Educause Security Discussion mailing list archives
Re: Apple wifi implementation flaw
From: Brian Helman <bhelman () SALEMSTATE EDU>
Date: Thu, 29 Mar 2012 15:17:05 +0000
That's a good point. Another suggestion that I may test - if you simply shut off your wireless and then re-enable it, does it flush that information? Since we know wireless network information is retained in the configuration, I don't have high hopes that this can be resolved so easily. -Brian From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeffrey Schiller Sent: Thursday, March 29, 2012 11:15 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Apple wifi implementation flaw An interesting test to do is to see if this behavior persists beyond the DHCP lease lifetime given by the home router. I know many home routers are configured to give out leases of a day or more. From my standpoint it is reasonable for a device to attempt to see if it is still "home" if the lease is still valid. It would also be interesting to know if someone can mitigate their risk by cranking down their DHCP lease time on their home equipment... -Jeff On Thu, Mar 29, 2012 at 11:11 AM, Brian Helman <bhelman () salemstate edu<mailto:bhelman () salemstate edu>> wrote: Roger, I'm happy to be picked on in this situation. When I sent this to my internal distribution, I said "I don't send these out often, and when I do they are usually just 'interesting'. But this flaw has the potential to be abused with almost no technical knowledge." So, while I couldn't classify this as Zero Day, I think do think it is worth knowing about.
From a technical standpoint, this is sloppy on Apple's part. I wouldn't have reposted it had it not come from an extremely reliable technical site (we're not talking about Fox News here). Beside, "OMG the sky is falling" is what security is all about =)
-Brian From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>] On Behalf Of Roger A Safian Sent: Thursday, March 29, 2012 11:03 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Apple wifi implementation flaw I don't want to get too far off track here, but, I am a little annoyed at what I view as the press presenting every computer security/privacy issue as "OMG the sky is falling...run for your lives". I'd really like to see a bit of moderation, and perhaps a reasonable assessment of the risk in these stories. It's that risk assessment piece where I think we can help. I'll pick a little on Brian, since he sent this out. Do we have any indication of widespread use of this technique? That's important for consumers, and should be mentioned, instead of the usual FUD. Oh, and in your Starbucks scenario, when you get to my house you'll find George Zimmerman is watching the place...he's got an itchy trigger finger. Just because I am out, does not mean the place is empty. Let's try to feed something other than FUD to the press. From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU]<mailto:[mailto:SECURITY () LISTSERV EDUCAUSE EDU]> On Behalf Of Brian Helman Sent: Thursday, March 29, 2012 9:45 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Apple wifi implementation flaw This exists in all Apple devices, not just iOS. I disagree, but not because I think it's a data security issue. I think it's a personal security issue. Think about it. You go into Starbucks and your iPhone/iPad broadcasts your home SSID. Someone sitting there grabs that information using FireSheep and cross-references against Google or WiGLE.net . Now they know your home address. And they know you're not there. -Brian From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU]<mailto:[mailto:SECURITY () LISTSERV EDUCAUSE EDU]> On Behalf Of Jeffrey Schiller Sent: Thursday, March 29, 2012 10:33 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Apple wifi implementation flaw Let me take a wild guess here. I vaguely recall that when the iPhone first came out it caused meltdowns on several different networks. My guess is that this behavior may be a change that Apple made to mitigate the problem (which was likely with the network itself). By the time Android came on the scene, these networks had been fixed so the mitigation wasn't needed. However the behavior was already in the iOS code base and stayed there. Personally I don't believe this is a particularly big deal. There are much worse privacy problems around. -Jeff -- _______________________________________________________________________ Jeffrey I. Schiller Information Services and Technology Massachusetts Institute of Technology 77 Massachusetts Avenue Room E17-110A Cambridge, MA 02139-4307 617.253.0161<tel:617.253.0161> - Voice jis () mit edu<mailto:jis () mit edu> http://jis.qyv.name _______________________________________________________________________ -- _______________________________________________________________________ Jeffrey I. Schiller Information Services and Technology Massachusetts Institute of Technology 77 Massachusetts Avenue Room E17-110A Cambridge, MA 02139-4307 617.253.0161 - Voice jis () mit edu<mailto:jis () mit edu> http://jis.qyv.name _______________________________________________________________________
Current thread:
- Apple wifi implementation flaw Brian Helman (Mar 29)
- Re: Apple wifi implementation flaw Jeffrey Schiller (Mar 29)
- Re: Apple wifi implementation flaw Brian Helman (Mar 29)
- Re: Apple wifi implementation flaw Roger A Safian (Mar 29)
- Re: Apple wifi implementation flaw Brian Helman (Mar 29)
- Re: Apple wifi implementation flaw Jeffrey Schiller (Mar 29)
- Re: Apple wifi implementation flaw Brian Helman (Mar 29)
- Re: Apple wifi implementation flaw Brian Helman (Mar 29)
- Re: Apple wifi implementation flaw Jeffrey Schiller (Mar 29)