So, Apple has fixed its dangerous and embarrassing Wi-Fi issue. iOS 14.7 has added “improved checks,” Apple says, to stop its devices “joining a malicious Wi-Fi network [that] may result in a denial of service or arbitrary code execution.” But be warned, iOS 14.7 doesn’t make you safe from Wi-Fi attacks. Far from it.
Apple’s devices are generally safer and more secure than the alternatives. Generally. But that doesn’t mean your iPhone, iPad and Mac are secure. We’ve seen plenty of iPhone vulnerabilities patched in recent months with emergency fixes, and just this week we saw a stark warning about “very malicious” malware now attacking Macs.
Apple’s recent Wi-Fi security issue was a crafted SSID bug, where a particular combination of characters can trick the iPhone into processing the SSID as code, locking up its Wi-Fi function as a result. There’s a debate as to whether this could be used to attack the device itself, but, either way, it’s a specific vulnerability Apple has fixed in iOS 14.7.
We’ve seen similar issues before with so-called text-bombs, where crafted text strings can overwhelm an Apple device, triggering unexpected behaviours. Those attacks usually require a simple reset, although we have seen examples where the text can never be processed in your chat history—and that means deleting and reinstalling the messaging app. Before the fix, the latest Wi-Fi issue also required a reset.
The risk from all these bugs is that once you force a device into an unusual state, you can often follow up with another exploit to attack the device, for example planting seemingly benign code that then downloads and installs nastier malware.
While the latest flaw was technical, you were only at risk if you left your Wi-Fi settings open. Absent that, you would need to manually choose a Wi-Fi network with an odd name. You may have assumed you would be unlikely to fall for such an attack, but many of you will still have your Wi-Fi settings dangerously open. And while this particular flaw aimed to trick your phone, most Wi-Fi attacks simply aim to trick you.
Connectivity attacks on mobile devices can have multiple purposes. The simplest is clearly just to intercept your traffic. That doesn’t help where that traffic is encrypted—but it can be compromising with plain text and web queries. Sometimes a security agency might not need the traffic, just a device identifier and a known location—which protesters turned up at this location on this date, or where was this lawyer at this time?
As an extension of this, we have seen examples where knocking individuals “off comms” at specific times is valuable to an adversary. If I can crash a protest group’s WhatsApp accounts, I can frustrate their planning. Or if I can create a blackspot while making it seem as though devices are connected, I can keep those targets dark.
Other attacks focus on planting malware on the device once it has joined, perhaps presenting some form of UI to the device as part of the network login process that actually attacks the device itself, with no filtering in place.
But where these risks involve Wi-Fi connectivity, it starts with one stupidly simple vulnerability that’s right there on your iPhone, and one piece of sage advice that you must not ignore. Change the setting and follow the advice and you won’t have to worry about being compromised in this way.
Let’s start with the advice. Don’t use public Wi-Fi hotspots, and if you really have to, make sure you use a reputable VPN. It’s still as simple as that.
Sometimes a hotspot might be a malicious network with a generic name, “public free Wi-Fi” or similar. But bad actors can also mimic popular or specific SSIDs, the names of the hotel or restaurant or airport you’re in, for example. “Criminals can conduct an ‘evil twin attack’ by creating their own malicious network with a similar name,” the FBI warns; you may then “mistakenly connect to the criminal’s network instead.”
You shouldn’t join public Wi-Fi networks even manually, but you should absolutely, categorically, stop your phone auto-joining such networks without you even realizing—which it is very likely set up by default to do at the moment.
“I’d avoid auto-joining any public network,” security researcher Sean Wright has warned. “Since they are public and open, it makes spoofing them all too easy.” Your iPhone “sends out probes for hotspots it is looking to connect to, so [an attacker] can stand up hotspots with those SSIDs.” It takes nothing more than a cell phone. “I was in a hotel lobby, I set up my ‘free’ hotspot and had five devices connect in minutes.”
Bad actors can mimic the exact name of a popular hotspot, tricking you into manually connecting even where auto-joining is disabled. Worse, they can mimic popular SSIDs, hoping you’ve used those networks before and your iPhone is set to join when it sees them. “I once saw a Starbucks and a Subway Wi-Fi access point, flying from Newark to Vegas at 35,000 feet,” Cyjax CISO Ian Thornton-Trump told me.
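The evil twin pattern described above can be checked for on the defender's side by comparing what a scan sees against what a trusted network looked like when it was first joined. The following is an added example, not part of the original article: the `Beacon` record, the `KNOWN` baseline and the scan data are all constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # access point hardware address
    security: str   # "open", "wpa2" or "wpa3"

# Constructed baseline: a trusted network with the access point
# addresses and security mode recorded when it was first joined.
KNOWN = {
    "HotelLobby-Guest": {
        "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
        "security": "wpa2",
    },
}

def normalise(ssid):
    """Fold case, spacing and punctuation so near-identical names compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())

def assess(beacon, known=KNOWN):
    """Return the reasons this beacon should not be auto-joined (empty if none)."""
    profile = known.get(beacon.ssid)
    if profile is None:
        # Not an exact match: look for a "similar name" to a trusted network.
        return [f"lookalike of known SSID {name!r}" for name in known
                if normalise(name) == normalise(beacon.ssid)]
    reasons = []
    if beacon.bssid.lower() not in profile["bssids"]:
        reasons.append("known SSID from unrecognised access point")
    if beacon.security == "open" and profile["security"] != "open":
        reasons.append("security downgraded to open")
    return reasons

# Constructed scan results.
SCAN = [
    Beacon("HotelLobby-Guest", "aa:bb:cc:00:00:01", "wpa2"),
    Beacon("HotelLobby-Guest", "de:ad:be:ef:00:01", "open"),
    Beacon("Hotel Lobby Guest", "de:ad:be:ef:00:02", "open"),
    Beacon("CoffeeShop", "de:ad:be:ef:00:03", "open"),
]

def report(scan):
    """Map each suspicious access point address to its list of reasons."""
    return {b.bssid: assess(b) for b in scan if assess(b)}
```

A clean result is not proof of legitimacy, because the access point address is itself unauthenticated; unknown open networks such as the last entry produce no finding and are covered by the auto-join setting instead.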
The easiest option is to stick to cellular when you’re out and about, when you’re away from home or work or other known “friendly” locations. While it’s perfectly possible to spoof a cell network, that gets into the realm of specialist, expensive interception.
Protecting yourself is easy, though, and if you change these settings then Wi-Fi issues such as the most recent iPhone warning can’t compromise you.
In your iPhone’s settings, click on Wi-Fi and then make sure that “Ask to Join Networks” and “Auto-Join Hotspots” are both set to “Ask”/“Ask to Join.”
If you don’t have multiple networks stored by your device beyond home and work, you can set “Ask to Join Networks” to “Off” or “Notify” to avoid having to click when you are at home or work, but then you must click on the blue-circled “i” next to any other networks you connect to, and disable auto-join. You shouldn’t auto-join your local coffee shop’s Wi-Fi, however convenient that might be.
As for this latest bug and resultant fix, Cyjax CISO Ian Thornton-Trump has a broader warning. “My contention is that this is not a security problem,” he tells me. “I believe it’s legacy code from 5, 10 or 15 years ago which just can’t withstand the current generation of reverse engineering and malicious hacking… Vendors seem to be in a constant battle to secure and the tempo of that battle has increased considerably.”
“Although this bug has been fixed,” agrees ESET’s Jake Moore, “like all exploits, the very nature of them means they remain unknown until they are located and therefore, exercising caution to all connectivity must be carried out. Public Wi-Fi is often considered safe with the use of a VPN but this may not always protect you against rogue Wi-Fi, so it’s important to check first or stick with 4G/5G if in doubt.”
Protecting yourself from almost all Wi-Fi compromises is as easy as the steps above. Until such a time as hotspot certification and anti-spoofing become universal, the trade-off between security and convenience means you need to stay cautious.