Apple's iOS 8 fixes enterprise Wi-Fi authentication hijacking issue

A weakness in Apple's Wi-Fi implementation could give hackers access to enterprise wireless networks, researchers said

Apple's iOS 8 addresses a serious weakness that could allow attackers to hijack the wireless network authentication of Apple devices and gain access to enterprise networks.

"An attacker could have impersonated a WiFi access point, offered to authenticate with LEAP, broken the MS-CHAPv1 hash, and used the derived credentials to authenticate to the intended access point even if that access point supported stronger authentication methods," Apple said in its security advisory for iOS 8.

The vulnerability stems from Apple's implementation of the WPA2-Enterprise security protocol that's widely used on corporate wireless networks because it allows clients to have unique access credentials instead of using a preshared password like in the case of WPA2-Personal, the wireless security protocol used on home networks.

WPA2-Enterprise supports multiple authentication schemes, with the most common being the PEAP (Protected Extensible Authentication Protocol), which combines the Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAPv2) with the TLS (Transport Layer Security) encryption protocol.

At the Defcon hacking conference in 2012, security researcher Moxie Marlinspike launched a cloud-based service for cracking captured MS-CHAPv2 handshakes in under a day, raising security concerns for virtual private networks that use the PPTP (Point-to-Point Tunneling Protocol) and wireless networks that use WPA2-Enterprise.

The Wi-Fi Alliance and other wireless network experts responded at the time that despite MS-CHAPv2's weakness to brute force attacks, wireless networks using WPA2-Enterprise with PEAP authentication are not at risk because capturing MS-CHAPv2 handshakes from such networks would first require breaking the TLS encryption.

However, researchers from the University of Hasselt (UHasselt) in Belgium found that Apple devices running iOS and Mac OS X also support an older and insecure WPA2-Enterprise authentication method called LEAP (Lightweight Extensible Authentication Protocol) that doesn't use TLS and relies on MS-CHAPv1. According to them, this exposes Apple devices to a dumb-down authentication hijacking attack even if the wireless network is configured to use PEAP.

In a research paper presented in July at the 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks, the UHasselt researchers explained that MS-CHAPv2 server-to-client challenges can easily be converted into MS-CHAPv1 challenges. Similarly, MS-CHAPv1 challenge responses can be converted to MSCHAPv2 responses.

An attacker could set up a rogue wireless network with the same name (SSID) as the real enterprise network they wish to target, but requiring LEAP authentication instead of PEAP. When two wireless networks have the same SSID, devices will automatically attempt to connect to the network that has a stronger signal, a behavior that attackers can exploit in a so-called evil twin attack.

Read more: iPhone 6 buyers must be wary of new security exposure: ThreatMetrix

When an Apple device attempts to connect to the attacker's access point, the attacker can initiate a connection to the real access point using a separate wireless client. He can then take the PEAP MS-CHAPv2 challenge issued by the legitimate access point, convert it to a LEAP MS-CHAPv1 challenge and relay it to the Apple device through the rogue access point.

The Apple device will use its stored authentication credentials to generate a valid MS-CHAPv1 response and send it back to the rogue access point. The attacker can capture this response, convert it into MS-CHAPv2 and use it to authenticate on the real access point.

The attacker essentially hijacks the identity of the Apple device and gains access to the corporate network without having a valid user name and password, the UHasselt researchers said in a separate document with answers to frequently asked questions.

Upgrading to iOS 8 will fix the problem for iPhones, iPads and iPods that support the new OS version, but Mac OS X devices are also vulnerable to this attack. The researchers tested the attack successfully on Mac OS X 10.8.2, but believe all current versions of Max OS X are affected because they share the same wireless implementation as iOS.

The research paper describes several possible mitigations, including the use of different TLS-based WPA2-Enterprise authentication methods that also require the validation of client-side certificates -- for example EAP-TLS. This would prevent the attacker from impersonating a client, but would require separate TLS certificates for all authorized devices to be installed on the access point. Another solution would be to use a wireless intrusion prevention system to scan for LEAP requests, which would indicate the presence of a rogue access point.

Join the Good Gear Guide newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags patchesApplesecurityAccess control and authenticationencryptionUniversity of HasseltExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?