
(Ars Technica) Your ATT iPhone will automatically try to connect to any wireless network named "attwifi". Any network - no matter who set it up or what their intentions. What could possibly go wrong? (arstechnica.com)
    More: Scary, iPhones, Wi-Fi, wireless networks, SSL, iOS devices  

4224 clicks; posted to Geek » on 14 Jun 2013 at 7:30 AM (2 years ago)



41 Comments

Archived thread
 
2013-06-14 07:45:16 AM  
Yeah there's a similar thing with my Sprint Samsung Galaxy S4 where it has "smart wifi" and will try to auto-connect to wifi networks you've used in the past based on their name. You can turn that "feature" off though.
 
2013-06-14 07:49:38 AM  
Nobody at AT&T thought this cunning plan all the way through?  Nobody?  *LOL*
 
2013-06-14 07:59:05 AM  
No Security Anyway
 
2013-06-14 08:01:23 AM  
My Thunderbolt did that. I'd imagine most smartphones can. It's so that dumbasses who refuse to know how to use their devices (like your parents) can "set it and forget it". It's the same reason Windows desktop accounts used to run as administrator by default: to placate dumb users.
 
2013-06-14 08:02:22 AM  
I don't understand the need to log in to that kind of thing when Free Public Wi-Fi is essentially everywhere.
 
2013-06-14 08:02:46 AM  
Walker: Yeah there's a similar thing with my Sprint Samsung Galaxy S4 where it has "smart wifi" and will try to auto-connect to wifi networks you've used in the past based on their name. You can turn that "feature" off though.

Heh, didn't the guy from Hak 5 demonstrate exploits with this as well?

I.e., the phone sends out a packet saying hey, is wifi network foobarbaz around?

And the honeypot gets that packet and says "YES. I am network foobarbaz! Connect to ME!".
 
2013-06-14 08:35:01 AM  
Does the WiFi spec support something where an AP and a device exchange identifying keys to prevent connecting to a spoofing network, even on no wireless security mode?
The biggest problem is that open wifi is unencrypted, really. Then again, how would you get an open access point to give a client an encryption key without it being spied on over clear text?
 
2013-06-14 08:35:28 AM  

AverageAmericanGuy: I don't understand the need to log in to that kind of thing when Free Public Wi-Fi is essentially everywhere.


Which is exactly as secure.
 
2013-06-14 08:37:51 AM  

AverageAmericanGuy: I don't understand the need to log in to that kind of thing when Free Public Wi-Fi is essentially everywhere.


You don't see the need to connect to free public wi-fi provided by your service provider because there is free public wi-fi you can log into essentially everywhere?
 
2013-06-14 08:40:46 AM  

DerAppie: AverageAmericanGuy: I don't understand the need to log in to that kind of thing when Free Public Wi-Fi is essentially everywhere.

You don't see the need to connect to free public wi-fi provided by your service provider because there is free public wi-fi you can log into essentially everywhere?


attwifi is that free Starbucks crap, isn't it? I'm not sharing my personal data with some corporation.
 
2013-06-14 08:42:21 AM  

AverageAmericanGuy: DerAppie: AverageAmericanGuy: I don't understand the need to log in to that kind of thing when Free Public Wi-Fi is essentially everywhere.

You don't see the need to connect to free public wi-fi provided by your service provider because there is free public wi-fi you can log into essentially everywhere?

attwifi is that free Starbucks crap, isn't it? I'm not sharing my personal data with some corporation.


Nope, just with some other corporation offering "free" public wifi.
 
2013-06-14 08:43:33 AM  
The most effective way to prevent iPhones from connecting to networks without the user's knowledge is to turn off Wi-Fi whenever it's not needed.

People aren't already doing that to conserve battery?
 
2013-06-14 08:57:04 AM  

DerAppie: You don't see the need to connect to free public wi-fi provided by your service provider because there is free public wi-fi you can log into essentially everywhere?


It's a joke.... you ever notice the network called Free Public Wi-Fi that exists everywhere?
 
2013-06-14 09:04:46 AM  
This is pretty scary.  Imagine the STDs your phone could get.
 
2013-06-14 09:15:59 AM  

Arkanaut: The most effective way to prevent iPhones from connecting to networks without the user's knowledge is to turn off Wi-Fi whenever it's not needed.

People aren't already doing that to conserve battery?


Seems like a lot of extra crap for me to think about when my phone manages its battery life just fine without my interaction. I can't say I've noticed any difference in battery life by constantly turning wifi or bluetooth on/off manually.
 
2013-06-14 09:17:57 AM  

dukeblue219: DerAppie: You don't see the need to connect to free public wi-fi provided by your service provider because there is free public wi-fi you can log into essentially everywhere?

It's a joke.... you ever notice the network called Free Public Wi-Fi that exists everywhere?


Ah, different country so no. I wasn't aware of that one.
 
2013-06-14 09:20:40 AM  
For Android phones, at least for ICS and JB, you can toggle whether your phone automatically connects to "attwifi" via the wifi advanced settings panel (go to your wifi settings, press your menu key and then choose 'advanced').
 
2013-06-14 09:21:55 AM  
I don't see the problem. I was always told that Apple products were super secure and there was no way to hack them or infect them with a virus.
 
2013-06-14 09:53:51 AM  
I farking hate ATT WiFi. It's so annoying to be out and suddenly my phone is browsing the web slower than molasses despite being on LTE. It's such a pain to have to be constantly toggling WiFi on and off to avoid it when I'm out. They really need to add a setting to ignore them.
 
2013-06-14 10:12:31 AM  

Pichu0102: Does the WiFi spec support something where an AP and a device exchange identifying keys to prevent connecting to a spoofing network, even on no wireless security mode?
The biggest problem is that open wifi is unencrypted, really. Then again, how would you get an open access point to give a client an encryption key without it being spied on over clear text?


Yes. 802.1x supports mutual authentication and Vodafone uses EAP-SIM authentication for its Wifi services.

But security is hard.  Att don't care because:

A - It isn't their data subject to pilfering.
B - They already hold the security of your data in very low regard. ( See recent announcements)
 
2013-06-14 10:13:27 AM  
Sorry for the poor grammar. Fark sucks big donkey balls on the iPad anymore.
 
2013-06-14 11:01:47 AM  

Walker: Yeah there's a similar thing with my Sprint Samsung Galaxy S4 where it has "smart wifi" and will try to auto-connect to wifi networks you've used in the past based on their name. You can turn that "feature" off though.


that explains why my phone always wants to connect to "lynksys"
 
2013-06-14 11:12:57 AM  

AverageAmericanGuy: I don't understand the need to log in to that kind of thing when Free Public Wi-Fi is essentially everywhere.

attwifi is that free Starbucks crap, isn't it? I'm not sharing my personal data with some corporation.


Read what you just wrote.

Now read it again and think about what you just wrote.

Now don't you feel foolish?
 
2013-06-14 11:57:25 AM  

arcas: For Android phones, at least for ICS and JB, you can toggle whether your phone automatically connects to "attwifi" via the wifi advanced settings panel (go to your wifi settings, press your menu key and then choose 'advanced').


I'm using stock Android 4.2 and do not have that option under Wifi -> Advanced.  I would love to find out how to do that, though, because I typically keep wifi off in public so that my mobile data isn't interrupted every time I walk past a Starbucks.
 
2013-06-14 11:57:33 AM  
 
2013-06-14 12:00:36 PM  

darwinpolice: arcas: For Android phones, at least for ICS and JB, you can toggle whether your phone automatically connects to "attwifi" via the wifi advanced settings panel (go to your wifi settings, press your menu key and then choose 'advanced').

I'm using stock Android 4.2 and do not have that option under Wifi -> Advanced.  I would love to find out how to do that, though, because I typically keep wifi off in public so that my mobile data isn't interrupted every time I walk past a Starbucks.


Why would stock Jelly Bean have that option preset? Only AT&T phones are set to prefer the AT&T Hotspots over mobile data. Unless you have it connect to any open hotspot you are near, stock Android should not do that.
 
2013-06-14 12:34:14 PM  

Mad_Radhu: darwinpolice: arcas: For Android phones, at least for ICS and JB, you can toggle whether your phone automatically connects to "attwifi" via the wifi advanced settings panel (go to your wifi settings, press your menu key and then choose 'advanced').

I'm using stock Android 4.2 and do not have that option under Wifi -> Advanced.  I would love to find out how to do that, though, because I typically keep wifi off in public so that my mobile data isn't interrupted every time I walk past a Starbucks.

Why would stock Jelly Bean have that option preset? Only AT&T phones are set to prefer the AT&T Hotspots over mobile data. Unless you have it connect to any open hotspot you are near, stock Android should not do that.


Ahh, I misinterpreted.  I thought arcas was talking about a general setting and just using attwifi as a specific example.  I was thinking of a setting that allows you to specify which wifi networks your phone will auto-connect to.
 
2013-06-14 01:03:00 PM  
I hope someone in the jailbreak community makes a patch for this because I can't upgrade to a new iOS that Apple will likely release to fix this.

I bet that Apple didn't want to do this but AT&T insisted upon it to reduce their cellular consumption automatically in, well, hotspot areas of their cellular network.
 
2013-06-14 01:21:22 PM  
Seems like it should be very feasible for law enforcement to work with e-commerce sites, having phones in various places hacked so that dummy credit card numbers from simulated transactions can be harvested... and then work with the CC companies to determine the origin of attempts to use them.
 
2013-06-14 01:45:12 PM  
Been meaning to set up a VPN server at home and have my phone always connect through that. That way I can also route the traffic through Privoxy and adblock on my phone!

shiat's complicated though :(
 
2013-06-14 02:19:43 PM  

Myria: I hope someone in the jailbreak community makes a patch for this because I can't upgrade to a new iOS that Apple will likely release to fix this


It's not so much about patching. This is how SSID broadcast works. The difference is that if you're on AT&T, your phone will always recognize ATTWIFI as a valid network. That's a simple XML flag - if you're jailbroken, you could go in there and change it yourself via SSH. The deeper problem is that all of our mobile devices broadcast a list of any network they've ever talked to. There's nothing to stop a node from responding, "Oh, that's me!"
 
2013-06-14 02:28:26 PM  

NateAsbestos: shiat's complicated though :(


Depending on your level of IT knowledge it can be.

Another option is to pay a VPN provider $5-10 a month.

But at home, a decent modern Linksys router with dd-wrt, Tomato, or other variant of those with OpenVPN is not too difficult to set up if you've ever done any kind of command line or system admin work. IMHO, the hardest part is having access to a system to generate the certificates. If you have a Mac you're already set. If you've got Windows you either need a Linux machine or access to one. (Sorry, I have never tried to generate certs on Windows - probably possible under Cygwin but that's a topic for another day)
 
2013-06-14 02:35:45 PM  
Windows has been doing this BS for years. If you have a preferred network set up (connect automatically) and the wifi tries to connect and fails, Windows automatically will try to connect to any open network.
 
2013-06-14 02:55:36 PM  

slykens1: Yes. 802.1x supports mutual authentication


You mean no. 802.1x does not allow an anonymous user to verify that he's reconnecting to the same network he used before. In general use it doesn't allow anonymous users at all. So it's simply not applicable to the kind of open networks asked about (also it technically doesn't run until after you've joined the WiFi network, but whether or not that poses a security risk to users depends on the behavior of their local supplicant and network stack).

The basic "problem" here is that WiFi is supposed to work this way -- if the SSID and security settings match, you're supposed to be able to roam freely from one AP to another. Such a design allows you to install multiple APs to cover a large area and just connect them all to the same backend network segment to provide seamless coverage as users move around. Anything you do to "solve" this problem will break all sorts of WiFi networks designed for roaming use.

It would be nice if ATT didn't bake-in WiFi networks, but the basic "problem" exists for anyone who has ever joined (and remembered) a network with a common SSID. And the solution is the same as it always has been -- use end-to-end encryption.
 
2013-06-14 03:37:42 PM  
Well, I could set up a router named attwifi and hide it in a busy public place. Obviously all web requests would be redirected to goatse, but that goes without saying.
 
2013-06-14 03:54:53 PM  

profplump: You mean no. 802.1x does not allow an anonymous user to verify that he's reconnecting to the same network he used before. In general use it doesn't allow anonymous users at all. So it's simply not applicable to the kind of open networks asked about (also it technically doesn't run until after you've joined the WiFi network, but whether or not that poses a security risk to users depends on the behavior of their local supplicant and network stack).


I missed his asking about it also working on open, anonymous networks. However, 802.1x could still allow the server to authenticate itself to the client and then accept any credentials in return - effectively authenticating the network to an anonymous user.

Anyway, the type of wifi network being discussed in the article is not being accessed by an anonymous user - your iPhone authenticates itself to the network to bypass the paywall on attwifi. There is no reasonable reason this is not set up to use 802.1x which would fix a lot of these problems.
 
2013-06-14 05:37:44 PM  

slykens1: which would fix a lot of these problems.


But not the fact that SSID works by request. So even if attwifi is fixed, someone could still make a honeypot WAP that my phone will connect to, unless I turn WiFi off.
 
2013-06-14 07:16:46 PM  

t3knomanser: Myria: I hope someone in the jailbreak community makes a patch for this because I can't upgrade to a new iOS that Apple will likely release to fix this

It's not so much about patching. This is how SSID broadcast works. The difference is that if you're on AT&T, your phone will always recognize ATTWIFI as a valid network. That's a simple XML flag - if you're jailbroken, you could go in there and change it yourself via SSH. The deeper problem is that all of our mobile devices broadcast a list of any network they've ever talked to. There's nothing to stop a node from responding, "Oh, that's me!"


That's lame.  Unsecured (or even WEP) wireless should never be connected without the user selecting that network.  For the secured networks, it should only be allowed if the password the phone knows is correct - each side validates each other.

This is like security 101 here...
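
As an added illustration of the policy in the comment above (not code posted by anyone in this thread): a Python audit of saved Wi-Fi profiles that flags enabled open or WEP profiles, EAP profiles with no CA configured, and profiles that send directed probes. The wpa_supplicant.conf file format is an assumption chosen for the example, since the thread only discusses phone settings, and the sample configuration is constructed.

```python
# Constructed sample in wpa_supplicant.conf syntax; not taken from a real device.
SAMPLE_CONF = """
network={
    ssid="attwifi"
    key_mgmt=NONE
}
network={
    ssid="HomeNet"
    psk="constructed-passphrase"
    scan_ssid=1
}
network={
    ssid="OldCafe"
    key_mgmt=NONE
    wep_key0="abcde"
    disabled=1
}
network={
    ssid="CorpNet"
    key_mgmt=WPA-EAP
}
"""

def parse_networks(conf_text):
    """Return one dict of key -> value for each network={...} block."""
    nets, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            nets.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return nets

def audit(conf_text):
    """Return (ssid, finding) pairs for profiles that trust a network by name alone."""
    findings = []
    for net in parse_networks(conf_text):
        if net.get("disabled") == "1":
            continue  # profile is stored but never selected automatically
        ssid = net.get("ssid", "<any>")
        key_mgmt = net.get("key_mgmt", "WPA-PSK IEEE8021X").upper().split()
        if key_mgmt == ["NONE"]:  # open or static WEP: the AP proves nothing
            kind = "wep" if any(k.startswith("wep_key") for k in net) else "open"
            findings.append((ssid, f"{kind}: joins any AP advertising this SSID"))
        if "WPA-EAP" in key_mgmt and not ({"ca_cert", "ca_path"} & net.keys()):
            findings.append((ssid, "eap: server certificate is not verified"))
        if net.get("scan_ssid") == "1":  # directed probe requests name the SSID
            findings.append((ssid, "probe: SSID is disclosed in probe requests"))
    return findings
```

Calling `audit()` on the text of a configuration file returns the findings as a list of `(ssid, finding)` tuples.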
 
2013-06-14 10:38:49 PM  
Curious question.  If I have my wifi turned on and come home from work, my phone automatically joins my home network.  If all the McDonalds wifi networks are called attwifi, and I log onto one, will my phone join ANY of the attwifi McDonald networks it can hear?

Seems like that's what they're saying here...and seems like normal behavior.
 
2013-06-15 02:59:12 AM  

The6502Man: Curious question.  If I have my wifi turned on and come home from work, my phone automatically joins my home network.  If all the McDonalds wifi networks are called attwifi, and I log onto one, will my phone join ANY of the attwifi McDonald networks it can hear?

Seems like that's what they're saying here...and seems like normal behavior.


The problem is that for your home network you put it in and told it to remember the network. With the AT&T hotspots, the AT&T branded phones will connect automatically without you explicitly saying yes, I want to connect to that network. It doesn't ask you, and doesn't give you the option NOT to connect or to forget the network, and the only way to prevent it is to turn off WiFi, which is a PITA because you have to remember to turn it back on again when you get home. It's just really annoying, especially now that LTE makes the WiFi hotspots look painfully slow in comparison.
 
2013-06-15 09:09:38 AM  
Hah, you are all dumb - that's why I only use the secure 'FBI Van' Wi-Fi network that always seems to be available wherever I go.
 

This thread is archived, and closed to new comments.
