Automatic Login to WiFi Networks Introduces a New Security Problem in iPhone OS 3.0

iPhone OS 3.0 has a bad “feature” which lets Karmetasploit attack you without user interaction. Be careful what you join.

As you all know, firmware 3.0 introduces a new feature: automatic login to public WiFi hotspots, which also opens Safari automatically. This welcome novelty, however, could jeopardize our security. Let us look at how this feature works and understand what the problem is:

When attempting to connect to a Wi-Fi network, the iPhone performs 2 steps:

  • It sends a DNS query for the Apple site
  • It tries to open an HTML file on that same site

If the hotspot prompts you for a password, Safari will open with a login form to fill in; otherwise, if the network is completely free and public, the iPhone will launch Safari and you can start surfing the web.

Because of this, theoretically, anyone could set up a fake WiFi network named “FREE WiFi” or “Public WiFi” and take advantage of remote exploits against Safari that could extract valuable information stored in cookies, such as logins for numerous websites.
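The two-step check described above can be modelled as a small decision function. This is an added sketch, not Apple's code: the success marker, the sample responses and the function names are constructed for illustration. It shows why the page that ends up in the browser is chosen by whoever runs the access point, and why a client should render it without the user's normal cookie jar.

```python
# Added illustration of the hotspot probe logic; not Apple's implementation.
# SUCCESS_MARKER is a hypothetical placeholder for the expected page content.
SUCCESS_MARKER = b"Success"

# Constructed sample responses to the probe request.
OPEN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Success</html>"
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://portal.example/login\r\n\r\n"
SUBSTITUTED = b"HTTP/1.1 200 OK\r\n\r\n<html>Welcome to FREE WiFi</html>"


def parse_http(raw: bytes):
    """Split a raw HTTP response into (status, headers, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if not sep or len(parts) < 2 or not parts[1].isdigit():
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(parts[1]), headers, body


def classify_probe(dns_answer, raw_response: bytes) -> str:
    """Decide what the network looks like from the probe's point of view."""
    if not dns_answer:
        return "no_connectivity"      # step 1 failed: the name did not resolve
    parsed = parse_http(raw_response)
    if parsed is None:
        return "no_connectivity"      # step 2 failed: no usable HTTP answer
    status, _headers, body = parsed
    if status == 200 and SUCCESS_MARKER in body:
        return "open"                 # the expected page came back untouched
    return "captive_portal"           # redirect or substituted page


def browser_action(state: str) -> dict:
    """Next step for the client; portal content is untrusted network input."""
    # Only a detected portal needs a page shown, and that page should never
    # be rendered with the cookies or saved logins of the main browser.
    return {"open_page": state == "captive_portal", "use_main_cookie_jar": False}
```

Both the redirect and the substituted page classify as a portal, so either one is enough to get network-supplied HTML displayed without the user asking for it.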

So, just be careful when you choose to join a WiFi network.