Friday, May 31, 2013


One of the tools I demonstrated during the last RootedCON 2013 conference in Madrid, as part of my "Wi-Fi: Why iOS (Android, and others) Fail inexplicably?" talk, was iStupid: indescreet SSID tool (for the) unknown PNL (on) iOS devices. Apple mobile devices based on iOS (such as the iPhone, iPad or iPad mini, and iPod Touch) do not provide any capability to manage their Wi-Fi Preferred Network List (PNL). This deficiency is something I talked about in my "Wi-Fi (In)Security - All Your Air Are Belong To..." presentation in 2010, almost three years ago (going back to iOS 2.x, 3.x, 4.x...), and the situation has not changed :(

Unfortunately, the existence of other vulnerabilities where mobile devices disclose their PNL over the air (specifically TAD-2013-001 for iOS devices; see note below) makes it mandatory to have capabilities to manage the PNL (view, add, delete, and edit PNL entries) in order to check and increase the security of Wi-Fi clients. Besides that, the PNL management capabilities should also allow the user (or security administrators) to easily define the connection priority order when multiple known Wi-Fi networks are available, and to define whether the client should automatically connect to known Wi-Fi networks, with the ability to disable or configure that behavior for each network individually. Additionally, it would be very desirable that mobile vendors not force the user to enable the Wi-Fi interface in order to manage the PNL (or change and configure other Wi-Fi settings), as the device might otherwise be temporarily and unnecessarily exposed until a secure Wi-Fi setup is completed.

iOS mobile devices make it easy to add entries to the hidden PNL: it happens every time you connect to a new network. However, the user cannot remove entries from the hidden PNL unless the Wi-Fi network is in range. Only if the user is within the coverage area of the original Wi-Fi network, by selecting the blue arrow button at the right of the network name, does the "Forget this network" option become available, which allows removing the network from the hidden PNL... WTF! (Without Traveling Faraway... to where the original network is really available).

Trying to overcome this limitation in iOS devices, we thought about developing an iOS app (mobile application) to manage the PNL. However, as you can see on slide 12 of my RootedCON 2013 presentation, for non-jailbroken devices there is no public iOS SDK API (or library) that allows access to the PNL. Therefore, iStupid is NOT an iOS app :( Please do not confuse the iStupid security tool (Python-based) with the iStupid app (entertainment) available on the Apple Store since 2010.

As a result, the other alternative I came up with was to develop iStupid, indescreet SSID tool (for the) unknown PNL (on) iOS devices, a Python-based tool (for Linux) available in Taddong's lab starting today (v1.0). It generates Wi-Fi (802.11) beacon frames for one or multiple SSIDs, so that a previously known Wi-Fi network appears to be available here and now and, thus, can be easily removed from the hidden PNL of iOS mobile devices. The tool provides multiple configuration options for the advanced user (check the help with "iStupid -h"), such as selecting the Wi-Fi network SSID, channel, BSSID, beacon interval, 802.11 rates, security settings (Open, WEP, WPA(2)-Personal & WPA(2)-Enterprise), and much more. Future versions of the tool might include an option to perform dictionary and brute force Wi-Fi network impersonation on the SSID and, potentially, support for other operating systems, such as Mac OS X (as many iOS mobile device owners are Mac OS X users).

Mobile devices perform network identification, that is, they consider a currently available Wi-Fi network to be the same as a previously known Wi-Fi network, based on two factors: the SSID (or network name) and the Wi-Fi network security type.

During my initial testing I discovered that for iOS mobile devices it is not relevant whether the network is based on WPA or WPA2, or whether it uses TKIP or AES-CCMP. iOS allows the user to remove a WPA2 network from the PNL even if it appears as WPA, and vice versa.
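As an added example (this is not iStupid's own code, which is not on this page), the following Python builds the body of an 802.11 beacon frame for a given SSID, channel and security type, and then classifies it the way the network identification described above works, by SSID plus security type; pnl_match applies the WPA/WPA2 equivalence observed for iOS. It only constructs and parses bytes and transmits nothing; the SSID "Taddong" and channel 6 used in the test are constructed sample values, and the security labels 'Open', 'WEP', 'WPA-Personal', 'WPA-Enterprise', 'WPA2-Personal' and 'WPA2-Enterprise' are this example's own naming.

```python
import struct

IE_SSID, IE_RATES, IE_DS, IE_RSN, IE_VENDOR = 0, 1, 3, 48, 221
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010
RSN_OUI, WPA_OUI = b'\x00\x0f\xac', b'\x00\x50\xf2'   # IEEE 802.11 and Microsoft OUIs
AKM = {1: 'Enterprise', 2: 'Personal'}                 # 802.1X vs. PSK suite selectors

def ie(tag, body):
    return bytes([tag, len(body)]) + body
def suites(oui, cipher, akm):
    """Group cipher, one pairwise cipher and one AKM suite (each OUI + selector byte)."""
    one = struct.pack('<H', 1)
    return oui + bytes([cipher]) + one + oui + bytes([cipher]) + one + oui + bytes([akm])

def build_beacon_body(ssid, channel, security, interval=100):
    """Beacon body (everything after the 24-byte MAC header) for one SSID/channel/security."""
    cap = CAP_ESS | (CAP_PRIVACY if security != 'Open' else 0)
    body = struct.pack('<QHH', 0, interval, cap)      # timestamp, beacon interval (TU), capability
    body += ie(IE_SSID, ssid.encode()) + ie(IE_RATES, bytes([0x82, 0x84, 0x8b, 0x96]))
    body += ie(IE_DS, bytes([channel]))
    akm = 2 if security.endswith('Personal') else 1
    if security.startswith('WPA2'):    # RSN IE: version, cipher/AKM suites, RSN capabilities
        body += ie(IE_RSN, struct.pack('<H', 1) + suites(RSN_OUI, 4, akm) + struct.pack('<H', 0))
    elif security.startswith('WPA'):   # WPA1 is carried in a Microsoft vendor IE (type 1)
        body += ie(IE_VENDOR, WPA_OUI + b'\x01' + struct.pack('<H', 1) + suites(WPA_OUI, 2, akm))
    return body

def akm_kind(suite_body):
    # suite_body starts at the version field: skip the group cipher and the pairwise suite list
    pairwise = struct.unpack_from('<H', suite_body, 6)[0]
    return AKM.get(suite_body[8 + 4 * pairwise + 2 + 3], 'Unknown')

def identify(body):
    """Return (ssid, security) the way a client classifies a beacon for its PNL lookup."""
    cap = struct.unpack_from('<H', body, 10)[0]
    ies, off = {}, 12
    while off + 2 <= len(body):
        tag, value = body[off], body[off + 2:off + 2 + body[off + 1]]
        off += 2 + body[off + 1]
        if tag == IE_VENDOR and value[:4] == WPA_OUI + b'\x01':
            ies['wpa'] = value[4:]
        elif tag != IE_VENDOR:
            ies[tag] = value
    ssid = ies.get(IE_SSID, b'').decode('utf-8', 'replace')
    if not cap & CAP_PRIVACY:
        return ssid, 'Open'
    if IE_RSN in ies:
        return ssid, 'WPA2-' + akm_kind(ies[IE_RSN])
    return ssid, ('WPA-' + akm_kind(ies['wpa'])) if 'wpa' in ies else 'WEP'

def pnl_match(known, seen):
    """iOS matches on SSID plus security family; WPA and WPA2 (TKIP or CCMP) count as the same."""
    return known[0] == seen[0] and known[1].replace('WPA2', 'WPA') == seen[1].replace('WPA2', 'WPA')
```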

The version I showed at RootedCON (v0.9) has been slightly improved in version 1.0 with additional capabilities that are detailed in two upcoming Taddong blog posts: "iStupid: Setup & Basic Usage" and "iStupid: Advanced Usage".

NOTE: I'm wondering if the recently published press release covering this PNL disclosure issue on modern mobile devices will finally help to motivate vendors to fix it? Am I holding my breath? No.
