iOS 11’s Misleading Settings Leave Your iPhone Seriously Vulnerable to Attack

Up until recently, if you wanted to turn off Wi-Fi or Bluetooth, it was pretty simple: Just swipe up to open the Control Center, tap the icons, and off they would go. It was a pretty easy and intuitive system that saved you the trouble of finding wherever it is you keep your Settings app and flicking the switches off manually. In iOS 11, Apple’s most recent update to your iPhone’s software, you can technically do the same: Swipe up on the (now new and improved) Control Center, give the icons a tap, and your Bluetooth and Wi-Fi connections will disappear. The whole process seems practically identical. That is, until a couple of minutes later, when they automatically turn back on.

Despite all appearances, this isn’t a glitch or a bug, but rather a textbook example of how corporate goals can outrank what’s best for users, leading to terrible, shitty design. I, like a lot of other early adopters out there, reported the issue frequently when I was beta-testing iOS 11, foolishly thinking that it was just some oversight on Apple’s part. However, since iOS 11’s release last month, it’s become painfully obvious that Apple views this change as a net positive for users.

This is seriously problematic for a number of reasons that span far beyond mere inconvenience. The change means that the majority of iPhone users will likely have Bluetooth and Wi-Fi turned on at all times. (Okay, yes, technically you can go into Settings and turn them on and off manually, but that’s an absolute pain in the ass and very few people are really going to do that each and every time they move from one connection to another.) And while that may not sound like that big of a deal — especially if it means less time hitting buttons on your phone — it most definitely is. Having Wi-Fi and Bluetooth enabled at all times is a huge security risk.

With these settings on, it’s shockingly easy for someone with malicious intent to connect to your device. If you’re an AT&T customer, your iPhone is preprogrammed to automatically connect to any Wi-Fi network named “attwifi,” regardless of whether it is the real “attwifi” network or a spoof made by someone else entirely. The issue affects more than just AT&T customers, though. The average iPhone is set up to automatically connect to any network that has an identical name to any of the hundreds of other Wi-Fi networks you’ve joined in the past. This feature leaves users who fail to fully shut off their Wi-Fi settings in an incredibly vulnerable place.
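An added example, not part of the original article: a small Python model that contrasts the name-only auto-join described above with checks a client or auditing tool could apply to a remembered network. The network profiles, MAC addresses and function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str     # MAC address of the advertising access point
    security: str  # "open" or "wpa2"

# Constructed list of remembered networks (hypothetical values, not real devices).
REMEMBERED = {
    "attwifi": {"security": "open", "bssids": set()},
    "HomeNet": {"security": "wpa2", "bssids": {"a4:11:22:33:44:55"}},
}

def name_only_autojoin(beacon, remembered=REMEMBERED):
    """Model of the behaviour the article describes: an SSID match is enough."""
    return beacon.ssid in remembered

def autojoin_warnings(beacon, remembered=REMEMBERED):
    """Return the reasons a name-matching beacon should not be trusted blindly."""
    profile = remembered.get(beacon.ssid)
    if profile is None:
        return ["not a remembered network"]
    warnings = []
    if beacon.security != profile["security"]:
        warnings.append("security type differs from the remembered network")
    if profile["security"] == "open":
        # No password or certificate ties an open network to its operator.
        warnings.append("open network: the name is its only identifier")
    # A BSSID can be copied too, so a mismatch is a hint, not proof either way.
    if profile["bssids"] and beacon.bssid not in profile["bssids"]:
        warnings.append("access point not seen before for this name")
    return warnings

# Constructed scan results.
SCAN = [
    Beacon("HomeNet", "a4:11:22:33:44:55", "wpa2"),  # the remembered AP
    Beacon("HomeNet", "02:00:00:aa:bb:cc", "open"),  # same name, different AP
    Beacon("attwifi", "02:00:00:dd:ee:ff", "open"),  # any AP using this name
]

def review(scan=SCAN):
    """Pair each beacon's name-only decision with the audit warnings."""
    return [(b.ssid, b.bssid, name_only_autojoin(b), autojoin_warnings(b)) for b in scan]

if __name__ == "__main__":
    for row in review():
        print(row)
```

All three beacons pass the name-only check, but only the first one comes back with no warnings.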

If someone wanted to hack your phone, all they would have to do is follow you to some location where you’re using Wi-Fi, set up their own network with the same name using a Wi-Fi Pineapple or some other easily available form of technology, and wait for your phone to connect. From there, a hacker could easily carry out a number of potential attacks.

“Attackers who are able to connect to the devices may be able to eavesdrop, exfiltrate files, or access internet connectivity through the victim device,” explained Alex Heid, a white hat hacker. “Furthermore, attackers may be able to leverage exploits against the Wi-Fi hardware or Bluetooth hardware in order to gain an elevated level of unauthorized access.”

By doing away with the easiest available safeguard, Apple is opening scores of users up to these kinds of attacks. Reading Apple’s description of the change, you get the sense that the update happened because they wanted to make it easier for users to stay connected to a variety of other Apple products. But having a slightly more streamlined pairing process with your Apple Pencil doesn’t exactly seem worth all of these risks. Especially when there’s no way to revert back to the way things were.