seraphsf
I know something about this. I built and ran a service for carriers to help with “WiFi offload”.
It’s intended as a consumer-friendly way to increase capacity in dense areas (like a sports stadium or mall) where the carrier’s cell towers don’t have enough capacity.
Wifi offloading is not new. AT&T helped invent these standards back in ~2009 when their network was getting crushed by massive increases in traffic as iPhone usage took off.
WiFi offload networks are configured as “Managed Networks” which are lower priority than any user-selected networks. You can disable them by turning off “auto-join”. (Also these WiFi offload networks are secure; you can’t spoof them).
However it appears that the original poster’s carrier (presumably Xfinity Mobile or Spectrum Mobile) has done something new - they’ve disabled the user’s ability to turn off “auto-join” on iOS. Some overzealous team is trying to lower their cellular costs. That’s because both Comcast and Spectrum rent capacity on Verizon Wireless towers, but their MVNO cellular service is not profitable unless their customers are using the cable company’s own WiFi fairly often.
However this (disabling “auto-join”) is a dumb move. It’s obviously problematic for users whose neighbors are broadcasting the [Xfinity WiFi or Spectrum Mobile?] SSID.
To my knowledge, no major carrier does this. If you’re on AT&T, T-Mobile, or Verizon, the “managed offload networks” can be easily disabled. And the major carriers are using higher-quality commercial WiFi networks for offload, not random home cable modems.
mihaaly
Friendly remark.
Recently the term "consumer-friendly" became the synonym of "we shove it down your throat whether you like it or not!". If you wish to communicate some real user-friendly feature, better find some other phrase. Reading "consumer-friendly" statements of providers makes me turn away and never look back.
See the above example. Hijacking the device we use for our daily operations, a very important one with sensitive data, already at risk from a multitude of origins, hijacking it remotely into some unknown channels along hidden organisational incentives is a very offensive and frightening move. The technology is not new and it has been OPTIONAL for a very long time. Shoving it down the throat is bad. Very bad.
(I am pretty disappointed with the population of the world that accepts anything from service providers for mostly marginal or never missed gains, accepting the elimination of choice. Providers feel they can get away with anything and became increasingly hostile.)
jsty
If the use case is as described (connecting to WiFi APs owned and controlled by the network in deadspots / hotspots - e.g. stadiums and large buildings - and not end-user APs in homes), it's not clear to me that this poses any significant threat above and beyond connecting to the same operator's cell towers. If you don't trust them to run a WiFi network, probably shouldn't trust their cell network either.
Having phones automatically and uncontrollably route via random 3rd party APs is a bad decision, but I didn't read GP as advocating for this.
blincoln
The knowledge and equipment to hack WiFi-related systems is a lot easier to obtain in most of the world than the cellular equivalent.
In the US, at least, tampering with cell service risks getting the FCC involved, so very few people do it compared to WiFi hacking.
I'm very curious, for example, if the devices that connect to these APs are vulnerable to the WiFi client isolation bypass that was disclosed about a week ago.[1] That seems a lot scarier when there are potentially thousands of random people's personal phones connecting to the same WiFi infrastructure instead of a bunch of more or less trusted corporate devices in an office.
JohnFen
> If you don't trust them to run a WiFi network
WiFi APs are not secure enough unless you're using another layer of security on top (a VPN, for instance). It's not a matter of trusting them to properly run a WiFi network. It's a question of if there's an additional layer of security on top. Is there?
TheHappyOddish
Whilst I agree with what you're saying in premise, I think if you told most consumers "hey, when you have bad reception like at a stadium, your provider will connect you over WiFi instead of 4G", they simply wouldn't care and more importantly wouldn't want to know.
This probably is "consumer-friendly" in the sense of "provides the outcome desired for most consumers".
mihaaly
Sensibly and originally the consumer-friendly term is desirable, also the obvious and default behaviour from providers selling products to users.
Unluckily it is overused and misused for things forced through regardless of whether they are wanted or not - but beneficial for the provider for sure -, being a routine misdirection (basically bullshit) text.
tengwar2
To amplify this: a recognised problem with GSM/GPRS was that although the mobile device authenticated itself to the network. This introduced MITM vulnerabilities. As a response, 3G brought in mutual authentication. Do these managed WiFi networks have mutual authentication? As far as I know, no.
seraphsf
Yes, WiFi offload uses the Hotspot 2.0 spec with mutual authentication (EAP-AKA or EAP-SIM typically). Both the phone and the WiFi network will mutually authenticate with the carrier’s Authentication Server.
DougBTX
> If you wish to communicate some real user-friendly feature better find some other phrase.
The cycle of deception never ends. If a company misuses words, they'll do it again with new ones. We must resist by sticking to the plain meaning of words.
KyeRussell
Sigh. Would you talk to someone this way were they telling you this story at a conference lunch?
I really hope not.
They have chimed in to provide further context based on their personal experience. You’ve latched onto and have subsequently read way too much into two words that they used, and tried to offset your unjustified browbeating with “friendly remark”.
mehlmao
If someone tells me to my face that ignoring user preferences is actually 'consumer-friendly', I will tell them to their face that it isn't. 'Friendly remark' is passive aggressive and can be left out.
divan
Thanks for explanation.
> they’ve disabled the user’s ability to turn off “auto-join” on iOS
How (and why) is it even possible for carriers?
seraphsf
Frankly, I don’t know. This thread is the first I’ve heard of it.
Carriers ask phone makers for config changes all the time. It’s possible this is a new capability that was requested by certain carriers.
To be fair, it’s also possible that the OP and I are misinterpreting what’s going on. For instance, iOS syncs your preferences across devices. Perhaps there’s some bug that’s causing the wrong setting to propagate back to this person’s phone because their iPads, etc are still set to allow “auto join”.
stacktrust
> iOS syncs your preferences across devices.
This theory could be tested by signing out of iCloud before changing "auto-join".
webmobdev
> How (and why) is it even possible for carriers?
This happened in India. So one day mobile data was quite slow on my non-Apple phone. I asked my friend to enable hotspot on his iPhone. We were stumped when we couldn't find the "Personal Hotspot" option at all in iOS settings. Called Apple support, who informed us that the Hotspot option is only available if the carrier enables it. They asked us to contact the carrier.
We were outraged and thought the carriers in India had suddenly decided to charge us extra for this option. Or maybe just for iPhone users. (In India, no carrier charges us extra for this option - and that is how it should be, right? We are already paying more according to the bandwidth (3g/4g/5g speeds) and they also already limit how much data we can download. Imagine being charged extra for the "privilege" of sharing your data and consuming it faster!). We were prepared to yell at the carrier if they wanted more money from us for this, but their customer support explained to us that this is a common complaint they have with Apple iPhones, and all we needed to do was add some more info in the mobile data settings, which she provided us.
That's when we realised that it is a very American / Apple thing because the US business model of mobile phone and carriers are very different from India. In the US, most mobile phones are sold through the carriers and Apple and its competitors have to work with them closely. Whereas in India, consumers purchase their mobile phones independent of the carrier.
simonh
Every now and then, maybe every year or two, my iPhone says it needs to update mobile settings from the carrier. For those settings they asked you to change, it sounds like the Indian carriers probably could update them through that mechanism, or possibly that they were going to do so but hadn't got round to it yet.
cleanchit
Why don't the stadiums just set up an open wifi network? (no password)
karlshea
Some do. Allianz Field in St Paul has an open guest network, then you “sign in” with your email like you would at a coffee shop.
It works great, super speedy. Definitely better than the cell network during a game.
JohnFen
Probably because the stadiums don't want to incur the expense of doing so. That scale of setup wouldn't exactly be cheap.
sholladay
Confirmed. I’m on one of the major carriers and after multiple hours, auto-join is still disabled after I turned it off. Though, I haven’t tried rebooting.
hk1337
I’m in the same boat as you. It’s been off for almost 24 hours and I rebooted my device. I’m not using an eSIM like OP maybe that’s the difference, I don’t think so.
I wonder if those with the problem were to restart or reset their device, if they would still have the problem?
stacktrust
Apple Configurator (self-hosted local MDM, free macOS app in store) has an option for "supervised" iOS devices so that Wi-Fi connections are limited to SSIDs which are pre-defined in the MDM profile. It's intended for enterprise usage. Worth testing to see how MDM policy interacts with carrier-managed Passpoint networks.
Note: you can't supervise an existing device without wiping it, so this is an experiment to conduct with a spare phone, or one already managed by Configurator/MDM.
Apple Configurator training: https://it-training.apple.com/tutorials/deployment/dm095
Wi-Fi payload: https://developer.apple.com/documentation/devicemanagement/w...
Another option is using Apple's MDM for small business to define a list of approved SSIDs, https://www.apple.com/business/essentials/
Edit: is there an option to "Remove Profile" in Settings?
General -> VPN & Device Management -> Configuration Profiles
Edit2: workaround by null routing the carrier's Wi-Fi SSID? https://www.reddit.com/r/tmobile/comments/vvt6dd/comment/iyr...
Change IP address to manual and 127.0.0.1
Change subnet mask to 255.255.255.0
Change DNS to manual and 251.252.253.254
philsnow
Thank you for that first link. I stumbled across Apple Configurator when I was trying to lock down an old phone, to have at home as a pseudo-landline (but which I can take with me on trips) that is safe to leave accessible to kids. I got it working by muddling through, and that link would have at least let me situate myself in the space of "what does this thing do?" better.
jdelman
What settings did you use to lock down your phone?
philsnow
More or less:
- prevent removal of profiles:
general -> security -> "with authorization", and added a password
- prevent total phone wipe:
general -> functionality -> [ ] allow Erase All Content and Settings (supervised only)
- only allow a few apps to run:
restrictions -> apps -> restrict app usage -> only allow some apps
phone, messages, facetime, settings
- disallow installing new apps:
restrictions -> functionality -> [ ] allow installing apps (supervised only)
- content filter -> filter type -> limit adult content
I'm not really sure what this does but makes sense to enable it
- wi-fi -> configure one payload,
for my home guest network
- google account -> configure one payload,
for a phone@vanitydomain.com google account
I have a copy of the resulting .mobileconfig file that also allows safari, but I only enable that when I'm e.g. taking a flight on Southwest and want to be able to use that phone as another screen for passing time in the plane
newZWhoDis
I do not have any profiles installed, and none of my devices are managed.
I’m aware this could potentially be fixed by enrolling all my family’s devices in an MDM.
But I mean come on, wipe everyone’s phone to enroll in MDM? Seems pretty crazy when the phone should just let you control what it does/does not join.
Edit: I misread your post, I see now it was more suggesting a test. My bad.
stacktrust
If Carrier MDM policy can override Configurator/Enterprise MDM policy, then corporate security admins will likely be unhappy about their lack of control over enterprise device networking.
Has the industry forgotten the pre-iPhone disaster of telco-controlled devices? https://www.quora.com/Why-was-the-iPhone-initially-exclusive...
> The landscape of the cell phone market was very different pre-2007. Most notably, the carriers had complete control over what phones were allowed on their network. A carrier could nix a feature that had been in R&D for years and suddenly you couldn’t sell your new phone with this amazing feature. They were especially protective of data and overloading their networks, which led to browsers on phones being stripped down and limited. The whole “full web” was not a technical impossibility, it was just that carriers wouldn’t allow phones on the network that had a full browser.
> Apple bucked the rules of the cellphone industry by wresting control away from the normally powerful wireless carriers ... Mr. Jobs once referred to telecom operators as "orifices" that other companies, including phone makers, must go through to reach consumers.
mynameisvlad
Since when did you have to wipe your phone to enroll it in MDM? You don’t even have to wipe it if you unenroll, and that would certainly be more important since the phone could have downloaded sensitive content in that time.
Yechi770
Don't know since when, but definitely for a few years. To fully unenroll too. The reason is because in order to fully manage the device it needs to reset and restart in a managed mode.
MelancholyMiser
You don't have to wipe to enrol, only to supervise a device. Supervision enables a lot of features that would be considered user hostile in a different context - it's definitely not something you want being enabled without you knowing.
cxie
The "Remove Profile" option in Settings might be helpful if it's available, but it seems like it could be carrier-dependent, and not all users may have this option.
The null routing workaround seems interesting and could potentially help in avoiding unwanted connections to the carrier's Wi-Fi SSID. However, this method might require some technical knowledge and might not be ideal for less tech-savvy users.
wpm
T-Mobile's you absolutely can disable, but I would have never ever thought to look there until I read this.
I switched off Auto-join on both "t-mobile" and "TMobileWingman", but I couldn't hit the "Done" text-but-its-really-a-button in the upper right until I made some change to the normal known networks list, so I deleted a couple that I didn't remember or recognize. YMMV.
It's gross either way. No way, no way in hell this is something that should be shadow dropped onto my phone.
s3p
This is insane. I have never heard of these and after checking I also have them on my iDevice. Tmobile should explain what wingman is and why it's on iOS devices.
ajmurmann
I don't understand why Apple allows carriers to do this. Apple is a well-respected brand by most of their customers while carriers are seen as an evil you cannot do without.
jrockway
I suppose "brand perception" loses to "we bought all the RF spectrum". If T-mobile, AT&T, and Verizon say "no iPhone", guess who is out of business? Not the spectrum owners.
mihaaly
"Apple is a well-respected brand". Less and less so. With stunts like this.
thefz
Because without the ability to join carriers' networks, Apple would be selling overpriced paperweights.
How can Apple be well-respected after wanting to scan your photos for CSAM is well beyond me, but I guess everyone is different.
leephillips
> a well-respected brand by most of their customers
Not surprising. I don’t respect or trust them, so I’m not one of their customers.
RetpolineDrama
Maybe Apple doesn't know carriers are doing this and the capability is an oversight? Verizon and AT&T seem to be respecting the user auto-join preference flag.
I'm thinking Apple didn't expect the carrier to do this.
judge2020
Probably to force more traffic onto wifi to keep people off of their network whenever possible.
undefined
tekknik
T-mobile here as well, no wingman. This means you’ve used in flight wifi.
codethief
> what wingman is
Not really related but hypothesizing it's the following makes me chuckle: https://www.youtube.com/watch?v=y8OnoxKotPQ
kccqzy
I have T-mobile but I haven't a clue what you are talking about. There are Wi-Fi networks called "t-mobile" and "TMobileWingman"? I just don't see them at all. Under what condition should I see them?
newZWhoDis
Settings/Wifi/edit/scroll down to “managed networks”
These are networks added by your carrier you can’t remove. They have equal priority to your real networks.
In my case, 2 neighbors have freebie wifi/modem combos blasting out 1-bar hotspots that match my carrier's free hotspot SSIDs, so all my family's personal devices constantly switch between my real home network and these "hot spots" with no way to stop it short of removing everyone's SIMs.
sundvor
Appalling.
You'd need an extremely strong reality distortion field to advocate for it. I can only guess it's a way for the telcos to offload 5g traffic.
In the Android world, if Samsung/Telstra introduced something similar in Australia that'd be enough for me to jump ship to another manufacturer that didn't. There's an auto-enabled "Hotspot 2.0" feature that I've turned off; it's not ideal that it's on by default but for people on lesser data plans it could be convenient. It's a simple toggle to turn off, nothing's forced.
unethical_ban
I could see a system where carriers partner with cities to install wifi at crowded locations, preset a carrier provided password and use that for better service than 5g.
But I am shocked that they would force connection to open ssids.
diebeforei485
I am able to disable "Auto-join" on those, but I don't have these WiFi hotspots near me so I can't test if that Auto-join toggle actually works.
cyxxon
I do not have that section under Settings/WiFi. Does that mean that my carrier simply has not added any managed networks, or should this section always be there, even if it is empty? Or is this a US thing, as I am in Germany?
ummonk
Thanks I just did this as well. I often defend Apple's decisions but this is downright ridiculous.
newZWhoDis
Make sure you check up on it later, in my case the carrier turns auto-join back on a few minutes later.
ummonk
Thanks. Doesn't seem to have happened yet but I have no confidence it'll remain that way.
codazoda
Wingman does not stay turned off for me, as op mentioned in his edit.
nvrspyx
It doesn't stay off for me either, but after some digging on the internet, Wingman appears to be an in-flight wifi network on planes (which may not actually exist anymore and T-Mobile are in the process of removing from devices according to this recent comment by a stranger on an old Reddit thread[1]). While it's annoying that it doesn't stay off, it doesn't seem to be something that would cause problems in practice because flights typically only have one wifi network.
1: https://reddit.com/r/tmobile/comments/7u535i/_/jcl01il/?cont...
TylerE
What happens if someone spoofs the SSID though?
KerrickStaley
You can hit Cancel and it will still retain the auto-join setting (very counterintuitive).
newZWhoDis
Wait 5 minutes and check it again. “Auto join” will be turned on again
bobbylarrybobby
Very bizarre: I unchecked the auto join settings and, as you said, the done button wasn't enabled. So I pressed cancel, and the changes persisted.
trafficante
I noticed this a couple days back at Home Depot, of all places. Was looking up the locations of stuff I needed to pick up via their website while sitting out in the parking lot and my iPhone kept switching off 5g to hop on some single bar wifi that I couldn’t delete or deselect auto-join.
Eventually just turned off wifi and the problem was “solved” but man this is going to be annoying if it starts happening at the grocery store or something.
grogenaut
tinfoil hat but frys used to seem to fuck with competitor websites on their in building wifi. amazon would never work. At least 2 times I had to go outside to get cell coverage and then pull up the amazon price to show them to get a price match. nothing really stopping home depot or whomever from shoving a pi-hole in front of competitor sites either.
josephcsible
> nothing really stopping home depot or whomever from shoving a pi-hole in front of competitor sites either.
And this is why people who say "DNS-over-HTTPS is bad since it bypasses Pi-hole!" are wrong.
kxrm
I think the argument is about choice, not whether this tech should exist. When a device or app forces DNS-over-HTTPS it does so to take away my choice.
zamnos
A pi-hole that null routes traffic? No, unfettered by TLS certificates and morals, the competitor's site would show the item as being out of stock and drastically more expensive, and the store's closing early today.
jacooper
I mean blocking 8.8.8.8 and 1.1.1.1 should be enough.
lxgr
I‘m generally not a big fan of most consumer VPNs, but this is one scenario where they can really help.
newZWhoDis
I noticed this because a condo has neighbors nearby with routers blasting said hotspot, so now you’re not even safe in your own home.
trafficante
Oh god no. I live in one of those “techbaby’s first econobox” neighborhoods where you can shake hands with your neighbors if both of you lean out the window a smidge.
I have never had so much trouble with network radio interference as I do here, so I can only imagine the fresh hell when one of my neighbors lights up one of these things.
There’s already a “stop hitting yourself” scenario going on with a guy blasting multiple competing 160mhz width APs for some reason. Thank god for Wifi 6E
zrobotics
A condo-sized Faraday cage would solve that problem...
toomuchtodo
They have faraday paint if you’re so inclined.
newZWhoDis
YC24 here I come
Fatnino
On Android with tmo if I go near a home depot my phone will hop on their wifi and get a little R next to the wifi signal icon. This R doesn't go away even after I go home and get on my home wifi. Can only get rid of it by rebooting the phone.
meshaneian
R for reboot /s
mihaaly
If some carrier representatives read this they may come to the conclusion that it is time to disable the wifi switch-off remotely too!
310260
This has been around for a while now and is not some new eSIM thing. It's existed with physical SIMs too. It's Passpoint access authorized via your SIM. Your device won't just randomly connect to anything with the same SSID. It has to auth via the SIM and it's on secure networks that your carrier has agreements with. Same as the access you get over the LTE or 5G network.
newZWhoDis
This is wrong, the networks show up as "my networks" and an iPhone 14 Pro Max on 16.4 will 100% connect to that with the same priority as a real/my personal wifi network.
>and it's on secure networks
No it's not, my home networks are behind strong firewalls and things like Pi-hole. Do you not see the problem with all of my family's devices "preferring" a neighbor's network over mine?
diebeforei485
> an iPhone 14 Pro Max on 16.4 will 100% connect to that with the same priority as a real/my personal wifi network.
That isn't what Apple says - https://support.apple.com/en-us/HT202831
At least according to the support doc, the most preferred network should be joined first, other private networks are the next priority, and public networks (including EAP-SIM, the subject of this thread) are the lowest priority.
newZWhoDis
These hotspot networks show up under “My Networks” on iOS 16.4 FWIW.
They can say what they want about "being given the lowest priority", but they clearly are competing with my home network and winning some fraction of the time.
310260
>Do you not see the problem with all of my family's devices "preferring" a neighbor's network over mine?
I have T-Mobile. T-Mobile maintains agreements for Passpoint networks at random places like airports, T-Mobile stores, or (I recently found out) Home Depot. These networks are encrypted and authorized against a RADIUS server.
My SIM has them programmed into it. I can't just stand up the "t-mobile" or "Passpoint Secure" SSID from my home network and my phone automatically connects to it. That's not how it works.
Based on the fact that your devices are showing preference, I'm gonna take a wild guess and say you have Xfinity/Spectrum/Optimum Mobile. The cable co. MVNOs maintain their own WiFi networks which are (again) connected to via Passpoint and authorized using RADIUS. However, the cable company WiFi networks extend far into neighborhoods and are broadcast from CPEs. Your devices prefer them because that's part of the network you signed up for.
Just VPN back to your home network if you're not confident in their security.
bluehex
You explained why this might be happening technically but why are you acting like it's okay? "Just VPN home" is not a solution if the phone is preferring a terrible one bar connection over the home one. Imagine the quality of that vpn connection you're suggesting as a fix.
newZWhoDis
> Just VPN back to your home network if you're not confident in their security.
I’m sorry but wtf?
You’re saying that, in my own home, I should just accept that my devices connect to an external wifi against my will and VPN back into my own home… while in my home?
Seriously?
m463
You can restrict apps from using the internet in the cellular menu. But with wifi, they can communicate unrestricted.
lxgr
> Just VPN back to your home network if you're not confident in their security.
So you expect the average user to be able to set up a Zeroconf/mDNS-proxying VPN, since that’s the only type that will allow things like Google Cast or AirPrint to still work?
Home networks are not just about security or speed, some people have devices on them they can otherwise not reach.
michaelmrose
Having multiple adjacent networks enabled is liable to cause customer devices to roam between access points on and off their LAN even when
- Remote access point doesn't provide access to desired resources
- Have acceptable performance
- Have acceptable security parameters according to users needs
Most users can't stand up a vpn inside their network and configure it to alleviate the self inflicted wound of having their phone decide that the user isn't qualified to select the wifi access points it prefers to connect to. You may as well ask them to grow wings and skip Delta. Instead they will be placing irate calls to their ISP about why their wifi sucks so much and I will be silently cursing Apple.
doggy_afuera
Thank you for adding some technical context to this discussion. There's a lot of (sadly) uninformed people in this thread spitting mad prophesying about a topic they clearly do not understand with any technical depth. If only the retail stores replaced their enterprise gear for EAP with a "pi hole". P.S. nice username
throwaway09223
> "No it’s not, my home networks "
When your phone is on 5g it is not behind a strong firewall, or any firewall at all. It's sitting directly on the internet. I can run a webserver on my phone and you can browse it.
> Do you not see the problem with all of my family's devices "preferring" a neighbor's network over mine?
If you've been laboring under the misconception that your phone is safe on your home network then perhaps this is a shock. But having your phone connected to a carrier means the carrier is responsible for providing a network.
Normally your phone is connected both to the carrier network and to whatever wifi network the user prefers, if wifi is available.
It seems like the major usability problem here is that instead of connecting to both networks, the carrier network supplants the user's network -- which breaks expectations when near user-run wifi.
lxgr
> When your phone is on 5g it is not behind a strong firewall, or any firewall at all.
I‘d be surprised if that’s true for most operators.
And even if there really is no stateful firewall: On IPv4 you’ll be behind carrier-grade NAT (so no inbound connections), and on IPv6 (including NAT64/DNS64), successfully guessing somebody‘s IP address seems extremely unlikely. (A server that you’ve visited might "dial you back", though.)
And for most users, the most visible effect will probably be that they can’t connect to their Chromecast, smart speakers, AirPrint etc, not decreased security.
kortilla
Except it’s shit. I constantly have to disable WiFi to get 5g again in the airport if I want something that actually works. Verizon with passpoint is absolutely trash and has nearly driven me to cancel my Verizon service because it can’t be removed.
fy20
I remember something like this happening nearly a decade ago with an iPhone 5S. I was at a large mall I visited often and saw I was connected to a WiFi network I hadn't used before.
The mall had WiFi but there was a portal which required SMS authentication and was time limited (the same as every other hotspot, it was the rules of the country), so I didn't bother using it on my phone. Plus the carrier had a modern LTE deployment, where I'd often get over 50mbit download speeds - which was faster than my home internet. The network was named something like "<carrier> offload" so I assumed they had a kind of WiFi deployment to limit cell tower load, and it was added by the carrier settings profile.
I can't remember if I was able to disable or delete the network (it worked, so I didn't care). I'm wondering if this feature has been there for a while, but OPs ISP has only just decided to use it (I imagine some exec had an OKR to increase adoption of their public WiFi hotspots).
mihaaly
Being around unknowingly for a while does not make a thing good!
RetpolineDrama
Yeah I don't get this angle, I've seen a bunch of people here act like it's no big deal because carriers "could" have done this a long time ago.
Well, we know NOW and it's not ok.
rootusrootus
I was all prepared to be very irritated. Especially if I could not disable them.
But disabling does work for me. And according to the documentation[0] these networks wouldn't get selected in preference to my home network anyway. My blood pressure is dropping a bit.
Assuming these are actually authenticated networks as described, then I don't know if this is any worse than allowing the phone to use the cellular signal. Same provider.
If your phone is hopping onto one of these while at home, I guess check your home wifi signal strength because it's probably dropping out?
newZWhoDis
On my device these hotspots show up under “My Networks”
Disabling (switching auto-join to off) also does not work, most of them switch back on a few minutes later. This seems to be carrier-dependent from the comments thus far.
I disagree based on my reading of the documentation, these are treated as identical to your other networks. The only benefit is my home network is usually louder, but that's the rub: it doesn't always work and devices routinely switch.
In my case I noticed this in a condo, so the physical distances are less
cxie
I can understand the frustration this issue might cause, especially if your device keeps switching to these managed networks despite having a stable home Wi-Fi connection. It seems like there might be a difference in behavior based on the carrier, which complicates the situation further.
newZWhoDis
I strongly believe these carrier networks should only be added to “my networks” as a permission-gated prompt, and also be deletable.
Would solve this whole thing I think
650REDHAIR
If I make a new SSID with the name of an Xfinity/AT&T/Verizon hotspot, would that mean every up to date iPhone user would automatically connect to it?
rootusrootus
No, unless you have found an exploit for EAP-SIM, Passpoint, etc.
jiveturkey
I didn’t think iOS had the capability to enforce any specific auth method for any specific SSID. You’re saying it does?
colechristensen
Yes.
seraphsf
No. That’s not how it works. These managed networks require a specific secure authentication from the carrier itself.
mihaaly
If we trust the providers and manufacturers and we know that they are careful and with the best intentions then there may be no problem, but hey, they force things, they do secretive things, some even mislead and scam us, they eroded the trust in them themselves collectively!
I do not feel comfortable not knowing what wifi network my device will connect to the next minute along some opaque incentives of an organization I have no control or insights about. What if I have resources or devices in a specific wifi network that I rely upon and they hop over to something else because they want to? I have serious doubts about this move. To me even the hidden direct wifi communication switched on silently, allowing two Apple devices to communicate with each other in the vicinity, was a drastic move. We were watching some movie on Apple TV and were suddenly interrupted with the message and confirmation code display that my second neighbour's MacBook Air wants to connect to my Apple TV. "How did he connect to my network?!", came the panic. I have important and confidential data available on my local network (with passwords, but still, one barricade was broken already!). Luckily the guy was aware of this new ""feature"" (more like a nuisance) and so now it is turned off on my Apple TV.
The trust is eroded a lot.
jsjohnst
I’ve tested this on iPhone 14 Pro Max, 13 Pro Max, and 12 Pro Max. Using iOS 16.4 and 16.5 beta, I’m unable to replicate this.
AT&T 54.0.1
Managed Networks: AT&T Wi-Fi Passpoint, attwifi
Verizon 54.0.1
Managed Networks: PrivateMobileWifi, VerizonWifi, VerizonWifiAccess
T-Mobile 54.1.0
Managed Networks: t-mobile
———
I’ve tested the following scenarios
- confirm auto-join disabled, wait 10min, recheck and still disabled.
- confirm auto-join disabled, reboot, recheck and still disabled.
- confirm auto-join disabled, enable airplane mode, recheck and still disabled.
- confirm auto-join disabled, disable wifi, re-enable wifi, recheck and confirm still not auto-join enabled.
- confirm auto-join disabled, switch cellular data to alternate esim, switch back, confirm still not auto-join enabled.
At this point I feel there must be something different about your setup that’s non-standard in some way.
It’s slimy as hell that they get added automatically, but still very much possible to disable, at least it seems.
Edit: “Wingman” and related variations never appear on either of my T-mobile devices.
newZWhoDis
Wow, thank you for your detailed post.
I have multiple iPhone 14 Pro Max, all 16.4
All on Xfinity Mobile 54.0.1
Yes, I know Comcast sucks but they are the only provider in my area for gigabit and they whitelabel Verizon mmWave 5G for a serious discount if you bundle with their internet (which I’m basically forced to use)
In my case, I disable auto join on all 9 managed networks and 5 of them are back to enabled before I’m done checking the list.
TylerE
If you don't want the service, why did you buy it, even if the discount was 100%?
newZWhoDis
“The service” was cellphone service; there is no logical reason my phone OS should arbitrarily lock me out of wifi settings due to my cellular carrier.
m463
I noticed this type of thing a LONG time ago (years) when my browser session was hijacked by some Starbucks terms of service popup. My phone had auto joined an AT&T wireless hotspot at a nearby Starbucks.
I could disable auto-join at that time and it didn't happen again.
Also as a general precaution I turned off wifi except at home.
However, if it cannot be disabled, I find it troubling.
newZWhoDis
In my particular case it’s happening in my condo and all of my family's devices routinely switch between my real network and the 1-bar hotspots several floors away.
It’s impossible for me to disable and breaks all local connections to things like PLEX, as well as kid safety/adult content filtering.
m463
Killing local network access is an actual bug.
related - I wonder if this is specific to esim or if this would happen with a regular sim too?
and can you just call your carrier?
I had a comcast business router and it started broadcasting an open comcast wifi access point (for comcast customers). I called and asked them to turn it off and they did.
BanjoBass
I just checked my phone, There were 3 verizon networks in there I don't recognize. I'm using a regular SIM.
newZWhoDis
The carrier told me to contact apple.
And in my case, I can’t exactly harass all my neighbors to disable their “free hotspot”. I should be able to control my own phone and dictate what it does/does not connect to.
mr_toad
> Killing local network access is an actual bug.
Yeah, in addition to any local servers you have, it would break Continuity (Handoff etc.), it would break casting. Sounds very poorly thought through.
conductr
It amazes me how features like this make it through to release and seemingly nobody considered this very basic experience of your home being hijacked.
xbar
It gets more sickening every day. I own every Apple device there is. But there has never been a company more anti-Steve-Jobs-vision than Apple.
The seamless experience has turned into my fight against Apple's hatred of their customer.
lyu07282
> I own every Apple device there is.
I'm not sure anyone really ever "owned" an apple device, at least since the first iPhone or so, it seems to me we kind of redefined what ownership means. Apple owns every device they make, you are allowed to pay for limited and revokable usage rights. You have very limited knowledge or control over most of its proprietary hardware and software. Apple, the phone carrier, the apps you install, all have more, varying control over your device. The kind of freedom Stallman talked about for example has been lost for a very long time.
Aeolun
Maybe? I certainly still have more control than on windows.
d0c_z3r0d4y
Last I checked, you were still able to install apps on Windows from sources other than the Windows store.
bhawks
The real reality distortion field is that folks believe that Apple (or Steve Jobs) is somehow benevolently pro-user, almost to an extent of sacrificing itself for the users' benefit. This never was true; Apple is a company like every other company and it views its customers as simply revenue streams.
Apple's pro-user perception is an (amazing) marketing campaign.
Would a pro-user company use its monopoly position to raise eBook prices 20-30% and simultaneously eliminate any competition in the eBook space, on the backs of their users? Apple did exactly this, directed explicitly by Steve Jobs, and was forced to pay nearly half a billion dollars and be found guilty of violating antitrust law.
https://en.m.wikipedia.org/wiki/United_States_v._Apple_Inc.
https://www.techemails.com/p/ibooks-is-going-to-be-the-only-...
Apple's priority is Apple - and that is the only priority. This is a perfectly reasonable thing too, they are not running a charity. They often build pretty good products, but I think folks are doing themselves a disservice to believe that Apple maintains some kind of user focus moral high ground. They want the dollars in your pocket, and if they can get more of them by acting against you they will do it if they think it's unlikely they will be called out on it.
ksec
Steve used to care about things like this. And even if he didn’t once it has his attention you know something will be done or at least looked into with a reasonable eye. Now it is nothing.
1101010010
They're instruments of social control and behavioral management. People will get upset and this comment will probably even get removed (censored), but this is the truth with closed source software from for-profit corporations.
issafram
Get an Android phone. It's the bee's knees.
RetpolineDrama
Some comments suggest Android is affected as well.
YPPH
Apple stood up against carrier customisation. No custom firmware, boot logos, or pre-installed bloatware. Upgrades occurred when Apple was ready to release them, not years later than carriers had finished their "testing". This was fairly revolutionary at the time.
This is definitely a backwards step contrary to that vision of carrier subordination.
neilv
Whenever someone sadly hits their personal "last straw" threshold for iPhone, one option to consider is the privacy&security-focused GrapheneOS variant of Android.
https://grapheneos.org/features
You can run GrapheneOS on recent models of Pixel hardware. (It usually has to be a unit purchased from Google, or that otherwise hasn't had OEM-unlocking disabled by the carrier that sold it.)
https://grapheneos.org/faq#device-support
https://grapheneos.org/install/web#enabling-oem-unlocking
You might also try minimizing the apps that you depend upon, though GrapheneOS has put work into supporting apps in a bit more private&secure way. There's also the option of the F-Droid app store, if you want to try to avoid commercial apps altogether, but still need things like an OpenStreetMap app.
There were a lot of things I liked about iPhone, but I overall feel more respected by GrapheneOS.
If you end up liking GrapheneOS, and have the means, there's an optional Donate page on their Web site.
das-hinterland
Top posting because there is a lot of mis/false information overwhelming the comments section and this needs to be known.
Facts:
1. OP is a customer of Xfinity Mobile - which is a "Wi-Fi first" internet service. Note they don't call it "cellular" because it isn't.
2. Their terms of service are clearly laid out here: https://www.xfinity.com/mobile/policies/broadband-disclosure...
To quote:
"Comcast's Xfinity Mobile broadband Internet access service ("Xfinity Mobile service" or "Service") utilizes Wi-Fi service - both Xfinity WiFi and Wi-Fi provided by other Internet Service Providers ("ISPs"). When not connected to Wi-Fi, the Service utilizes our carrier partner's mobile broadband Internet access service network and is subject to its network management practices and controls."
Basically they roam onto cellular when their WiFi is out of range.
3. OP keeps claiming that he never agreed to anything blah blah yes you did. When you sign up for anything with Comcast they make you sign an agreement that you agree to their ToS. See South Park episode "Human CentiPad".
4. The service OP signed up for is at a discounted price because of trade offs. The trade offs are that your device will prefer the Xfinity hotspots over cellular. That's literally how it works. That's why you're getting it for cheaper because the service sucks by design. That's on the customer.
5. People attempting to point these facts out have been getting downvoted which is just sad.
TheDong
The OP isn't complaining that their phone is roaming to a managed Wi-Fi _in preference to cellular_
They're complaining that it's not using their own Wi-Fi and causing real issues for their family members.
Trying to justify this behavior because "well, the ToS maybe said something about this" rightly deserves to get downvoted, as do your other points.
None of what you call out changes the fact that:
1. The OP is experiencing real issues, preventing them from using their own Wi-Fi at home
2. This is because of a configuration setting they cannot change on a device they own.
What SIM they're using, what ToS they've signed, none of that should matter when OPs goal is just "I want to be able to use my own Wi-Fi at home".
das-hinterland
We don't know much about the OP's WiFi setup other than he chose to use his own equipment and not to use the carrier's gateway - which would broadcast its own, stronger, passpoint SSID in his apartment and likely these issues would go away.
Consider the following scenario: the OP's router is flaky and disassociates stations during which time the phone gets kicked off then "sees" the carrier's SSID from the neighbor and joins it. Now it's on that network. Suddenly this becomes a self-created problem. The solution is to not use Xfinity mobile or any other "Wi-Fi first" MVNO.
andreareina
It can both be true that OP is getting what they asked for, and that this is a bad thing for Apple to unilaterally allow. How does Apple know that OP signed up to have their preferences ignored?
das-hinterland
This has been going on for years. Not many people know of the deep integration between Apple and the carriers. Your iPhone, when a SIM is inserted, pairs it with a "carrier profile" which is downloaded from Apple's servers. This profile, among other things, has network settings and preferences such as the APN. That's why you need to have the phone connected to the internet to "activate" it; it's part of the provisioning process. These wifi offload networks (along with likely a setting for whether they can be disabled or not) are likely downloaded as part of that profile.
This is reminiscent of those "ad supported" ISPs of yesteryear that people would subscribe to then complain that it has ads.
Y_Y
I like your fervour, but does any of what you said apply when cellular isn't involved and OP wants to use their own WiFi network but can't because of an unnecessary restriction in their phone OS?
boulos
> Top posting because there is a lot of mis/false information overwhelming the comments section and this needs to be known.
You posted this as a reply to a top comment. Perhaps re-post as a top-level comment? I think dang can move these, but likely won't see it for a while.
neilv
Replying to the top-voted comment, for visibility rather than relevance, is something I haven't noticed much on HN.
I'm not saying it's wrong, but it seems to be unilaterally subverting the voting mechanism, with the rationale that person is confident the message is so important that the voting mechanism is irrelevant or can't be trusted.
A person could be right, in an instance, but imagine if everyone did that every time they were confident. We'd need a way to mitigate the conflicts from all that individual confidence. Maybe with a democratized voting system.
newZWhoDis
Nothing in the terms of service you linked says they can disable my device's ability to NOT join their network.
And their advertising absolutely does not suggest they are “WiFi first”, they advertise cellular service with hotspot access. AT&T and Verizon do the same thing (advertise all these great free hotspots you get).
No one intentionally signs up to lose control of their WiFi system on devices they own, so stop making excuses for Apple’s behavior.
RetpolineDrama
I just read their ToS and pulled up their sales/landing pages.
"Wi-Fi first" is a term you made up, their claim is that they _offer_ cellular service and wifi hotspots like all the other carriers.
Read your quoted section again, "utilizes" does not mean "force you to use over all other network options against your will".
beckman466
Wow, they've done it: they've out-exploited an already monstrously ruthless monopoly!
crossroadsguy
As someone who reluctantly moved to iOS from Android and reluctantly stays on iOS there really is no other option for "normal" ("regular"?) users who don't want the Google crap all over their existence.
Graphene, Lineage etc. are all excellent solutions for people who want to (or "can") get their hands dirty and can live without normal functions of "commercial" apps; for everyone else as of today there are just two options - Apple's iOS or Google blessed Android. I am not even talking about warranty and bricking woes.
This is a duopoly as clear as day. We can keep telling ourselves that we have options, we don't. It's settled, at least that is how it is right now (again, maybe except for "tinkerers" which I guess even I was until around a decade ago).
KingMachiavelli
I will say GrapheneOS is much more usable than normal custom Android ROMs. Maybe this has changed but IME even Lineage based ROMs, official or otherwise, don't have automatic updates the same way stock does.
But GrapheneOS and a few similar projects actual have fully automatic updates, for every Android security update and major versions.
Once installed, which is very easy as long as you are starting fresh, GrapheneOS requires no effort to maintain. F-Droid or even the Google Play Store works just fine once configured. The only apps that don't work are major banking apps and Snapchat, so not a big deal.
If you have family/friends that use smartphones but don't really use "Apps" then GrapheneOS is perfectly fine.
an_aparallel
I am not 1% as technical as the regular HN contingent - and I can only say - flashing a Pixel 6 Pro with Graphene was smooth as silk. Just requires some good reading and instruction following skills.
Amazing OS... works fast, UI doesn't change whenever it feels like... absolutely the best tech related thing I've done this year.
I would have been on it sooner if I wasn't so annoyed about needing to own a Google phone to use it :P
crossroadsguy
My banking and finance apps are the mandatory apps that I keep on my phone :(
These are the kinds of caveats I tried to point to in my comment. That it’s not an option even though it feels like that.
aembleton
> The only apps that don't work are major banking apps and snapchat so not a big deal.
It's a big deal for me if my banking app doesn't work.
judge2020
It's a duopoly. But what is the solution? Requiring developers develop for GrapheneOS? Or forbidding Apple from making iOS/iPhone secure enough to be used by at-risk individuals being targeted by nation state actors with n > $1M in resources to use on attacking someone (by forcing them to allow third-party app stores/downloading apps from websites/etc)?
Zuiii
Break them up!
The potential for manufacturers to abuse their customers when they control the full stack. Bell Labs both Google and Apple. Hardware and software should be developed by separate entities anyway. If it works for normal computers, it can work for small normal computers too.
AnthonyMouse
> Or forbidding Apple from making iOS/iPhone secure enough to be used by at-risk individuals being targeted by nation state actors with n > $1M in resources to use on attacking someone (by forcing them to allow third-party app stores/downloading apps from websites/etc)?
This has always been a pretext. They could sell phones that allow you to do any of those things by default and allow the user to set an option that locks the device to only Apple's store until the device is factory wiped. That would not be any less secure for people who choose that option, but would give people the choice without tying that choice to the entire platform.
> It's a duopoly. But what is the solution?
That depends on who you are.
If you're a government, antitrust.
If you're anyone technical, buy a device that isn't always the easiest to use and then use your talents to make it better for everyone.
If you're in a managerial role at any kind of large enterprise, smart companies have purchasing requirements that penalize certain vendor behavior, by prohibiting purchases from them entirely or requiring them to come in some significant percentage lower than any competing bid. Make sure vendor-locked products get penalized by your company. Let the vendors know this is why they're not being chosen. (The reverse version of this also works: Have corporate charge individual departments a large premium for purchases of disfavored products. Then they have to decide how much they really need it and alternatives get attractive.)
If you're a regular person, don't buy anything that requires you to install an app on your phone. Use your bank's website and if you can't then get a different bank. Don't do business with companies that remove your choice of platforms, even if you still don't currently have one, so that someday you might.
fsflover
> But what is the solution?
The solution is to abandon both and join the community of GNU/Linux phone users, https://puri.sm/products/librem-5 and https://pine64.org/pinephone.
madmads
I use GrapheneOS on a Pixel 7 Pro daily and I can use banking, transport, and government apps just fine. There's only been one time I had to look up how to get an app working and that was trivial. I get notifications and can use the Google services I choose with permissions I pick. I can even use all the hardware features such as Google's AI image editing and camera features. Even installing GrapheneOS is done through a browser and takes just a few steps. If you are just slightly technically inclined I see no reason you can't use GrapheneOS, I haven't personally had to compromise in any way while I have gained complete control of my device.
Even if using GrapheneOS came with downsides, the amount of power you gain over your device would have been worth it. If you have a Pixel device you owe it to yourself to spend a few minutes finding out if you want to try GrapheneOS.
neilv
This doesn't address all your concerns, but for people who want to keep the commercial apps, GrapheneOS now supports that to some degree:
iopq
About a billion people in China can manage without a single Google program on their phone
flexagoon
Here's the thing: Lineage is for people who "can live without normal functions of commercial apps". Graphene is not. Because all "normal functions" work on Graphene.
It's also super easy to install - you literally just need to press a few buttons in a web browser.
(Lineage is also not an excellent solution because it has severe security flaws and questionable privacy benefits)
emptybits
Another vote for GrapheneOS here. I moved away from a great iOS experience to a great GrapheneOS experience nearly two years ago. Pixel 5. Works fantastic. Bonus: I get nearly two full days of battery life between charges, even with heavy use, because my phone is not full of apps and system services chatting away to their motherships all day. I have all the mobile apps I need and enough of the apps I want. (And probably a little more peace and useful disconnection because I'm "missing" some apps that I used to spend time with but I honestly can't tell you what they were or that I actually "miss" them. Ha.)
I'm still a happy MacOS desktop user and while I occasionally miss some mobile/desktop automagic syncing that Apple does so well (iMessage, Photos, etc.) I find this split GrapheneOS/MacOS life forces me to smartly use more Signal Messenger and suggest others try it too. And I use the amazing Syncthing on all my devices for mobile/desktop syncing needs like photos and more.
Also ... moving away from an iPhone, I moved from Apple Watch to Garmin Fenix and am super happy about that move also. Two weeks of battery life from a watch that's more durable, has physical buttons that I prefer, and is more customizable when I'm feeling nerdy. Garmin's philosophy on user data/privacy seemed to be very good compared to Google, Samsung, and other watches. And they're better built watches and meant for 24/7 hard use.
Kudos and donation to the GrapheneOS team. Also, their regular system updates work so smoothly, perfectly, if a little too frequently.
Maybe it's not forever, but I did this purely as an experiment with my Apple safety net waiting for me. The iPhone and Apple Watch have depreciated and gathered dust and haven't been touched in nearly two years. Time will tell...
mypgovroom
This! I'm very impressed with how well it works and the continued anti-consumer steps iOS and Android make are only driving Graphene's development!
Zuiii
Thank you. I previously relied exclusively on Samsung for phones, tablets, and smartwatches but decided to stop dealing with them after they decided to silently enable sending everything I typed to Grammarly in an update. (Literally 2 decades of good will wasted.)
If the next models remain secure with GrapheneOS, I'll be switching to using Pixels exclusively instead. How long does GrapheneOS support Pixel devices? A strong, clear policy on security updates was the main reason why I stuck with Samsung and continued to recommend them for so long despite them becoming more and more abusive.
madmads
There's active support going back to the Pixel 4a with the Pixel 4 being EOL.
https://grapheneos.org/faq#device-support
Looking under the next section "Which devices are recommended?" it sounds like support is planned for the full life of newer devices that have 5-year update guarantees.
r0l1
My words! I made the switch to Copperhead / now GrapheneOS 7 years ago and never looked back. Can only recommend this OS and the lead dev is a legend.
hackernewds
Or you know, switch to Android.
tdonovic
This is a very US centric way of looking at this. Currently sitting in a packed subway carriage in Busan, South Korea. There are carrier WiFi APs installed in every carriage. Their network is literally built to offload people onto wifi where possible, I presume to reduce congestion on not much or very directional spectrum in the tunnels. In this case, it makes perfect sense to push people onto their wifi. Not connecting to your own networks preferentially is a PITA though. Seems like a really neat solution imo.
stevehawk
I think most Americans on here are concerned that if they're at home, and their neighbor has a carrier sponsored wifi hotspot, then their phone may prefer the neighbor's hotspot to their own home network. Things like this could disrupt talking to local devices (AirPlay, Home Assistant, etc.).
01100011
Sort of. I can understand offloading to WiFi. I cannot understand preferring carrier WiFi hotspots over my own.
kalleboo
I live in Japan and first noticed this "feature" when I'd lose connection as every time I'd walk past a FamilyMart convenience store (which you can find every 3 blocks or so) it would connect to "0000docomo" and then immediately lose connection as I kept walking. Although in my case, disabling auto-join works fine.
Why would they install WiFi repeaters and not just 4G/5G microcells on the trains?
rizwank
I suspect cell site density and that Wi-Fi infra doesn’t require the same regulatory permissions as a microcell. Wi-Fi is unlicensed.
kalleboo
Yeah I guess there may not be a regulatory framework for ambulatory cells
Havoc
Cost seems like the most likely answer
newZWhoDis
Fair criticism. But can you defend blocking the user from manually disabling these networks?
I’d understand if I got a pop up saying “add these networks for the best experience”, I accepted them, etc.
I would have (upon detecting this problem) just removed them and gone about my day.
The problem here is that you are forced to use them with no opt-in and no way to disable it.
armatav
Why can't I remove the network from my phone then?
Makes "perfect" sense.
lxgr
I can see how it can be a very useful feature – but why not let users decide if they want to keep enjoying it, or opt out of it for whatever reason? I can think of many valid ones.
altairprime
I wish they’d install this in elevators here, too.
lxgr
My office building's elevators have 5G signal, which makes much more sense as it avoids a hard handover between SSIDs/networks (or Wi-Fi and mobile data), which in turn has a much higher chance of not dropping calls.
altairprime
I’d accept either, relative to what I have today, which is nothing.
MrStonedOne
If apple wants to add a second wifi radio to handle carrier offloading, and having it treat this second wifi radio as a cellular radio by another medium, sure.
but I should have fullllllllllllllllll fucking control over what wifi network my device connects to.
The fact it can connect to mobile data is only 10% of the device, and I don't see why connecting to a carrier's mobile network should grant that carrier the ability to edit user settings like what wifi networks it's allowed to connect to.
Wowfunhappy
Is this based entirely on the SSID? In other words, could I force other people's phones to connect to my router by just changing the name of my Wifi network?
That seems like an obvious security vulnerability.
i_am_jl
This is funny, because the very first iPhone did exactly this in the US for the SSID "AttWifi". Crazy that they brought it back 15 years later.
diebeforei485
Presumably it uses EAP-SIM to authenticate, not just the SSID.
https://support.apple.com/guide/deployment/how-apple-devices...
jiveturkey
unfortunately your link doesn’t mention anything of the sort (whether auth method is a requirement of the SSID)
andy_ppp
The SSID is the key. There is no other security as far as I understand it - you can test this by changing routers and naming the SSID and password the same. Devices will join this new network no questions asked.
astrange
That depends on the carrier. There is such a thing as SIM authenticated WiFi networks and they can use it.
robocat
> There is no other security as far as I understand it
https://news.ycombinator.com/item?id=35447903 says it uses RADIUS authentication and “I can't just stand up [spoof] the ‘t-mobile’ or ‘Passpoint Secure’ SSID”.
Wowfunhappy
> There is no other security as far as I understand it - you can test this by changing routers and naming the SSID and password the same. Devices will join this new network no questions asked.
AIUI this is a feature, not a bug. It allows devices to switch between different access points automatically.
For example, a large school will need to use many different access points in order to cover the entire building. Students will not want to manually switch between all of these access points, so the school gives each one an identical SSID and password. Devices will then switch automatically as needed.
Riverheart
I read this as cellular providers offloading traffic from their networks by making it so phones will piggyback on Wi-Fi networks. Maybe a symptom of increasing demand for more data but unwillingness to eat the cost or too many users. With Wi-Fi calling they’ve got that covered.
TylerE
Hardly exotic these days. I have multiple APs at home, all sharing the same SSID with automatic handoff. Practically every ASUS router (at least) can do it, and it's only a few clicks to set up.
blincoln
That is how pre-shared key (PSK) WiFi works, but it's not how WiFi that uses strong authentication (e.g. WPA2 Enterprise) works.
There may be bugs/vulnerabilities in the stronger authentication, of course.
Using PSK for untrusted clients is a bad practice, because everyone who knows the PSK can decrypt all of the wireless traffic even without setting up a malicious AP with the same SSID. If a phone carrier were forcing devices onto PSK networks, it would be an even bigger problem than the one discussed here.
m463
along with the fact that you can restrict some apps from using the internet via the cellular menu and never hook to a wifi that lets them connect.
But with this in place, you cannot restrict some apps from using the internet, the type and amount of data will be unrestricted.
gloyoyo
Basically, this is a HUGE argument with several simple solutions, but it does BEG to be resolved promptly before the vulnerability (and the WTF) threshold go through the roof...
Well this was a major surprise so I figured I’d share it here to get some eyeballs on it.
Essentially, the latest iOS (16.4 at post time) allows your cellular carrier (via eSIM) to add “managed networks” to your device.
These networks cannot be removed, they cannot have “automatically join” disabled, and they have equal priority with your real, personal networks.
So guess what happens when your neighbors get a wifi/modem combo that blasts a free hotspot SSID? Not only does it pollute the already crowded 2.4 GHz band, your iPhone will often prefer this connection over your real/local wifi (despite said wifi being at 1 bar).
As of post-time, there is no way to remove these networks short of completely disabling cell service/removing the eSIM and resetting all network settings.
You can see this for yourself by going to WiFi/“edit” and scrolling down.
Edit: to clarify, I can disable “auto join”, but in 4-5 minutes all of my devices have auto-join turned back on. I’m guessing it re-syncs with the carrier profile. Also, this does not seem to be eSIM or SIM related; it can happen on both.