Tuesday, January 5, 2016

The Danger of "Other" on the iPhone

This is what it looks like when your whole organization just got compromised because you sat down at StarBucks for second.

So there's a lot of different ways to configure your email on the iPhone. Some of them are more dangerous than others. It took us a long time to track this down - because on wireless penetration tests we'd often get passwords using SILICA, and I never got to ask how that happened to the user. Many users don't feel like letting a penetration tester rummage through their phone settings.

One of these options is not like the other! Ok it is. Wait.

Literally a year went by and every time we got a password I asked the testers "HOW IS THIS HAPPENING?!?".

Here is the testing methodology which gets you a password every time:

  • Start SILICA
  • Add "attwifi" in the AP window
  • Right click attwifi and select AP->Service Impersonation
  • Wait about 30 minutes or less
  • Enjoy your new password!

I couldn't figure out why this worked so well. But now I know: Many people use IMAPS (even with Gmail), and to set that up they go to "other" as many web pages suggest you do, and they input all their information and ostensibly it is secure. The following images show what you probably have:

So what happens then is you, the user of the iPhone, will connect to AT&T wifi, and when you check your mail a little popup message will appear. It will offer you the option to "Continue". If you click that very natural button, SILICA will steal your password. It's just that simple. If you have your email configured any other way, then it won't even give you that option. Instead, it fails silently and securely, without giving anyone your password.

One of the reasons companies buy SILICA is for repeatable testability. Everyone can follow that simple methodology and test all the executive team's phones. It either works or it doesn't. It took a while to figure out what was happening, but without this, I wouldn't have realized what a severe issue it was, since the phones around the office are configured securely! :)