[Full-disclosure] [TEHTRI-Security] Security and iPhone iOS 4.3 Personal Hotspot feature




Gents,

Here is a tiny mail dealing with the new feature of the iPhone 4 with
iOS 4.3, which turns it into a Wireless Hotspot in order to share your
3G session through a WLAN.

We wanted to share a quick geeky and security overview of this awesome
functionality.

Basically, we only found one tiny vulnerability, which is related to the
passphrase used to protect the wireless. And this can easily be patched
by Apple (maybe before the official update on March 11).

== Security Advisory: TEHTRI-SA-2010-036 ==

Platform: iPhone 4
Operating System: iOS 4.3 (8F190)
Application: com.apple.wifi.hostapd
Impact for customers: Low (?)

Description:

The new iPhone option called “Personal Hotspot” uses a passphrase to
protect the WPA2 Personal wireless hotspot created. A WPA PSK is derived
from this passphrase.

While processing those functions, the iPhone writes the passphrase in
clear text in the console of the iPhone device.

This area is readable by all local processes through the official Apple
API. Here is the list of things written in clear text through the
console: the Group Master Key, the Group Transient Key, the PSK, the
passphrase.

Example of clear text keys and passwords caught from an iOS 4.3 device:

<---
Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.357484:
PSK (ASCII passphrase) - hexdump_ascii(len=10):

Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 66 61 63 65 74
73 31 34 36 37 facets1467
--->

More explanations are available here:

http://blog.tehtri-security.com/2011/03/about-iphone-ios43-personal-hotspot.html

Happy update this week for lucky owners of iPhone / http://apple.com/ios

Best regards,

Laurent Oudot, CEO TEHTRI-Security
Web: http://www.tehtri-security.com
twt: @tehtris

Join us for more hacking tricks and 0days:

- Asia - April 2011 -> SyScan Singapore Conference
Training "Advanced PHP Hacking" ( http://www.syscan.org )

- Europe - May 2011 -> HITB Amsterdam Conference
Training "Hunting Web Attackers" ( http://conference.hitb.org )



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
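
An added example (not part of the original message, and not TEHTRI-Security's or Apple's code): a scrubber that flags and redacts hostapd key-material dumps of the shape quoted in the advisory before console logs are stored or shared. The `scrub` function, the GMK/GTK labels and the inline `hexdump(len=N): ...` form are assumptions; only the `PSK (ASCII passphrase)` lines come from the message.

```python
import re

# Constructed sample: the two log lines quoted in the advisory (mail wrapping
# undone) plus one constructed non-secret line and one constructed inline dump.
SAMPLE = """\
Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.357484: PSK (ASCII passphrase) - hexdump_ascii(len=10):
Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 66 61 63 65 74 73 31 34 36 37 facets1467
Mar 5 01:23:25 unknown com.apple.wifi.hostapd[79] : 1299338602.000000: station associated
Mar 5 01:23:26 unknown com.apple.wifi.hostapd[79] : 1299338603.000000: GMK - hexdump(len=4): de ad be ef
"""

# Header that announces a dump of secret material. Only the "PSK (ASCII
# passphrase)" label appears in the advisory; GMK/GTK are assumed labels.
SECRET_HEADER = re.compile(
    r"hostapd\[\d+\]\s*:.*?\b(PSK[^-]*|GMK|GTK)\s*-\s*hexdump(?:_ascii)?\(len=(\d+)\)")
# Continuation line: process tag followed by a run of hex byte pairs.
HEX_BODY = re.compile(r"^(.*hostapd\[\d+\]\s*:\s*)((?:[0-9a-fA-F]{2}\s+)+)")
HEX_BYTE = re.compile(r"\b[0-9a-fA-F]{2}\b")

def scrub(text):
    """Return (redacted_text, findings); findings are (label, length) pairs."""
    out, findings, remaining = [], [], 0
    for line in text.splitlines():
        hdr = SECRET_HEADER.search(line)
        if hdr:
            label, remaining = hdr.group(1).strip(), int(hdr.group(2))
            findings.append((label, remaining))
            inline = HEX_BYTE.findall(line[hdr.end():])
            if inline:  # assumed form: bytes printed on the header line itself
                remaining = max(0, remaining - len(inline))
                line = line[:hdr.end()] + ": [REDACTED]"
        elif remaining > 0 and (body := HEX_BODY.match(line)):
            # Dump bytes (and their ASCII rendering) follow on their own line.
            remaining = max(0, remaining - len(body.group(2).split()))
            line = body.group(1) + "[REDACTED]"
        else:
            remaining = 0  # any other line ends the pending dump
        out.append(line)
    return "\n".join(out), findings

if __name__ == "__main__":
    redacted, hits = scrub(SAMPLE)
    print(redacted)
    print(hits)
```

The findings list doubles as a detection signal: any non-empty result means the device build logs key material at this verbosity.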


