My failed attempt to hack the AT&T free iPhone WiFi

You may remember that AT&T began offering free wifi for iPhone users earlier this year. Shortly thereafter they pulled the service. Why? Because someone discovered the security applied to the system was extremely weak: simply changing the User Agent of your browser to make it look like you were using an iPhone browser allowed you to gain free WiFi access on your laptop. This could easily be done using the Firefox User Agent Switcher extension, or by simply firing up Safari, enabling Developer mode (Safari->Preferences->Advanced->Show Develop menu), and selecting the iPhone User Agent (Develop->User Agent->Mobile Safari 1.1.3 - iPhone).

With the new service, you connect your iPhone to the wireless network, launch the browser, and get redirected to a page that displays a single field requesting you to enter your iPhone phone number. After submitting your phone number, you receive a (free) text message containing a URL. Loading this URL from your iPhone grants you free wifi access to the Internet.

When I tried the User Agent hack mentioned above from my laptop, I expected to at least get the box prompting me for my iPhone phone number. But to my surprise, all I got was a mobile-formatted page with options to purchase service.

So I suspected they were checking the MAC address of the computer connected to the router and checking if it looked like an iPhone MAC address. Luckily, spoofing the MAC address of my wifi card is easy on OS X:

sudo ifconfig en1 lladdr 00:21:E9:52:6A:E3

BAM! Now as far as the AT&T router can tell, my requests are coming from my iPhone. This time when I connected, I got the form asking me for my iPhone phone number. I submitted the number and a few seconds later received an SMS with a link.

I hoped that simply typing this URL in my laptop browser and visiting it would grant me free wifi access, but unfortunately it did not. Instead, it gave me an error saying that page doesn't exist.

A commenter on the original LifeHacker post describing the User Agent hack left this comment about the new security features applied by AT&T:

AT&T has locked out non-iPhones by using an encrypted log on tied to each iPhone number. The key is transmitted to the iPhone over the AT&T cell network a minute before login.

By using the AT&T network to transmit the key, they have definitely made it more difficult to gain free access from your laptop. I'm sure it's still possible (perhaps by sniffing the wifi traffic between the iPhone and the router after a successful connection), but I'm not sure it's worth the time and effort.

I heard that an official AT&T tethering option for the iPhone will be coming soon, so that might make this a moot point (assuming they make it a free option). Still, it seems only fair that existing iPhone users should be able to access the free wifi via their laptops. Transmitting a password via SMS seems like a safe way to guarantee the person connecting to the wifi actually has an iPhone.

DD-WRT has come a long way!

I just finished installing DD-WRT on a Linksys WRT54GL router for the office and all I can say is wow. I remember when replacing the firmware on a Linksys router was like doing surgery in the dark with a butcher knife and a wrench. Now I just download the DD-WRT firmware, use the Upgrade Firmware section of the Linksys configuration page on my router, and BAM! I have DD-WRT installed. The extra features provided by DD-WRT are invaluable and make the router's usefulness increase exponentially. I've got to install this on a router at home.

Quick Wireless Security using SSH Tunneling

I'm a little paranoid when it comes to wireless security. Even if I'm on an encrypted wireless network, I won't access any of my bank accounts or log in to any website that requires a password without securing my traffic with an additional layer of security using SSH tunneling.

SSH tunneling can also be used to circumvent network-based restrictions in the workplace or on a free public wifi hotspot, giving you the freedom to browse whatever websites you want. If implemented at the OS networking level, you can even use the tunnel for your email and other applications. However, the focus of this post is on using SSH tunneling to secure your web traffic.

Here is a quick list of what you'll need:

  • Firefox or Internet Explorer (this technique also works with Opera and Safari, although I don't cover those here)
  • PuTTY (Windows); the terminal (Linux or OS X)
  • SwitchProxy Tool (nice-to-have Firefox Plugin)
  • Access to a *nix-based computer. This will probably be the most difficult to obtain, and if you're not familiar with Linux or OS X, I recommend you ask a friend if they wouldn't mind giving you an account on their Linux computer. You can try to find a free shell that allows port forwarding, but they are rare.

Setting up the SSH Tunnel

Windows

Since Windows doesn't have an SSH client built in, you will need to use the wonderful SSH client application called PuTTY. After you've downloaded and launched PuTTY, you should be presented with the main screen. Fill in the Host Name (or IP address) field with that of your Linux computer and be sure to select SSH from the Connection type.

On the left column of options, select Connection -> SSH -> Tunnels. Enter 9000 in the Source port field, select Dynamic from the option at the bottom, and then click Add. Your screen should now look something like this:

Note: If you don't see the Dynamic option in PuTTY, make sure you have the latest version.

Now go ahead and click the Open button to connect and log in to your Linux computer. Once you have successfully logged in, the tunnel will be open and you can proceed to configure your web browser to use the tunnel.

Linux/OS X

Since you're using a *nix-based system, your computer already has everything it needs to set up an SSH tunnel. Simply access the terminal (Applications -> Utilities -> Terminal.app on OS X) and connect to the remote Linux computer as follows, replacing <username> and <remote-host> with your account name and the address of the Linux computer:

ssh -l <username> -D 9000 <remote-host>

After logging into the remote computer, the dynamic SSH tunnel will be opened and we can move on to configuring the web browser.

Configuring the Web Browser to use the SSH Tunnel

Firefox with SwitchProxy Tool plugin (the method I use)

Download and install the SwitchProxy Tool plugin. After installing the plugin, open its configuration window (Tools -> Add-ons -> SwitchProxy Tool -> Preferences on OS X). This will open the basic configuration window for the plugin. Click Manage Proxies and then Add. Choose Standard for the proxy configuration type and click Next. Fill in the fields as shown below.

After saving the connection, you should be able to use the plugin to easily switch between browsing through the SSH tunnel and browsing without it. I have it configured to show in the Firefox Status Bar, as I find that to be the easiest method of toggling between the two:

Firefox without SwitchProxy Tool

Although I use SwitchProxy Tool to easily switch my proxy settings, I will also explain how to configure the browser without the plugin.

Open the Firefox Preferences (Firefox -> Preferences on OS X) and click the Advanced icon at the top. In the connection section, click the Settings... button. Choose Manual proxy configuration, then enter localhost in the SOCKS Host field and 9000 in the Port field.

Internet Explorer

From the Internet Explorer menu, choose Tools -> Internet Options. Select the Connections tab and then click the LAN Settings button. Enable the Use proxy server for your LAN option and click Advanced.

In the Servers section, make sure all the fields are empty except for the Socks field. Type localhost in the Socks Proxy address field and 9000 in the Port field. Your screen should look something like this:

Click the OK button all the way back to your browser. You should now be browsing the Internet securely through the SSH tunnel! An easy way to confirm this is to disconnect from the Linux computer by closing PuTTY and checking if you can still browse the web. Since the browser has been configured to use the tunnel, you won't be able to browse the web if that tunnel is closed.

If you wish to revert back to browsing the web normally, simply uncheck the Use proxy server for your LAN option in LAN Settings.
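
The confirmation step described above (close the tunnel and see whether browsing stops) can also be run directly against the local tunnel port. The following Python code is an added example, not part of the original post: it performs the SOCKS5 handshake with localhost:9000 and asks the proxy to connect by hostname, so the name is resolved on the remote Linux computer rather than over the wireless network. The function names and the example.com destination are assumptions made for the illustration.

```python
import ipaddress
import socket
import struct


def build_connect_request(dest_host, dest_port):
    """SOCKS5 CONNECT request (RFC 1928). A hostname is sent as a domain name,
    so the SSH server resolves it and no DNS query for it crosses the Wi-Fi."""
    try:
        addr = b"\x01" + ipaddress.IPv4Address(dest_host).packed  # ATYP 1: IPv4
    except ipaddress.AddressValueError:
        name = dest_host.encode("idna")
        if not 0 < len(name) < 256:
            raise ValueError("hostname must be 1-255 bytes")
        addr = bytes([3, len(name)]) + name                       # ATYP 3: domain name
    return b"\x05\x01\x00" + addr + struct.pack("!H", dest_port)  # VER, CONNECT, RSV


def recv_exact(sock, n):  # read exactly n bytes or raise if the peer closes first
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection early")
        buf += chunk
    return buf


def probe_tunnel(dest_host, dest_port, proxy=("127.0.0.1", 9000), timeout=5.0):
    """Return "ok", "tunnel-down", "not-socks5", "proxy-error" or "refused:<code>"."""
    try:
        sock = socket.create_connection(proxy, timeout=timeout)
    except OSError:
        return "tunnel-down"          # nothing listening: the SSH session is closed
    with sock:
        try:
            sock.sendall(b"\x05\x01\x00")             # greeting: offer "no auth" only
            if recv_exact(sock, 2) != b"\x05\x00":
                return "not-socks5"   # some other service owns the port
            sock.sendall(build_connect_request(dest_host, dest_port))
            rep = recv_exact(sock, 4)[1]              # reply: VER, REP, RSV, ATYP
            return "ok" if rep == 0 else f"refused:{rep}"
        except OSError:
            return "proxy-error"


if __name__ == "__main__":
    # example.com is a placeholder destination; 9000 is the tunnel port used above.
    print(probe_tunnel("example.com", 443))
```

A browser that resolves hostnames itself before handing the connection to the SOCKS proxy still sends its DNS queries over the local network; in Firefox the network.proxy.socks_remote_dns preference controls this.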

Don't use Wireless-G!

First a short history of wireless technologies:

The wireless technology standard is known as 802.11 with different versions appending a letter to the standard. The first version that became popular, and is still the most widely used standard, is known as 802.11b. It allows wireless transfer rates at 11Mbps. Common wired Ethernet networks (such as a home or office network) use CAT5 cables, which allow transmission speeds of 100Mbps (also known as Fast Ethernet). The next obvious step for wireless technology was to obtain faster speed. So 802.11a was born. It allowed transmission of speeds up to 54Mbps. Great. But the only problem was, it wasn't compatible with 802.11b! So all those wireless cards everyone owned, including the ones built into laptops, wouldn’t work with networks using 802.11a. That's the reason 802.11a never really caught on. Then 802.11g was developed. It allowed for transmission speeds of up to 54Mbps, but it was also compatible with 802.11b! Wireless networks that ran 802.11g hardware would still allow users with the older, and slower, 802.11b network cards to access the wireless network. Everyone was happy.

Now here is where my ranting comes in:

First of all, broadband connections (DSL and Cable Modem) installed in your home or office never reach even close to 11Mbps speeds! So if you have a Wireless-G router and a Wireless-G network card in your laptop, your access to the internet will be exactly the same as it would with Wireless-B! The bottleneck lies in your connection to the internet, not your wireless hardware! So what's Wireless-G good for? Well, let’s say you want to transfer files from your wireless laptop to your PC in the next room. In this case, there is no bottleneck. Wireless-G will allow for MUCH faster transfer speeds because the maximum speed on your home network is probably 100Mbps. Using an 11Mbps Wireless-B network connection to transfer files over a 100Mbps wired connection (home/office network) would obviously slow you down quite a bit. But how often do you transfer files between your laptop and your PC? And how often are those files really big? When I need to transfer really big files, I just connect my laptop to my wired network, which gives me full 100Mbps speeds.

OK, by now you might be wondering what the big deal is and why I'm so much against Wireless-G. Let me explain: All of the new wireless routers sold today allow you to put the router in one of three different modes: Wireless-B, Wireless-G, and Mixed. The latter, as you may have guessed, allows network cards of both types (Wireless-B and Wireless-G) to access the wireless network. It doesn't discriminate. If you choose Wireless-G, then only Wireless-G connections will be allowed. The same goes for Wireless-B. Choosing the Mixed mode, however, can cause problems. Why? Because the router has to figure out which mode you're using to connect. If it's wrong, or if it gets confused, you can suddenly be dropped from the network for no apparent reason.

I have seen this behavior on both Windows and Linux platforms, with a wide range of network cards. What a headache! And for what? Extra speed that rarely gets used? Now you might see why I strongly suggest changing your wireless router's mode to Wireless-B. That way, it has the most compatibility with wireless cards and is least likely to drop users from the network. It also means fewer things to worry about if you're already having issues getting your wireless network to work properly.