Unrated severity · NVD Advisory · Published Jul 3, 2015 · Updated May 6, 2026

CVE-2015-3728

Description

Apple iOS before 8.4 automatically associates with any Wi-Fi access point using a recognized ESSID, bypassing security type validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WiFi Connectivity feature in Apple iOS before version 8.4 allows a remote Wi-Fi access point to trigger an automatic association with an arbitrary security type, provided the access point operates with an ESSID that the device recognizes [1]. This means an attacker can set up a rogue access point that spoofs a previously trusted network name (e.g., a home or corporate SSID) and the device will connect even if the security type (e.g., no encryption, WEP, WPA) differs from the original trusted network [1]. The issue exists in the device's automatic association logic, which does not verify that the security parameters match the stored network configuration [1].
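
The difference between matching on ESSID alone and matching on ESSID plus security type, as an added example: a simplified Python model written for this page, not Apple's code. The class names, function names, and scan data are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SavedNetwork:
    essid: str
    security: str  # security type recorded when the user first joined

@dataclass(frozen=True)
class ScannedAP:
    essid: str
    bssid: str
    security: str  # security type the access point advertises

def candidates_essid_only(saved, scan):
    """Pre-fix behaviour as the advisory describes it: a name match is enough."""
    known = {n.essid for n in saved}
    return [ap for ap in scan if ap.essid in known]

def candidates_with_security_check(saved, scan):
    """Auto-join only when ESSID and security type both match a stored profile.

    Returns (accepted, rejected); rejected holds APs that reuse a known ESSID
    with a different security type, which is worth logging or alerting on.
    """
    profiles = {(n.essid, n.security) for n in saved}
    known = {n.essid for n in saved}
    accepted, rejected = [], []
    for ap in scan:
        if (ap.essid, ap.security) in profiles:
            accepted.append(ap)
        elif ap.essid in known:
            rejected.append(ap)
        # Unknown ESSIDs are ignored: they are never auto-joined.
    return accepted, rejected

# Constructed sample data (not from the advisory).
SAVED = [SavedNetwork("CorpNet", "wpa2"), SavedNetwork("HomeNet", "wpa2")]
SCAN = [
    ScannedAP("CorpNet", "02:00:00:00:00:01", "wpa2"),
    ScannedAP("CorpNet", "02:00:00:00:00:02", "open"),  # same name, no encryption
    ScannedAP("CafeGuest", "02:00:00:00:00:03", "open"),
]

if __name__ == "__main__":
    print("ESSID only:", [ap.bssid for ap in candidates_essid_only(SAVED, SCAN)])
    ok, bad = candidates_with_security_check(SAVED, SCAN)
    print("accepted:", [ap.bssid for ap in ok])
    print("rejected:", [(ap.bssid, ap.security) for ap in bad])
```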

Exploitation

An attacker needs to be within radio range of the target device and operate an 802.11 access point with an ESSID that the device has previously associated with [1]. No prior authentication or user interaction is required beyond the device being in range and having Wi-Fi enabled, as the device will automatically attempt to associate with the recognized ESSID [1]. The attacker can configure the rogue access point with any security type (open, WEP, WPA, etc.), and the device will complete the association without warning the user [1].

Impact

Successful exploitation allows the attacker to force the target device to connect to their malicious access point [1]. This positions the attacker to perform man-in-the-middle attacks on the device's network traffic, potentially intercepting, modifying, or redirecting data transmitted over Wi-Fi [1]. The attacker may also gather information about the device's network activity or deliver malicious content, leading to information disclosure or further compromise [1].

Mitigation

Apple addressed this issue in iOS 8.4, released on June 30, 2015 [1]. Users should update their devices to iOS 8.4 or later via Settings > General > Software Update [1]. No workaround is available for iOS versions before 8.4; users on those versions should upgrade immediately [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
