On iPhone, beware of that AT&T Wi-Fi hot spot

Researcher finds that iPhones will hop on dubious Wi-Fi networks if they are named AT&T hot spots.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read
Samy Kamkar has created a program that can be used to intercept Google Maps on a hijacked iPhone. Samy Kamkar

A security researcher has discovered that any wireless network can pretend to be an AT&T Wi-Fi hot spot and thus lure unsuspecting iPhone users to an untrusted network connection.

Samy Kamkar, who created a worm that garnered him a million friends on MySpace overnight in 2005, said in an interview this week that he can hijack any iPhone within Wi-Fi range in what is often dubbed a "man-in-the-middle" attack because of the way the devices are configured to recognize AT&T Wi-Fi connections merely by the name "attwifi."

Typically, an iPhone will look for a specific MAC address--the unique identifier for the router--to verify that the wireless network is a device a user agreed to join previously, according to Kamkar. However, if the iPhone has previously connected to any one of the numerous free AT&T Wi-Fi hot spots (offered at virtually every Starbucks in the U.S., for example) the device will ignore what the MAC address says and simply connect to the network if it has "AT&T Wifi" attached, he said.

"The iPhone joins the network by name with no other form of authentication," he said.

Kamkar said he made this discovery recently when he was at a Starbucks and disconnected from the AT&T Wi-Fi network.

"I went into the settings to disconnect and the prompt was different from normal," he said. "I went home and had my computer pretend to be an AT&T hot spot just by the name and my iPhone continued to connect to it. I saw one or two other iPhones hop onto the network, too, going through my laptop computer. I could redirect them, steal credentials as they go to Web sites," among other stealth moves, if he had wanted to.

To prove that a hijack is possible, Kamkar wrote a program that displays messages and can make other modifications when someone is attempting to use the Google Maps program on an iPhone that has been intercepted. He will be releasing his hijacking program via his Twitter account: https://twitter.com/samykamkar.

Kamkar hasn't attempted the hijack on an iPod Touch, but plans to determine whether it has the same vulnerability.

iPhone users can protect themselves by disabling their Wi-Fi, or they can turn off the automatic joining of the AT&T Wi-Fi network, but only if the device is within range of an existing AT&T hot spot, Kamkar said.

Asked for comment an Apple spokeswoman said: "iPhone performs properly as a Wi-Fi device to automatically join known networks. Customers can also choose to select to 'Forget This Network' after using a hot spot so the iPhone doesn't join another network of the same name automatically."

Kamkar, an independent researcher based in Los Angeles, first made a name for himself by launching what was called the "Samy" worm on MySpace in order to see how quickly he could get friends on the social-networking site. The cross-site scripting (XSS) worm displayed the words "Samy is my hero" on a victim's profile and when others viewed the page they were infected.

He served three years of probation under a plea agreement reached in early 2007 for releasing the worm.