Corporate wifi should be using RADIUS-type authentication, not PSK.

If it's a small business, implementing RADIUS is likely more work than they want to put into it. However, I don't see how they can stop the end user from discovering the password... one might not be able to see it on one's phone, but if that user also has a laptop the password will also end up in that device's keychain.
 
You really didn't just say that...

You know, for a home situation... that's not as bad an idea as you might think on the face of it. It's easy to manage and not susceptible to data corruption.

I wouldn't keep, say, my banking passwords on a piece of paper - but physical security trumps most everything else. If someone is in your home unsupervised, they could find that piece of paper... but they can also just reset your wifi router.
 
LOL, really, you can pay for Cisco ISE then. The rest of us with real budget constraints will use hidden SSIDs and complex passwords. Guess you never heard of Intermec scanners and other items like that.

You don't need to pay for Cisco at all. Run FreeRADIUS or the built-in Windows Server RADIUS service. Every AP supports RADIUS now. I used to run this at home back in the WEP 802.11b days.
 
This is one of my favourite little things in iOS 11.

Android and Windows Phone have/had methods of streamlining WiFi password sharing too. But none I've used have been this slick.

I expect and hope that as more stuff like this gets discovered during the beta that people will stop complaining. It’s a free update. If you don’t like it, try another ecosystem. I’ve heard a lot of complaints about it looking the same overall. Personally, I don’t want to have to relearn how to use my phone every year because of huge UI/UX changes. But maybe that’s just me.
 
LOL, really, you can pay for Cisco ISE then. The rest of us with real budget constraints will use hidden SSIDs and complex passwords. Guess you never heard of Intermec scanners and other items like that.

Glad you're not in my 'server room fixing my tubes' if you are truly involved in corporate IT. Setting up an AP in your friend's coffee shop doesn't count and neither does fixing your parents' router.
 
How secure is this? Won't this potentially open up a new attack vector?
 
After everyone realizes they will lose all their 32-bit free & other games, they will realize that iOS 11 is, as Steve Jobs once said, "A Bag of Hurt."

Yeah, I checked and out of the many dozens of apps on my phone, ONE of them wasn't ready to go, and I hadn't used that app in many many months. I think somehow society will live on.
 
LOL, really, you can pay for Cisco ISE then. The rest of us with real budget constraints will use hidden SSIDs and complex passwords. Guess you never heard of Intermec scanners and other items like that.
Hidden SSIDs are worthless. They provide zero security, and only cause problems for your real users. It doesn't matter how complex your password is, once you have it on a client device they can see it and share it.
 
What about corporate situations where we don't want our end users having or knowing the password? Is there any way as an IT administrator to disable this for our network?

You have to confirm that you will share your password. So IT sends out a stern email that NO ONE is to approve such requests. Problem solved.
 
Now if only my phone would share my WiFi password with the Airport Utility app that's on my phone. That would make re-starting the Airport easier, and reduce the quantity and volume of my curses.
Agreed it'd be a nice addition, but: a) they're getting out of the WiFi router business; and, b) how often are you restarting your Airport?!? I restart mine perhaps once or twice a year. My cable modem gets kicked much more often, but the Airport is rock solid.
What about corporate situations where we don't want our end users having or knowing the password? Is there any way as an IT administrator to disable this for our network?
If you're using a simple password on your corporate network, rather than WPA2 Enterprise / RADIUS, you're doing IT wrong. Do you change, and redistribute, that single password every time an employee leaves the corporation?
 
This will go over well with the DoD and their subcontractors. They'll be happy to not have to go through that whole security clearance nonsense before letting an employee on the network.
 
LOL, really, you can pay for Cisco ISE then. The rest of us with real budget constraints will use hidden SSIDs and complex passwords. Guess you never heard of Intermec scanners and other items like that.
You can run RADIUS on a Raspberry Pi. Is $50 within your budget? And if your scanners can't do WPA2 Enterprise, then run them on a separate SSID and don't share that password outside the group that's setting up / administering the scanners. (If the passwords can be read out from the scanners by random people, then your security is hosed already.)
This will go over well with the DoD and their subcontractors. They'll be happy to not have to go through that whole security clearance nonsense before letting an employee on the network.
How would any DoD subcontractor that's using WPA2 Personal and a single password company-wide (rather than using WPA2 Enterprise and per-user passwords administered by a RADIUS server) ever have gotten any security-related contract in the first place?
 
password sharing process between trusted device

Unless they allow some way to manage trusted devices this is a security breach waiting to happen due to unauthorized propagation of access.

For comparison, Android has the option to sync WIFI passwords to Google cloud account and can only be restored to authenticated devices. If Apple implement it this way then there would be less fear of a security breach.
 
What about corporate situations where we don't want our end users having or knowing the password? Is there any way as an IT administrator to disable this for our network?

Aren't those networks usually authenticated by individual usernames and passwords? My company only lets you join by entering your Windows login credentials (same one you use to log into your desktop) and a profile (giving the company access to the device) needs to be downloaded to the device in question.

Is that how yours works?
 
If I were designing something like this, I'd implement this sort of behavior: shared passwords would be stored with a specific attribute as such, encrypted (and signed), and only the original password holder could share (so 2nd gen, shared holders, couldn't "re-share").

So I share to you for convenience, you can't share with anyone else, and since it's a shared password type, it's held in a specific keychain container, that prevents viewing in clear text (the entry would indicate the network/who shared it/datetime stamp).
 
Apart from this method (that I assume uses Bluetooth, which I usually have turned off) iOS11 also brings QR code decoding to the stock camera app.

I've just generated one for my guest WiFi which I've printed out and stuck on my router. I pointed my iPhone's camera to it, and after a prompt it connected to that WiFi. Now all I need is for anyone I invite to have iOS11 installed (or Android, which I think has had this feature for ages). http://blog.qr4.nl/QR-Code-WiFi.aspx
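
As an added illustration (not part of the original post), this is the plain-text `WIFI:` payload that such QR codes conventionally encode, with a builder and a parser that handle the format's backslash escaping. It shows that the printed code carries the passphrase in cleartext, so anyone who can photograph the sticker can read it back. The SSIDs and passphrases used here are constructed sample values.

```python
"""Build and parse the Wi-Fi QR text payload (WIFI:T:...;S:...;P:...;;)."""

SPECIAL = '\\;,":'  # characters the format requires to be backslash-escaped


def escape(value: str) -> str:
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def build_wifi_payload(ssid: str, passphrase: str = "", auth: str = "WPA",
                       hidden: bool = False) -> str:
    fields = [f"T:{auth}", f"S:{escape(ssid)}"]
    if auth != "nopass":                       # open networks carry no P: field
        fields.append(f"P:{escape(passphrase)}")
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"


def parse_wifi_payload(payload: str) -> dict:
    if not payload.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi QR payload")
    body, fields, current, i = payload[5:], [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped char: take it literally
            current.append(body[i + 1])
            i += 2
            continue
        if ch == ";":                          # unescaped ';' ends a field
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if current:                                # tolerate a missing final ';'
        fields.append("".join(current))
    result = {}
    for field in filter(None, fields):         # skip the empty field from ';;'
        key, _, value = field.partition(":")
        result[key] = value
    return result


if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    text = build_wifi_payload("Guest;Cafe", 'p:a\\ss;"w,d')
    print(text)
    print(parse_wifi_payload(text))            # passphrase comes back in cleartext
```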
 
So many new features. Kind of makes me want iOS11 now but I know I need to wait until the release date, can't have my devices wigging out on me.

Even production releases can wig out your device. Not as likely, but it still can.
 
How would that be any different than verbally telling someone the password? They could then verbally tell someone else...

Unless you're thinking of a different scenario where people are now being granted access under the new system, where they wouldn't have been given the password under the old...

Sure, that's always been possible, but it's a bit harder than this. Rather than verbally providing the password, you can type in the password yourself, which complicates spreading further by requiring them to have both iCloud password sync (whatever that's called) enabled and access to a Mac to view it in Keychain. Not as easy as just holding two phones in proximity to each other.

LOL, really, you can pay for Cisco ISE then. The rest of us with real budget constraints will use hidden SSIDs and complex passwords. Guess you never heard of Intermec scanners and other items like that.

Sorry, but a hidden SSID or complex password still won't help you out with the situations other people were complaining to me about above. :) It might help with this feature though, since it's not clear that it could work for SSIDs that are not visible, but in general it's not doing you much more good. As for RADIUS, you don't need anything too fancy for that. In a corporate environment, you're probably already using some sort of central authentication mechanism like AD. Both Windows and macOS servers can act as RADIUS servers, and there are other options (including at least one FOSS one) as well.

What do Intermec scanners have to do with this? Do they require PSK wifi? If so, you can create a separate SSID (enterprise APs should support this) and, sure, use PSK for that, maybe with MAC address filtering or something to at least try to mitigate potential problems.
 