A friend of mine on a private mailing list passed me a link to a story on macrumors.com, which was quite interesting. Apparently, Apple and AT&T have decided to provide free wireless access to iPhone users at places like Starbucks. I imagine this is one of those deals where you get associated, it forces you through a proxy, and any request is redirected to an AT&T wireless services page, where normally you'd pay $9.95 for a day of Internet access or something like that.
Well, the way they are determining if you should be free or not is by inspecting the user agent that your browser sends. The user agent is an HTTP header that is sent by browsers so that web pages can modify their presentation and control to best suit the needs of that browser... it was NEVER intended to be an access control. As the request to the proxy page to get set up for wireless leaves from your personal machine (from your browser and down through the TCP/IP stack and then out to their server), you can actually control what is sent and forge your own user agent to look like the user agent that is sent by the iPhone's Safari browser.
This is actually quite simple to do and can be done with the Burp Suite of tools by Dafydd Stuttard. I will not tell you the user agent that your iPhone uses, but I'm sure you can find it on the Internet, or simply set up your own web server and use Wireshark on it to capture an incoming request from your iPhone. Once you've modified the user agent, you currently are able to get free access. Apparently, you will also need to know the phone number of a legitimate iPhone, but this should be pretty easy for most people to get.
Actually, using the user agent to control access, authorization, and various other things related to security that should never involve the user agent is a pretty common mistake made by cell phone vendors. My good friend, and co-worker at Ernst & Young's Advanced Security Center, Raghav Dube, has found numerous flaws like this, and I'm just waiting for him to put it all together into a presentation for Black Hat.
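The design mistake described above, shown from the portal's side as an added example (not code from the original post or from AT&T): a check that trusts the User-Agent header next to a sketch that requires a one-time code delivered to the handset. The marker string, the phone number, and every function and class name are constructed for illustration, and the SMS delivery step is assumed rather than implemented.

```python
import hashlib, hmac, secrets, time

TRUSTED_UA_MARKER = "ExamplePhoneBrowser"  # constructed placeholder, not a real User-Agent

def grant_by_user_agent(headers, phone):
    """Weak check: both inputs are chosen by the client, so neither proves anything."""
    return TRUSTED_UA_MARKER in headers.get("User-Agent", "") and bool(phone)

class SmsChallengePortal:
    """Hardened sketch: access requires a one-time code delivered to the handset."""

    def __init__(self, subscribers, ttl=300, max_attempts=3):
        self.subscribers = set(subscribers)   # numbers entitled to free access
        self.ttl, self.max_attempts = ttl, max_attempts
        self.pending = {}                     # session id -> [phone, code hash, expiry, tries]

    def start(self, session_id, phone):
        """Issue a code for the SMS gateway; it is never returned to the HTTP client."""
        if phone not in self.subscribers:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[session_id] = [phone, digest, time.time() + self.ttl, 0]
        return code

    def verify(self, session_id, submitted):
        """Grant access only for a fresh, correct, unused code; headers play no part."""
        entry = self.pending.get(session_id)
        if entry is None:
            return False
        entry[3] += 1
        if time.time() > entry[2] or entry[3] > self.max_attempts:
            del self.pending[session_id]
            return False
        digest = hashlib.sha256(str(submitted).encode()).hexdigest()
        if hmac.compare_digest(digest, entry[1]):
            del self.pending[session_id]      # single use
            return True
        return False

def demo():
    """Constructed scenario: a laptop that sets its own User-Agent and types a known number."""
    laptop = {"User-Agent": "Mozilla/5.0 ExamplePhoneBrowser/1.0"}
    portal = SmsChallengePortal({"555-0100"})
    code = portal.start("laptop-session", "555-0100")   # SMS goes to the real handset
    weak = grant_by_user_agent(laptop, "555-0100")
    guessed = portal.verify("laptop-session", "not-the-code")
    owner = portal.verify("laptop-session", code)        # only the handset holder knows it
    return weak, guessed, owner
```

The header-based check accepts the laptop, while the challenge-based one turns on possession of the handset and ignores request headers entirely.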
The original article from MacRumors.com is posted below:
A couple of readers have reported that AT&T hotspots are now offering free Wi-Fi access to iPhone users. Barnes and Noble, Starbucks and presumably AT&T's 71,000 other Wi-fi hotspot locations are now offering iPhone users a custom portal to access free Wi-Fi. A special iPhone formatted page asks for your mobile phone number. Once entered, you can access the Wi-Fi access for free.
MacRumors has been able to confirm this finding at a local Barnes and Noble.
AT&T recently partnered with Starbucks (displacing T-Mobile) to provide Wi-Fi access to Starbucks' 7000 stores nationwide. This partnership allowed existing AT&T broadband customers free access and AT&T promised that it would "soon extend the benefits of Wi-Fi at Starbucks to its wireless customers", but no official announcement has yet been made.
A list of AT&T's 71,000 hotspots can be found on AT&T's site, including Starbucks, Barnes & Noble, Airports, and McDonald's locations.
Update: MacRumors reader ntrigue confirms that AT&T's system is based on the iPhone's User Agent, which can easily be faked on laptops. He successfully accessed the free iPhone Wifi through his laptop (and a valid iPhone phone number)... the image is provided below: