Forgot your password?
typodupeerror
Wireless Networking IOS Iphone Security

iPhone Apparently Open To Old Wi-Fi Attack 90

Posted by timothy
from the any-old-wireless-port-in-a-storm dept.
judgecorp writes "Security researchers say that iPhone and other Apple devices are vulnerable to an old attack, using a fake Wi-Fi access point. Attackers can use an SSID which matches one that is stored on the iPhone (say "BTWiF"), which the iPhone will connect to automatically. Other devices are protected thanks to the use of HTTPS, which enforces HTTPS, but iPhones are susceptible to this man in the middle attack, researchers say."
This discussion has been archived. No new comments can be posted.

iPhone Apparently Open To Old Wi-Fi Attack

Comments Filter:
  • by Imagix (695350) on Thursday June 13, 2013 @11:32AM (#43996379)

    the use of HTTPS, which enforces HTTPS

    What does that even mean?

  • by telchine (719345) on Thursday June 13, 2013 @11:34AM (#43996413)

    Other devices are protected thanks to the use of HTTPS, which enforces HTTPS

    HTTPS enforces HTTPS? Whew. That's a relief. Does SFTP enforce SFTP and SSH enforce SSH too? Just checking to make sure I'm secured.

    I assume they mean HTTPS STS

  • by ebubna (765457) on Thursday June 13, 2013 @11:34AM (#43996423)
    pass a damn mcdonalds and bloop there i am connected. pretty annoying!
  • Misleading Summary (Score:4, Informative)

    by rogueippacket (1977626) on Thursday June 13, 2013 @11:35AM (#43996433)
    Just to be clear here, protocols like HTTPS only secure data from the Application Layer - this man in the middle attack takes place at a much lower layer (Data Link/Network), meaning any device which automatically connects to familiar SSID's is susceptible. HTTPS will not save you from rogue AP's.
    This is largely a convenience feature implemented by Apple, but it doesn't matter which device you're using - if you aren't encrypting your traffic, you are vulnerable to eavesdropping. Period.
  • by Stewie241 (1035724) on Thursday June 13, 2013 @11:46AM (#43996657)

    The article talks about a few different things which are only somewhat related. The wifi vulnerability is the fact that an Apple device will automatically connect to a wifi network that has the same SSID as a network it has previously connected to. I suspect this is the same for Android devices, but I am too lazy to test atm.

    The issue that relates to https is related to something called HTTP STS. (http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). HTTP STS is supposed to be a way by which servers can communicate to browsers that requests to a particular site should always be sent over https. The issue that is being raised is that Chrome supports HTTP STS and hence Android devices do as well, but Safari does not. I guess what this would get you is that if you connect over https to a site over a trusted network, then further requests to that domain are forced to be made over https with a certain validity of certificate.

  • by Lord Byron II (671689) on Thursday June 13, 2013 @11:53AM (#43996771)

    That and "BTWiF" which makes no sense. It's supposed to be "BTWifi" which is BT's public WiFi network.

  • Re:HTTPS (Score:5, Informative)

    by DigitAl56K (805623) on Thursday June 13, 2013 @12:10PM (#43997005)

    I think the problem is that the iPhone will connect to an unsecure network automatically without alerting the user while the user believes they are on a different, secure network.

    That can only happen if the Ask to Join Networks setting is off.

    No, that's the whole point of TFA, which basically points out iOS devices have carrier pre-defined WiFi settings built it, and will connect to such networks automatically, such that placing an access point near a target that masquerades as one of these pre-defined access points is likely to cause such devices to connect automatically.

    The original article is here, and includes notes that on some occasions, not only the baked-in SSIDs are visible, but also the passwords in plaintext:
    http://blog.skycure.com/2013/06/wifigate.html [skycure.com]

A freelance is one who gets paid by the word -- per piece or perhaps. -- Robert Benchley

Working...