Vulnerabilities / Threats
7/7/2009
03:11 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Apple's iPhone Vulnerable To Hotspot Hijacking

The new iPhone 3.0 software automatically launches the Safari browser in certain circumstances, a feature that makes the iPhone more usable and less secure.

Apple's attention to usability appears to have left its iPhone vulnerable to Wi-Fi hotspot hijacking.

In a blog post, Max Moser, co-founder of the remote-exploit.org security group, describes how a feature in Apple's iPhone 3.0 software aims to make the iPhone more user-friendly and ends up making it less secure.

Version 3.0 of the iPhone software, according to Moser, is designed to automatically open a browser when trying to join a Wi-Fi network.

An iPhone running the 3.0 software issues a DNS request for Apple's Web site and a request for a specific Web page. If its queries prove successful, it assumes network connectivity is okay. If it receives no response, it assumes there's no network available.

But if it receives a response from a site other than Apple's, it assumes the user is trying to access the network through a portal that requires authentication, as is often found at hotels or public Wi-Fi hotspots. To help users complete the authentication process, the iPhone software automatically opens Apple's Safari browser.

"It seems like Apple was thinking, 'Damn, that's annoying for the user...lets open up Safari automatically if this special case comes into place,'" Moser says.

That behavior, however, offers an opportunity for exploitation, as first noted by security researcher Lothar Gramelspacher.

Using penetration testing software called karmetasploit and the appropriate network hardware, an attacker can set up his or her own Wi-Fi hotspot. When an iPhone user tries to join this malicious Wi-Fi network, the attacker can capture iPhone cookies, account information, and perhaps more, depending on whether other vulnerabilities in Safari or other iPhone software can be exploited.

Moser has posted a video showing how the attack works.

It should be said that a malicious network represents a risk to any connecting device. The iPhone's automatic browser launch, however, does serve to magnify that risk.

Apple did not respond to a request for comment.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant