Exploring an open WiFi detection vulnerability as a malware attack vector on iOS devices

This paper presents a vulnerability on devices running Apple iOS, and can be traced back to iOS 3. First discovered in 2009 on iOS, and again in 2011 on Mac OS X, the vulnerability exists in a feature which seeks to help the device user maintain internet connectivity when attached to open WiFi networks protected by a captive portal. Since many modern applications rely on an internet connection, to alert a user when the connection requires user input to proceed, vulnerable OSs periodically check for a connection to the Apple URL http://www.apple.com/library/test/success.html. When the response returned from the connection check is abnormal, a UIWebView instance is opened, allowing the user to accept a terms of service, or otherwise satisfy the Captive Portal or Paywall terms. This behavior allows an adversary a small window of opportunity to launch an attack, which can manifest as an ARP Poisoning Attack, DNS Poisoning Attack, or a Man-in-the-Middle Attack redirecting the requesting iOS device to a malicious location. We have confirmed this vulnerability continues to exist in both iOS 4 and iOS 5. Further we have compared both native as well as jailbroken devices, and successfully launched a BeEF hook to both with equal results. The danger of this vulnerability lies in the fact that no user intervention is requiredfor exploitation beyond initially joining the network, which is a common and generally accepted user activity.