Apple has fixed its dangerous and embarrassing Wi-Fi issue. iOS 14.7 has added “improved checks,” Apple says, to prevent its devices “joining a malicious Wi-Fi network [that] may end in a denial of service or arbitrary code execution.” But be warned, iOS 14.7 doesn’t cause you to safe from Wi-Fi attacks. faraway from it.
Apple’s devices are generally safer and safer than the alternatives. Generally. But that does not mean your iPhone, iPad, and Mac are secure. we have seen many iPhone vulnerabilities patched in recent months with emergency fixes, and just in the week, we saw a stark warning about “ very malicious “ malware now attacking Macs.
Apple’s recent Wi-Fi security issue was a crafted SSID bug, where the mixture of characters can trick the iPhone into processing the SSID as code, locking up its Wi-Fi function as a result. there is a debate on whether this might be wont to attack the device itself, but, either way, it is a specific vulnerability Apple has fixed in iOS 14.7.
We’ve seen similar issues before with so-called text bombs, where crafted text strings can overwhelm an Apple device, triggering unexpected behaviors. Those attacks usually require an easy reset, albeit we’ve seen examples where the text can never be processed in your chat history- which means deleting and reinstalling the messaging app. Pre the fix, the newest Wi-Fi issue also required a reset.
The risk from these bugs is that when you force a tool into an unusual state, you’ll often follow up with another exploit to attack the device, for instance, planting seemingly benign code that then downloads and installs nastier malware.
While the newest flaw was technical, you were only in danger if you left your Wi-Fi settings open. Absent that, you’d got to manually choose a Wi-Fi network with an odd name. you’ll have assumed you’d be unlikely to fall for such an attack, but many of you’ll still have your Wi-Fi settings dangerously open. And while this particular flaw aimed to trick your phone, most Wi-Fi attacks simply aim to trick you.
Connectivity attacks on mobile devices can have multiple purposes. the only is clearly just to intercept your traffic. that does not help where that traffic is encrypted-but it is often compromising with plain text and web queries. Sometimes a security agency won’t need the traffic, just a tool identifier and known location-which protesters turned up at this location on this date, or where was this lawyer at this time?
As an extension of this, we’ve seen examples where knocking individuals “off comms” is effective to an adversary at specific times. If I can crash a protest group’s WhatsApp accounts, I can frustrate their planning. Or if I can create a blackspot while making it seem as if devices are connected, I can keep those targets dark.
Other attacks specialize in planting malware on the device once it’s joined, perhaps engaging in some sort of UI with the device as a part of the network login process that really attacks the device itself, with no filtering in situ.
But where these risks involve Wi-Fi connectivity, it starts with one stupidly simple vulnerability that’s right there on your iPhone and one piece of sage advice that you simply must not ignore. Change the setting and follow the recommendation and you will not need to worry about being compromised this way.
Let’s start with the recommendation. Don’t use public Wi-Fi hotspots, and if you actually need to, confirm you employ a reputable VPN. It’s still as simple as that.
Sometimes a hotspot could be a malicious network with a generic name, “public free Wi-Fi” or similar. But bad actors also can mimic popular or specific SSIDs, the names of the hotel or restaurant or airport you’re in, for instance. “Criminals can conduct an ‘evil twin attack’ by creating their own malicious network with an identical name,” the FBI warns, you’ll then “mistakenly hook up with the criminal’s network instead.”
You shouldn’t join public Wi-Fi networks even manually, but you ought to absolutely, categorically, stop your phone auto-joining such networks without you even realizing which it’s very likely found out by default to try to do at the instant.
“I’d avoid auto-joining any public network,” security researcher Sean Wright has warned. “Since they’re public and open, it makes spoofing all of them too easy.” Your iPhone “sends out probes for hotspots it’s looking to attach to, so [an attacker] can stand-up hotspots with those SSIDs.” It takes nothing quite a telephone. “I was during a hotel lobby, I set up my ‘free’ hotspot and had five devices connect in minutes.”
Bad actors can mimic the precise name of a well-liked hotspot, tricking you into manually connecting even where auto-joining is disabled. Worse, they will mimic popular SSIDs, hoping you’ve used those networks before and your iPhone is about to hitch when it sees them. “I once saw a Starbucks and a Subway Wi-Fi access point, flying from Newark to Vegas at 35,000 feet,” Cyjax CISO Ian Thornton-Trump told me.
The easiest option is to stay cellular when you’re out and about when you’re far away from home or work or other known “friendly” locations. While it’s perfectly possible to spoof a cell network, that gets into the realm of specialist, expensive interception.
Protecting yourself is straightforward, though, and if you modify these settings, Wi-Fi issues like the foremost recent iPhone warning can’t compromise you.
In your iPhone’s settings, click on Wi-Fi then confirm that “Ask to hitch Networks” and “Auto-Join Hotspots” are both set to “Ask”/ “Ask to hitch .”
If you do not have multiple networks stored by your device beyond home and work, you’ll set “Ask to hitch Networks” to “Off” or “Notify” to avoid having to click once you are reception or work, on the other hand, you want to click on the blue-circled “i” next to the other networks you hook up with and disable auto-join. you should not auto-join your local coffee shop’s Wi-Fi, however convenient it may be.
As for this latest bug and resultant fix, Thornton-Trump features a broader warning. “I contend that this is often not a security problem,” he tells me. “I believe it’s legacy code from 5, 10, or 15 years ago which just can’t withstand the present generation of reverse engineering and malicious hacking… Vendors seem to be during a constant battle to secure and therefore the tempo of that battle has increased considerably.”
“Although this bug has been fixed,” agrees ESET’s Jake Moore, “like all exploits, the very nature of them means they continue to be unknown until they’re located, and thus, exercising caution to all or any connectivity must be administered. Public Wi-Fi is usually considered safe with the utilization of a VPN but this might not always protect you against rogue Wi-Fi, so it is vital to see first or persist with 4G/5G if unsure .”
Protecting yourself from most Wi-Fi compromises is as easy because of the steps above. Until such a time as hotspot certification and anti-spoofing becomes universal, the trade-off between security and convenience means you would like to remain cautious.
— -