Friday, May 31, 2013

iStupid: Setup & Basic Usage

iStupid, indescreet SSID tool (for the) unknown PNL (on) iOS devices, is a Python-based tool for Linux that allows deleting Wi-Fi network entries from the hidden PNL of iOS mobile devices. For more details see the original iStupid blog post, and it can be downloaded, as usual, from Tadddong's lab.

Setup & Requirements
iStupid directly runs in some of the most famous security Linux distributions, such as Kali Linux, BackTrack Linux (BT5R3), or MobiSec (v1.1) [0]. If you are interested on running iStupid on a different Linux system the main two requirements are Python 2.7.x and Scapy. The next two commands allow you to easily check the Python and Scapy versions (e.g. Kali):
# python -V
Python 2.7.3
# dpkg -l | grep -i scapy
ii  python-scapy    2.2.0-1    all    Packet generator/sniffer and network scanner/discovery

Before running iStupid you need to put your Wi-Fi network interface or card in monitor mode. You can use the well-known "airmon-ng start wlan0" command (from the aircrak-ng suite), or preferably use the following Linux commands, adjusting accordingly your network interface names (e.g. phy11, wlan0, and mon0):


To run iStupid (as root or using "sudo") you simply need to provide the SSID (or network name) of the Wi-Fi network to impersonate (through the "-s" option) and the local monitor mode Wi-Fi network interface (e.g. mon0):

In the example above, iStupid will emulate that a Wi-Fi network called "Taddong" is available, allowing you to delete it from iOS mobile devices. The default security type used for the network is OPEN, very common for public Wi-Fi networks and hotspots. However, the Wi-Fi network security type can be easily changed by specifying one of the different security options: OPEN (--open), WEP (--wep), WPA-Personal (--wpa), WPA2-Personal (--wpa2), WPA-Enterprise (--wpa-enterprise), or WPA2-Enterprise (--wpa2-enterprise). Example for a WPA2-Personal (or PSK) network:

Therefore, the first requirement to be able to remove a Wi-Fi network from iOS mobile devices is to know at least the name of the Wi-Fi network you connected to in the past, which was saved inside the hidden PNL. As a recommended practice, every time you connect to a new network you could take a screenshot of the Wi-Fi screen on iOS (by pressing both the Power and Home buttons simultaneously) in order to easily remember the network name:

The second requirement is to know the Wi-Fi network security type. A very common scenario for end users is to remember the SSID they connected to and (at most) if it was an open or a secure network. Unfortunately, if it was a secure network, iOS does not help the user to differentiate between the multiple security types, as all them are represented by a lock (see the image above).

For this reason, iStupid implements the "--loop" option. When used, iStupid will loop through the different security types, spending by default 30 seconds on each of them. This amount of time allows iOS to re-scan for new networks and identify the new security type, allowing you to manually remove the associated entry from the hidden PNL:

If you don't know the security type, this iStupid basic usage requires you to manually check if the network can be removed from the iOS mobile device, through the blue arrow button available at the right of the network name and the "Forget this network" option, every time the security type changes on the iStupid output. Once you see a new security type printed by iStupid (between curly braces), go to the iOS device, wait until it re-scans for networks (via the spinning wheel at the right of the "Choose a Network..." label), and try to remove the network from the hidden PNL:

The loop interval, that is, the amount of time iStupid spends on every security type, can be changed through the "-l" (or "--loop_interval") option. The next blog post in this series will demonstrate iStupid advanced usage through some additional command line switches (check the help with "iStupid -h"), like the one that tries to identify automatically the security type of the original Wi-Fi network.

Shameless plugI will be teaching the 6-day SANS SEC575 training, "SEC575: Mobile Device Security and Ethical Hacking", in Tokyo (October 21-26, 2013) and London (November 18-23, 2013).

[0] Mobisec v1.1 by default uses Python 2.6.5 and will complaint about not having the "argparse" module. You need to update it to Python 2.7.x in order for iStupid to work.


One of the tools I demonstrated during the last RootedCON 2013 conference in Madrid as part of my "Wi-Fi: Why iOS (Android, and others) Fail inexplicably?" talk was iStupid: indescreet SSID tool (for the) unknown PNL (on) iOS devices. Apple mobile devices, based on iOS (such as iPhone, iPad or iPad mini, and iPod Touch), do not provide capabilities to manage their Wi-Fi Preferred Network List (PNL). This deficiency is something I talked about on my "Wi-Fi (In)Security - All Your Air Are Belong To..." presentation in 2010, almost three years ago (back to iOS 2.x, 3.x, 4.x...), and the situation has not changed :(

Unfortunately, the existence of other vulnerabilities where mobile devices disclose their PNL in the air (specifically TAD-2013-001 for iOS devices; see note below) makes mandatory to have capabilities to manage the PNL (view, add, delete, and edit PNL entries) in order to be able to check and increase the security of Wi-Fi clients. Besides that, the PNL management capabilities should also allow the user (or security administrators) to easily define the connection priority order when multiple known Wi-Fi networks are available, plus allow defining if the client should automatically connect to known Wi-Fi networks, being able to disable or configure that behavior per network individually. Additionally, it would be very interesting for mobile vendors not to force the user to have to enable the Wi-Fi interface in order to be able to manage the PNL (and change or configure other Wi-Fi settings), as the device might temporarily be exposed unnecessarily until a secure Wi-Fi setup is completed.

iOS mobile devices allow to easily add entries to the hidden PNL: every time you connect to a new network. However, the user cannot remove entries from the hidden PNL unless the Wi-Fi network is in range. Only if the user is in the area of coverage of the original Wi-Fi network, by selecting the blue arrow button available at the right of the network name, the "Forget this network" option will be available, which allows removing the network from the hidden PNL... WTF! (Without Traveling Faraway... where the original network is really available).

Trying to overcome this limitation in iOS devices, we thought about developing an iOS app (mobile application) to be able to manage the PNL. However, as you can see on slide 12 of my RootedCON 2013 presentation, for non-jailbroken devices there is no iOS SDK public API (or library) that allows accessing the PNL. Therefore, iStupid is NOT an iOS app :( Please, do not confuse the iStupid security tool (Python-based) with the iStupid app (entertainment) available on the Apple Store since 2010.

As a result, the other alternative I came up with was to develop iStupid, indescreet SSID tool (for the) unknown PNL (on) iOS devices, a Python-based tool (for Linux) available in Taddong's lab starting today (v1.0). It generates Wi-Fi (802.11) beacons frames for one or multiple SSID's, so that a previously known Wi-Fi network is available here and now and, thus, can be easily removed from the hidden PNL of iOS mobile devices. The tool provides multiple configuration options for the advanced user (check the help with "iStupid -h"), such as selecting the Wi-Fi network SSID, channel, BSSID, beacon interval, 802.11 rates, security settings (Open, WEP, WPA(2)-Personal & WPA(2)-Enterprise), and much more. Future versions of the tool might include an option to perform dictionary and brute force Wi-Fi network impersonation on the SSID, and potentially, support for other operating systems, such as Mac OS X (as there are lots of iOS mobile device owners that are Mac OS X users).

Mobile devices perform network identification, that is, they consider a currently available Wi-Fi network to be the same as a previously known Wi-Fi network, based on two factors: the SSID (or network name) and the Wi-Fi network security type.

During my initial testing I discovered that for iOS mobile devices it is not relevant if the network is based on WPA or WPA2, or if it uses TKIP or AES-CCMP. iOS allows the user to remove a WPA2 network from the PNL even if it appears as WPA, and viceversa.

The version I showed at RootedCON (v0.9) has been slightly improved by version 1.0 with additional capabilities that are detailed in the two upcoming Taddong's blog posts: "iStupid: Setup & Basic Usage", and "iStupid: Advanced Usage".

NOTE: I'm wondering if the recently published press release covering this PNL disclosure issue on modern mobile devices will finally help to motivate vendors to fix it? Am I holding my breath? No.