7/7/2009
03:11 PM

Apple's iPhone Vulnerable To Hotspot Hijacking

The new iPhone 3.0 software automatically launches the Safari browser in certain circumstances, a feature that makes the iPhone more usable and less secure.

Apple's attention to usability appears to have left its iPhone vulnerable to Wi-Fi hotspot hijacking.

In a blog post, Max Moser, co-founder of the remote-exploit.org security group, describes how a feature in Apple's iPhone 3.0 software aims to make the iPhone more user-friendly and ends up making it less secure.

Version 3.0 of the iPhone software, according to Moser, is designed to automatically open a browser when the phone tries to join a Wi-Fi network.

An iPhone running the 3.0 software issues a DNS request for Apple's Web site and a request for a specific Web page. If its queries prove successful, it assumes network connectivity is okay. If it receives no response, it assumes there's no network available.

But if it receives a response from a site other than Apple's, it assumes the user is trying to access the network through a portal that requires authentication, as is often found at hotels or public Wi-Fi hotspots. To help users complete the authentication process, the iPhone software automatically opens Apple's Safari browser.

"It seems like Apple was thinking, 'Damn, that's annoying for the user...let's open up Safari automatically if this special case comes into place,'" Moser says.

That behavior, however, offers an opportunity for exploitation, as first noted by security researcher Lothar Gramelspacher.

Using penetration testing software called karmetasploit and the appropriate network hardware, an attacker can set up his or her own Wi-Fi hotspot. When an iPhone user tries to join this malicious Wi-Fi network, the attacker can capture iPhone cookies, account information, and perhaps more, depending on whether other vulnerabilities in Safari or other iPhone software can be exploited.

Moser has posted a video showing how the attack works.

It should be said that a malicious network represents a risk to any connecting device. The iPhone's automatic browser launch, however, does serve to magnify that risk.
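The three-way decision described above can be written out as a short sketch. This is an added illustration, not Apple's code or Moser's: the expected page body, the sample replies and the stricter `browser_action` policy are all assumptions made for the example. It shows that the "portal" branch is chosen by whatever the network returns, which is why that branch should not launch the browser unprompted.

```python
from enum import Enum

# Assumed placeholder: the article does not give the real probe page content.
EXPECTED_BODY = b"<html>probe-ok</html>"

class Link(Enum):
    ONLINE = "expected page returned"
    NO_NETWORK = "no response"
    PORTAL = "unexpected response, treated as a login portal"

def parse_http(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])  # e.g. "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw):
    """raw is None when the DNS lookup or the page request got no answer."""
    if raw is None:
        return Link.NO_NETWORK
    try:
        status, _, body = parse_http(raw)
    except (IndexError, ValueError):
        return Link.PORTAL  # malformed reply is still "not the expected page"
    if status == 200 and body == EXPECTED_BODY:
        return Link.ONLINE
    return Link.PORTAL

def browser_action(state, user_confirmed):
    """Hypothetical stricter policy (not Apple's): never auto-launch."""
    if state is not Link.PORTAL:
        return "none"
    return "open isolated login view" if user_confirmed else "prompt user"

# Constructed sample replies, not captured traffic.
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + EXPECTED_BODY
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://login.hotspot.example/\r\n\r\n"
REWRITTEN = b"HTTP/1.1 200 OK\r\n\r\n<html>Please sign in</html>"

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("redirect", REDIRECT),
                      ("rewritten", REWRITTEN), ("silence", None)]:
        state = classify(raw)
        print(f"{name:10} {state.name:11} {browser_action(state, False)}")
```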

Apple did not respond to a request for comment.
