[iUsability-Pwned] critical iPhone 3.0 bug/feature

I noticed that iPhone SW version 3.0, immediately after finding a WLAN, connects to an outside page to check for internet connectivity and enable automated hotspot authentication.

The new hotspot feature tries to access http://www.apple.com/library/test/success.html to determine whether it can reach the internet directly. If it can't access the page, it assumes it's in a hotspot and the new hotspot feature kicks in (which doesn't work with HTTP authentication).

http://discussions.apple.com/thread.jspa?threadID=2044951&start=15&tstart=0

If a malicious attacker uses fake-hotspot tools, like karmetasploit's script kmsapng, your iPhone will get 0wned by walking by. kmsapng creates hotspots based on the WLAN probe requests it sees. So the hotspot may well be named like your home network, the hotel hotspot you were on yesterday, your mobile provider's WLAN network name, or "Free Internet" (be aware!).
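One way to spot an access point that names itself after whatever clients probe for, as an added example (not code from the original post or from the tools it mentions): it flags a BSSID that answers directed probe requests for several different SSIDs. The frame tuples are constructed sample data, and the function name, threshold and time window are assumptions.

```python
from collections import defaultdict

# Constructed sample capture: (seconds, frame_type, source_mac, ssid).
# "probe_req"  = a client asking for a network it remembers,
# "probe_resp" = an access point claiming to be that network.
SAMPLE_FRAMES = [
    (0.0, "probe_req",  "aa:aa:aa:00:00:01", "HomeNet"),
    (0.1, "probe_resp", "02:de:ad:be:ef:01", "HomeNet"),
    (1.0, "probe_req",  "aa:aa:aa:00:00:02", "HotelGuest"),
    (1.1, "probe_resp", "02:de:ad:be:ef:01", "HotelGuest"),
    (2.0, "probe_req",  "aa:aa:aa:00:00:03", "Free Internet"),
    (2.2, "probe_resp", "02:de:ad:be:ef:01", "Free Internet"),
    (3.0, "probe_req",  "aa:aa:aa:00:00:01", "CoffeeShop"),
    (3.1, "probe_resp", "00:11:22:33:44:55", "CoffeeShop"),
    (9.0, "probe_resp", "00:11:22:33:44:55", "CoffeeShop"),
]


def find_probe_echo_aps(frames, min_ssids=3, window=1.0):
    """Return {bssid: sorted SSIDs} for access points that answered
    directed probes for at least `min_ssids` different SSIDs, each
    answer arriving within `window` seconds of the matching request."""
    last_request = {}            # ssid -> time of the latest probe request
    echoed = defaultdict(set)    # bssid -> SSIDs it echoed back to clients
    for ts, kind, mac, ssid in sorted(frames):
        if not ssid:             # broadcast probe: no name to echo
            continue
        if kind == "probe_req":
            last_request[ssid] = ts
        elif kind == "probe_resp":
            asked = last_request.get(ssid)
            # Count only responses that closely follow a request for
            # the same SSID; unrelated responses are ignored.
            if asked is not None and 0 <= ts - asked <= window:
                echoed[mac].add(ssid)
    return {b: sorted(s) for b, s in echoed.items() if len(s) >= min_ssids}


if __name__ == "__main__":
    for bssid, ssids in find_probe_echo_aps(SAMPLE_FRAMES).items():
        print(f"suspicious AP {bssid} answered for: {', '.join(ssids)}")
```

An ordinary access point answers only for the network names it is configured with, so a single BSSID echoing several unrelated remembered-network names is worth investigating.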

This attack class is not new; any other browser might react in the same fashion if you try to open any web page while connected to a faked hotspot.

The interesting part about the iPhone SW 3.0 is that it immediately opens the browser once you try to associate with a network without internet connectivity.

Max Moser of remote exploit documented this potentially risky feature in this nice movie.

As far as I can tell, this behavior enables an attacker to steal authentication cookies of iPhones, if not more.

advice: don't connect to networks you don't trust

further research of impact is pending

iUsability-Pwned from Max Moser on Vimeo.

[1] http://remote-exploit.blogspot.com/2009/07/iusability-pwned.html
