Site icon Sophos News

Update your iPhone to stop free Wi-Fi networks stealing your logins!

If you’re an Apple user, you should have been notified of the latest updates to iOS and OS X.

Official updates are available for the most recent three OS X versions via the App Store or as standalone installers:

You definitely want this OS X update, because of the security holes it fixes.

In the El Capitan update, for example, Apple has patched six bugs listed as “a local user may be able to execute arbitrary code with kernel privileges”, which means that any malware or other untrusted code that reached your Mac could have acquired unlimited powers – without popping up any password prompts.

Additionally, a libxslt bug that could be triggered via your browser is listed as “visiting a maliciously crafted website may lead to arbitrary code execution.”

It’s the usual story that remote code execution (RCE) and elevation of privilege (EoP) bugs should never be seen in isolation, because the two can be combined to provide total remote compromise.

But that’s not what this article is really about!

The most interesting bug of the lot is this one, fixed in the iOS 9.2.1 update:

WEBSHEET

Available for: iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later

Impact: A malicious captive portal may be able to access 
the user's cookies

Description: An issue existed that allowed some captive 
portals to read or write cookies. The issue was addressed 
through an isolated cookie store for all captive portals.

CVE-2016-1730 : Adi Sharabani and Yair Amit of SKYCURE

The Skycure researchers have now described the hole they found, and it’s both interesting and important at the same time.

CAPTIVE PORTALS

You know how your iPhone tries to detect when a Wi-Fi hotspot is trying to redirect you to a login page, known as a “captive portal”, and then displays the captive portal in a special pop-over browser window?

Greatly simplified, iOS does this by fetching the URL…

http://www.apple.com/library/test/success.html

…and waiting for the captive portal to redirect the request to its own sign-up page.

Usually, instead of seeing Apple’s real “success.html” page, which just contains one word, Success, you see the login page served up by the captive portal.

That page is whatever mix of HTML, stylesheets, JavaScript, images and so forth that the hotspot provider wishes to present.

This means you can interact with the captive portal, including signing up and agreeing to terms and conditions if necessary, in order to deactivate the captive portal and activate regular access to the internet.

SHARED COOKIES

The Skycure researchers noticed that iOS incorrectly shared web cookies already set in mobile Safari with the captive portal page, as well as sharing new cookies set in the captive portal back with mobile Safari.

That could allow a malicious captive portal to pull off numerous tricks:

A LONG FIX

Believe it or not, Skycure states that “we reported this issue to Apple on June 3, 2013. This is the longest it has taken Apple to fix a security issue reported by us.”

Given the potential severity of this bug, it’s to Skycure’s credit that the company kept faith with Apple and didn’t go public until the fix was finally ready:

It is important to note that the fix was more complicated than one would imagine. However, as always, Apple was very receptive and responsive to ensure the security of iOS users.

And, in conclusion, Skycure notes:

Starting with iOS 9.2.1, iOS employs an isolated Cookie Store for all Captive Portals. As with almost any update for iOS, we recommend users and organizations upgrade to the latest iOS version promptly.

We agree – head to Settings | General | Software Update to make sure you’re patched.

Patch early, patch often!

Image of iPhone and Wi-fi logo courtesy of Shutterstock.

Exit mobile version