# Exploit Title: iOS 8 devices may auto-associate with untrusted access points with a downgraded security type
# Date: 06-30-2015
# Exploit Author: BrianWGray
# Contact: https://twitter.com/BrianWGray
# WebPage: https://CTRLu.net/
# Vendor Homepage: https://www.apple.com/
# Vendor Advisory: https://support.apple.com/en-us/HT204941
# Software Link: https://support.apple.com/downloads/ios
# Version: iOS 8.0 - 8.4
# Recommended to update to Version 8.4 or above
# Tested on: iOS 8 Beta 5 (12A4345d)
# CVE : CVE-2015-3728
# APPLE : APPLE-SA-2015-06-30-1

iOS 8 devices may auto-associate with untrusted access points with a downgraded security type

1. Description

The WiFi Connectivity feature in Apple iOS before 8.4 allows remote Wi-Fi access points to trigger an automatic association, with an arbitrary security type, by operating with a recognized ESSID within an 802.11 network's coverage area. An insufficient comparison issue existed in WiFi manager's evaluation of known access point advertisements. This issue was addressed through improved matching of security parameters.
Note: Impact is to WPA/WPA2, Enterprise authentication does not appear to be affected.

2. Impact

iOS devices may auto-associate with untrusted access points advertising a known ESSID but with a downgraded security type.
If an WPA/WPA2 ESSID is configured for automatic association the device will automatically join an Open ESSID of the same name.

3. Solution:

The vendor has issued a fix (8.4).

The vendor's advisory is available at:
https://support.apple.com/kb/HT204941

4. Timeline:

* Bug report filed with apple 09-09-2014
* Vendor advisory released 06-30-2015

Menu