Monday, November 29, 2010

Is iPhone identifiable on WiFi network?

Your iPhone is very "loud", disclosing not only its own identity (as an iPhone), but also your identity as well. I thought I'd list the various things it discloses.

Robert Graham's iPhone


When your iPhone connects to the wifi, it starts broadcasting a name like "Robert Graham's iPhone".

This name is created the first time you run iTunes. It takes your current account name on your computer XXX, then builds the name "XXX's iPhone" for the phone. This is often a person's full name or first name, though sometimes I see things like "Administrator's iPhone".

This name appears in many places. The first thing your phone needs is a network address, which it gets from the WiFi access-point via something called "DHCP". The owner of the access-point can pull up the "DHCP Table" at any point in order to see who is connected. They will see your iPhone in that list.

Apple also sends out your name in what's called "mDNS" packets every couple of minutes. Even though DHCP only makes your name visible at the start of the connection, mDNS will notify everyone on the local network every few minutes thereafter.

You can change this name. You can either hide your name, changing it to something like "Apollo's iPhone", or you can remove iPhone completely from the name, like naming it "Zeus". If you do that, it will be much harder figuring out whether the device is an iPhone or the owner's name. Security professionals regularly do this with our computers in order to hide our identities.

00:23:6C:a9:01:f7


Every device has a unique 6-byte number (the "MAC address") burned into the hardware, such as the example shown above displayed in hex. The first three numbers (00:23:6C in the above example) are assigned to the manufacturer.

This MAC address is contained in every packet your iPhone sends on the WiFi network. Anybody can grab the vendor portion of the address and look it up in order to find the vendor of the device. In this case, they'll get the following information:
00-23-6C   (hex)  Apple, Inc
00236C     (base 16)  Apple, Inc
    1 Infinite Loop
    Cupertino CA 95014
    UNITED STATES

This doesn't tell people whether you have an iPhone, iPad, or MacBook. All it tells them is that you have an Apple device. However, if they look around the bar or airport, and don't see anybody with an Apple notebook computer, chances are good it's an iPhone.

MAC addresses are actually assigned to the radio, not the device as a whole. The iPhone has multiple radios, and therefore multiple MAC addresses. Another radio is Bluetooth, which usually has a MAC address the same as a the WiFi, just incremented by one. Therefore, if the WiFi MAC address is "00:23:6C:a9:01:f7", then the Bluetooth MAC address will be "00:23:6C:a9:01:f8".

Therefore, people can see which Apple devices are iPhones by looking to see if they also have Bluetooth turned on. You should make sure that Bluetooth is turned off if you don't need it -- it's a security risk and it drains power.

The mobile phone radio also has a unique hardware address, but that is assigned using different standards than the MAC addresses of WiFi and Bluetooth. I'm not sure if there is a correlation between them.

If you have a jailbroken iPhone, you can change the MAC address. Open up a terminal and type the following command:
ifconfig en0 lladdr 00:11:22:33:44:55
I've used "00:11:22:33:44:55" as an example new MAC address, but you can choose anything.

User-Agent

Every time a web browser sends a web request, it includes a "user-agent" field that tells the web site what kind of device it is. That way, the server can tailor the web pages for the device. For the iPhone, this looks like:
User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1A543a Safari/419.3

Anybody eavesdropping on the local WiFi can use this information in order to figure out that your device is an iPhone.

Even if you don't open your web browser, other applications on your iPhone send invisible requests in the background. A good example is the wispr request I've blogged about before.

You can't change your User-Agent string, as far as I know.

Other apps


Every app that you use on an iPhone introduces its own security weaknesses. A lot of Twitter apps will send your password in the clear, allowing anybody eavesdropping on the network to capture it and log in as you.

Even when an application doesn't disclose your password, they usually disclose your username. If you access Facebook or Google from your iPhone, I'll get the name you use for those accounts.

Conclusion


I saw this question appear in the search terms that direct to this blog (the wispr is the #5 hit, so I thought I'd answer this.

The basic answer is that the iPhone is so noisy that it's impossible NOT to tell that your iPhone has connected to the WiFi. Every little bit, from the name to the MAC address to the User-Agent identifies it as an iPhone, or at least, an Apple product. You can change some of these, but not all of them.

On the other hand, it's quite easy to pretend to be an iPhone. You can change the MAC address of your laptop to match an Apple MAC address. You can change then name of your laptop to be "Apollo's iPhone". You can have it generate "wispr" requests. You can download an addon for Firefox that spoofs the iPhone's User-Agent string.

5 comments:

sudopeople said...

There is a way to change your user agent string on an iPhone. You must be jailbroken and have SBSettings installed.

There is an SBSettings Toggle called User Agent Faker (UAFaker) that allows you to go from the default "iPhone blah blah" to "Mozilla/Firefox" UA. That's your only option as far as I know.

Another interesting thing of note: changing your user agent will also hugely affect how pages are rendered by web servers. Typically, you'll no longer get "mobile" or "iPhone" versions of popular sites - which is actually the reason I use it occasionally; "mobile" sites often offer a lot less functionality.

xnih said...

While you mention that they can look at the DHCP Table to determine if it is an iPhone, based on the hostname, DHCP fingerprinting can also be used to identify it as a device running the iOS. You won't be able to tell if it is specifically an iPhone, iPad, or iTouch, as they all fingerprint the same, but still more accurate this way than just using the MAC as you'll pick up OS X systems in that list.

mokum von Amsterdam said...

Information I personally like best is:

11:49:28.402355 IP 10.x.x.x.x.mdns > 224.0.0.251.mdns: 0*- [0q] 15/0/0 (Cache flush) SRV mokums-iPhone.local.:22 0 0, (Cache flush) TXT "", PTR _ssh._tcp.local., PTR mokumM-bM-^@M-^Ys iPhone._ssh._tcp.local., TXT "model=Device", (Cache flush) SRV mokums-iPhone.local.:22 0 0, (Cache flush) TXT "", PTR _sftp-ssh._tcp.local., PTR mokumM-bM-^@M-^Ys iPhone._sftp-ssh._tcp.local., (Cache flush) SRV mokums-iPhone.local.:548 0 0, (Cache flush) TXT "", PTR _afpovertcp._tcp.local., PTR mokumM-bM-^@M-^Ys iPhone._afpovertcp._tcp.local., (Cache flush) A 10.x.x.x, (Cache flush) PTR mokums-iPhone.local. (432)

Just in case one likes to attempt the 'alpine' route ;)

bestsecurity said...

I’m really lucky and so glad that after surfing the web for a long time I have found out this information.

http://best-security.net/

Joel Meliks said...

I feel the lack of Information Security Training is the main cause for most of the attacks to occur. A well trained security professional will know how to defend the networks, hack the own network ethically and uncover the hidden vulnerabilities. I came across one such training in Ethical Hacking by EC-Council. I came to know about it by seeing the posting of the latest Certified Ethical Hacker (CEH) courseware launch by EC-Council mentioned in CCURE.

EC-Council has released the much awaited Version 7 of its Certified Ethical Hacker.
Check here https://eccouncil.org/cehv7.aspx

They are offering FREE CEHv7 Seats for the Launch Class

Read :CEH V7 is coming, move away QEH, CPTS, CREST, and others" Check the posting (http://www.cccure.org/)

Keep watching their tweets http://twitter.com/eccouncil