iOS 5 connects without user action to attwifi when in range

RichardF · Jan 11, 2012

Today I was standing within WiFi range of an at&t store, took my phone to check something and by doing doing so woke it up. It proceeds to connect automatically with a prompt or a warning to the at&t store's wifi.

I have since reproduced this: iOS 5 will automatically connect to any router broadcasting an attwifi SSID.

WTF?

Man in the middle, packets-sniffing etc. Come-on Apple!

I filed a bug report.

Googled it. This problem is known but I had never heard of it until I experienced it today and then researched it.

Does iOS 5 send email accounts passwords in the clear?

Menel · Jan 11, 2012

Don't like it? Toggle, it off.

Otherwise, its convenient for the rest of us.

Starbucks, FedEx stores also and others. Super slick around town.

Small White Car · Jan 11, 2012

So what I'm getting from this is that you think AT&T plans to screw you over with their wifi network but have somehow decided to not screw you over using their 3G network?

Why would they limit their evil schemes to just one of their networks?

RichardF · Jan 11, 2012

no-no-no: the point here is that anyone setting their SSID to attwifi will get iOS to connect to the router.

There is no way to know whether the phone is actually connecting to a real att router.

----------

Menel said:
Don't like it? Toggle, it off.

Otherwise, its convenient for the rest of us.

Starbucks, FedEx stores also and others. Super slick around town.

Toggle what off? WiFi?

I have Ask to Join Networks set to Off.
I only want it to join the networks I have joined manually and personally: my office and my home. Not any other I have not connected to previously and without even asking me.

Small White Car · Jan 11, 2012

RichardF said:
I have Ask to Join Networks set to Off.

Oh, well that's your problem. If you have it set to off it'll join anything. This has nothing to do with it being AT&T or not. It'll join hotels or neighbors or whatever it sees.

The iPhone only has two wifi modes:

1) Ask with a pop-up when anything new is seen.

2) Join anything it can.

The one you describe (only join known, ignore un-known) is not an option. I wish it were, but it's not. This is an iPhone thing, not an AT&T things.

astrorider · Jan 11, 2012

RichardF said:
Today I was standing within WiFi range of an at&t store, took my phone to check something and by doing doing so woke it up. It proceeds to connect automatically with a prompt or a warning to the at&t store's wifi.

I have since reproduced this: iOS 5 will automatically connect to any router broadcasting an attwifi SSID.

WTF?

Man in the middle, packets-sniffing etc. Come-on Apple!

I filed a bug report.

Googled it. This problem is known but I had never heard of it until I experienced it today and then researched it.

Does iOS 5 send email accounts passwords in the clear?

Settings->Wi-Fi->attwifi->Forget this Network

To check your email passwords go to Settings -> Mail, Contacts, Calendars->Accounts->Your Account->Advanced->SMTP->Server and make sure SSL is turned on

RichardF · Jan 11, 2012

astrorider said:
Settings->Wi-Fi->attwifi->Forget this Network

That option isn't there when connected a SSID named attwifi. It's replaced by a toggle: Auto-Join.
The problem is that you don't get the chance to disable joining attwifi until you have connected to it at least once and you can only do it WHILE connected to it.
Of course that first time, the phone will connect to attwifi, regardless whether it's a real at&t WiFi network or just a router with a SSID set to attwifi.

Reseting Network settings did correct the behavior.

astrorider said:
To check your email passwords go to Settings -> Mail, Contacts, Calendars->Accounts->Your Account->Advanced->SMTP->Server and make sure SSL is turned on

I have SSL set to ON for all my email accounts.
With SSL on, no reason to worry you think? Even if the phone connected to some random dude's network set to attwifi ?

----------

Small White Car said:
Oh, well that's your problem. If you have it set to off it'll join anything. This has nothing to do with it being AT&T or not. It'll join hotels or neighbors or whatever it sees.

The iPhone only has two wifi modes:

1) Ask with a pop-up when anything new is seen.

2) Join anything it can.

The one you describe (only join known, ignore un-known) is not an option. I wish it were, but it's not. This is an iPhone thing, not an AT&T things.

Wrong. If set to Off it will only join known SSIDs. In other words, networks you have connected to manually before. Nothing else.

Well except with this bug, it joins attwifi.
This doesn't happen with any other SSID while roaming Manhattan all day with hundreds of WiFi networks all around.

Go to Settings > Wi-Fi and read what's written below the Ask to Join Networks toggle.

RichardF · Jan 11, 2012

Perhaps this article will convey more efficiently what I have been to trying to say:

http://news.cnet.com/8301-27080_3-20003455-245.html

Small White Car · Jan 11, 2012

RichardF said:
Wrong. If set to Off it will only join known SSIDs. In other words, networks you have connected to manually before. Nothing else.

Well except with this bug, it joins attwifi.
This doesn't happen with any other SSID while roaming Manhattan all day with hundreds of WiFi networks all around.

Go to Settings > Wi-Fi and read what's written below the Ask to Join Networks toggle.

Then apparently the bug extends to other networks because I have had this happen with random networks in public...usually ones with no internet connected to them, which is pretty annoying when it happens.

I'm glad to see that's wrong and I'm experiencing a bug and not the expected behavior. I always thought that was stupid, at least I know it's not intentional now.

RITZFit · Jan 11, 2012

The same thing happened to me at a Starbucks. Surprised me too since I also have "Ask to join networks" turned off". Before the last update, I've never experienced such a thing (my original iphone never did that before either).

AstralMelody · Jan 11, 2012

My iPhone does this sometimes, but it seems to be only G networks?

FSMBP · Jan 12, 2012

Small White Car said:
Oh, well that's your problem. If you have it set to off it'll join anything. This has nothing to do with it being AT&T or not. It'll join hotels or neighbors or whatever it sees.

The iPhone only has two wifi modes:

1) Ask with a pop-up when anything new is seen.

2) Join anything it can.

The one you describe (only join known, ignore un-known) is not an option. I wish it were, but it's not. This is an iPhone thing, not an AT&T things.

No, you're wrong. See attached picture. If you have it set to off - it says you have to manually set networks. It should never automatically join unknown networks.

Small White Car · Jan 12, 2012

FSMBP said:
No, you're wrong. See attached picture. If you have it set to off - it says you have to manually set networks. It should never automatically join unknown networks.

And as I said, sometimes it does. It's nice that it SAYS it won't, but I'm just telling you what I've experienced.

Whether it's a bug or something, ok, I believe you when you say that's not normal. But it can happen so I feel it's fair to warn people.

mkrishnan · Jan 12, 2012

For the OP: So, had you ever joined an AT&T wifi network either from that phone or from a previous phone whose backup was restored to that phone? If you did this, automatically connecting to that network is the correct behavior, irrespective of the manual/auto setting, unless you manually "forget" the network. If it still does it after that, that's a bug, I agree.

(according to the C|Net article, the bug only affects you if you've ever joined the AT&T wifi network, anywhere, already in the past, but not if you have a "clean" phone that's never done an AT&T connection. Anyways, from the description there's definitely a security flaw there.)

FSMBP said:
No, you're wrong. See attached picture. If you have it set to off - it says you have to manually set networks. It should never automatically join unknown networks.

Small White Car said:
And as I said, sometimes it does. It's nice that it SAYS it won't, but I'm just telling you what I've experienced.

That's odd. I have not experienced what SWC is describing (joining completely unknown networks automatically, when this is turned off, and the networks are not broadcasting an SSID that matches a "known" network, including AT&T's network which is apparently presumptively considered known). I haven't played with creating a network called attwifi to see if my phone will join it automatically. I would agree that that's a bug, if it happens.

The other nuisance aspect of this is that, the way the iPhone is designed, it sometimes catches signal from a known network I'm passing (like if I'm walking on the sidewalk outside the hospital), and then when it loses that signal, it disrupts everything that it was doing via cellular data. Automatically joining these presumptively known networks (the ones that are part of the AT&T hotspot system) would just make that worse.

Small White Car · Jan 12, 2012

My guess is that there are large companies out there (like, say, hotels) that may set all their equipment nation-wide to exactly the same settings. So maybe my phone joins a Hampton Inn network in Orlando because I gave the ok to a Hampton Inn in San Diego a month ago.

I dunno, just a guess, I never really looked into it. I'll try and notice when it happens in the future and see if I can make any sort of determinations like that.

FSMBP · Jan 12, 2012

Small White Car said:
And as I said, sometimes it does. It's nice that it SAYS it won't, but I'm just telling you what I've experienced.

Whether it's a bug or something, ok, I believe you when you say that's not normal. But it can happen so I feel it's fair to warn people.

Gotcha.

mkrishnan · Jan 12, 2012

Small White Car said:
My guess is that there are large companies out there (like, say, hotels) that may set all their equipment nation-wide to exactly the same settings. So maybe my phone joins a Hampton Inn network in Orlando because I gave the ok to a Hampton Inn in San Diego a month ago.

I dunno, just a guess, I never really looked into it. I'll try and notice when it happens in the future and see if I can make any sort of determinations like that.

The C|Net article says that the iPhone generally remembers networks by MAC ID and not by name, but I think I've seen what you describe.

I'm confused about how to test this, also. If it does remember MAC IDs, and I say change my router's name to "ATTWIFI" won't it still connect because it knows the router by MAC?

edk99 · Jan 12, 2012

I can't find the article but I remember reading about a press release from ATT a while back that said if you have an iPhone it will *automatically* connect to att wi-fi hotspots at starbucks, att stores and so on.

So their must be some special code or somefunctionality that detects att wi-fi hotspots and connects to them regardless of what your wi-fi setting is if your wi-fi is on.

WordMasterRice · Jan 12, 2012

mkrishnan said:
The C|Net article says that the iPhone generally remembers networks by MAC ID and not by name, but I think I've seen what you describe.

I'm confused about how to test this, also. If it does remember MAC IDs, and I say change my router's name to "ATTWIFI" won't it still connect because it knows the router by MAC?

This is not true. I've setup a few multi-location WIFI networks and the iPhone will pick them up automatically if the SSID, encryption type and encryption key are all the same. My family uses the same settings at everyone's house so phones/laptops/tablets just work.

RichardF · Jan 12, 2012

mkrishnan said:
For the OP: So, had you ever joined an AT&T wifi network either from that phone or from a previous phone whose backup was restored to that phone? If you did this, automatically connecting to that network is the correct behavior, irrespective of the manual/auto setting, unless you manually "forget" the network. If it still does it after that, that's a bug, I agree.

No I had not. I never connect to any networks other than mine at home or at the office.

This apparently expands the circumstances in which this problem occurs.

Note: the iOS is intended to behave like Mac OS in this regards. If that option is off then it should not connect to any other network other than the known/ trusted ones when not within range (the ones you have joined in the past manually).

----------

edk99 said:
I can't find the article but I remember reading about a press release from ATT a while back that said if you have an iPhone it will *automatically* connect to att wi-fi hotspots at starbucks, att stores and so on.

So their must be some special code or somefunctionality that detects att wi-fi hotspots and connects to them regardless of what your wi-fi setting is if your wi-fi is on.

This is so bad. I cannot believe Apple let this one be.
Anyone can then take advantage of this by posing as one of those networks.

takeshi74 · Jan 12, 2012

RichardF said:
iOS 5 will automatically connect to any router broadcasting an attwifi SSID.

Not in all cases. I noticed my at&t BB doing this and pulled out my 4s. My 4s did no such thing.

RichardF · Jan 12, 2012

mkrishnan said:
The C|Net article says that the iPhone generally remembers networks by MAC ID and not by name...

excepts when the SSID is attwifi. The article says iOS then doesn't check/ ignores the MAC ID.

----------

takeshi74 said:
No, it will not. I noticed my at&t BB doing this and pulled out my 4s. My 4s did no such thing.

You have to wake the iPhone up. It won't if the screen is off/ locked.

What are your iOS settings? Ask to Join Network is on or off. Mine is off.

What version of iOS are you running?

I am on 5.0.1

Then how do we explain my iPhone joining attwifi last night without me having ever joined manually in the past and without prompting?

Have you read the CNet article. The guy quoted set his router's SSID to attwifi and the phone joined it.

I am going to fool around with the SSID on my router at the office right now to test. Will be back with findings.

----------

WordMasterRice said:
This is not true. I've setup a few multi-location WIFI networks and the iPhone will pick them up automatically if the SSID, encryption type and encryption key are all the same. My family uses the same settings at everyone's house so phones/laptops/tablets just work.

Thank you for this. It's very insightful.

RichardF · Jan 12, 2012

Alright, here are my findings.

I was able to reproduce the problem at the office and find-out more.

Changed the SSID to attwifi on my Verizon Westell wireless router and turned off wireless security (WEP/ WPA/ WPA2 off).

The phone was sleeping. Hit the home button, entered my pin, waited and sure enough it picked the attwifi and connected to it!

Now under Settings > Wi-Fi
attwifi was listed with a check mark (because it's connected to it). I hit the right-pointing blue arrow and unlike any other WiFi network, the option to "Forget this Network" was not there, instead the option was replaced with an "Auto-Join" on/off toggle. I set it to off.

Additional comments on Mac OS and iOS behavior when joining a known router (as per MAC ID) but for which the SSID/ WiFi security was modified:

Upon connecting manually to my router after resetting the SSID to what it is usually, I was prompted to re-enter the WPA key even though it is saved in the keychain in Mac OS and known to iOS (joined in the past).
Both remembered the SSID but still asked for the WPA key. That's good. This created another keychain item even though the SSID and WPA key were identical. I deleted the older item in the keychain.

In iOS I don't know what it did in the background.
I ended up resetting Network Settings: Settings > General > Reset > Reset Network Settings for good measure.

I don't remember the phone doing the same thing at an Apple Store. I was in one recently.
What's the SSID Apple stores use again? I'll do the same test here with it.

scaredpoet · Jan 12, 2012

To answer this question:

RichardF said:
Does iOS 5 send email accounts passwords in the clear?

That depends on you, and how you're set up your e-mail accounts. iOS since version 1 has had the capability to interact with e-mail accounts using SSL/TLS. But if you make a decision in your settings not to, then that's on you.

Xenomorph · Jan 12, 2012

This has bothered me in the past. It is a nasty security issue.

It's sad so many people downvoted the OP, and that so many people don't understand the issue. It has nothing to do with forgetting the network, or telling your phone to prompt when WiFi is in range.

I unboxed a phone, wiped it and restored iOS, and the phone auto-connected to an "attwifi" network the first time one was in range. No prompts, no authentication, and no security.

There is no way to make it forget the network, you can only tell it to stop auto-joining, but only if you are in range.

iOS 5 connects without user action to attwifi when in range

macrumors 6502a

Suspended

macrumors G4

macrumors 6502a

macrumors G4

macrumors 6502a

macrumors 6502a

macrumors 6502a

macrumors G4

macrumors 65816

macrumors newbie

macrumors 68030

Attachments

macrumors G4

Moderator emeritus

macrumors G4

macrumors 68030

Moderator emeritus

macrumors 6502a

macrumors 6502a

macrumors 6502a

macrumors 601

macrumors 6502a

macrumors 6502a

macrumors 604

macrumors 65816

Our Staff