Apple's iOS 8 fixes enterprise Wi-Fi authentication hijacking issue

A weakness in Apple's Wi-Fi implementation could give hackers access to enterprise wireless networks, researchers said

Apple's iOS 8 addresses a serious weakness that could allow attackers to hijack the wireless network authentication of Apple devices and gain access to enterprise networks.

"An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods," Apple said in its security advisory for iOS 8.

The vulnerability stems from Apple's implementation of the WPA2-Enterprise security protocol that's widely used on corporate wireless networks because it allows clients to have unique access credentials instead of using a preshared password like in the case of WPA2-Personal, the wireless security protocol used on home networks.

WPA2-Enterprise supports multiple authentication schemes, the most common being PEAP (Protected Extensible Authentication Protocol), which combines the Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAPv2) with the TLS (Transport Layer Security) encryption protocol.

At the Defcon hacking conference in 2012, security researcher Moxie Marlinspike launched a cloud-based service for cracking captured MS-CHAPv2 handshakes in under a day, raising security concerns for virtual private networks that use the PPTP (Point-to-Point Tunneling Protocol) and wireless networks that use WPA2-Enterprise.

The Wi-Fi Alliance and other wireless network experts responded at the time that despite MS-CHAPv2's weakness to brute force attacks, wireless networks using WPA2-Enterprise with PEAP authentication are not at risk because capturing MS-CHAPv2 handshakes from such networks would first require breaking the TLS encryption.

However, researchers from the University of Hasselt (UHasselt) in Belgium found that Apple devices running iOS and Mac OS X also support an older and insecure WPA2-Enterprise authentication method called LEAP (Lightweight Extensible Authentication Protocol) that doesn't use TLS and relies on MS-CHAPv1. According to them, this exposes Apple devices to a dumb-down authentication hijacking attack even if the wireless network is configured to use PEAP.

In a research paper presented in July at the 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks, the UHasselt researchers explained that MS-CHAPv2 server-to-client challenges can easily be converted into MS-CHAPv1 challenges. Similarly, MS-CHAPv1 challenge responses can be converted to MS-CHAPv2 responses.

An attacker could set up a rogue wireless network with the same name (SSID) as the real enterprise network they wish to target, but requiring LEAP authentication instead of PEAP. When two wireless networks have the same SSID, devices will automatically attempt to connect to the network that has a stronger signal, a behavior that attackers can exploit in a so-called evil twin attack.

When an Apple device attempts to connect to the attacker's access point, the attacker can initiate a connection to the real access point using a separate wireless client. He can then take the PEAP MS-CHAPv2 challenge issued by the legitimate access point, convert it to a LEAP MS-CHAPv1 challenge and relay it to the Apple device through the rogue access point.

The Apple device will use its stored authentication credentials to generate a valid MS-CHAPv1 response and send it back to the rogue access point. The attacker can capture this response, convert it into MS-CHAPv2 and use it to authenticate on the real access point.

The attacker essentially hijacks the identity of the Apple device and gains access to the corporate network without having a valid user name and password, the UHasselt researchers said in a separate document with answers to frequently asked questions.

Upgrading to iOS 8 will fix the problem for iPhones, iPads and iPods that support the new OS version, but Mac OS X devices are also vulnerable to this attack. The researchers tested the attack successfully on Mac OS X 10.8.2, but believe all current versions of Mac OS X are affected because they share the same wireless implementation as iOS.

The research paper describes several possible mitigations, including the use of different TLS-based WPA2-Enterprise authentication methods that also require the validation of client-side certificates -- for example EAP-TLS. This would prevent the attacker from impersonating a client, but would require separate TLS certificates for all authorized devices to be installed on the access point. Another solution would be to use a wireless intrusion prevention system to scan for LEAP requests, which would indicate the presence of a rogue access point.
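The intrusion-prevention check described above can be sketched as follows. This is an added example, not code from the research paper or from Apple. It assumes a sensor has already extracted EAPOL payloads from captured 802.11 frames and that the corporate SSID is expected to offer only PEAP; the function names, SSID and BSSIDs are hypothetical.

```python
import struct

# EAP method numbers as assigned in the IANA EAP registry.
EAP_TYPES = {1: "Identity", 2: "Notification", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP"}
EAP_REQUEST = 1       # EAP code: Request (authenticator to client)
EAPOL_EAP_PACKET = 0  # EAPOL packet type that carries an EAP message

def parse_eapol(frame: bytes):
    """Return (eap_code, eap_type) for a well-formed EAPOL EAP-Packet, else None."""
    if len(frame) < 4:
        return None
    _version, pkt_type, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if pkt_type != EAPOL_EAP_PACKET or len(body) != body_len or body_len < 5:
        return None  # not EAP, truncated, or no method byte (Success/Failure)
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 5 <= eap_len <= body_len:
        return None
    return code, body[4]

def find_unexpected_offers(observations, allowed=("PEAP",)):
    """Flag access points whose EAP-Request names a method outside policy.

    observations: iterable of (ssid, bssid, eapol_bytes) seen by a sensor.
    """
    alerts = []
    for ssid, bssid, frame in observations:
        parsed = parse_eapol(frame)
        if parsed is None or parsed[0] != EAP_REQUEST or parsed[1] in (1, 2):
            continue  # only method requests from the AP side are of interest
        method = EAP_TYPES.get(parsed[1], f"type-{parsed[1]}")
        if method not in allowed:
            alerts.append((ssid, bssid, method))
    return alerts

def _eapol(code, ident, eap_type, data=b""):
    """Build a constructed EAPOL frame for the sample data below."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap

# Constructed sample: the SSID, BSSIDs and payload bytes are made up.
SAMPLE = [
    ("CorpNet", "02:00:00:aa:aa:01", _eapol(1, 1, 1)),            # Identity request
    ("CorpNet", "02:00:00:aa:aa:01", _eapol(1, 2, 25, b"\x20")),  # PEAP request
    ("CorpNet", "02:00:00:bb:bb:02", _eapol(1, 2, 17, bytes(11))),  # LEAP request
    ("CorpNet", "02:00:00:bb:bb:02", _eapol(2, 2, 17, bytes(24))),  # client response
]

if __name__ == "__main__":
    for alert in find_unexpected_offers(SAMPLE):
        print("ALERT: unexpected EAP method offered:", alert)
```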

Lucian Constantin

IDG News Service