Gents,

Here is a tiny mail dealing with the new feature of the iPhone 4 with iOS 4.3, which turns it into a wireless hotspot in order to share your 3G session through a WLAN.

We wanted to share a quick geeky and security overview of this awesome functionality. Basically, we only found one tiny vulnerability, which is related to the passphrase used to protect the wireless network. This can easily be patched by Apple (maybe before the official update on March 11).

== Security Advisory: TEHTRI-SA-2010-036 ==

Platform: iPhone 4
Operating System: iOS 4.3 (8F190)
Application: com.apple.wifi.hostapd
Impact for customers: Low (?)

Description: The new iPhone option called “Personal Hotspot” uses a passphrase to protect the WPA2 Personal wireless hotspot it creates. A WPA PSK is derived from this passphrase. While processing those functions, the iPhone writes the passphrase in clear text to the console of the device. This area is readable by all local processes through the official Apple API.

Here is the list of things written in clear text through the console:
- the Group Master Key,
- the Group Transient Key,
- the PSK,
- the passphrase.

Example of clear text keys and passwords caught from an iOS 4.3 device:

<---
Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.357484: PSK (ASCII passphrase) - hexdump_ascii(len=10):
Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 66 61 63 65 74 73 31 34 36 37 facets1467
--->

More explanations are available here:
http://blog.tehtri-security.com/2011/03/about-iphone-ios43-personal-hotspot.html

Happy update this week for lucky owners of iPhone / http://apple.com/ios

Best regards,

Laurent Oudot, CEO TEHTRI-Security
Web: http://www.tehtri-security.com
twt: @tehtris

Join us for more hacking tricks and 0days:
- Asia - April 2011 -> SyScan Singapore Conference
  Training "Advanced PHP Hacking" ( http://www.syscan.org )
- Europe - May 2011 -> HITB Amsterdam Conference
  Training "Hunting Web Attackers" ( http://conference.hitb.org )
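A defender-side check for the logging issue in the advisory above, as an added example that is not part of the original mail or of Apple's code: it flags hostapd console lines that dump key material and redacts the bytes before the log is stored or shared. The function name `scrub`, the label spellings other than "PSK (ASCII passphrase)", the inline `hexdump(len=N):` form and the 16 bytes per dump line are assumptions; the last two sample lines are constructed.

```python
import re

# Only the label "PSK (ASCII passphrase)" comes from the advisory's sample;
# the other label spellings are assumptions for the keys it lists.
SENSITIVE = re.compile(r"PSK|passphrase|GMK|GTK|Group (Master|Transient) Key", re.I)
PROC = r"com\.apple\.wifi\.hostapd\[\d+\]\s*:\s*"
# "<timestamp>: <label> - hexdump_ascii(len=N):" header, as in the sample.
HEADER = re.compile(PROC + r"[\d.]+:\s*(?P<label>.+?)\s+-\s+"
                    r"hexdump(?:_ascii)?\(len=(?P<len>\d+)\):(?P<rest>.*)$")
# Continuation line: hex bytes, then an optional ASCII column.
CONT = re.compile(r"(" + PROC + r")(?:[0-9a-fA-F]{2}(?:\s+|$))+.*$")

# First two lines are the advisory's sample; the last two are constructed.
SAMPLE = [
    "Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : 1299338601.357484: "
    "PSK (ASCII passphrase) - hexdump_ascii(len=10):",
    "Mar 5 01:23:24 unknown com.apple.wifi.hostapd[79] : "
    "66 61 63 65 74 73 31 34 36 37 facets1467",
    "Mar 5 01:23:25 unknown com.apple.wifi.hostapd[79] : 1299338602.000000: "
    "GMK - hexdump(len=4): de ad be ef",
    "Mar 5 01:23:26 unknown com.apple.wifi.hostapd[79] : 1299338603.000000: "
    "station associated",
]

def scrub(lines):
    """Return (sanitized_lines, findings); a finding is (line_no, label, length)."""
    out, findings, pending = [], [], 0
    for no, line in enumerate(lines, 1):
        head = HEADER.search(line)
        cont = CONT.search(line) if pending else None
        if head and SENSITIVE.search(head["label"]):
            findings.append((no, head["label"], int(head["len"])))
            pending = int(head["len"])       # secret bytes still expected
            if head["rest"].strip():         # bytes dumped on the header line
                line, pending = line[:head.start("rest")] + " [REMOVED]", 0
        elif cont:
            line = line[:cont.end(1)] + "[REMOVED]"
            pending = max(0, pending - 16)   # assumed 16 bytes per dump line
        else:
            pending = 0
        out.append(line)
    return out, findings

if __name__ == "__main__":
    clean, hits = scrub(SAMPLE)
    print("\n".join(clean))
    for no, label, length in hits:
        print(f"line {no}: {label} ({length} bytes) was logged in clear text")
```

A non-empty findings list means the passphrase or a derived key reached the console and should be treated as exposed to every local process that can read it.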