Apple users have unwittingly discovered a new feature after installing iOS 11 on their mobile devices: when you toggle your Wi-Fi and Bluetooth quick settings to “off,” those services remain on for Apple services.
For example, Location Services is still enabled, and Handoff and Instant Hotspot stay on, even when iPhones and iPads are put in “Airplane Mode.”
The change in iOS 11 has come under criticism because it could expose users to security risks.
Because iOS 10 allowed users to perform a quick swipe in the Control Center to toggle Wi-Fi and Bluetooth fully off, users reasonably believed they had the same capability in iOS 11.
In a blog post, the Electronic Frontier Foundation (EFF) criticized Apple for failing “to even attempt to communicate these exceptions to its users.”
In addition to not fully turning off Wi-Fi and Bluetooth, iOS 11 also automatically reactivates the latter at 5 a.m. the following day.
“When you consider Bluetooth’s known vulnerabilities, it’s especially important to make sure your Bluetooth and Wi-Fi settings are doing what you want them to,” the EFF said. “This is not clearly explained to users, nor left to them to choose, which makes security-aware users vulnerable as well.
“It gets even worse,” the EFF continued. “When you toggle these settings in the Control Center to what is best described as ‘off-ish,’ they don’t stay that way. The Wi-Fi will turn back full-on if you drive or walk to a new location.”
Apple has not commented publicly on the connectivity issue. But after Computerworld requested a comment about the issue via email, Apple directed it to a support document explaining the use of Bluetooth and Wi-Fi in Control Center with iOS 11.
In order to completely disable Wi-Fi and Bluetooth for all networks and devices, users must now go to “Settings” and turn each one off individually.
Apple did not say, when asked, whether it plans to change the Control Center functions back to those used in iOS 10 to ensure users can fully disable local network connections with a simple swipe.
Apple’s new support document explains that while an iOS device will immediately disconnect from Wi-Fi and Bluetooth accessories using the on-off toggle swipe, both Wi-Fi and Bluetooth will continue to be available, “so you can use these important features.”
The document lists all the features that will continue to operate even while Airplane Mode is activated. Those services include: AirDrop, AirPlay, Apple Pencil and Apple Watch, along with Continuity features such as Handoff, Instant Hotspot and Location Services.
“When a phone is designed to behave in a way other than what the UI suggests, it results in both security and privacy problems,” EFF said. “A user has no visual or textual clues to understand the device’s behavior, which can result in a loss of trust in operating system designers to faithfully communicate what’s going on.”
Because mobile users rely on the operating system as the bedrock for most security and privacy decisions, no matter what app or connected device they may be using, “this trust is fundamental,” the EFF said.
“In an attempt to keep you connected to Apple devices and services, iOS 11 compromises users’ security. Such a loophole in connectivity can potentially leave users open to new attacks. Closing this loophole would not be a hard fix for Apple to make.
“At a bare minimum, Apple should make the Control Center toggles last until the user flips them back on, rather than overriding the user’s choice early the next morning,” the privacy group said.
Charles Golvin, a research director for Gartner, said Apple’s choice to passively enable Wi-Fi and Bluetooth behind the scenes is unusual for a company that prides itself on offering transparent and predictable device behaviors.
“It’s kind of counter to Apple’s DNA,” he said.
While the new settings don’t open up new security risks, they do expose users to known Wi-Fi and Bluetooth connectivity issues.
For example, a Bluetooth-enabled device is almost always listening for unicast traffic targeted to it, even when it is not set on “discoverable mode,” according to a study by Armis Labs. “For this reason, to establish a connection, the initiating party only needs to know the [Bluetooth device address, MAC address] of the target device. Once an attacker acquires it, and is in physical proximity of the device (RF range) he or she can reach the surprisingly wide attack surface of its listening Bluetooth services.”
“Essentially, it comes down to both data being exposed and connections being established that are potentially uninvited or unwanted,” Golvin said.
Over time, he said, users will likely learn more about the new Wi-Fi and Bluetooth connectivity settings in iOS 11 – and users who care enough about them will no longer inadvertently leave them on.
IDC analyst William Stofega, however, said “you can’t have a device that people don’t understand what’s happening on it.”
The changes Apple made to wireless functions in iOS 11 were intentional in order to capture data and ensure mobile connectivity to an ever-growing universe of Apple applications, Stofega said.
While having Wi-Fi and Bluetooth continuously on is a convenience at home or in the office because they can seamlessly connect to common apps, when at a coffee shop, retail store or on an airplane, the feature leaves a mobile user open to spyware.
It’s also a drain on the iPhone’s battery and creates a situation where the phone or tablet is constantly “switching back and forth” among cellular, Bluetooth and Wi-Fi connections, Stofega said.
“I think what Apple could have done is explained what the heck is going on,” he said.
A recent analysis of 50,000 mobile devices by online security gateway provider Wandera revealed the battery decay rate of iOS 11-enabled devices has been significantly higher compared to iOS 10 devices out of the gate.
A newer analysis by Wandera – done after Apple pushed out improvements with 11.0.1 and iOS 11.0.2 – “suggests improvements in iOS 11 battery life are on the horizon.”
Regarding the problem of not fully explaining “what the heck is going on” in iOS 11 in terms of Wi-Fi and Bluetooth connections, Stofega said: “I’ve been on planes with iOS 11 and you can see everybody. There’s a lot of different tools…that at the very least can pick up sign-in or log-in information. Whenever you have something you’re not aware of on a device that is automatically connecting you to something, it’s not a good thing.
“The fact that you have to go online to look for articles about how to actually turn your device off when using iOS 11,” Stofega continued, “is an issue.”