Re: Ghost ESSIDs in iPhone
Aug 01 2011 08:54PM
Robin Wood (robin digininja org)
On 1 August 2011 21:47, Steve Armstrong
<SteveArmstrong (at) logicallysecure (dot) com [email concealed]> wrote:
> Yea, we reported it to Apple a while back - we called it an "Apple mobile device IOS 'Hidden Preferred Network List' Vulnerability."
> I was surprised they responded so quickly (less than 24 hours), but was disappointed they didn't view it as a security problem. While it is not quite the SSL security problem of recent publicity, I still think it permits an attack vector that could be easily removed. Maybe the fast response is a hint that a fix is in the pipeline.
> The stuff we sent (1st June) and Apple's response (17 hours later the same day!!!) is below:
It can't be too hard for them to fix it but I guess they have more
important things on their mind that trump security.
>>Summary of Problem:
>>Users are not able to list the networks in their WLAN history (called a Preferred Network List on MS Windows systems). Therefore, users are not able to edit and prune
>>this list as appropriate. As the device will automatically connect to an SSID in this list, an attacker can create an environment where the device will connect to a WLAN
>>against the user's wishes simply because it has connected to a WLAN with that SSID before.
>>When a user sees an SSID for a WLAN on his device, he can choose to connect to that WLAN or to ignore it. If he does not connect there is no link between his system
>>and the access point's ESS and there is no reduction in the device's security nor is any user activity placed at risk. If however, the user connects to a WLAN with no
>>encryption or authentication, for example a coffee shop WLAN with an SSID of 'My_HotSpot_ISP' (as an example SSID),
>>the user has made a conscious decision based upon a number of factors including:
>> Their assessment of the operating environment.
>> The perceived legitimacy of the SSID in the location it is seen at.
>> The need for the user to conduct WiFi speed data activity.
>>Although this choice may be ill informed and somewhat basic, the user is able to make a choice, and express that choice through the selection and clicking on the
>>appropriate part of the connect request dialogue box. Later while connected, if the user later decides that they no longer wish to remain connected to the
>> 'My_HotSpot_ISP' WLAN they can get their device to stop the connection and cease future reconnections by, in the 'Settings -> WiFi' section, selecting the blue arrow
>>beside the WLAN to be disconnected from and then clicking the 'Forget this Network' button at the top of the IP address options.
>>However, and this is where the vulnerability lies, if the SSID is no longer visible or beaconing, the WLAN disappears from the 'Wi-Fi Networks' page. This also removes
>>the blue button that allows a user to 'Forget this Network'. Therefore, the user can only choose to not connect to a WLAN when they can see the WLAN in question.
>>The problem gets worse however. An attacker running a WLAN sniffing program like the tool airodump-ng, is able to observe other wireless; sniffing the raw 802.11
>>protocol frames with the likes of airodump-ng reveals the probes that are transmitted by devices as they probe to see if SSIDs they have previously connected to are in
>>the local area. This probing is conducted by many devices, operating systems and Wi-Fi utilizing products.
>>The problem with iPhone and iPad devices is that they continue to probe for SSIDs that they cannot see, without the user's permission, knowledge or ability to stop it.
>>This probing reveals the SSID of the LAN the device would like to connect to which attackers are able to monitor and then provide SSIDs to match those sought by clients.
>>These SSIDs can be connected to the attacker's 'evil' servers and other systems that the attacker controls.
>>On a Microsoft Windows system the user is aware of the SSIDs probed for as they are in the Preferred Network List (part of the network control applet) which is both
>>visible, editable with entire entries being erasable (permissions permitting) by the user.
>>On an Apple MAC running OS X (I am using 10.6.7), the user can look in the advanced settings of the Network Preferences part of the System Preferences. This allows
>> them to view, edit and critically delete SSIDs for which the user no longer wants or authorizes his system to connect to.
>>On iPhones and iPads running their IOS (I am using 4.3.3) there is no software, applet, tool or area for the user to review, edit or delete WLAN SSIDs for networks the
>>user does not want to connect to.
>>Finally, and most critically, at the bottom of the 'Wi-Fi Network' page and below the 'Ask to Join Networks' slider there is a comment that 'Known networks will be joined
>>automatically'. Thus a user cannot remove an SSID that is not beaconing or in range when the user uses the Wi-Fi applet, but if the device comes into range it will
>>With users regularly connecting to unencrypted WLANs that require no authentication eg a coffee shop, they will quickly have obvious and insecure SSIDs in their
>> 'Hidden Preferred Network List', the SSIDs of which will be probed for on a regular basis. Thus an attacker is able to see what SSIDs the user has connected to before
>>and can make his 'evil' network match this disclosed SSID for an unencrypted no-authentication necessary probed for SSID. By doing this the attacker is able to get the
>>device to 'join automatically', exposing the client to monkey-in-the-middle (MITM), operating system level and device driver level attacks.
>>We believe this 'Hidden Preferred Network List' vulnerability should be removed by allowing the user to review, edit and delete entries without requiring that the
>> device be in range of the SSID to be edited (without the use of WiFi protocol analysers or hacking tools).
>>This vulnerability is being notified to Apple Inc before any public release, as per the timeline at the start of this notification. However, we will issue this publicly if Apple
>> Inc either ignore the issue (don't respond) or state they will not fix the issue in a reasonable time period (determined by us).
>>Given the user interest and speed of fix provided by Apple Inc for the iPhone tracking database issue, we do not believe this requires a long or protracted gestation
> The response from Apple was:
> Follow-up: 154209479
>>>Thank you for contacting the Apple Product Security team. We take every report of a potential security problem very seriously.
>>>This message is being sent to you by a security analyst who has reviewed your note. After examining your report, we feel that this is a scenario that, while not a
>>>security issue, is something we'd like to see improved in the future.
>>>We do consider this as something that we'd like to see addressed.
>>>If you have any questions or concerns please feel free to let us know.
>>>Apple Product Security
> So it's not a security issue and there is no update/fix for it yet - maybe in IOS 5?
> Steve Armstrong
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Robin Wood
> Sent: 01 August 2011 15:06
> To: wifisec (at) securityfocus (dot) com [email concealed]
> Subject: Ghost ESSIDs in iPhone
> I've been playing with some wifi stuff and, blame Vivek, I've been using my iPhone as a victim. At some point I manually added a new ESSID called fred. Since I did that whenever I turn wifi on on the phone it probes for fred but I can't find anywhere in the iPhone setup where I can edit or delete fred, it seems to be a ghost network that it is doomed to probe for forever but never connect to.
> I could set up an AP with this ESSID and maybe then it will appear and I can delete it but a normal user wouldn't think to do that and could end up probing for networks they know nothing about or have forgotten about.
> Has anyone else noticed this?
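An added example, not part of the original thread: a small audit script that lists which SSIDs each device discloses in directed probe requests, the leak the quoted report describes, so an owner can see what their own device is still asking for. It assumes raw 802.11 management frames with no radiotap header or FCS; the frames, MAC addresses and function names are constructed for illustration.

```python
from collections import defaultdict

MGMT_HDR_LEN = 24        # frame control, duration, 3 addresses, sequence control
SUBTYPE_PROBE_REQ = 4
TAG_SSID = 0

def probed_ssid(frame: bytes):
    """Return (source_mac, ssid) for a directed probe request, else None."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if version != 0 or ftype != 0 or subtype != SUBTYPE_PROBE_REQ:
        return None                      # not a management probe request
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 = transmitter
    pos = MGMT_HDR_LEN
    while pos + 2 <= len(frame):         # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            return None                  # truncated element, do not guess
        if tag == TAG_SSID:
            if length == 0 or length > 32:
                return None              # wildcard probe names no network
            return src, value.decode("utf-8", errors="replace")
        pos += 2 + length
    return None

def leaked_networks(frames):
    """Map each client MAC to the sorted SSIDs it probed for by name."""
    leaks = defaultdict(set)
    for frame in frames:
        hit = probed_ssid(frame)
        if hit:
            leaks[hit[0]].add(hit[1])
    return {mac: sorted(ssids) for mac, ssids in leaks.items()}

def make_frame(fc0, src_mac, ssid):
    """Build a constructed sample frame: header, SSID tag, supported-rates tag."""
    hdr = (bytes([fc0, 0, 0, 0]) + b"\xff" * 6
           + bytes.fromhex(src_mac.replace(":", "")) + b"\xff" * 6 + b"\x00\x00")
    return hdr + bytes([TAG_SSID, len(ssid)]) + ssid + bytes([1, 2, 0x82, 0x84])

# Constructed capture: two directed probes, one wildcard probe, one beacon (0x80).
SAMPLE = [
    make_frame(0x40, "02:00:00:00:00:01", b"fred"),
    make_frame(0x40, "02:00:00:00:00:01", b"My_HotSpot_ISP"),
    make_frame(0x40, "02:00:00:00:00:02", b""),
    make_frame(0x80, "02:00:00:00:00:03", b"fred"),
]

if __name__ == "__main__":
    for mac, ssids in leaked_networks(SAMPLE).items():
        print(mac, "probes for:", ", ".join(ssids))
```

A device that appears in the result with open, commonly named networks is the case the report is concerned with; a device that only sends wildcard probes does not appear at all.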