unreliable wifi security is. I could see a next-gen wifi that uses SSL cert-like signing to verify identity and stop spoofers. Wifi is still the wild west.
> When combined with an earlier vulnerability, named “Wi-Figate”, which lets attackers force a device to automatically connect to a given WiFi network
I'm not fully up on exploitable iOS tricks, but it sounds like they're spoofing a BSSID to be one that the iOS device has already connected to (because iOS devices broadcast this when scanning for networks IIRC?), but has RADIUS authentication with a specially crafted server certificate that manages to crash the network stack.
> (because iOS devices broadcast this when scanning for networks IIRC?)
Not anymore, Apple fixed that in recent iOS versions. Probe requests are not divulging SSIDs anymore. However WifiGate uses common SSIDs and network operators' preloaded ones as honeypots.
Not aware of anything from Apple about this issue. It was just an assumption, sorry. What I did is test up to date devices (I think I even tested an up to date iOS 6) and couldn't get any specific SSID. The probe requests were still there, but the SSID parameter was always set to Broadcast.
However I did see a lot of probe requests WITH an SSID parameter set, but those were not coming from my devices :). I assumed they were not up to date.
I am very interested to know if the probe requests you're seeing are also coming from unknown devices: if they aren't, could you provide us with the iOS version you're using/testing with?
“With heavy use of devices exposed to the vulnerability, the operating system crashes as well. Even worse, under certain conditions, we managed to get devices into a repeatable reboot cycle, rendering them useless.”
So it only crashed the whole device if the device was under 'heavy use', which seems to contradict the claim that it renders devices unusable immediately.
Large utility plant? Mind runs down list of catastrophe vectors for iOS in large utility plants
Large utility plant... iOS... large utility plant... iOS...
Did I miss the post where large utility plants said "Why we stopped using closed control systems for our reactors and switched to iPads" ?
It could be used to paralyze communication networks and, in conjunction with other actions, could be catastrophic. Or even just used to interrupt iOS service for anyone that uses it in part of their job. You could go small and interrupt a small business's iPad POS, or you could disable an airplane's usage manual running on the cockpit iPad. There's a lot of stuff you could do with this exploit.
> How illegal is it to set up a Wi-Fi network with an SSL certificate? Are you responsible for the fact that iOS has a bug in the certificate handling?
If you're crashing/DOSing a remote internet server by exploiting your knowledge of a bug in the server software, you may technically just be "sending data", but in court it's the intent which makes it hacking, vs just accidentally crashing something.
I would expect this to be treated similarly, but of course legal IT is a jungle of randomness in itself, so I won't make any guaranteed predictions :)
"The researchers say they have warned Apple of the error, and are refraining from releasing technical details about it until after the company has issued a fix. Apple did not respond to a comment request ahead of publication."
Judging by the degree to which my girlfriend is glued to Facebook on her iPhone, she probably would classify getting hacked this way as a 'catastrophe' :)
There's something very off about this story, especially since it doesn't even attempt to mention obvious scenarios like "what if I have WiFi turned off?".
If iOS would actually try to find WiFi networks with WiFi turned off, that would be a much bigger story than some exploitable vulnerability. This whole story smells of sensationalism over facts.
Not necessarily. Android has an option (which is on by default) where Wi-Fi off really means off except for location assistance. If iOS has something similar and the issue even affects that passive scanning, it could be a deeper problem. I wouldn't say that's likely, but it is possible.
I don't actually know how iOS deals with this, but judging by the fact that iOS says "turning on wifi will improve location accuracy" when wifi is off makes me think it's really off for all purposes.
Am I right in thinking that the user has to have attempted to connect to the network before the bug triggers (I'm assuming so, since AFAIK iOS doesn't randomly download SSL certs from WiFi APs)? If that is the case, calling it a 'no iOS zone' seems a bit much. The title makes it sound like some kind of iOS-specific "Cyber-EMP" ;)
Carriers pre-populate iOS 8 phones to automatically connect to their wifi signals.
This hack involves spoofing official AT&T and Sprint wifi hot spots that the carrier has forced you to trust.
I don't use any iOS devices anymore but I have many friends that do. Is there a convenient way to disable these preconfigured wifi hotspots permanently?
Edit: according to the article you linked (under the consumers section), iOS has no interface for doing this. I find this pretty appalling.
The impression that I got from the article was that there was a separate, known iOS bug which would cause devices to connect to a wireless network without user intervention.
This is a whole lot of FUD coming from this company. Obviously it's a marketing ploy for attention. They should have waited to go public after Apple made a fix. By pre-announcing the existence of the flaw they've helped miscreants point their fuzzers at a target, potentially putting users at risk.
Surely if you had a decent crash bug in iOS's SSL handling, you'd look to escalate that to some kind of exploit e.g. arbitrary code execution? This doesn't smell right.
Not all crash bugs can lead to remote code execution. A null dereference bug is a good example of that. No matter the context, you won't be able to do anything other than crash the software.
"We knew that any delay in patching the vulnerability could lead to a serious business impact: an organized denial of service (DoS) attack can lead to big losses."
Seriously. This should be the default setting on all devices. Accessing random open networks is generally not a good plan for many reasons...
Edit: (See below comments)
I actually have the equivalent of what you are talking about disabled on my phone (android), as it creates a popup context menu that is too easily pressed 'accessing random open networks'. You want the user to have to open the wifi settings and select a network they know / have preconfigured, not some open network that the phone is eager to join.
An iOS device will only connect to known networks. By enabling “Ask to Join Networks” it will list networks and ask if you want to join any of them – but only if no known network is in range. This is actually less safe, in that you're just a button press away from “accessing random open networks” instead of having to go into the settings and choose a network – so it makes sense to have it default to off.
tl;dr: iOS will only join known networks – toggling this setting will make it easier to join networks when no known networks are in range.
I just checked on my Android phone and you're right, I switched the 'notify me when wifi is available' setting off so that I have to select networks manually. I read the previous comment as meaning that iOS would join open networks if that option wasn't enabled. D'oh.
If a device will "only connect to known networks", that means that it sends out an ARP request. In a nutshell, the phone shouts wirelessly «HEY! IS BILL WI THE SCIENCE FI AROUND?»
You can very easily set up a system that will respond to every single ARP request and then 'broadcast' that SSID.
If you broadcast the SSID, with no password, and the device sees it, then it will connect to this 'known' network.
> If a device will "only connect to known networks", that means that it sends out an ARP request.
You seem to have confused IP address resolution with wi-fi access point discovery. ARP requests don't happen until after a device is associated with a wi-fi access point.
It is possible to arrange for a device to scan for wi-fi networks passively, so the device will not be detected until it actually discovers and attempts to connect to a particular network.
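The two comments above (the earlier one about probe requests carrying either a broadcast SSID or a named one, and this one correcting the ARP confusion) can be checked against actual frames. The following is an added example, not code from the thread or from Skycure: it builds a few constructed 802.11 probe request frames, parses the SSID information element out of each, and reports which stations are naming known networks in their probes, which is how a defender would audit their own devices in a monitor-mode capture. Frame layout, SSIDs and MAC addresses here are all constructed sample data.

```python
import struct
from dataclasses import dataclass

PROBE_REQ_FC = 0x40  # frame control byte 0: type=management(0), subtype=probe request(4)
SSID_IE = 0          # tag number of the SSID information element


@dataclass
class ProbeRequest:
    source_mac: str
    ssid: str  # "" means a wildcard (broadcast) probe, i.e. no network named


def build_probe_request(src_mac: bytes, ssid: str) -> bytes:
    """Construct a minimal probe request frame (sample input for this example only)."""
    bcast = b"\xff" * 6
    # 24-byte management header: FC(2) duration(2) addr1 addr2 addr3 seqctrl(2)
    header = struct.pack("<BBH", PROBE_REQ_FC, 0x00, 0) + bcast + src_mac + bcast
    header += struct.pack("<H", 0)
    ssid_bytes = ssid.encode()
    body = struct.pack("BB", SSID_IE, len(ssid_bytes)) + ssid_bytes
    body += bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])  # supported rates IE, constructed
    return header + body


def parse_probe_request(frame: bytes):
    """Return a ProbeRequest for a probe request frame, or None for anything else."""
    if len(frame) < 24 or frame[0] != PROBE_REQ_FC:
        return None
    mac = ":".join(f"{b:02x}" for b in frame[10:16])  # addr2 = transmitter
    pos, ssid = 24, ""
    while pos + 2 <= len(frame):  # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if len(data) < length:  # truncated IE: stop rather than read garbage
            break
        if tag == SSID_IE:
            ssid = data.decode("utf-8", errors="replace")
        pos += 2 + length
    return ProbeRequest(mac, ssid)


def directed_probes(frames):
    """Map station MAC -> set of SSIDs it named; stations sending only wildcard probes are absent."""
    leaks = {}
    for frame in frames:
        pr = parse_probe_request(frame)
        if pr is not None and pr.ssid:
            leaks.setdefault(pr.source_mac, set()).add(pr.ssid)
    return leaks


if __name__ == "__main__":
    sample = [  # constructed capture: one up-to-date station, one naming its known networks
        build_probe_request(bytes.fromhex("020000000001"), ""),
        build_probe_request(bytes.fromhex("020000000002"), "attwifi"),
        build_probe_request(bytes.fromhex("020000000002"), "FreeWifi_secure"),
    ]
    for mac, ssids in directed_probes(sample).items():
        print(f"{mac} names known networks in probes: {sorted(ssids)}")
```

A station that only ever appears with an empty SSID behaves as the "Broadcast" case described above; one that shows up in the map is announcing which networks it trusts, which is the precondition for the honeypot SSID approach the thread discusses.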
Can this be implemented in schools to curb use of digital devices (which in my opinion should be completely banned in every academic environment from kindergarten through university)?
Wow. Besides crashing users devices that happen to be in the area, you really want to ban devices from universities?
At the university I go to, a laptop is essentially a requirement for a lot of classes.
The issue is not the devices, it's how they're used.
Besides, at least in my experience, trying to ban websites, devices, etc in schools doesn't actually work and just leads to kids getting around it, and continuing to do what they were doing before.
The internet censorship in particular got to be pretty absurd at my high school, I remember not being able to register Native Instruments hardware in my engineering class because their site was blocked for 'having a toolbar'...
And yet those of us that wanted free roam on the internet brought smartphones or used ultrasurf etc, but even the teacher couldn't access the registration site without us bypassing the filters while he looked the other way.
Devices are tools. You shouldn't ban tools. You should teach people how to use them effectively.
Good luck teaching programming. Or anything related to computers, computer-based graphics, and a whole lot of other subjects.
Plus, it's way faster (and tidier) to take notes on a laptop rather than pen+paper.
Also, I've had a few students with disabilities who could not use pen and paper, but could write with special keyboards. And blind ones. Maybe we should tell them to stay out as well.
Yes, because there's nothing on the internet or available via a smartphone that can distract from school based education at any time, it's inconceivable. /s
I used to make my own firewall on a spare PC. It is well known in my public and private life that I have a strong anti-Apple bias. So much so that my teenage daughter rebelled by picking up an iPhone when she was 15.
My firewall always limited usage by OS. Linux and my desktop had the full fire hose. Everything else 75% and Apple products had 10% and video played at only low quality.
The only way people could get the 75% was to connect with their iPhone to my guest wifi Apple_Evil and type in the password applesucks. Great fun, but with this hack, you get to personally own up and see their faces and not break stuff.
I was waiting for that story to end with “… and then I turned 12 and outgrew this”.
What ever happened to promoting OSS by making it better? Forcing people to play juvenile games seems like a great way to turn everyone off on Linux permanently.
Look at the bright side: if his children rebel by buying Apple products that's relatively harmless. Maybe they will consider that rebellion enough and refrain from the more dangerous actions.
You're right. That is very immature. But OS detection can have good sides to it.
For example, a stateful antivirus scanner turns on only for Windows machines. Or with Linux, certain connections and services are made available. Or it can also be used as a layer of defense in security (we know we have 2 windows machines and 3 linux machines, mac addresses bla bla, throw security tripwire).
I'm mixed on that - it has initial wins but inevitably leads to an arms race where malicious coders try to spoof the least-restricted OS. I strongly prefer to assume that no client can be trusted and avoid special-cases in security policy. It avoids surprises when someone reuses an old IP/NIC for a different role in the future.
No, I am a Dad with 5 kids. This to me is a great Dad joke with everyone who comes into my home. If you're my kid's teenage friend or the mayor of our city, you have to play by my rules :)
If I can't mess with them and their friends it is a sad life :)
I am not forcing anyone to do Linux. I just know if I jump on my machines I get top priority and my son's League of Legends game isn't going to bother me one bit, nor my kids watching Netflix or YouTube videos. Also everyone has a laugh when they realize what is happening because they forgot.
Goodness sakes. I used to be 'anti-Apple' because I thought it was a bunch of people following a trend. Then I entered high school and realized that I was acting like a child and people have different preferences.
I shudder to think what my middle school self would think of me as I type this from my MBP. I use a Mac as my laptop. So what? I run Linux on my desktop and have an Android phone. This all seems unnecessarily petty.
The rest of the tech people were like how can a PowerPC CPU be faster? It is plain 1 and 0 and the more 1 and 0 you get through the faster the processor. It ended up being 4 to 6 times faster. The Apple fanboys were famous for this time of Apple history. Also Apple knew the truth since they were always running an x86 OS X for 5 years and knew the numbers and just were fine spreading "Apple Truths."
At various times, PPC was indeed faster than Intel's finest, either outright or in certain niches (particularly SIMD).
> Also Apple knew the truth since they were always running an x86 OS X for 5 years and knew the numbers and just were fine spreading "Apple Truths."
Consider what would have happened if the Intel switch had happened two years earlier. Take the iBook (then, AFAIK, Apple's best-selling product). They could have gone to Pentium M (the P3-based one), which was at best in the same speed range as the G4s used in Apple laptops, and used somewhat more power, resulting in diminished battery life. Or they could have gone to Pentium 4-M (the P4-based one), which would have been somewhat faster, and used vastly more power, resulting in massively diminished battery life.
Apple also at the time had the not unreasonable expectation that IBM would produce faster PPC970s, and mobile-suitable PPC970s, as was in their roadmap.
The Intel switch happened because it made sense at the time; the Core Duo laptops resulted in better performance vs the G4 and only a modest battery life hit, while the high-end desktop waited for the Core 2 Duo Xeons, which resulted in better performance vs the G5. It would not, however, have made sense much earlier.
Obviously, they had MacOS 10 running on x86; NeXTStep did, after all, and it'd never be wise to close off options. I mean, _Windows_ supported PPC, Alpha and MIPS for a long time.