I Know the Name Of Your Wi-Fi Network

Introduction

I know the name of your Wi-Fi network. Or at least I would if you were still running a macOS version from earlier than a few weeks ago. You have upgraded, right? If you haven't, you should probably do that soon. You might be wondering what the big deal is, or whether this information was really meant to be all that restricted on macOS to begin with. To answer the latter question, the com.apple.developer.networking.wifi-info entitlement exists, which does seem to be an attempt to restrict access to information about a user's Wi-Fi networks. But why should access to this information be restricted?

Wardriving

Wardriving is a term used to describe the act of driving around and recording the coordinates of each Wi-Fi network encountered. A common use for such information is as a supplement to GPS technology. A smartphone with a weak or unreliable GPS signal can look at the Wi-Fi networks it sees around it and look those up in a wardriving database to better determine where exactly it is. This is more reliably done based on the BSSID of the network rather than the network name (more formally called the SSID), as the former is usually non-configurable and tied to the hardware of the access point.

The ipconfig Command

Those with even a passing knowledge of working with the Command Prompt in Windows will know about the ipconfig command. If you then moved to Linux, you may recall having to learn that the equivalent over there is the ifconfig command (or now, really, the ip command). You may also know that the ifconfig command exists on FreeBSD as well, which Darwin/XNU (the OS and kernel underpinning Apple's operating systems) is based on in part. In fact, if you use the ifconfig command in a macOS terminal, you will get output similar to what you would see on macOS's other Unix-y cousins.

You might, then, be surprised to know that an ipconfig command also exists on macOS. You might also, then, be further surprised to discover that this ipconfig command on macOS is open-source. And herein lies a part of the OS that Apple probably forgot about. This command could be used to get the name of the currently connected Wi-Fi network without the need for the aforementioned entitlement. Thankfully, BSSIDs were redacted. However, given a unique-enough network name (and given that the network is accurately included in a wardriving database), this could have been used for user tracking.

The Fix

It's rare that I can point to the actual code that Apple wrote to fix something, but this time I can. To explain briefly how the ipconfig command works: it sends Mach messages to a MIG server (check out my article here to learn more about MIG), which then responds with the information relevant to the given command invocation. The vulnerable routine in question, ipconfig_get_summary, now performs an entitlement check on the caller (specifically, it looks for the com.apple.IPConfiguration.get-information entitlement). If the caller does not have the entitlement, no information is returned. And while the ipconfig command itself has this entitlement, SSIDs are now also redacted by default.
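To make the before-and-after behaviour concrete, here is an added Python model of the check described above. It is not Apple's code and does not speak Mach or MIG; it assumes the caller's entitlements arrive as a parsed plist dictionary (on a real Mac they come from the caller's code signature, which codesign -d --entitlements can print), and the entitlement plists, interface values and summary fields are constructed for the example.

```python
import plistlib

# Entitlement the post names as the one ipconfig_get_summary now requires.
REQUIRED_ENTITLEMENT = "com.apple.IPConfiguration.get-information"

# Constructed entitlements plist for a caller that holds the entitlement.
# Hypothetical content: this is not ipconfig's real entitlement list.
ENTITLED_CLIENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.IPConfiguration.get-information</key>
    <true/>
</dict>
</plist>
"""

# Constructed plist for an ordinary sandboxed app with no such entitlement.
UNENTITLED_CLIENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>
"""

# Constructed interface state the server would summarise (documentation addresses only).
INTERFACE = {
    "name": "en0",
    "ssid": "CoffeeShop-Guest-7f3a",   # constructed SSID
    "bssid": "02:00:00:00:00:01",      # constructed, locally administered MAC
    "ipv4": "192.0.2.10",              # RFC 5737 documentation address
}

REDACTED = "<redacted>"


def caller_entitlements(plist_bytes: bytes) -> dict:
    """Parse an entitlements plist into a dict; an unsigned caller yields an empty dict."""
    if not plist_bytes:
        return {}
    return plistlib.loads(plist_bytes)


def has_entitlement(entitlements: dict, key: str) -> bool:
    """The key must be present and boolean true; a key set to false grants nothing."""
    return entitlements.get(key) is True


def get_summary_before_fix(entitlements: dict, iface: dict = INTERFACE) -> dict:
    """Pre-fix behaviour as the post describes it: no caller check, SSID returned,
    BSSID already redacted. The entitlements argument is ignored on purpose."""
    return {"name": iface["name"], "SSID": iface["ssid"],
            "BSSID": REDACTED, "ipv4": iface["ipv4"]}


def get_summary_after_fix(entitlements: dict, iface: dict = INTERFACE,
                          redact_ssid: bool = True):
    """Post-fix behaviour: deny by default unless the caller holds the entitlement,
    and even then redact the SSID unless the caller explicitly asks for it."""
    if not has_entitlement(entitlements, REQUIRED_ENTITLEMENT):
        return None  # nothing is returned to an unentitled caller
    return {"name": iface["name"],
            "SSID": REDACTED if redact_ssid else iface["ssid"],
            "BSSID": REDACTED,
            "ipv4": iface["ipv4"]}


if __name__ == "__main__":
    for label, blob in (("entitled", ENTITLED_CLIENT_PLIST),
                        ("unentitled", UNENTITLED_CLIENT_PLIST)):
        ents = caller_entitlements(blob)
        print(label, "before:", get_summary_before_fix(ents))
        print(label, "after: ", get_summary_after_fix(ents))
```

Running the block shows the two regimes side by side: before the fix both callers receive the SSID, and after it the unentitled caller receives nothing while the entitled one gets a summary with the SSID redacted unless it opts out. The check deliberately tests for a boolean true rather than mere presence of the key, since an entitlement explicitly set to false should not be treated as a grant.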

Conclusion

This was a very simple information leakage vulnerability that was equally simple for Apple to patch. No CVE was assigned; Apple instead chose to thank me, among others, under the Additional recognition section of their security notes. I was also awarded no money for this, and was told I was not the first to report it. So congratulations to whoever did report it first. Thank you to those who have read this. If you liked it and want to stay informed and see whatever I post next, remember to watch this space.