> More concretely, the Wi-Fi vulnerabilities presented in this research affect many devices in the Android ecosystem. For example, two of the vulnerabilities (#1, #2) affect most of Samsung’s flagship devices, including the Galaxy S8, Galaxy S7 Edge and Galaxy S7. Of the two, one vulnerability is also known to affect Google devices such as the Nexus 6P, and some models of Chromebooks. As for Apple’s ecosystem, while this research deals primarily with iPhones, other devices including Apple TV and iWatch are similarly affected ...
> We’d also like to note that until hardware host isolation mechanisms are implemented across the Android ecosystem, every exploitable Wi-Fi firmware vulnerability directly results in complete host takeover. In our previous research we identified the lack of host isolation mechanisms on two of the most prominent SoC platforms; Qualcomm’s Snapdragon 810 and Samsung’s Exynos 8890. We are not aware of any advances in this regard, as of yet.
So this is off topic, but does anyone else hate that swiping left/right in blogger navigates to other blog articles? I don’t know how often people use that for real — I’m almost always directly linked to just one article in particular. But what’s worse is that it’s so sensitive without enough visual confirmation and ability to stop it. I find it naturally happens while scrolling on my iPhone without any intention, and then I lose my place and have no idea where I ended up. Just feels like a gigantic amount of UX flaws for a purpose that’s likely rarely used.
Yes, it's the most annoying thing I've seen on the web since <marquee>. Scrolling long fragments of code always takes me to another page when I'm reading. Who thought it was a good idea?!
The iOS 11 leaving the Wi-Fi on but unassociated creates a privacy vulnerability because the chipset will broadcast all of its known SSIDs. Plus, whatever vulnerabilities remain in the chipset. This is terrible. When Wi-Fi is "off" it should be off.
Ugh!!! For those who aren't aware, see "Wi-Fi told me everything about you" [1].
So what's the workaround? I have to go into Settings and turn it off there? Will that actually turn it off? We've already established that turning off wifi on Android may or may not actually turn it off [2].
Yes, turning it off in Control Center means it will not join new networks. In Settings, it actually explains this below the still-on Wi-Fi switch, which you can turn off.
When wifi is on it will look for an AP just like everything else does, and when it is off it does not broadcast at all. How difficult is this for you to understand? If you are talking about the control center 'disconnect from current wifi' option, well, get over it. Being unassociated with an AP is NOT the same as being turned off, and it never has been.
The point is, when I want to turn Wifi off, and use the common UI to do so, it should be off - and not just "in a state where it won't associate with APs" .. this is Apple treating their users like idiots and putting us all at risk as a result of it - and, you have to ask why they do this? The reason is so that they can still harvest data while you're not associated with the AP - covertly, even - so that their location accessory 'feature' gets more data points..
From Apple directly:
"For the best experience on your iOS device, try to keep Wi-Fi and Bluetooth turned on."
The reason is because Apple are using WiFi for purposes other than those of the average user - data harvesting.
WTF is 'common UI' even supposed to mean in this context? Apple is not treating their users like idiots, they are doing what the users usually want when they flip wireless settings via the control center. This may differ from what you expect, but I am sure you will eventually get over it. The number of people who used the control center to flip wifi/bluetooth for privacy purposes is so vanishingly small as to be a null set, especially when compared to the number of people who simply use the toggle to disconnect from a mediocre wifi connection so that they can use cellular data instead.
Yes. Changing privacy and security-implication behavior around without good cause for edge-case "usability" is silly.
What happens, if say, a Syrian is killed by their government because they were able to use their gossiping device to locate them? All that iOS 11 privacy work becomes moot if there's a SIGINT fail.
Google promises 3 years only if you buy the device on release day. Our Nexus device at the office got ~18 months.
But yep, the mid/low end devices are often basically abandoned soon after release, or get 1-2 midlife updates so that December OTA has April's security patch level etc.
Or those smart enough to root their device to run a "post market OS" such as LineageOS or postmarketOS. Though the caveat of rooting your device could arguably be less security.
I wouldn't expect any 'normal' user to go through any of this. This is for Android enthusiasts that can get access to good hardware on the cheap and run the latest software.
It isn't at all ideal; it is a hack around the problem of terrible software support in the embedded computer industry. Once you've got LineageOS on your phone, you can use OTA updates.
I know, and I very much dislike that as well. That is one of the reasons why I got a Fairphone 2, with long term support.
I also bought a Xiaomi for my partner (cause the FP2 would be an old SoC for the same price it cost 2 years ago) with specs which otherwise would've cost us more than double. I expect the device to last 1,5 years. Hopefully by that time the FP3 is on the horizon.
Yeah but knowing Samsung no phones will get the fixes besides the current flagship and MAYBE the previous one, all too expensive for most people in 2nd world.
And yet the standard advice when anyone buys a Windows computer is to wipe it and install a fresh copy directly from Microsoft to remove all the crap your OEM put on it.
Is it really so strange that the advice for older phones would be similar?
It'll still be vulnerable to a degree then. Android itself will have patches, but the SoC won't because Lineage don't have source code for that, only the binary blobs.
Don't get me wrong, Lineage is great, but fully secure it isn't.
According to Apple, 11.0.1 contains the same security content as 11. I think Apple sent a second email to their product security mailing list to add these vulnerabilities.
The bug is fixed precisely because of the research in the article, coupled with responsible disclosure and Apple's ability and willingness to fix it. It's not clickbait, it's the system working well.
> In the next blog post, we’ll use our firmware debugger in order to continue our exploration of the Wi-Fi chip present on the iPhone 7. We’ll perform a deep dive into the firmware, discover multiple vulnerabilities and develop an over-the-air exploit for one of them, allowing us to gain full control over the Wi-Fi SoC.
ahhh cliffhanger! Looking forward to the next post!
"Lastly, we require complete control over all aspects of our Wi-Fi router."
Perhaps this is something users of Apple's WiFi-only/Ethernet-deficient devices might want.
He provides a useful hint on how to construct a router that allows complete control, utilizing a general purpose computer and two AR9271-driven USB WiFi adapters.
AFAIK this driver is available for both Linux and BSD.
"In my own lab setup, the role of the Wi-Fi router is fulfilled by my ThinkPad laptop, running Ubuntu 16.04. I've connected two SoftMAC TL-WN722N dongles, one for each interface (internal and external). The internal network's access-point is broadcast using hostapd, and the external interface connects to the internet using wpa_supplicant."
"Note that it's imperative that the dongle used to broadcast the internal network's access-point is a SoftMAC device (and not FullMAC) -- this will ensure that the MLME and MAC layers are processed by the host's software (i.e., by the Linux Kernel and hostapd), allowing us to easily control the data transmitted over those layers."
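The quoted lab setup (hostapd broadcasting the internal access point on a SoftMAC dongle, wpa_supplicant joining the upstream network on a second dongle), as an added example that is not part of the comment or of the original blog post: a shell script that checks the AP dongle's driver is mac80211-based (the SoftMAC property the quote insists on), writes the two configuration files, and wires the two interfaces together with DHCP and NAT. The interface names wlan0/wlan1, the 192.168.50.0/24 lab subnet, and the SSIDs and passphrases are assumed placeholders; the driver check is a heuristic, not something the blog describes.

```shell
#!/bin/sh
# Added example, not the blog author's script: a two-dongle lab router in the
# spirit of the quoted setup. Assumes the internal (AP) dongle is wlan0 and the
# external (uplink) dongle is wlan1; SSIDs and passphrases are placeholders.
set -eu

AP_IF="${AP_IF:-wlan0}"          # SoftMAC dongle that broadcasts the lab AP
UPLINK_IF="${UPLINK_IF:-wlan1}"  # dongle that joins the real network for internet
AP_NET="192.168.50"              # constructed lab subnet

# Heuristic SoftMAC check: mac80211 drivers (e.g. ath9k_htc for the AR9271-based
# TL-WN722N) list mac80211 among their module dependencies, whereas FullMAC
# drivers depend on cfg80211 only. Returns 0 if the driver looks like SoftMAC.
is_softmac() {
    drv=$(ethtool -i "$1" 2>/dev/null | awk '/^driver:/ {print $2}')
    [ -n "$drv" ] || return 1
    modinfo -F depends "$drv" 2>/dev/null | tr ',' '\n' | grep -qx mac80211
}

# hostapd configuration for the internal network. Arguments: interface, output path.
write_hostapd_conf() {
    cat > "$2" <<EOF
interface=$1
driver=nl80211
ssid=lab-internal
hw_mode=g
channel=6
ieee80211n=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=lab-passphrase-change-me
rsn_pairwise=CCMP
EOF
}

# wpa_supplicant configuration for the uplink. Argument: output path.
write_wpa_conf() {
    cat > "$1" <<EOF
ctrl_interface=/run/wpa_supplicant
network={
    ssid="upstream-network"
    psk="upstream-passphrase-change-me"
}
EOF
}

router_up() {
    if ! is_softmac "$AP_IF"; then
        echo "$AP_IF does not look like a SoftMAC (mac80211) device; refusing" >&2
        return 1
    fi
    write_hostapd_conf "$AP_IF" /tmp/lab-hostapd.conf
    write_wpa_conf /tmp/lab-wpa.conf

    # Uplink: associate with wpa_supplicant, then get an address via DHCP.
    wpa_supplicant -B -i "$UPLINK_IF" -c /tmp/lab-wpa.conf
    dhclient "$UPLINK_IF"

    # Internal side: static gateway address, DHCP for clients, NAT to the uplink.
    ip addr replace "$AP_NET.1/24" dev "$AP_IF"
    ip link set "$AP_IF" up
    dnsmasq --interface="$AP_IF" --dhcp-range="$AP_NET.10,$AP_NET.100,12h"
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -o "$UPLINK_IF" -j MASQUERADE
    iptables -A FORWARD -i "$AP_IF" -o "$UPLINK_IF" -j ACCEPT
    iptables -A FORWARD -i "$UPLINK_IF" -o "$AP_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    hostapd -B /tmp/lab-hostapd.conf
}

# Run `sh router.sh up` as root to bring the router up; sourcing the file only
# defines the functions so the configuration writers can be inspected or reused.
if [ "${1:-}" = "up" ]; then
    router_up
fi
```

Because every frame on the internal side passes through the host kernel's mac80211 and hostapd, the same machine can run a monitor-mode capture or inject modified management frames toward a device under test, which is what the "complete control" requirement in the quote is about; with a FullMAC dongle the MLME would live in the dongle's own firmware and be out of reach.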
> As for Apple’s ecosystem, while this research deals primarily with iPhones, other devices including Apple TV and iWatch are similarly affected by our findings.
The "correct" name for it is Apple Watch, just FYI.
Or "[Apple logo]Watch", in all their marketing materials. Which seems to have been transcribed as "AppleWatch" in the official closed captioning of the latest Apple keynote.
Meh, iWatch and iMessage are surefire ways to get people to think of the right product. Technically incorrect terms, but they'll get the message right.
The service is iMessage, but the client is "Messages" on both iOS and macOS. The client was previously called "iMessage", leading people to assume that the marque "iMessage" is no longer part of Apple's branding. But no; extensions you install inside Messages are still called "iMessage extensions", and so forth.
Actually, both clients have been named “Messages” as long as they’ve supported iMessage.
The iOS client has been “Messages” since iPhone OS 3.0; before that it was called “Text” and had “SMS” written inside the chat bubble in the icon. iMessage wasn’t introduced until iOS 5.0.
The macOS client was originally “iChat”, then “iChat AV”, then “iChat” again; in this era it supported multiple protocols including AIM and Jabber. In OS X 10.8, the client was renamed to “Messages” and gained iMessage support in addition to the older protocols. Support for the older protocols was removed in the just-released macOS 10.13.
Oh… you're right. During the betas, sending messages through Google Talk gave me an error [1], and I removed the account. But I guess it's still supposed to work, at least in the release version.
[1] With a delightful/odd error message: "The targeted service Potato has been discontinued".
Yeah. I think it's perfectly correct to still refer to it as "iMessage". While the client anyone is using is likely just called "Messages", it specifically uses what is referred to as "iMessage", among other possible ways (e.g. SMS, or Jabber on macOS).
Exactly. Project zero consists of some of the best security experts in the world. They also strictly practice responsible disclosure. I can't imagine why anybody would be mad to get such a great review and test for free, from such a great team.
Project Zero discloses the vulnerabilities to those affected 90 days before releasing to the public. It's probable that Apple was notified and patched this because of Project Zero. Once it's been patched or 90 days are up, then Project Zero discloses to the public.
> Sounds like the corporation's problem, willingly ignoring security updates.
A properly vetted update requires both compatibility testing and security testing. It would be irresponsible to push an OS update without verifying that it will not damage productivity or bring down defenses.
Businesses that provide or allow iOS devices need to be ready when new OSes are released to the public, which can easily be done since Apple offers regularly-updated betas for months in advance. This is particularly important because even managed devices cannot be prevented from upgrading to new OSes unless all traffic is routed through controlled networks that block access to Apple update servers.
At least Apple has a simple way to disable Wifi right from the control center. Oh wait, they removed that in iOS 11. Now clicking the Wifi icon doesn't actually turn off Wifi. I guess no one will ever find similar issues w/that release </sarcasm>
Not really. This controversy is similar to people complaining about the loss of PC power buttons in 1997.
The previous behavior was turning off the radio, which is often not the intent of the user. They replaced it with turning off joining networks, which is more often user intent.
With the proliferation of personal connected devices like smart watches and cars, and point to point WiFi services like airdrop, users often want or need to have the radio on to utilize those services. At the same time, users may not want to join WiFi networks due to poor performance (i.e. one-bar WiFi), ineligibility for use (I’m at a Hilton for a conference, but am not eligible for free WiFi because I’m not staying there), or some other reason.
The previous behavior also duplicated the behavior of the “airplane mode” button in some scenarios.
IMO the iOS 11 behavior adds value in most cases and has two easy workarounds (airplane mode or system preferences) for people who want the radio off.
The new behavior is fine. The problem is that they changed the behavior without changing the UI to show what it was doing, and didn't really tell anybody about the change. (A support article doesn't count. People don't read those things.)
I'd be a lot happier with the new behavior if the icons indicated it somehow. If they really wanted to go crazy, they could label the damned things!
Arguably the icons in Control Centre do reflect that. The WiFi icon has three states - blue (on), grey (not connected) and with a strike-through (totally off). However you use airplane mode to activate the latter, not the toggle.
I'm with you; I mean "really turn this all the way off" when I turn off WiFi or Bluetooth.
But if you read between the lines, I think what happened here is that Apple did some analysis of their support database and figured out that a huge number of support issues came down to WiFi or Bluetooth being turned off. Like, if someone doesn't really understand how AirDrop works (probably most iPhone users, honestly) and they try to use it with WiFi turned off. Or if they turn off Bluetooth because they heard it was a security issue, then their phone doesn't connect to their car the way it should.
The reality is that most iPhone users don't really understand all this stuff, and so don't fully appreciate the tradeoffs of having WiFi and Bluetooth turned off.
It's a bit more inconvenient, but at least we can still use Settings to really actually turn them off.
I want to turn Wifi OFF because I want it off - I don't want to use Wifi, and therefore I don't want the Wifi using my battery life, and I also don't want any chance of Wifi broadcasting/receiving anything when I want it off.
This is just Apple treating their users like idiots. They're leaving the Wifi powered on for their own nefarious purposes - such as harvesting more Wifi SSIDs when the user doesn't expect it, and using that harvested info to improve Location accuracy - also when the user is unaware that it's happening, unless they dig deep, deep into the SysPrefs ..
From Apple: "For the best experience on your iOS device, try to keep Wi-Fi and Bluetooth turned on."
This is newspeak for "we need you to leave Wifi on so we can continue to harvest the SSIDs of the networks around you, save the data, and report it later to improve our Location accuracy database" ..
Read it again. The Wi-fi button in Control Center disables wi-fi communication with access points and other devices (with the exception of special iCloud crap like Handoff and whatnot). It further states you can still hard shut off Wi-fi and Bluetooth by flipping the switch in the Settings app.
Does it make a whole lot of sense? No. Has Apple removed the ability to "truly" shut these wireless interfaces off? No.
Google is using their security research as a marketing weapon against Apple. From the article itself, Android is arguably more vulnerable as measured by percent of users running a device whose OEM has not distributed an update.
Anything iPhone 5 or lower will not - 10.3.3 fixed one of the issues, but 2 more exist.
I do wish they would at least put out a 10.3.4 to fix the security issues, but I understand not putting the resources into a phone from 2012; I'm happy to at least have gotten 10.3.3 considering my Nexus 5 stopped getting updates last year and it was released in 2013.
> but I understand not putting the resources into a phone from 2012
I don't, but I have more sympathy for a company who quit supporting a phone from 2012 than a hypothetical [1] company who quit supporting a phone from 2015.
[1] Though certainly a plethora of examples would fit here.
It also includes the 5c, which was launched in 2013. The 8 gig version of it was sold by Apple as the budget option until September of 2015, a mere two years ago. Some retailers still carry them to this day.