Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Private I: The collision of automatic Wi-Fi connections and a security flaw

Glenn Fleishman | April 24, 2015
On Tuesday, researchers from Skycure disclosed at the RSA conference that a previously known iOS flaw related to automatic Wi-Fi network connection and a newly discovered SSL certificate handling error could cause an iPhone or iPad to crash and endlessly reboot as long as it remains within range of the network. (Skycure sells monitoring and mitigation systems.)

On Tuesday, researchers from Skycure disclosed at the RSA conference that a previously known iOS flaw related to automatic Wi-Fi network connection and a newly discovered SSL certificate handling error could cause an iPhone or iPad to crash and endlessly reboot as long as it remains within range of the network. (Skycure sells monitoring and mitigation systems.)

The problem of devices automatically joining Wi-Fi networks is longstanding, and the researchers highlighted a specific aspect of it that they first uncovered in 2013 and labeled it WiFiGate: mobile carriers in some markets preconfigure iPhones to connect automatically to certain Wi-Fi network names.

These network names are easily spoofable, allowing an iPhone (or Mac or any Wi-Fi-enabled device) to connect to what is often called an "evil twin" network. That network can attempt to deliver malware or redirect to look-alike pages among other activity.

But it's often hard to exploit iOS unless there's an active, unpatched problem, as is currently the case. The researchers reported this to Apple, didn't release the precise details of the validation crash, and iOS 8.3 appears to fix some, but not all, of the potential for exploitation.

Promiscuous Wi-Fi connections

Wi-Fi was developed so long ago that it carries with it a lot of cruft and difficulties. The first flavors of what is certified as Wi-Fi as an industry trade group were 802.11b and 802.11a, standardized in 1999. Some aspects of that 1999 technology remains.

Every Wi-Fi base station and network adapter, as in a mobile or laptop, has a unique factory-assigned address, just like every ethernet adapter. (On some devices, that number can be changed through software or firmware.) A base station's address is a BSSID, or basic service set identifier, and it has a unique BSSID for 2.4GHz and 5GHz networks if it supports both simultaneously or as an option at startup. These IDs are represented as a set of six hexadecimal (base 16) numbers separated by colons, like 00:19:E3:32:D3:6F.

But we don't, of course, connect to a base station by number. Instead, we use a name, the Service Set Identifier (SSID). In a network with multiple base stations, this is called an Extended SSID (ESSID), in which every base station has its own numeric address but they all share the network name.

When you select the network name, your computer or mobile will examine all the base stations associated with the name, and pick one, typically based on a combination of signal quality, signal strength, and throughput. Almost all devices freely roam, and disconnect and reconnect as you move among as set of base stations with the same name. On a Mac, hold down Option and click the Wi-Fi menu, and the BSSID appears along with other connection parameters for the base station to which you're currently connected.

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.