iPhones are automatically connecting to certain Wi-Fi networks, which could be run by cyber crooks
The way certain iOS devices, like iPhones or iPads, automatically connect to Wi-Fi networks could place users at serious risk, researchers have warned.
Security firm SkyCure said it had discovered a feature in iPhone devices running on certain networks, including Vodafone, that would connect automatically to a Wi-Fi network with a specified SSID, such as ‘BTWiFi’.
Cyber crooks could set up fake Wi-Fi networks with the same specified SSID, spy on users’ traffic and hijack their online accounts, all without the user having done a thing.
“We saw that many leading carriers actually include Wi-Fi settings as part of their carrier setting bundle,” SkyCure wrote.
“Consequently, Wi-Fi networks are set on the iOS devices automatically without any user intervention. Attackers can simply look at these bundles, create access points with the SSIDs listed in them, and get nearby victims to automatically connect to their malicious networks.”
Wi-Fi iPhone danger
Other affected providers outside of Vodafone include AT&T and Swisscom. But Vodafone claimed it has other mechanisms that can prevent attacks taking place, although at the time of publication had not expanded on this.
The researchers are showing how an exploit involving an iPhone and a fake Wi-Fi hotspot would go down at Tel-Aviv’s Third International Cyber Security Conference.
Such man-in-the-middle (MitM) attacks are not new, but the way in which iOS devices are hooking up to certain Wi-Fi networks automatically has concerned onlookers.
The case has also highlighted a comparative weakness in the way Apple protects traffic going managed by its Safari browser, according to Ohad Bobrov, CTO and co-founder of Israeli security firm Lacoon.
“On the browser end, the industry is advancing towards the enforcement of the HTTPS protocol through a mechanism called HTTP STS. This mechanism was released in 2012 and already Chrome supports it. All new Android versions, then, support HTTP STS,” Bobrov told TechWeekEurope.
“Apple’s Safari, however, does not implement this policy… the vulnerability that SkyCure discovered definitely increases the exposure of iOS devices to MitM threats.
“Apple could beef up their security offering by implementing HTTP STS. And until the problem of MitM is completely solved, consumers can use an app such as those offered by Shield and Onavo, which isolate devices from malicious networks.”
Traffic managed by apps should be fine, however. Every app holds a chain of trust based on certificates, which should verify communications are trusted.
Apple had not responded to a request for comment at the time of publication. It rarely comments on security matters.
UPDATE: Vodafone has told TechWeek why it believes its users are safe: “The embedded configuration that is applied for our iOS devices ‘1WiFiVodafone1x’ and ‘Auto-BTWiFi’ are locked to ‘EAP-SIM’ authentication which is a bi-directional authentication protocol.
“Man-in-the-middle attacks rely upon a hacker setting up an access point pretending to be the configured AP [access point].
“With EAP-SIM configured, the device will send the AP a challenge to make sure that it is Vodafone that it is connecting to. This transaction is resolved with our network, which sends back the response to the challenge and its own challenge. The handset then responds to the network challenge and providing all of these challenge response pairs work then the user gets access. If the initial test for it being Vodafone fails, the device doesn’t connect.”
What do you know about Internet security? Find out with our quiz!