Apple and AT&T providing free Wi-Fi access to iPhone users and oops... to everyone else as well!


You have to love security through obscurity...

A friend of mine on a private mailing list passed me a link to a story on macrumors.com, which was quite interesting. Apparently, Apple and AT&T have decided to provide free wireless access to iPhone users at places like Starbucks. I imagine this is one of those deals where you get associated, it forces you through a proxy, and any request is redirected to an AT&T wireless services page, where normally you'd pay $9.95 for a day of Internet access or something like that.

Well, the way they are determining if you should be free or not is by inspecting the user agent that your browser sends. The user agent is an HTTP header that browsers send so that web pages can adapt their presentation and controls to the browser making the request... it was NEVER intended to be an access control. As the request to the proxy page to get set up for wireless leaves from your personal machine (from your browser and down through the TCP/IP stack and then out to their server), you can actually control what is sent and forge your own user agent to look like the user agent that is sent by the iPhone's Safari browser.

This is actually quite simple to do and can be done with the Burp Suite of tools by Dafydd Stuttard. I will not tell you the user agent that your iPhone uses, but I'm sure you can find it on the Internet, or simply set up your own web server and use Wireshark on it to capture an incoming request from your iPhone. Once you've modified the user agent, you currently are able to get free access. Apparently, you will also need to know the phone number of a legitimate iPhone, but this should be pretty easy for most people to get.

Actually, using the user agent to control access, authorization, and various other things related to security that should never involve the user agent is a pretty common mistake made by cell phone vendors.  My good friend, and co-worker at Ernst & Young's Advanced Security Center, Raghav Dube, has found numerous flaws like this, and I'm just waiting for him to put it all together into a presentation for Black Hat.
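The flaw described above, set beside one way to close it, as an added example that is not code from AT&T, Apple or this post. `ENTITLED_UA_MARKER`, `OtpPortal`, the session ids and the phone numbers are hypothetical, and delivery of the one-time code by SMS is an assumption about what the carrier could do.

```python
import hashlib
import hmac
import secrets

ENTITLED_UA_MARKER = "ExamplePhone"   # hypothetical marker, not a real User-Agent
SERVER_KEY = secrets.token_bytes(32)  # stays on the portal, never sent to clients


def weak_is_entitled(headers: dict, phone: str) -> bool:
    """The flawed design: both inputs are chosen by the client."""
    return ENTITLED_UA_MARKER in headers.get("User-Agent", "") and phone.isdigit()


class OtpPortal:
    """Hardened sketch (an assumption, not AT&T's design): free access needs a
    one-time code delivered out of band to the subscriber's handset."""

    def __init__(self, subscribers: set):
        self.subscribers = subscribers  # numbers the carrier knows are entitled
        self.pending = {}               # session_id -> (phone, code digest)

    def _digest(self, session_id: str, phone: str, code: str) -> bytes:
        msg = f"{session_id}|{phone}|{code}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def start(self, session_id: str, phone: str):
        """Return the code for the SMS gateway, or None if not a subscriber."""
        if phone not in self.subscribers:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = (phone, self._digest(session_id, phone, code))
        return code  # sent by SMS only, never placed in the HTTP response

    def verify(self, session_id: str, code: str) -> bool:
        entry = self.pending.pop(session_id, None)  # one attempt, no replay
        if entry is None:
            return False
        phone, expected = entry
        return hmac.compare_digest(expected, self._digest(session_id, phone, code))


if __name__ == "__main__":
    laptop = {"User-Agent": "Mozilla/5.0 (ExamplePhone; constructed sample)"}
    print("weak check, laptop with copied header:", weak_is_entitled(laptop, "5550100"))
    portal = OtpPortal({"5550100"})
    code = portal.start("sess-1", "5550100")
    print("strong check, guessed code:", portal.verify("sess-1", "not-it"))
```

With the second design, knowing a subscriber's phone number is no longer enough, because the code only ever reaches the handset that owns the number.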

The original article from MacRumors.com is posted below:

A couple of readers have reported that AT&T hotspots are now offering free Wi-Fi access to iPhone users. Barnes and Noble, Starbucks and presumably AT&T's 71,000 other Wi-fi hotspot locations are now offering iPhone users a custom portal to access free Wi-Fi. A special iPhone formatted page asks for your mobile phone number. Once entered, you can access the Wi-Fi access for free.

MacRumors has been able to confirm this finding at a local Barnes and Noble.

AT&T recently partnered with Starbucks (displacing T-Mobile) to provide Wi-Fi access to Starbucks' 7000 stores nationwide. This partnership allowed existing AT&T broadband customers free access and AT&T promised that it would "soon extend the benefits of Wi-Fi at Starbucks to its wireless customers", but no official announcement has yet been made.

A list of AT&T's 71,000 hotspots can be found on AT&T's site, including Starbucks, Barnes & Noble, Airports, and McDonald's locations.

Update: MacRumors reader ntrigue confirms that AT&T's system is based on the iPhone's User Agent, which can easily be faked on laptops. He successfully accessed the free iPhone Wifi through his laptop (and a valid iPhone phone number)"... the image is provided below:

[Image: Free AT&T Wi-Fi]


Talkback

14 comments
  • Hey, it's no worse than MAC filtering :)

    Hey, it's no worse than MAC filtering which is universally used at for-fee hotspots :). The right sniffer and the right script can quickly change your MAC address to one that's already logged in. Just find a user on one end of the terminal, get the MAC address, then go to the other end where you're waiting for your airplane so that your MAC addresses aren't conflicting with each other on the same Access Point.

    George Ou
    http://www.ForMortals.com
    georgeou
    • True, but it's more entertaining

      True, it's no worse, but it's more entertaining I think since
      someone actually believed the user agent would be an
      effective control even after seeing how effective something
      like MAC filtering was.

      -Nate

      PS, good to see you reading my blog :)
      nmcfeters
      • So What's The Solution?

        It would be nice to see some solutions from that big brain of yours
        McFeters :)

        It seems the best way to handle this would be to require AT&T users
        to login via their accounts (if everyone has one? I'm not on AT&T). But
        then how do you handle authentication? You would have to go back to
        MAC address access control, I suppose, but that just makes it a bit
        harder to steal [well maybe a lot harder if there is just one AP per
        store] and a lot harder to implement. I really have no idea on the state
        of securing wifi access (I always assumed it was all MAC Address
        filtering myself).

        Is there a better way to do this?
        KStads
        • Putting the big brain to work...

          Simple, just make it free. I mean, in the grand scheme of things, does AT&T really need to charge money for wireless service at Starbucks? Aren't they making enough money already?

          -Nate
          nmcfeters
          • big brain?

            "Aren't they making enough money already?"

            I absolutely love statements like this. So, should all businesses have an "enough money" threshold and begin giving away products/services once they meet that threshold? Maybe Apple is making "enough money" and they should give away anything related to digital content, phones, and music players to execute on the 'buy more macs' strategy. I think you should give Steve-o a buzz and instill your wisdom.

            Other than that, great post!
            barontick
    • Oh you guys are quite the tricksters ;)

      nt
      D T Schmitz
  • RE: Apple and AT

    If you want to see a User Agent string, I've actually got a diagnostic page on my website for testing my new app, which includes it. Just point your browser to www.netelligence.co.uk/Diag.aspx and it will give you (among other things) the user agent string.
    Chris@...
  • IP-over-DNS, IP-over-ICMP, OzymanDNS

    For all you tricksters out there some FYIs (that includes George and Nate):

    o IP-over-DNS (http://thomer.com/howtos/nstx.html)
    o IP-over-ICMP (http://thomer.com/icmptx/)
    o OzymanDNS (http://dnstunnel.de/)

    All very tricky!, but interesting, not to mention possibly illegal!

    What's that saying?... "What you don't know won't hurt you."

    Yes, that's it. ;)
    D T Schmitz
    • If you like this

      You should check out some of the work done by Dan Kaminsky where he can basically tunnel anything over DNS. Including SSH over DNS, and even (what a crazy concept) DNS over DNS.

      -Nate
      nmcfeters
      • all laws are not created equally

        With a user name like dietrich it's possible they are from Germany where
        they have just passed ridiculously strict anti-hacking laws where
        information like this could be deemed illegal if it's determined that it is
        being disseminated for the purposes of bypassing authentication. But I'm
        not a lawyer and definitely not a German lawyer so that's just a guess.

        P.S. everyone knows video over DNS is the best tunneling option ;) more
        to the point you can basically tunnel anything over anything. (think
        about sending and receiving information in packet buffers that are
        normally random)
        KStads
  • I've just changed my FF3 browser's user agent string...

    ...to the iPhone string using directions found here (http://www.scanmybrowser.com/change_ua.html) [1]

    When I go to google.com directly thereafter, it renders the page in the new Google Apps web format for the iPhone.

    ============================================================

    [1] Pass at your own risk! May be considered illegal.
    D T Schmitz
    • Yep

      That's how the user agent works... even if you are just doing regular browsing, Firefox and IE have different user agents, and from time to time will be rendered differently.

      Why would you think it would be illegal to change your user-agent?

      -Nate
      nmcfeters
      • P-A-Y-P-A-L

        nt
        D T Schmitz
  • RE: Apple and AT

    The same thing can be done to gain access to sites that a certain popular console with "waggle" uses for downloads, etc.

    If you use something for a purpose other than what it was originally intended, you will receive a result other than that which you expect.
    Sabz5150