Your Mac, iPhone or iPad may have left the Apple store with a serious security risk

[SilentPanda]

http://www.troyhunt.com/2013/04/your-mac-iphone-or-ipad-may-have-left.html

Please note: This isn't a flaw in Apple devices. This would happen with any device treated this way. It's only common in Apple devices when demoed at the store before leaving.

In short, if you buy a device at an Apple store and they set it up/demo it for you before you leave, they often connect it to their internal wi-fi which has no password. Later, if you're roaming the streets, if you happen upon an access point named "Apple Demo" your iOS device or computer (please don't wander around with a Mac Pro!) will just connect to it since it's connected before even though it was a different point.

The article gives ways to fix the issue should your device have the issue.

 

[maflynn]

Excuse my ignorance but how is this a security risk when people use public wifi all that time?

 

[SilentPanda]

Excuse my ignorance but how is this a security risk when people use public wifi all that time?

Well that's a security risk too. People shouldn't do that either. The difference with this one, especially on iOS devices is that since you can't view stored network connections, I could set up a wi-fi "hacker network" next to a coffee shop called "Apple Demo". Your phone might connect to it while in your pocket even if you've denied it to connect to the coffee shop.

I could also drive by your house with a laptop and while your Mac is connected to your homes secure wi-fi, I could potentially change the connection to the laptop in my car without you knowing since it's already accepted "Apple Demo" as a trusted wi-fi spot.

Most security risks are situational and won't cause most of us trouble, but I figured this was worth noting even if it helps one of the users of the site.

 

[FreakinEurekan]

Apple fixed this issue in iOS6 and Mountain Lion so that "common name" SSIDs won't auto-join another network of the same name unless the BSSID (the specific access point ID) is the same.

http://support.apple.com/kb/HT4450

 

[SilentPanda]

Apple fixed this issue in iOS6 and Mountain Lion so that "common name" SSIDs won't auto-join another network of the same name unless the BSSID (the specific access point ID) is the same.

http://support.apple.com/kb/HT4450

That's nice to know! Unfortunately that might help, it might not. I didn't see a list of SSIDs so there's no way I know of to tell what's on the list. I wouldn't say it's fixed, just fixed under certain circumstances.

 

[Nermal]

That's nice to know! Unfortunately that might help, it might not. I didn't see a list of SSIDs so there's no way I know of to tell what's on the list. I wouldn't say it's fixed, just fixed under certain circumstances.

Right, it's not fully fixed, especially with a device like the Pineapple which will grab any network name whether it's a common one or something completely random. A list of "bad" names is irrelevant in that case.