iPhones Hijacked by Fake AT&T Wi-Fi Hot Spots
Want your passwords, identity and email stolen with that latte? That could happen if your iPhone connects to a phony Wi-Fi hot spot labeled “AT&T Wifi.” The problem: if your iPhone has ever been connected to “AT&T Wifi” (available in most Starbucks) and then later sees any other network labeled “AT&T Wifi,” the phone will automatically connect. Whoever runs that network can then steal your passwords, direct you to phony sites, or worse. You can protect yourself by turning off Wi-Fi or by turning off automatic joining. Via CNET:
A security researcher has discovered that any wireless network can pretend to be an AT&T Wi-Fi hot spot and thus lure unsuspecting iPhone users to an untrusted network connection.
Samy Kamkar, who created a worm that garnered him a million friends on MySpace overnight in 2005, said in an interview this week that he can hijack any iPhone within Wi-Fi range in what is often dubbed a “man-in-the-middle” attack because of the way the devices are configured to recognize AT&T Wi-Fi connections merely by the name “attwifi.”
Typically, an iPhone will look for a specific MAC address–the unique identifier for the router–to verify that the wireless network is a device a user agreed to join previously. However, if the iPhone has previously connected to any one of the numerous free AT&T Wi-Fi hot spots (offered at virtually every Starbucks in the U.S., for example), the device will ignore what the MAC address says and simply connect to the network if it has “AT&T Wifi” attached, Kamkar said.
“The iPhone joins the network by name with no other form of authentication,” he said.
iPhone users can protect themselves by disabling their Wi-Fi, or they can turn off the automatic joining of the AT&T Wi-Fi network, but only if the device is within range of an existing AT&T hot spot, Kamkar said.