Comment Re:Wait, what? Even in offline mode? (Score 2) 117
More or less, if an attacker knows your home WiFi SSID or can make a lucky guess about what other SSIDs your device might already recognize (e.g. ones that your device was programmed to know out of the box [e.g. attwifi, for 34% of users]), they can name their malicious network in such a way as to possibly get you to automatically connect to it as a recognized network.
Hmm...
There's nothing particularly novel about that attack, and contrary to their verbiage, it doesn't force anyone to join a network,
34% of users can't tell their iPhones not to connect to a hotspot named attwifi. That sounds like the ability to force connection to a WiFi network to me.
... nor can it even easily be used in conjunction with this attack for the vast majority of users.
I'll grant you that, 66% is the vast majority. However
Is it a potential problem? Absolutely, but only for a small subset of users.
... 34% is not a small subset.
The way they're phrasing it and talking about it, it seems pretty clear that they're trying to boost their own profile a bit.
This I can agree with. It's what led to the inaccuracy in the summary in the first place.
For most cases, the two attacks can't be used together unless the malicious agent is stalking their victim.
You're right, 66% does constitute "most cases"; 34% of all iPhones sold in the last 3.5 years (that is to say, realistically, damn near 34% of all iPhones currently in use) still seems like a pretty large victim pool, though.
So yes, perhaps the severity of the flaw was a bit overblown by the team that discovered it, but I think you're trying to let out a bit too much of the air.