Wi-Fi hack creates 'no iOS zone' that cripples iPhones and iPads (theguardian.com)
224 points by walterbell on Apr 23, 2015 | 90 comments

> Victims in range cannot do anything about it. Think about the impact of launching such an attack on Wall Street, or maybe at the world’s busiest airports, or at large utility plants. The results would be catastrophic.

While I can certainly agree it would be annoying, a nuisance and productivity-hindering, calling this "catastrophic" is probably overdoing it a tad much.

Catastrophic means by definition that it's related to or involves a catastrophe. iPhone-users not being able to use their iPhones hardly counts as that, no matter where on the planet that happens.

With all that said: Neat hack. Now I feel like reproducing it :)

Please do try to reproduce it - the company that is responsible for this "discovery" also happens to be selling a product that is supposed to prevent this attack, and the tone of their PR has got my BS-detectors ringing.

An example of the sort of thing that gives me doubts. They refer to another supposed demonstrated attack called "Wifigate", which no-one has been talking about, except for themselves. And when you read the details, they claim that iPhones come preloaded with a bunch of WiFi SSIDs that the phone will automatically connect to, mostly telecommunications companies. Up until recently I used to work for one of those listed companies, and I have owned iPhones continuously since the iPhone 3G. I can tell you categorically that iPhones do not automatically connect to SFR wifi hotspots like this company claims. This fact destroys an important part of their claim for this current "attack", that you can be affected even if you've never connected to a Wifi hotspot.

So that's one guaranteed example of exaggeration right there, which seeing as it's the only piece of information in the article that I'm capable of verifying myself, makes me very distrustful of the entire article.

My iPhone does connect auto-magically to FreeWifi_secure networks, which is the preloaded SSID for the other French operator listed by Skycure.

However it's supposed to connect with EAP-SIM [1]. Skycure mentions that "some of [those] bundles include SSID passwords". Do they mean that only those would make devices vulnerable? Could you let us know if SFR uses EAP-SIM or a basic PSK?

It could be that iPhones connect automatically only to EAP-SIM preloaded networks.

[1] https://mobile.free.fr/assistance/262.html

>I can tell you categorically that iPhones do not automatically connect to SFR wifi hotspots like this company claims.

My understanding is that AT&T wifi users have to connect just once to attwifi and then going forward it will connect to the SSID whenever it sees it, which is a lot considering it's in every McDonalds and Starbucks and other locales.

Some people say their phone connects to attwifi without once first connecting to it. This article from last year supports that claim:

> Settings for AT&T iPhones, for instance, frequently instruct the devices to automatically connect to a Wi-Fi network called attwifi when the signal becomes available. Carriers make the Wi-Fi signals available in public places as a service to help subscribers get Internet connections that are fast and reliable.

>Sharabani said the settings that cause AT&T iPhones to automatically connect to certain networks can be found in the device's profile.mobileconfig file.

If anything, this shows how unreliable wifi security is. I could see a next-gen wifi that uses SSL cert-like signing to verify identity and stop spoofers. Wifi is still the wild west.

> When combined with an earlier vulnerability, named “Wi-Figate”, which lets attackers force a device to automatically connect to a given WiFi network

I'm not fully up on exploitable iOS tricks, but it sounds like they're spoofing a BSSID to be one that the iOS device has already connected to (because iOS devices broadcast this when scanning for networks IIRC?), but has RADIUS authentication with a specially crafted server certificate that manages to crash the network stack.

> (because iOS devices broadcast this when scanning for networks IIRC?)

Not anymore, Apple fixed that in recent iOS versions. Probe requests are not divulging SSIDs anymore. However WifiGate uses common SSIDs and network operators' preloaded ones as honeypots.

Seems that wasn't fixed reliably. Still seeing lots of probe requests. Is there a https://support.apple.com/HT... talking about it?

Not aware of anything from Apple about this issue. It was just an assumption, sorry. What I did is test up to date devices (I think I even tested an up to date iOS 6) and couldn't get any specific SSID. The probe requests were still there, but the SSID parameter was always set to Broadcast.

However I did see a lot of probe requests WITH an SSID parameter set, but those were not coming from my devices :). I assumed they were not up to date.

I am very interested to know if the probe requests you're seeing are also coming from unknown devices: if they aren't, could you provide us with the iOS version you're using/testing with?
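The check this exchange describes, telling wildcard probe requests (SSID set to Broadcast) from directed ones that name a known network, as an added Python example that is not part of the thread: it parses constructed 802.11 probe-request frames and reports which of a given set of devices disclose network names. The frame layout follows IEEE 802.11 (24-byte management header, tagged SSID element id 0); the MAC addresses and SSIDs are made-up sample data, and filtering on your own devices' MACs is what separates your results from the stray probes of other devices in range.

```python
import struct

# Added example (not from the thread or from Skycure); frames are constructed
# by hand, MACs are made-up locally administered addresses (02:...).
SSID_IE = 0             # Information Element id 0 = SSID
RATES_IE = 1            # Information Element id 1 = Supported Rates
PROBE_REQ_FC = 0x0040   # frame control: type 0 (management), subtype 4
BEACON_FC = 0x0080      # frame control: type 0 (management), subtype 8

# 802.11 management header: frame control, duration, addr1 (DA), addr2 (SA),
# addr3 (BSSID), sequence control; little-endian, 24 bytes.
MGMT_HDR = struct.Struct("<HH6s6s6sH")

def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request, else None.
    ssid == "" is a wildcard ("Broadcast") probe that names no network;
    a non-empty ssid is a directed probe disclosing a known network."""
    if len(frame) < MGMT_HDR.size:
        return None
    fc, _dur, _da, sa, _bssid, _seq = MGMT_HDR.unpack_from(frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 4:
        return None
    src = ":".join(f"{b:02x}" for b in sa)
    body, i, ssid = frame[MGMT_HDR.size:], 0, ""
    while i + 2 <= len(body):            # tagged IEs: [id:1][len:1][data:len]
        ie_id, ie_len = body[i], body[i + 1]
        data = body[i + 2:i + 2 + ie_len]
        if len(data) < ie_len:
            break                        # truncated element: stop parsing
        if ie_id == SSID_IE:
            ssid = data.decode("utf-8", errors="replace")
            break
        i += 2 + ie_len
    return src, ssid

def build_probe_request(src_mac: bytes, ssid: str) -> bytes:
    """Construct a minimal probe request (test data only, not a capture)."""
    bcast = b"\xff" * 6
    hdr = MGMT_HDR.pack(PROBE_REQ_FC, 0, bcast, src_mac, bcast, 0)
    ssid_bytes = ssid.encode()
    body = bytes([SSID_IE, len(ssid_bytes)]) + ssid_bytes
    body += bytes([RATES_IE, 4, 0x82, 0x84, 0x8B, 0x96])  # 1/2/5.5/11 Mbit/s
    return hdr + body

def leaking_devices(frames, my_devices):
    """Map each device in my_devices that sent a directed probe to the SSIDs
    it named.  Other devices are ignored: as the thread notes, other people's
    (possibly older) devices in range also probe, so filter on the MACs under test."""
    leaks = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        mac, ssid = parsed
        if ssid and mac in my_devices:
            leaks.setdefault(mac, set()).add(ssid)
    return leaks

# Constructed sample: device ...01 probes wildcard, ...03 probes for a carrier
# SSID, unknown device ...02 probes for attwifi, plus a beacon to be ignored.
MY_DEVICES = {"02:00:00:00:00:01", "02:00:00:00:00:03"}
SAMPLE_FRAMES = [
    build_probe_request(b"\x02\x00\x00\x00\x00\x01", ""),
    build_probe_request(b"\x02\x00\x00\x00\x00\x02", "attwifi"),
    build_probe_request(b"\x02\x00\x00\x00\x00\x03", "FreeWifi_secure"),
    MGMT_HDR.pack(BEACON_FC, 0, b"\xff" * 6, b"\x02\x00\x00\x00\x00\x04",
                  b"\x02\x00\x00\x00\x00\x04", 0) + bytes([SSID_IE, 3]) + b"foo",
]

if __name__ == "__main__":
    for mac, ssids in leaking_devices(SAMPLE_FRAMES, MY_DEVICES).items():
        print(f"{mac} discloses known network names: {sorted(ssids)}")
```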

The devices I know are several iPhones 6/6+ running iOS 8.3.

“With heavy use of devices exposed to the vulnerability, the operating system crashes as well. Even worse, under certain conditions, we managed to get devices into a repeatable reboot cycle, rendering them useless.”

So it only crashed the whole device if the device was under 'heavy use', which seems to contradict the claim that it renders devices unusable immediately.

Shame, though. I'd love a guerrilla enforcement tactic for the Quiet Carriage on our local trains.

Let's hope that the iPads used as electronic flight bags (containing charts, etc) by pilots all have their wifi disabled.

They're likely all in airplane mode.

I can't tell if this is a joke or not :)

With wifi on?

Let's pray pilots flying aircraft are not relying on an iPad as their only navigation instrument.

Phone jamming is a great way to prevent people from calling 911, friends, or family, so there's that.

Large utility plant? Mind runs down list of catastrophe vectors for iOS in large utility plants

Large utility plant... iOS... large utility plant... iOS... Did I miss the post where large utility plants said "Why we stopped using closed control systems for our reactors and switched to iPads"?

It could be used to paralyze communication networks and, in conjunction with other actions, could be catastrophic. Or even just used to interrupt iOS service for anyone that uses it in part of their job. You could go small and interrupt a small business's iPad POS, or you could disable an airplane's usage manual running on the cockpit iPad. There's a lot of stuff you could do with this exploit.

Hospital staff communicates with text messages

It doesn't sound like you're in any position to judge or complain about other people, given how little respect you show for others.

I know it doesn't just happen with any certificate but:

How illegal is it to set up a Wi-Fi network with an SSL certificate? Are you responsible for the fact that iOS has a bug in the certificate handling?

> How illegal is it to set up a Wi-Fi network with an SSL certificate? Are you responsible for the fact that iOS has a bug in the certificate handling?

If you're crashing/DOSing a remote internet-server by exploiting your knowledge of a bug in the server-software, you may technically just be "sending data", but in court it's the intent which makes it hacking, vs just accidentally crashing something.

I would expect this to be treated similarly, but of course legal IT is a jungle of randomness in itself, so I won't make any guaranteed predictions :)

Okay, then I'm going to start kicking air, like this! And if any part of you should fill that air, it's your own fault!

How illegal is it to type on a keyboard?

Btw, how to reproduce it? I can't find any technical details about this hack

The last paragraph in the article:

"The researchers say they have warned Apple of the error, and are refraining from releasing technical details about it until after the company has issued a fix. Apple did not respond to a comment request ahead of publication."

They haven't disclosed technical details publicly.

What a shame. This would've been a neat prank at work (I'm the only Android user in an office full of iPhone/iPad users).

Judging by the degree to which my girlfriend is glued to Facebook on her iPhone, she probably would classify getting hacked this way as a 'catastrophe' :)

We are a bunch of wimps now. Anything that is mildly inconvenient is now called an emergency or catastrophe or tragedy.

There's something very off about this story, especially since it doesn't even attempt to mention obvious scenarios like "what if I have WiFi turned off?".

If iOS would actually try to find WiFi networks with WiFi turned off, that would be a much bigger story than some exploitable vulnerability. This whole story smells of sensationalism over facts.

Not necessarily. Android has an option (which is on by default) where Wi-Fi off really means off except for location assistance. If iOS has something similar and the issue even affects that passive scanning, it could be a deeper problem. I wouldn't say that's likely, but it is possible.

I don't actually know how iOS deals with this, but judging by the fact that iOS says "turning on wifi will improve location accuracy" when wifi is off makes me think it's really off for all purposes.

Do you have any source for this?

I'm pretty sure wifi needs to be on for location assistance (Google Maps complains about this all the time).

From 4.3 you can have Wifi "off" but still allow location through WiFi.

Just wanted to say thanks for posting this. I wasn't aware that this was the case on Android. I've now turned my WiFi "completely" off.

But it always asks about doing that while setting up the phone.

The fact that they call it catastrophic when people are not able to use their iPhone speaks of sensationalism.

If this led to a way to grab information from the phone that would be more damaging than simply a denial of use in a delimited area.

Pretty sure it relies on iOS connecting to a wifi network, see comment here: https://news.ycombinator.com/item?id=9425926

Am I right in thinking that the user has to have attempted to connect to the network before the bug has triggered (I'm assuming so, since AFAIK iOS doesn't randomly download SSL certs from WiFi APs). If that is the case, calling it a 'no iOS zone' seems a bit much. The title makes it sound like some kind of iOS Specific "Cyber-EMP" ;)

Carriers pre-populate iOS 8 phones to automatically connect to their wifi signals. This hack involves spoofing official AT&T and Sprint wifi hot spots that the carrier has forced you to trust.

This earlier bug called WiFiGate has a list of pre-populated trusted wifi networks. From the same group https://www.skycure.com/blog/wifigate-how-mobile-carriers-ex...

I don't use any iOS devices anymore but I have many friends that do, is there a convenient way to disable these preconfigured wifi hotspots permanently?

Edit: according to the article you linked (under the consumers section), iOS has no interface for doing this. I find this pretty appalling.

Yes, it does. You just choose the SSID and tap 'forget this network'. You can also disable the 'automatically connect' functionality.

I 'forgot' the attwifi SSID long ago, and I have never had my phone try to auto-connect to one, even though they are everywhere.

The article ignores this because it weakens the headline.

Only possible when the wifi is in range.

So first you need to spoof the SSID ...

The Apple store wifi is also on the default trust list.

Actually you can use a pineapple (https://www.wifipineapple.com/) or a similar device to force users to connect to your wifi.

The impression that I got from the article was that there was a separate, known iOS bug which would cause devices to connect to a wireless network without user intervention.

The article says it uses a second vuln that forces the device to connect to a specific network.

This is a whole lot of FUD coming from this company. Obviously it's a marketing ploy for attention. They should have waited to go public after Apple made a fix. By pre announcing the existence of the flaw they've helped miscreants point their fuzzers at a target, potentially putting users at risk.

Surely if you had a decent crash bug in iOS's SSL handling, you'd look to escalate that to some kind of exploit e.g. arbitrary code execution? This doesn't smell right.

Not all crash bugs can lead to remote code execution. A null dereference bug is a good example of that. No matter the context, you won't be able to do anything other than crash the software.

Blog post about it from the company that discovered the bug: https://www.skycure.com/blog/ios-shield-allows-dos-attacks-o...

A bit breathless there:

"We knew that any delay in patching the vulnerability could lead to a serious business impact: an organized denial of service (DoS) attack can lead to big losses."

And this is just one reason why I always switch on 'Ask to join networks'.

Seriously. This should be the default setting on all devices. Accessing random open networks is generally not a good plan for many reasons...

Edit: (See below comments) I actually have the equivalent of what you are talking about disabled on my phone (android), as it creates a popup context menu that is too easily pressed 'accessing random open networks'. You want the user to have to open the wifi settings and select a network they know / have preconfigured, not some open network that the phone is eager to join.

An iOS device will only connect to known networks. By enabling “Ask to Join Networks” it will list networks and ask if you want to join any of them – but only if no known network is in range. This is actually less safe, in that you're just a button press away from “accessing random open networks” instead of having to go into the settings and choose a network – so it makes sense to have it default to off.

tl;dr: iOS will only join known networks – toggling this setting will make it easier to join networks when no known networks are in range.

edit: Link to the relevant section in the manual: https://help.apple.com/iphone/8/#/iph1b489c85f

I just checked on my Android phone and you're right, I switched the 'notify me when wifi is available' setting off so that I have to select networks manually. I read the previous comment as meaning that iOS would join open networks if that option wasn't enabled. Du'oh.

However according to this post by the same researchers: https://www.skycure.com/blog/wifigate-how-mobile-carriers-ex... There is no way to disable the carrier pre-configured wifi hotspots which have been proven to be easily spoofable.

Here's the problem:

If a device will "only connect to known networks", that means that it sends out an ARP request. In a nutshell, the phone shouts wirelessly «HEY! IS BILL WI THE SCIENCE FI AROUND?»

You can very easily set up a system that will respond to every single ARP request and then 'broadcast' that SSID. If you broadcast the SSID, with no password, and the device sees it, then it will connect to this 'known' network.

That's a big problem

> If a device will "only connect to known networks", that means that it sends out an ARP request.

You seem to have confused IP address resolution with wi-fi access point discovery. ARP requests don't happen until after a device is associated with a wi-fi access point.

It is possible to arrange for a device to scan for wi-fi networks passively, so the device will not be detected until it actually discovers and attempts to connect to a particular network.

Loosely related: iOS devices are very talkative about seen Wi-Fi networks albeit Apple started to address such privacy issues with iOS 8, see http://www.reddit.com/r/Android/comments/2uyw50/wifi_privacy...

It doesn't seem to be iOS 8 only. Recent versions of iOS 7 seem to be fixed as well. (Tested my phone earlier this week)

How long did you test? I'd recommend sniffing for at least a few hours.

My house is about to become a no iOS zone... hehe

Can this be implemented in schools to curb use of digital devices (which in my opinion should be completely banned in every academic environment from kindergarten through university)?

Wow. Besides crashing users devices that happen to be in the area, you really want to ban devices from universities?

At the university I go to, a laptop is essentially a requirement for a lot of classes.

The issue is not the devices, it's how they're used. Besides, at least in my experience, trying to ban websites, devices, etc in schools doesn't actually work and just leads to kids getting around it, and continuing to do what they were doing before.

The internet censorship in particular got to be pretty absurd at my high school. I remember not being able to register Native Instruments hardware in my engineering class because their site was blocked for 'having a toolbar'... And yet those of us that wanted free roam on the internet brought smartphones or used ultrasurf etc, but even the teacher couldn't access the registration site without us bypassing the filters while he looked the other way.

Devices are tools. You shouldn't ban tools. You should teach people how to use them effectively.

I predict a nice lawsuit when someone (even a teacher) tries to call 911 and has his/her device jammed.

Certainly wouldn't want libraries in the palms of our children's hands now, would we? /s;

Good luck teaching programming. Or anything related to computers, computer-based graphics, and a whole lot of other subjects.

Plus, it's way faster (and tidier) to take notes in a laptop rather than pen+paper.

Also, I've had a few students with disabilities who could not use pen and paper, but could write with special keyboards. And blind ones. Maybe we should tell them to stay out as well.

What? Search engines, online encyclopediae, and educational software are each an absolute boon to learning.

Yes, because there's nothing on the internet or available via a smartphone that can distract from school based education at any time, it's inconceivable. /s

I doubt that teenagers glued to their smartphones in class are actually looking at wikipedia.

Does academic environment include the entire university campus?

I used to make my own firewall on a spare PC. It is well known in my public and private life that I have a strong anti-Apple bias. So much so that my teenage daughter rebelled by picking up an iPhone when she was 15.

My firewall always limited usage by OS. Linux and my desktop had the full fire hose. Everything else 75% and Apple products had 10% and video played at only low quality.

The only way people could get the 75% was to connect with their iPhone to my guest wifi Apple_Evil and type in the password applesucks. Great fun, but with this hack, you get to personally own up and see their faces and not break stuff.

I was waiting for that story to end with “… and then I turned 12 and outgrew this”.

What ever happened to promoting OSS by making it better? Forcing people to play juvenile games seems like a great way to turn everyone off on Linux permanently.

Look at the bright side: if his children rebel by buying Apple products that's relatively harmless. Maybe they will consider that rebellion enough and refrain from the more dangerous actions.

Exactly. Plus we always laugh about it, then I give "the stare."

You're right. That is very immature. But OS detection can have good sides to it.

For example, a stateful antivirus scanner turns on only for Windows machines. Or with Linux, certain connections and services are made available. Or it can also be used as a layer of defense in security (we know we have 2 windows machines and 3 linux machines, mac addresses bla bla, throw security tripwire).

I'm mixed on that - it has initial wins but inevitably leads to an arms race where malicious coders try to spoof the least-restricted OS. I strongly prefer to assume that no client can be trusted and avoid special-cases in security policy. It avoids surprises when someone reuses an old IP/NIC for a different role in the future.

No, I am a Dad with 5 kids. This to me is a great Dad joke with everyone who comes into my home. If you're my kid's teenage friend or the mayor of our city you have to play by my rules :)

If I can't mess with them and their friends it is a sad life :)

I am not forcing anyone to do Linux. I just know if I jump on my machines I get top priority and my son's League of Legends game isn't going to bother me one bit, nor my kids watching Netflix or YouTube videos. Also everyone has a laugh when they realize what is happening because they forgot.

> If your my kids teenage friend or the mayor of our city you have to play with my rules :)

Do you require Apple devices to be deposited in the letterbox, as in Better Call Saul?

How deep does this go? Do you avoid software which might have been compiled with clang, for instance?

Goodness sakes. I used to be 'anti-Apple' because I thought it was a bunch of people following a trend. Then I entered high school and realized that I was acting like a child and people have different preferences.

I shudder to think what my middle school self would think of me as I type this from my MBP. I use a Mac as my laptop. So what? I run Linux on my desktop and have an Android phone. This all seems unnecessarily petty.

A dad knows no end of petty. I have an anti-Apple bias due to their business practices. You're too young but...

The fastest computers are computers with PowerPC CPUs.

then.... https://www.youtube.com/watch?v=ghdTqnYnFyg

The rest of the tech people were like how can a PowerPC CPU be faster? It is plain 1 and 0 and the more 1 and 0 you get through the faster the processor. It ended up being 4 to 6 times faster. The Apple fanboys were famous for this time of Apple history. Also Apple knew the truth since they were always running an x86 OS X for 5 years and knew the numbers and just were fine spreading "Apple Truths."

Sorry I digressed...

At various times, PPC was indeed faster than Intel's finest, either outright or in certain niches (particularly SIMD).

> Also Apple knew the truth since they were always running an x86 OS X for 5 years and knew the numbers and just were fine spreading "Apple Truths."

Consider what would have happened if the Intel switch had happened two years earlier. Take the iBook (then, AFAIK, Apple's best-selling product). They could have gone to Pentium M (the P3-based one), which was at best in the same speed range as the G4s used in Apple laptops, and used somewhat more power, resulting in diminished battery life. Or they could have gone to Pentium 4-M (the P4-based one), which would have been somewhat faster, and used vastly more power, resulting in massively diminished battery life.

Apple also at the time had the not unreasonable expectation that IBM would produce faster PPC970s, and mobile-suitable PPC970s, as was in their roadmap.

The Intel switch happened because it made sense at the time; the Core Duo laptops resulted in better performance vs the G4 and only a modest battery life hit, while the high-end desktop waited for the Core 2 Duo Xeons, which resulted in better performance vs the G5. It would not, however, have made sense much earlier.

Obviously, they had MacOS 10 running on x86; NeXTStep did, after all, and it'd never be wise to close off options. I mean, _Windows_ supported PPC, Alpha and MIPS for a long time.

You are so cool and brave.

I have never been cool.

Except that time when I skipped my Senior year of High School and watched a matinée of Ferris Bueller's Day Off.

You are going to end up in the cheap old age home with bad food.

They keep telling me that all the time!!!
