Re: Apple wifi implementation flaw

[Brian Helman <bhelman () SALEMSTATE EDU>]

That's a good point.  Another suggestion that I may test - if you simply shut off your wireless and then re-enable it, 
does it flush that information?  Since we know wireless network information is retained in the configuration, I don't 
have high hopes that this can be resolved so easily.

-Brian

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeffrey 
Schiller
Sent: Thursday, March 29, 2012 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Apple wifi implementation flaw

An interesting test to do is to see if this behavior persists beyond the DHCP lease lifetime given by the home router. 
I know many home routers are configured to give out leases of a day or more. From my standpoint it is reasonable for a 
device to attempt to see if it is still "home" if the lease is still valid. It would also be interesting to know if 
someone can mitigate their risk by cranking down their DHCP lease time on their home equipment...

                        -Jeff

On Thu, Mar 29, 2012 at 11:11 AM, Brian Helman <bhelman () salemstate edu<mailto:bhelman () salemstate edu>> wrote:
Roger,

I'm happy to be picked on in this situation.  When I sent this to my internal distribution, I said "I don't send these 
out often, and when I do they are usually just 'interesting'.  But this flaw has the potential to be abused with almost 
no technical knowledge."  So, while I couldn't classify this as Zero Day, I think do think it is worth knowing about.

> From a technical standpoint, this is sloppy on Apple's part.  I wouldn't have reposted it had it not come from an 
> extremely reliable technical site (we're not talking about Fox News here).  Beside, "OMG the sky is falling" is what 
> security is all about =)

-Brian

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>] On Behalf Of Roger A Safian
Sent: Thursday, March 29, 2012 11:03 AM

To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Apple wifi implementation flaw


I don't want to get too far off track here, but, I am a little annoyed at what I view as the press presenting every 
computer security/privacy issue as "OMG the sky is falling...run for your lives".  I'd really like to see a bit of 
moderation, and perhaps a reasonable assessment of the risk in these stories.  It's that risk assessment piece where I 
think we can help.  I'll pick a little on Brian, since he sent this out.  Do we have any indication of widespread use 
of this technique?  That's important for consumers, and should be mentioned, instead of the usual FUD.  Oh, and in your 
Starbucks scenario, when you get to my house you'll find George Zimmerman is watching the place...he's got an itchy 
trigger finger.  Just because I am out, does not mean the place is empty.  Let's try to feed something other than FUD 
to the press.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE 
EDU]<mailto:[mailto:SECURITY () LISTSERV EDUCAUSE EDU]> On Behalf Of Brian Helman
Sent: Thursday, March 29, 2012 9:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Apple wifi implementation flaw

This exists in all Apple devices, not just iOS.

I disagree, but not because I think it's a data security issue.  I think it's a personal security issue.  Think about 
it.  You go into Starbucks and your iPhone/iPad broadcasts your home SSID.  Someone sitting there grabs that 
information using FireSheep and cross-references against Google or WiGLE.net .  Now they know your home address.  And 
they know you're not there.

-Brian

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE 
EDU]<mailto:[mailto:SECURITY () LISTSERV EDUCAUSE EDU]> On Behalf Of Jeffrey Schiller
Sent: Thursday, March 29, 2012 10:33 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Apple wifi implementation flaw

Let me take a wild guess here. I vaguely recall that when the iPhone first came out it caused meltdowns on several 
different networks. My guess is that this behavior may be a change that Apple made to mitigate the problem (which was 
likely with the network itself). By the time Android came on the scene, these networks had been fixed so the mitigation 
wasn't needed. However the behavior was already in the iOS code base and stayed there.

Personally I don't believe this is a particularly big deal. There are much worse privacy problems around.

                        -Jeff

--
_______________________________________________________________________
Jeffrey I. Schiller
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room E17-110A
Cambridge, MA 02139-4307
617.253.0161<tel:617.253.0161> - Voice
jis () mit edu<mailto:jis () mit edu>
http://jis.qyv.name
_______________________________________________________________________





--
_______________________________________________________________________
Jeffrey I. Schiller
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room E17-110A
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis () mit edu<mailto:jis () mit edu>
http://jis.qyv.name
_______________________________________________________________________