Main Nav

Posted by bhelman on March 29, 2012
I'm not one to resend articles, but I'm going to make an exception here. I was listening to yesterday's episode of Security Now and Steve Gibson mentioned this article. A lot of times, these things are serious, but not really something I'd worry about in the short-term. This one has some serious potential though. I just thought I'd pass it along to this (and the wireless) list: "An Ars[technical] story from earlier this month reported that iPhones expose the unique identifiers of recently accessed wireless routers, which generated no shortage of reader outrage. What possible justification does Apple have for building this leakage capability into its entire line of wireless products when smartphones, laptops, and tablets from competitors don't? And how is it that Google, Wigle.net, and others get away with publishing the MAC addresses of millions of wireless access devices and their precise geographic location?" Here's the link: http://arstechnica.com/apple/news/2012/03/anatomy-of-an-iphone-leak.ars Cross-posted to the wireless list as well. -Brian

Comments

Let me take a wild guess here. I vaguely recall that when the iPhone first came out it caused meltdowns on several different networks. My guess is that this behavior may be a change that Apple made to mitigate the problem (which was likely with the network itself). By the time Android came on the scene, these networks had been fixed so the mitigation wasn't needed. However the behavior was already in the iOS code base and stayed there.

Personally I don't believe this is a particularly big deal. There are much worse privacy problems around.

                        -Jeff

--
_______________________________________________________________________
Jeffrey I. Schiller
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room E17-110A
Cambridge, MA 02139-4307
617.253.0161 - Voice
_______________________________________________________________________


Posted by: jis5 on March 29, 2012

This exists in all Apple devices, not just iOS.

 

I disagree, but not because I think it’s a data security issue.  I think it’s a personal security issue.  Think about it.  You go into Starbucks and your iPhone/iPad broadcasts your home SSID.  Someone sitting there grabs that information using FireSheep and cross-references against Google or WiGLE.net .  Now they know your home address.  And they know you’re not there.

 

-Brian

 

Posted by: bhelman on March 29, 2012
Message from r-safian@northwestern.edu

 

I don’t want to get too far off track here, but, I am a little annoyed at what I view as the press presenting every computer security/privacy issue as “OMG the sky is falling…run for your lives”.  I’d really like to see a bit of moderation, and perhaps a reasonable assessment of the risk in these stories.  It’s that risk assessment piece where I think we can help.  I’ll pick a little on Brian, since he sent this out.  Do we have any indication of widespread use of this technique?  That’s important for consumers, and should be mentioned, instead of the usual FUD.  Oh, and in your Starbucks scenario, when you get to my house you’ll find George Zimmerman is watching the place…he’s got an itchy trigger finger.  Just because I am out, does not mean the place is empty.  Let’s try to feed something other than FUD to the press.

 

Posted by: listserv-anon on March 29, 2012

Roger,

 

I’m happy to be picked on in this situation.  When I sent this to my internal distribution, I said “I don’t send these out often, and when I do they are usually just ‘interesting’.  But this flaw has the potential to be abused with almost no technical knowledge.”  So, while I couldn’t classify this as Zero Day, I think do think it is worth knowing about.

 

From a technical standpoint, this is sloppy on Apple’s part.  I wouldn’t have reposted it had it not come from an extremely reliable technical site (we’re not talking about Fox News here).  Beside, “OMG the sky is falling” is what security is all about =)

 

-Brian

 

Posted by: bhelman on March 29, 2012
An interesting test to do is to see if this behavior persists beyond the DHCP lease lifetime given by the home router. I know many home routers are configured to give out leases of a day or more. From my standpoint it is reasonable for a device to attempt to see if it is still "home" if the lease is still valid. It would also be interesting to know if someone can mitigate their risk by cranking down their DHCP lease time on their home equipment...

                        -Jeff

Posted by: jis5 on March 29, 2012

That’s a good point.  Another suggestion that I may test – if you simply shut off your wireless and then re-enable it, does it flush that information?  Since we know wireless network information is retained in the configuration, I don’t have high hopes that this can be resolved so easily.

 

-Brian

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey Schiller
Sent: Thursday, March 29, 2012 11:15 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Apple wifi implementation flaw

 

An interesting test to do is to see if this behavior persists beyond the DHCP lease lifetime given by the home router. I know many home routers are configured to give out leases of a day or more. From my standpoint it is reasonable for a device to attempt to see if it is still "home" if the lease is still valid. It would also be interesting to know if someone can mitigate their risk by cranking down their DHCP lease time on their home equipment...

 

                        -Jeff

 

Posted by: bhelman on March 29, 2012
Post a Comment

Research and Publications

Conferences and Events

Career Development

Focus Areas and Initiatives

Connect and Contribute

About EDUCAUSE

Close

 


Current Issue
March/April 2013
EDUCAUSE Review

Publications

Research

Close


Annual Conference
October 15–18, 2013
Save the date!

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

See All Events

Close

EDUCAUSE Institute
Leadership/Management Programs
Explore More

Career Center

Find or Post a Job

Leadership and Management Programs

EDUCAUSE Institute
Advanced Programs
Project Management

 

Fellowships and Awards

Fellowships
Awards Programs

Getting Involved

Mentoring
Volunteer
Speak at an Event

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

Advance Your Career

 

Close

Latest Topics

EDUCAUSE organizes its efforts around three IT Focus Areas

 

Enterprise and Infrastructure

Enterprise and
Infrastructure

Policy and Security

Policy and
Security

Teaching and Learning

Teaching and
Learning

 

Join These Programs If Your Focus Is

Close

From the Blogs
The Role of Campus Leadership in Ensuring IT Accessibility
by
Diana Oblinger

Find Others

Share Ideas

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

Create Your Profile

 

Close

2013 Strategic Priorities

  • Connected Learning
  • Enterprise IT
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.
 

Discover Membership