
Please do try to reproduce it - the company that is responsible for this "discovery" also happens to be selling a product that is supposed to prevent this attack, and the tone of their PR has got my BS-detectors ringing.

An example of the sort of thing that gives me doubts. They refer to another supposed demonstrated attack called "Wifigate", which no-one has been talking about, except for themselves. And when you read the details, they claim that iPhones come preloaded with a bunch of WiFi SSIDs that the phone will automatically connect to, mostly telecommunications companies. Up until recently I used to work for one of those listed companies, and I have owned iPhones continuously since the iPhone 3G. I can tell you categorically that iPhones do not automatically connect to SFR wifi hotspots like this company claims. This fact destroys an important part of their claim for this current "attack", that you can be affected even if you've never connected to a Wifi hotspot.

So that's one guaranteed example of exaggeration right there, which seeing as it's the only piece of information in the article that I'm capable of verifying myself, makes me very distrustful of the entire article.



My iPhone does connect auto-magically to FreeWifi_secure networks, which is the preloaded SSID for the other French operator listed by Skycure.

However it's supposed to connect with EAP-SIM [1]. Skycure mentions that "some of [those] bundles include SSID passwords". Do they mean that only those would make devices vulnerable? Could you let us know if SFR uses EAP-SIM or a basic PSK?

It could be that iPhones connect automatically only to EAP-SIM preloaded networks.

[1] https://mobile.free.fr/assistance/262.html


> I can tell you categorically that iPhones do not automatically connect to SFR wifi hotspots like this company claims.

My understanding is that AT&T wifi users have to connect just once to attwifi and then going forward it will connect to the SSID whenever it sees it, which is a lot considering it's in every McDonalds and Starbucks and other locales.

Some people say their phone connects to attwifi without once first connecting to it. This article from last year supports that claim:

> Settings for AT&T iPhones, for instance, frequently instruct the devices to automatically connect to a Wi-Fi network called attwifi when the signal becomes available. Carriers make the Wi-Fi signals available in public places as a service to help subscribers get Internet connections that are fast and reliable.

> Sharabani said the settings that cause AT&T iPhones to automatically connect to certain networks can be found in the device's profile.mobileconfig file.

http://arstechnica.com/security/2013/06/iphones-can-auto-con...

If anything, this shows how unreliable wifi security is. I could see a next-gen wifi that uses SSL cert-like signing to verify identity and stop spoofers. Wifi is still the wild west.


> When combined with an earlier vulnerability, named “Wi-Figate”, which lets attackers force a device to automatically connect to a given WiFi network

I'm not fully up on exploitable iOS tricks, but it sounds like they're spoofing a BSSID to be one that the iOS device has already connected to (because iOS devices broadcast this when scanning for networks IIRC?), but has RADIUS authentication with a specially crafted server certificate that manages to crash the network stack.


> (because iOS devices broadcast this when scanning for networks IIRC?)

Not anymore, Apple fixed that in recent iOS versions. Probe requests are not divulging SSIDs anymore. However WifiGate uses common SSIDs and network operators preloaded ones as honeypots.


Seems that wasn't fixed reliably. Still seeing lots of probe requests. Is there a https://support.apple.com/HT... talking about it?


Not aware of anything from Apple about this issue. It was just an assumption, sorry. What I did is test up to date devices (I think I even tested an up to date iOS 6) and couldn't get any specific SSID. The probe requests were still there, but SSID parameter was always set to Broadcast.

However I did see a lot of probe requests WITH an SSID parameter set but those were not coming from my devices :). I assumed they were not up to date.

I am very interested to know if the probe requests you're seeing are also coming from unknown devices: if they aren't, could you provide us with the iOS version you're using/testing with?


The devices I know are several iPhones 6/6+ running iOS 8.3.



