Apple IOS "Hidden Preferred Network List" advisory
Abstract:
IOS users are unable to edit or delete SSIDs of WLANs they no longer wish to connect to, unless the user is within range of the WLAN.
Affected Products:
IOS 5.0 (released 12 October 2011) - We delayed this release as we had hoped that Apple Inc would have fixed the problem in IOS5, but it obviously is not important enough given the fix is not difficult.
IOS 4.3.5 (used on iPhone and iPad) and all previous releases of Apple’s IOS to date.
– Not confirmed on iPod Touch as we don’t have one.
CVE Number:
CVE-2011-4003 assigned 5th October.
Exploitation-Technique:
Remote
Exposure Severity:
Medium - High
Report-Timeline:
Reported to Apple Inc Security staff by Steve Armstrong from Logically Secure (stevearmstrong@logicallysecure.com, @Nebulator)
Initial report to Apple : 0120 BST 1 June 2011.
Initial Response from Apple : 1339 BST 1 June 2011 (Apple tracking ID 154209479).
Further push for action : 1346 BST 12 September 2011.
Response from Apple : 2129 BST 19 September 2011 (See end of this advisory).
Publication scheduled for : 0110 BST 6 October 2011 - delayed following the passing of Steve Jobs (RIP).
Published : 0030 BST 18 October 2011
Introduction:
Apple IOS is the operating system installed on iPhone and iPad devices. It controls all interaction between the user, the hardware and the communication environment they occupy (Vendor Homepage: http://www.apple.com/iphone/ios/).
Summary of Problem:
Users are not able to list the networks stored in their WLAN history. In desktop operating systems this is often called a Preferred Network List (as seen in Apple's OSX and Microsoft's Windows operating systems). Therefore, users are not able to edit and prune this list as appropriate. As the device will automatically connect to an SSID in this list, an attacker can create an environment where the device will connect to a WLAN against the user's wishes simply because it has connected to a WLAN with that SSID before.
References:
/index.php?cID=171
Details:
Apple mobile device IOS ‘Hidden Preferred Network List’ exposure, details:
When a user sees an SSID for a WLAN on their device, they can choose to connect to that WLAN or to ignore it. If they do not connect there is no link between their system and the access point’s ESS, and therefore there is no reduction in the device's security, nor is any user activity placed at risk.
If the user connects to a WLAN with no encryption or authentication, for example a coffee shop WLAN with an SSID of ‘My_HotSpot_ISP’ (as an example SSID), they have made a conscious decision based upon a number of factors including:
Their assessment of the operating environment.
The perceived legitimacy of the SSID in the location it is seen at.
The user's need to carry out data activity at Wi-Fi speeds.
Although this choice may be ill-informed and somewhat basic, the user is able to make a choice, and to express that choice by selecting the network and tapping the appropriate part of the connect request dialogue box. Later, while connected, if the user decides that they no longer wish to remain connected to the ‘My_HotSpot_ISP’ WLAN, they can get their device to stop the connection and cease future reconnections: in the ‘Settings -> WiFi’ section, select the blue arrow beside the WLAN to be disconnected from and then tap the ‘Forget this Network’ button at the top of the IP address options.
If, however, the SSID is no longer visible or beaconing, the WLAN disappears from the ‘Wi-Fi Networks’ page. This also removes the blue button that allows a user to ‘Forget this Network’. Therefore, the user can only choose not to connect to a WLAN when they can see the WLAN in question.
The problem gets worse. An attacker running a WLAN sniffing program such as airodump-ng (from the aircrack-ng suite of tools) is able to observe other wireless devices: sniffing the raw 802.11 protocol frames with the likes of airodump-ng reveals the probe requests that devices transmit as they ‘shout out’ to see if SSIDs they have previously connected to are in the local area. This probing is conducted by many devices, operating systems and Wi-Fi utilizing products.
The problem with iPhone and iPad devices is that they continue to probe for SSIDs that they cannot see, without the user's permission, knowledge or ability to stop it. This probing reveals the SSID of the WLAN the device would like to connect to; attackers are able to monitor these probes and then advertise SSIDs matching those sought by clients. These SSIDs can be backed by the attacker's ‘evil’ servers and other systems that the attacker controls.
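The probe-request leakage described above, as an added example that is not part of the original advisory: a small parser that walks raw 802.11 probe-request frames and lists, per client MAC, the SSIDs being probed for, so a user can audit what their own device is disclosing in the clear. It assumes frames are handed over as raw 802.11 bytes with any radiotap header already stripped; the sample frames are constructed inline.

```python
# Added example (not from the advisory): audit directed probe requests to see
# which SSIDs a device is broadcasting. Frames are assumed to be raw 802.11
# management frames (radiotap header already stripped by the capture tool).
from collections import defaultdict

PROBE_REQ = (0, 4)  # frame type = management (0), subtype = probe request (4)

def parse_probe_request(frame: bytes):
    """Return (client_mac, ssid) for a probe-request frame, else None.
    An empty ssid means a wildcard (broadcast) probe, which leaks nothing."""
    if len(frame) < 24:                      # shorter than a management header
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != PROBE_REQ:
        return None
    mac = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 = transmitter
    body = frame[24:]
    i = 0
    while i + 2 <= len(body):                # walk tagged parameters: id, len, value
        tag, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) != ln:
            break                            # truncated information element
        if tag == 0:                         # element id 0 = SSID
            return mac, val.decode("utf-8", "replace")
        i += 2 + ln
    return None

def leaked_ssids(frames):
    """Map client MAC -> sorted list of directed (non-wildcard) SSIDs probed for."""
    out = defaultdict(set)
    for f in frames:
        r = parse_probe_request(f)
        if r and r[1]:
            out[r[0]].add(r[1])
    return {m: sorted(s) for m, s in out.items()}

def build_probe_request(src_mac: bytes, ssid: str) -> bytes:
    """Construct a minimal probe-request frame; used only for the sample data."""
    hdr = (b"\x40\x00"            # frame control: type 0, subtype 4
           + b"\x00\x00"          # duration
           + b"\xff" * 6          # addr1: broadcast
           + src_mac              # addr2: client
           + b"\xff" * 6          # addr3: wildcard BSSID
           + b"\x00\x00")         # sequence control
    s = ssid.encode()
    return hdr + bytes([0, len(s)]) + s + bytes([1, 1, 0x02])  # SSID IE + rates IE

# Constructed sample capture: one device probing for a hotspot, plus a wildcard probe.
SAMPLE = [build_probe_request(b"\x02\x00\x00\x00\x00\x01", "My_HotSpot_ISP"),
          build_probe_request(b"\x02\x00\x00\x00\x00\x01", ""),
          build_probe_request(b"\x02\x00\x00\x00\x00\x02", "HomeNet")]
```

Running `leaked_ssids(SAMPLE)` reports only the directed probes, which is exactly the information the advisory says the user cannot see from the Wi-Fi applet.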
On a Microsoft Windows system the user is aware of the SSIDs probed for, as they are in the Preferred Network List (part of the network control applet), which is both visible and editable, with entire entries being erasable (permissions permitting) by the user.
On an Apple Mac running OS X (for example Snow Leopard 10.6.7), the user can look in the advanced settings of the Network Preferences part of the System Preferences. This allows them to view, edit and, critically, delete SSIDs to which the user no longer wants or authorizes the system to connect.
On iPhones and iPads running their IOS (for example IOS 4.3.5) there is no software, applet, tool or area for the user to review, edit or delete WLAN SSIDs for networks the user does not want to connect to.
Finally, and most critically, in both IOS4 and IOS5, at the bottom of the ‘Wi-Fi Networks’ page and below the ‘Ask to Join Networks’ slider there is a comment that ‘Known networks will be joined automatically’. Thus a user cannot remove an SSID that is not beaconing or in range when the user uses the Wi-Fi applet, but if the device comes into range it will automatically connect.
With users regularly connecting to unencrypted WLANs that require no authentication, such as those found in a typical coffee shop, they will quickly have obvious and insecure SSIDs in their ‘Hidden Preferred Network List’, which will be probed for on a regular basis. Thus an attacker is able to see what SSIDs the user has connected to before and can make his “evil” network match the disclosed SSID, using information gleaned from an unencrypted SSID probe, with no authentication necessary. By doing this the attacker is able to get the device to “join automatically”, exposing the client to man-in-the-middle (MITM), operating system level and device driver level attacks.
We believe this ‘Hidden Preferred Network List’ vulnerability should be removed by allowing the user to review, edit and delete entries without requiring that the device be in range of the SSID to be edited (and without the use of WiFi protocol analysers or hacking tools).
Response from Apple Security:
At the second contact Apple responded as follows:
"As indicated in our previous correspondence, we do not consider this to be a security exposure. There are two important features you may use should you inadvertently join an untrustworthy network:
1. If you are still in range of the network, you may clear the association using the "Forget This Network" button in the Settings application.
2. Wireless network associations are cleared by a network settings reset. This will remove any untrustworthy network associations that may be present.
To reset network settings, open the Settings app, tap "General", then "Reset", followed by "Reset Network Settings"."
Comment on Apple's advice:
Solution 1 is obvious and not part of the problem (given we included this as background material in the exposure email to them).
Solution 2 actually wipes all networks; so you get to wipe your own, parents', friends' and work wireless settings just because Apple have neglected to give you a list of the SSIDs that are trusted on your iPhone/iPad.