On iPhone, beware of that AT&T Wi-Fi hot spot

Typically, an iPhone will look for a specific MAC address, the unique identifier for the router, to verify that the wireless network is one the user previously agreed to join. However, if the iPhone has previously connected to any one of the numerous free AT&T Wi-Fi hot spots (offered at virtually every Starbucks in the U.S., for example), the device will ignore what the MAC address says and simply connect to the network if it has “AT&T Wifi” attached, Kamkar said.

“The iPhone joins the network by name with no other form of authentication,” he said.

Read the entire article on CNET Reports:

On iPhone, beware of that AT&T Wi-Fi hot spot
April 27, 2010 1:33 PM PDT — by Elinor Mills

Kamkar said he made this discovery recently when he was at a Starbucks and disconnected from the AT&T Wi-Fi network.

“I went into the settings to disconnect and the prompt was different from normal,” he said. “I went home and had my computer pretend to be an AT&T hot spot just by the name and my iPhone continued to connect to it. I saw one or two other iPhones hop onto the network, too, going through my laptop computer. I could redirect them, steal credentials as they go to Web sites,” among other stealth moves, if he had wanted to.

To prove that a hijack is possible, Kamkar wrote a program that displays messages and can make other modifications when someone is attempting to use the Google Maps program on an iPhone that has been intercepted. He will be releasing his hijacking program via his Twitter account: http://twitter.com/samykamkar.

Kamkar hasn’t attempted the hijack on an iPod Touch, but plans to determine whether it has the same vulnerability.

iPhone users can protect themselves by disabling their Wi-Fi, or they can turn off the automatic joining of the AT&T Wi-Fi network, but only if the device is within range of an existing AT&T hot spot, Kamkar said.

Asked for comment, an Apple spokeswoman said: “iPhone performs properly as a Wi-Fi device to automatically join known networks. Customers can also choose to select to ‘Forget This Network’ after using a hot spot so the iPhone doesn’t join another network of the same name automatically.”
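A defender-side view of the behaviour and the two mitigations described above, as an added example that is not from the article or from Kamkar's program: it audits a saved-network list against the access points in range and reports any open network that would be auto-joined on the strength of its name alone. The data model, the function names and every SSID and BSSID value are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SavedNetwork:              # hypothetical model of one remembered network
    ssid: str
    security: str                # "open" or "wpa2-psk"
    auto_join: bool = True
    seen_bssids: set = field(default_factory=set)  # APs the user actually joined

@dataclass
class AccessPoint:               # hypothetical model of one scan result
    ssid: str
    bssid: str
    security: str

ADVICE = "turn off auto-join or forget this network"

def joined_by_name_alone(net, ap):
    """True when only the network name stands between this AP and an automatic join."""
    return (net.auto_join and net.security == "open"
            and ap.security == "open" and net.ssid == ap.ssid)

def audit(saved, in_range):
    """Return (ssid, bssid, advice) for each AP that would be auto-joined by name
    on a BSSID the user never approved. A matching BSSID is only a weak signal:
    the AP broadcasts it unauthenticated, so it is not proof of identity."""
    findings = []
    for ap in in_range:
        for net in saved:
            if joined_by_name_alone(net, ap) and ap.bssid not in net.seen_bssids:
                findings.append((ap.ssid, ap.bssid, ADVICE))
    return findings

# Constructed sample data; the SSID string follows the article's wording.
SAVED = [
    SavedNetwork("AT&T Wifi", "open", True, {"02:00:00:00:00:01"}),
    SavedNetwork("HomeNet", "wpa2-psk", True, {"02:00:00:00:00:10"}),
    SavedNetwork("CafeGuest", "open", False, {"02:00:00:00:00:20"}),
]
IN_RANGE = [
    AccessPoint("AT&T Wifi", "02:00:00:00:00:01", "open"),  # AP joined before
    AccessPoint("AT&T Wifi", "02:00:00:00:00:99", "open"),  # same name, unknown AP
    AccessPoint("HomeNet", "02:00:00:00:00:98", "open"),    # saved profile is protected
    AccessPoint("CafeGuest", "02:00:00:00:00:97", "open"),  # auto-join already off
]

if __name__ == "__main__":
    for ssid, bssid, advice in audit(SAVED, IN_RANGE):
        print(f"{ssid} ({bssid}): {advice}")
```

Removing the open profile from `SAVED`, or setting its `auto_join` to `False`, empties the findings, which corresponds to the two user-side options the article reports.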

Kamkar, an independent researcher based in Los Angeles, first made a name for himself by launching what was called the “Samy” worm on MySpace in order to see how quickly he could get friends on the social-networking site. The cross-site scripting (XSS) worm displayed the words “Samy is my hero” on a victim’s profile and when others viewed the page they were infected.

He served three years of probation under a plea agreement reached in early 2007 for releasing the worm.


Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.