
iPhone Security Tip: Never Memorize Wireless Networks

By Rich

Update: See Update To The iPhone Security Tip. Encrypted networks are safe to remember.

The other day I was wandering around San Francisco on a work trip, and I freaked out when I noticed the WiFi indicator on my iPhone was showing an active connection to some random network. I never have my phone set to connect to unknown networks, so I quickly jumped into the settings to see what the heck was going on.

Turns out I was connected to “tsunami”, which is a common default name on Cisco wireless gear. Like the Cisco gear in our community center, which I had been playing with just a week or so before. And that got me thinking.

Many of you probably connect to wireless networks with common names, like Linksys, 2WIRExx, tsunami, or whatever. In other words, either default network names, or names (like those used at conferences and airports) that are in common use or easy to find. But when you remember one of those on your iPhone (or computer, for that matter), it only remembers the network name (SSID), not the actual network!

Your iPhone doesn’t know the difference between “tsunami” in your community center, “tsunami” in an office building, and “tsunami” running on some bad guy’s laptop to see what naive fools will connect to it. When you trust a network you’re just trusting a name anyone can use, not something really unique to that network. Your iPhone will then connect to any network using that name.

Why is that bad? Go read this article I wrote at Dark Reading. An attacker can set up his or her laptop to broadcast that name, then perform a man-in-the-middle attack against anyone who connects. They can sniff and modify any traffic going to or from your iPhone. Why is this more serious on an iPhone than on your laptop? Because you walk around with your phone all the time, often checking things like email in the background.

Another problem with the iPhone is that its VPN doesn’t automatically reconnect if the connection drops. So even if you connect through a VPN, the tunnel can drop and your phone will happily carry on, sending all your traffic unencrypted.

Here are my best practices for iPhone wireless security:

  1. Turn on “Ask to join networks”.
  2. If you have a home wireless network, use an obscure name with some random numbers in it. This reduces the odds you’ll ever hit another one with the same name unless someone specifically targets you.
  3. On your home network, don’t broadcast the SSID (sure, easy to figure out, but we’re just trying to reduce our risks).
  4. If you need to connect to a public wireless network, use a VPN to protect your traffic. In the VPN settings, after you configure your connection, turn on the “Send all traffic” option.
  5. When you’re done with the network, click on the “Forget this network” button in your WiFi settings.

My phone is only set to connect at home (to a network with a weird name), and I use AT&T EDGE when I’m out of the house. I have a VPN server set up at home for those rare occasions when I connect from a conference network.

The good news is that your iPhone doesn’t send out “probes” for known networks. Probing would be an easy way for a bad guy to learn even those obscure SSIDs you use at home. Good move on Apple’s part; now I just want them to make the VPN connections persistent.
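To make the SSID-only trust concrete, here is an added example (my own code, not anything from Apple or from the post) that models how a remembered network is matched against what an access point advertises, and why an encrypted profile behaves differently, as the update notes. The `SavedNetwork` and `Beacon` structures and the reduction of the 4-way handshake to a PSK comparison are simplifying assumptions; the PSK derivation itself is the real WPA2-PSK one.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SavedNetwork:
    """What the phone keeps when you 'remember' a network (assumed simplified model)."""
    ssid: str
    security: str            # "open" or "wpa2-psk"
    passphrase: str = ""     # only meaningful for wpa2-psk


@dataclass(frozen=True)
class Beacon:
    """What an access point advertises. The BSSID is just its MAC and is not authenticated."""
    ssid: str
    bssid: str
    security: str


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Real WPA2-PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def matching_profile(saved, beacon: Beacon) -> Optional[SavedNetwork]:
    """Auto-join candidate: only the SSID and security type are compared; the BSSID is ignored,
    so two APs with the same name and security type are indistinguishable at this step."""
    for profile in saved:
        if profile.ssid == beacon.ssid and profile.security == beacon.security:
            return profile
    return None


def rogue_ap_completes_join(profile: SavedNetwork, rogue_passphrase: Optional[str] = None) -> bool:
    """Can an impostor AP that merely copies the name finish the association?
    Open network: yes, nothing else is ever checked.
    WPA2-PSK: only if it knows the passphrase, because the handshake MICs are keyed from the
    PSK; modelled here as a PSK comparison rather than a full 4-way handshake."""
    if profile.security == "open":
        return True
    if rogue_passphrase is None:
        return False
    return wpa2_psk(rogue_passphrase, profile.ssid) == wpa2_psk(profile.passphrase, profile.ssid)


# Constructed sample profiles: a remembered open "tsunami" and an obscure, encrypted home network.
SAVED = [
    SavedNetwork("tsunami", "open"),
    SavedNetwork("h0me-7f3q-2k", "wpa2-psk", "correct horse battery staple"),
]
```

Running `matching_profile(SAVED, Beacon("tsunami", "<any MAC>", "open"))` returns the open profile for every BSSID, while the encrypted profile only completes a join when the AP actually holds the passphrase.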

Comments

I am planning on getting the iPhone when it comes out. I would like to know a few things about it. What are the pros and cons of getting it? Anything would be helpful!

CG

By Jack Johnson


I haven’t found it yet. Very annoying.

By rmogull


Is there a way I can get a list of networks that the iPhone has memorized? It is entirely possible that I’ve memorized a network and then forgotten to hit forget before disconnecting (or just losing the connection).

By Brian Zuzga


Hey, I know which John this is now from the 1x discussion!

Yes, I agree with how difficult 1x is to configure and the risks that would still exist from malicious open and spoofing APs!

It would be pretty nifty if Apple could embed a set of unique digital certificates, signed, in the iPhone, and that developers could leverage those identity certificates to provide layered security options.

Like: don’t connect to any AP that doesn’t use 1x. Or, if I haven’t connected to an AP with this BSSID, warn me. And so on.

By Glenn Fleishman


I hope 1X support becomes more common in devices as that will perhaps encourage more networks to use it, but there is still a problem with getting it configured. There are a lot of options hidden under that name!

With T-Mobile though it was never well documented how to use their 802.1X connection without their connection software (although it is possible). And the 1X SSID was always hidden. I had heard that they were concerned about the potential for support issues if they made it more widely known (think about how many different wireless managers there are for XP alone!).

Korea Telecom was more aggressive, only allowing internet connections over 1X, and only using their special connection manager software. The open SSID only allowed downloading of the software, for Windows XP. They seem to be switching to the more conventional open + captive portal login page now though, perhaps to allow non-Windows devices to use their network too, or perhaps just to make it easier for roaming customers.

Unless there is some kind of 802.11 level security though, it is relatively simple to set up a malicious open AP that devices will attach to as long as the SSID matches. Then it can try to attack the device over the local Wi-Fi connection. Luckily this kind of attack is likely to remain rare. Wi-Fi’s limited range limits the commercial value of any attack (unlike attacks against PCs over the internet where you can hit many millions of devices from thousands of miles away).

It is also harder to set up a spoof hotspot that steals usernames & passwords, as long as users pay attention to any certificate warnings and the URL of the login page. Not getting a certificate warning is not sufficient as the spoof hotspot may have an SSL certificate for its own domain, and the captive portal simply redirects you to an SSL login page in that domain. This is something that Devicescape’s connection software tries to detect: for most networks we not only need a valid certificate, but also the action URL for the form must be in the domain we expected.

By John


John, good point on the iPhone. Of course, there will be 802.1X support with iPhone 2.0 in a few weeks. And one expects third-party supplicants and EAP-TLS, and so forth. So that might shortly be viable.

T-Mobile and iBahn upgraded all their hotspots to 802.1X capability in 2003 or 2004! They expected 802.1X-to-hotspot would be a big deal. But VPNs apparently won out.

By Glenn Fleishman


Having a common name for your home network shouldn’t be a problem as long as you are running with WPA (or at least WEP) enabled. A device shouldn’t connect to another network of the same name, but with security disabled. And, if you try to connect to another secured network with the same SSID, the keys shouldn’t match (assuming you use a strong passphrase), so you won’t be able to complete the connection.

When it comes to public access networks, the issue gets a little more complex as the only connection security they have is an SSL protected login page, which doesn’t protect the user at all. And, as you say, the iPhone does have a habit of jumping onto Wi-Fi whenever it can. I notice it a lot on my commute: the bus will stop at a red light outside a hotspot and the iPhone will connect.

Glenn’s suggestion of 802.1X is good from a security perspective, but limits the devices that can use the network (for example, the iPhone cannot currently connect to a 1X protected network). It also makes the process of getting connected more complex, which will likely become a barrier for some potential customers, and increase the support burden, which impacts the staff at the venue as well as the network operator.

As ever with Wi-Fi, it is a difficult trade off between ease of use and security. The iPhone’s ability to automatically find and use Wi-Fi networks helps to make it one of the simplest dual mode mobile phones to use, but it does make it more vulnerable to potentially malicious spoof hotspots. Hopefully Apple did their job in the device, and it is well protected against remote attacks over its Wi-Fi connection.

By John


Hi Rich,

Thanks for this thoughtful article. I saw that you’d written it via Twitter. I’ve linked to it from the Check for Updates Web pages for two of the Take Control ebooks (iPhone and Wi-Fi Security), so that should help bring this article to the attention of more people who might find it interesting or useful.

cheers, -Tonya Engst

By Tonya Engst




This is a great piece of advice. It’s incredibly irritating to me that promiscuous network connections aren’t paired with any kind of method of confirming the identity of the remote network.

Every access point broadcasts an SSID with a BSSID, which is the MAC address of the access point (when in infrastructure mode). The BSSID isn’t cryptographically signed, so there’s no way to prevent a BSSID from being spoofed, too, and, in fact, you could set up a malicious AP to spoof many BSSIDs for each SSID in pairs.

So while your iPhone or Win XP box or Mac can record the SSID/BSSID pair, this doesn’t help with intranetwork roaming, where the BSSID changes as you walk around a network and the SSID does not (in an airport, say, or even a home with two access points expanding network coverage).

With 802.1X, there’s a four-way handshake inside a tunneled SSL/TLS session (or the equivalent) which, when implemented correctly, ensures not just an encrypted session, but also an encrypted authentication process, and a lack of interest on the part of your 802.1X supplicant in connecting to an AP that claims to be the right one but which lacks a CA-signed certificate or a cert that matches one preinstalled on your system.

All that’s to say is that it’s a crying shame there’s no underlay on open networks—hotspots plus gateways—that would allow a signing component. One firm told me that you could run 802.1X in an open mode, distributing a guest/guest login password pair, so that there was no restriction on who joined, but that the whole secured connection process would be invoked. It couldn’t be spoofed (with a CA-signed cert), and it would allow each local user to have a unique master key under WPA/WPA2, too.

By Glenn Fleishman

