General Is there a Serious Bug with Personal Hotspot?

[Cleverboy]

EDIT: DISREGARD this post. I believe my friend misunderstood a standard iOS 8/9 feature, and it looked odd enough to me that the feature I was aware of changed slightly. It's likely human error that exposed the hot spot, or at worst someone was a victim of being hacked (less likely.) I appreciate the feedback.

------------------------------

FIRST, let me make the caveat that this issue MAY NOT APPLY to everyone, and may be isolated to a set of specific conditions, but maybe whoever reads this can test it themselves to see if they can reproduce it in situations unlike mine (a carrier other than T-Mobile, and perhaps BETWEEN devices that aren't related, and have never been exposed to one another in any capacity... in particular devices that are not on the same iTunes or Home Sharing set-up or any related iCloud keychain settings.)

I have yet to do broader testing.

A friend just called me up last night, and in the midst of complaining about random issues with iOS, he dropped a pretty massive bomb. After putting his family on T-Mobile's JUMP! Upgrade program, his son returned from school having expended over 9GB of data during the course of the day.

Needless to say, he was shocked. On investigating the program, he found that the data was all being consumed by the "Personal Hotspot" feature (under Settings > Cellular > System Services > Personal Hotspot, it consumed the majority of the 9GB of used data.)

This screenshot is from the same area on MY phone, not his son's.

He had checked previously, but checked again and confirmed...
PERSONAL HOTSPOT - OFF

How could the Hotspot be consuming data if the service was explicitly shut off?

Then he saw it. When going into the "Settings > Wi-Fi..." on a SEPARATE iOS device, there it was. He could clearly see his son's phone being offered as a Personal Hotspot. Yet, the service was turned off. If he SELECTED that Hotspot with his other device, he connected and was able to use that Hotspot, even without entering a password (the password simply was not requested, even though it had been set BEFORE the setting was shut off.)

I thought there must have been a mistake. So, I tried it myself. I shut off the Personal Hotspot feature on BOTH my iPad and my iPhone, and then with the iPad's Cellular data turned off... I went into the Settings > Wi-Fi and waited. Sure enough, my iPhone appeared in the list of devices. I even tapped to "FORGET" the device, and it still showed up.

Odd, right? Worse, when I tapped it, three VERY DISTURBING things happened.

#1. The iPad connected to the Phone's Hotspot without asking for a password (set in the hotspot settings earlier before turning it off, and cleared from the iPad's memory).
#2. The normal BLUE indicator showing that a device (my iPad) has connected to MY "Personal Hotspot" service... activated.
#3.) The "Personal Hotspot" feature turns itself on.

After disconnecting, the Personal Hotspot turned itself back-off.

The main reason this is troublesome is that my Mac running OS X Yosemite respects the password without any trouble. But, iOS devices themselves don't seem to be adhering to that.

Is this a convenience feature or a serious bug?

My friend was VERY clear his son DID NOT enable the feature. And it was off when he checked it. He complained T-Mobile, and they insisted that his son must have given other kids the password... or something. But, nothing about these explanations made sense, except what we were able to see and test ourselves in albeit limited fashion.

Any thoughts? This issue appears to fit the profile of something that could fly right under the radar and not be caught. His whole family has updated to 9.0.1 and the behavior still occurred.

I'll likely test this with a few co-workers on different networks and accounts today.

 

[Cleverboy]

I noticed someone else (junkie999) posted something VERY similar (saw this in "similar threads" after posting). I'd searched earlier but hadn't found anything.

My friend was ONLY able to resolve it to his satisfaction by DISABLING "Bluetooth", which seemed an over-reaction to me at first, but then I couldn't disprove this as the only solution after attempting to understand why this was happening.

 

[Zimmy68]

What you are talking about is called Instant Hotspot and is designed to work exactly like you explained it.
It is a fantastic feature and there is nothing wrong with it.
It makes those of us with non cellular iPads very happy.
Instant Hotspot will only work if both devices are on bluetooth and the same iCloud account.
If personal hotspot is set to on (it doesn't need to be), you still need to know the wifi password.

I think this is a case of the son eating up the data and coming up with excuses.
If this was a common occurrence, it would be all over the news.

I think ole Dad needs to manage his son's data better.

 

[Cleverboy]

It makes those of us with non cellular iPads very happy. Instant Hotspot will only work if both devices are on bluetooth and the same iCloud account. If personal hotspot is set to on (it doesn't need to be), you still need to know the wifi password.

I love this feature too, but the last part of what you say doesn't appear to be true. His sons iPhone is completely new, and no password is being asked for at any time. I'm checking to verify whether there is a separate iCloud account and/or any family share relationship setup. Basically, I'm trying to determine whether there is a slip in handling here that creeped into a build.

I think this is a case of the son eating up the data and coming up with excuses.
If this was a common occurrence, it would be all over the news.

Not if it's an edge case. Possibly dealing with some of the new Wifi assist, multiple device calling, and related features. Moreover, if it is an issue, it's one that AFFECTS people while it requires a little savvy to identify where a potential break in security is.

I linked the related thread above, but I've yet to thoroughly read the person describing a similar problem where his data ballooned unexpected.

Worth a little due diligence here, I think.

 

[Phil A.]

The only reason I can think for this is a shared iCloud account logged in to both devices
I used the personal hotspot on my wife's phone at the weekend and I had to enter the password whereas with my phone I don't have to from another of my devices
My experience is it's working exactly as it should be

 

[Cleverboy]

Reading junkie999's post, my take away was that if there IS an issue, it may not have been what he thought it was.

In a school environment, it's possible other people will connect to your hotspot with other iOS devices by accident (if they in fact show up even with Personal Hotspot is turned off).

In office environments and random workplaces it's far less likely because people are more aware of it being a bad idea to use Internet provided by an unknown hotspot. Even if, or especially if that Internet seems free.

The challenge is that testing would need to:
1.) Involve two or more iOS devices
2.) With no shared accounts or relationships
3.) With Bluetooth and Wifi turned ON
4.) With Personal Hotspot set with a password but turned OFF
5.) On a carrier that allows Personal Hotspot

The question would then be, can the device with Wifi shut off, connect to the other device's Hotspot without entering a password.

That's the raw factors as I see them.

 

[Cleverboy]

Thanks, Phil.

 

[Zimmy68]

For Instant Hotspot to work, both phones would have to be signed onto the same iCloud account, which is easy to check.
And even brand new phones have wifi passwords already set up so if you turned it on accidentally, no one is going to be able to jump on.
All this is fairly easy to check, if you are able to go over there, make sure you are not on his wifi, see if you see his son's phone on your WiFi page.
Another unique thing about instant Hotspot, the phone shows up separate then the wifi SSID list.

WiFi assist is probably the culprit now that I read everything. I would make sure that is turned off.
You are going to see Apple switch that to off by default in the next update, guaranteed.

 

[Cleverboy]

WiFi assist is probably the culprit now that I read everything. I would make sure that is turned off. You are going to see Apple switch that to off by default in the next update, guaranteed.

Wifi Assist is definitely getting some scrutiny right now. If anyone also leaves Facebook or Youtube to auto-play videos on cellular, that might be problematic if they think they're on Wifi when they're not (though, in order to assign the data to the Personal Hotspot system service, it would need another layer of "whoops" somewhere.)

I'm reluctant to break all my linkages and configs just to test for him, but I'll likely check to see what happens when I disable my iCloud account on a device that I disconnect from cellular... THEN, "reset" my Network Settings so that after the device (my iPad) boots, it shouldn't know much about anything. Then see whether it can connect via the Bluetooth "Keep Alive" indicator when Personal Hotspot is turned off.

It's just such a pain in the butt to test that though...

 

[Cleverboy]

Part of the concern I have here is that "schools" are usually where Apple finds out about all sorts of terrible Wi-Fi specific problems, and the whole interrelationship of WI-FI - BLUETOOTH - CELLULAR is a funny one.

Like, when you connect to a Personal Hotspot on a device that is already on Wi-Fi, its not going to let you use that Wi-Fi, as the Hotspot is only approved for Internet from the cellular radio, so certain things happen automatically.

Recently, iOS 9 added the ability to do "Wi-Fi calling" from a DIFFERENT device other than your phone, where previously having Wi-Fi calling turned ON meant you could not receive calls on your iPad (in iOS 8, you either DID use Wi-Fi calling and couldn't receive calls on other iOS devices, or you DID NOT use Wi-Fi calling, and could receive calls on other iOS devices.)

But, I went and approved my iPad to make and receive calls through my iPhone even with Wi-Fi calling turned on. Apparently this needs to be approved by the cellular carrier, so I'm curious about the potential for unintended consequences with these increasingly complicated wireless radio mode-specific policy-driven relationships. Especially when exposed to a lot of wireless traffic.

We've seen "race conditions" where in certain situations things may not happen fast enough and a security hole is formed.

Speculation, but this would be the area for scrutiny. The risk is there.

 

[scaredpoet]

But, I went and approved my iPad to make and receive calls through my iPhone even with Wi-Fi calling turned on. Apparently this needs to be approved by the cellular carrier, so I'm curious about the potential for unintended consequences with these increasingly complicated wireless radio mode-specific policy-driven relationships. Especially when exposed to a lot of wireless traffic.

So there's a lot of jargon in this statement, but not a lot of meat. What unintended consequences are you concerned about? And what exactly constitutes "a lot of wireless traffic" when iOS devices almost exclusively communicate wirelessly?

I also was unable to replicate your problem with Mobile hotspot. When my devices have it turned off, the only devices that still show it are ones authenticated with my iCloud account. If I use someone else's iOS device, it doesn't show at all.

This is intended behavior, and well described and documented by Apple. WiFi calling is similarly associated.

Bottom line is, your friend's son isn't telling the whole story. He either got shoulder-surfed by another student at school, or he explicitly gave other students his iCloud username and password, probably to share apps or media, and lo and behold, those kids discovered they could also use up his cell data.

By the way: this also means there could be a bigger problem looming: Those other kids could also be able to make purchases on your friend's iCloud account, and credit card.

Your friend (and you) can lock that down right away, by changing the account password, and by turning on two-step verification. Though, if the kid's device is authorized as a two-step token, he'll still be able to give out his account details to other kids and the situation will continue. Don't let his/her device be authorized for two-step verification, and make sur eh knows he shouldn't be sharing his account details.

He should also turn on parental controls to lock things down appropriately.

Speculation, but this would be the area for scrutiny. The risk is there.

Speculation without proof does not in itself indicate risk. It's certainly a possibility, but we haven't seen what you described yet. Again, the most likely situation here is your friend's son gave out his iCloud account to his friends. Unfortunately when the user does dumb things, there's not a lot Apple or anyone can do to stop that.

 

[Cleverboy]

So there's a lot of jargon in this statement, but not a lot of meat. What unintended consequences are you concerned about? And what exactly constitutes "a lot of wireless traffic" when iOS devices almost exclusively communicate wirelessly?

In areas where there are an enormous amount of Wi-Fi connected devices (and Apple devices in particular) there have just been numerous stories of unexpected bugs and problems in the OS software.

http://serverfault.com/questions/113607/questions-about-overlapping-wifi-access-points

http://www.networkcomputing.com/wir...your-airplay-wireless-protocol/a/d-id/1233780

I've seen odd behaviors from my devices when eating at the mall or waiting in the airport for a flight.

There is a well documented issue with Windows and its "Free Public Wifi" feature that went rogue and became something of a self-generating problem, simply as a function of how collections of devices interacted with each other. So... that's the CONTEXT. "Issues that arise out of a lot of wireless traffic".
https://www.techdirt.com/blog/wirel...-public-wifi-you-always-see-at-airports.shtml

The "meat" is what I've been trying to check on. There may be none, but it might just be an overabundance of caution that doesn't pan out (stemming from all the features I mentioned.) For example, the recent issue with the iOS 9 lock screen and how you can again by-pass it and access contacts and photos. Also, there is an issue with doing app updates, where hitting the "Update" button, sometimes runs through the installation before it again shows an "Update" button for a moment before changing to "Open". This is what I think of as a "race condition", where the hope is that one task finishes before user actions are taken and other tasks complete... but if you see your app finish installing, and go to tap the "Open" only to find you've hit the reappearing "Update" button, you actually have to wait for a RE-INSTALL of the app. Which amounts to a rough edge in the UI. So... there are quirks that can sometimes cause deeper issues.

Wifi has been quirky. Personal Hotspots have been quirky. So, I was just giving my friend the benefit of the doubt that there may have been an unknown issue around authenticated Hotspot connections. I ran him through a brief spate of questions, but a few things did not match some of my previous observations on how the features worked.

I also was unable to replicate your problem with Mobile hotspot. When my devices have it turned off, the only devices that still show it are ones authenticated with my iCloud account. If I use someone else's iOS device, it doesn't show at all.

Thank you. I attempted to sign-out of iCloud, but its affectively put my iPad in a deletion coma.

He should also turn on parental controls to lock things down appropriately.

Agreed.

Speculation without proof does not in itself indicate risk. It's certainly a possibility, but we haven't seen what you described yet.

True. My problem is that initial attempts to de-couple my iPad from automatically connecting to my own iPhone's Personal Hotspot where unsuccessful short of signing out of iCloud and disconnecting and removing any associated media connected to it.

Again, the most likely situation here is your friend's son gave out his iCloud account to his friends. Unfortunately when the user does dumb things, there's not a lot Apple or anyone can do to stop that.

I'm still reluctant to pierce that veil of blame, but I definitely recommended he lock down that whole situation if he insists he's being leveled with. He is a very proud father, so while T-Mobile told him his son may have lost control of information, he felt assured it wasn't so. Best to just deal with the solution at this point I think.

The one thing I'm still wondering (and I'll probably just dig into this later today), is whether there is an unknown Personal Hotspot exploit out there, or (like the iCloud entry point Apple left exposed that allowed hackers to make unlimited password checks against any account), whether there is a way for people to hack into iOS hotspots in a way that involves Bluetooth to "wake up" or ping a sleeping Hotspot in order for it to be hacked for access.

I just Googled this. It sounds like this isn't really farfetched at ALL.

https://threatpost.com/crack-ios-mobile-hotspot-passwords-in-less-than-a-minute/101020/
http://www.cultofmac.com/232491/app...ords-in-ios-can-be-cracked-in-under-a-minute/

Not sure if its been addressed, or whether there is a way to detect this type of intrusion. But, occam's razor suggests I pretend I didn't read this and just continue to recommend he lock his son's phone down. But, I will say that keeping Bluetooth off as well would provide an extra layer of insurance that his hotspot isn't somehow woken up by someone who knows just enough to be dangerous.

 

[Cleverboy]

Ok. I think I found what I was looking for given that hacking is a thing, and often happens in high schools especially as a way to pass time, exert power and cause chaos. That said, knowing these things are apparently happening I think I've put together my additional recommendations for my friend. And this thread has been helpful in making me do a little research to confirm iOS isn't invulnerable to having hotspots hacked (even when Personal Hotspot is shut off, its not a reason to relax.)

First, iOS "hardening" checklist:
https://wikis.utexas.edu/display/ISO/Apple+iOS+Hardening+Checklist
The surface area for someone having their hotspot hacked is Bluetooth, Wifi and Personal Hotspot when you're not using them, turn them off, because you have the potential for being hacked.

Next, due to the ability to run brute force attacks on your access password, its recommended that users CHANGE the password from the default personal hotspot password that Apple gives you, as those are relatively easy to predict.
https://discussions.apple.com/thread/6816681?start=0&tstart=0

Additionally, the default SSID of your Hotspot is the name of the device, which is often "<Users>'s iPhone" should probably be changed by renaming the device in the About section to something harder to guess.

All that of course, after a wag of the finger if he hasn't given his son a separate iCloud account and locked down some of the features on school days.

 

[Cleverboy]

The good news, is that it seems doubtful that it was a bug. If it wasn't something simpler (like indiscretion,) more likely that his son was just hacked in some way. 9GB in a day sounds like someone was actually being particularly malicious about it too.

 

[Cleverboy]

Just FYI for anyone interested. This is a somewhat irksome and depressing video to watch, but the advice is solid.
The one thing I haven't been able to find, is whether and HOW iOS Bluetooth support can be hacked to cause the Personal Hotspot to temporarily enable itself. But, once its enabled it would seem any persistent connection is enough to keep it open until such connections have stopped.

http://www.howtoresolved.com/public/index.php/tube/3pcQPTZ2L0A/iphone-personal-hotspot-wifi-hacked

Oh, well. Security, security.

 

[I7guy]

Just FYI for anyone interested. This is a somewhat irksome and depressing video to watch, but the advice is solid.
The one thing I haven't been able to find, is whether and HOW iOS Bluetooth support can be hacked to cause the Personal Hotspot to temporarily enable itself. But, once its enabled it would seem any persistent connection is enough to keep it open until such connections have stopped.

http://www.howtoresolved.com/public/index.php/tube/3pcQPTZ2L0A/iphone-personal-hotspot-wifi-hacked

Oh, well. Security, security.

Am I missing something? Does the video apply to iOS 9 or just iOS 7 on the iPhone 4?

 

[Cleverboy]

Am I missing something? Does the video apply to iOS 9 or just iOS 7 on the iPhone 4?

Maybe that I'm just noting the video for interest and not trying to show the latest exploit currently running. Wifi brute force hacking is a thing that doesn't look like its gone away (though Apple has now strengthened the weaker default iOS 8 hotspot password,) and the latest Bluetooth hack for iOS9 can be Googled.

Again, this isn't to draw a map, but to give an example why it appears that users need to take proactive measures to limit their exposure to these things. Honestly, I've been leaving all my services on all the time and not giving it a second thought. I think I need to reconsider that stance.

The Apple discussion thread I posted earlier is from February this year. It sounds like its just good advice overall. But, naturally no one should follow it if they just don't see anything happening to them. I'm just looking at the situation I mentioned and giving my friend some options.

 

[I7guy]

Maybe that I'm just noting the video for interest and not trying to show the latest exploit currently running. Wifi brute force hacking is a thing that doesn't look like its gone away (though Apple has now strengthened the weaker default iOS 8 hotspot password,) and the latest Bluetooth hack for iOS9 can be Googled.

Again, this isn't to draw a map, but to give an example why it appears that users need to take proactive measures to limit their exposure to these things. Honestly, I've been leaving all my services on all the time and not giving it a second thought. I think I need to reconsider that stance.

The Apple discussion thread I posted earlier is from February this year. It sounds like its just good advice overall. But, naturally no one should follow it if they just don't see anything happening to them. I'm just looking at the situation I mentioned and giving my friend some options.

ios 9 seems to fix some security issues. Especially the iOS 8 Bluetooth hack, which I was unaware of before you brought it to public attention. Couldn't find anything about personal hotspot other than to change the password.

 

[Cleverboy]

ios 9 seems to fix some security issues. Especially the iOS 8 Bluetooth hack, which I was unaware of before you brought it to public attention. Couldn't find anything about personal hotspot other than to change the password.

Apple does a great job keeping up. Talking to relatives that are teachers or have kids in school I never realized how troublesome AirDrop was when not properly closed off for that type of environment.

Kids who are allowed to leave their Personal Hotspot on (which apparently wasn't the case here) are also vulnerable if their hotspot password is left the same and not made harder (which iOS 9 apparently has started doing for new users, though experts are recommending people make it stronger.) This discussion, aside from the initial detour, has given me a little more to think about when talking to friends & family with kids.

More than using Apple's tools, I think parents probably need to preach a "less is more" attitude when it comes to leaving wireless features operating at all times. I remember the first and only time my computer was ever hacked, it was by some teenager running AOLHell, back in the day. I let down my guard for a moment, and later I caught him using the initial account that had sent me the infected email. He was still online and extremely smug and talkative.

Left me with the conclusion that while there doesn't seem to have been a BUG here, there is only so much operating system vendors can do to shield us from determined attacks that prey on our comfort levels. I'm pretty sure iOS has open exploits we don't know about, and threats that seem less than likely. Always good to take a little extra precaution.