Originally Posted By: tfabris
If you wanted to prevent a nicked phone from being used on your WPA network, you can PIN-lock the phone's UI, but I think that an "awake" phone will still connect to a known WPA network in the background, with the anticipation that someone will want to start using it as soon as they enter the PIN.

So I guess that means they haven't thought about the problem at all: if your Wi-Fi is accessible from your iPhone, your 256-bit WPA2 encryption has just become (assuming a 6-digit PIN) more like 20-bit encryption.

Quote:
I don't know how the WPA key is stored on the phone itself, i.e., I don't know if they save it in a clear text file in memory.

With penny-plain mobile phones, a crack or firmware reload to the device that obviates PIN entry doesn't actually buy the criminal all that much: just a list of contacts, and phone service which can swiftly be revoked by the network based on IMEI number. With a smartphone (or other Wi-Fi device; the problem isn't restricted to iPhones), a crack or jailbreak that can bypass the PIN and/or load software on the device can confer considerable criminal advantage. It doesn't matter whether the WPA key is stored obfuscated, if the hooks that cause the OS to fetch, uncloak, and activate it are there for the calling by UI code.

I think advanced EAP-type WPA might be able to revoke access on a client-by-client basis, but normal PSK WPA certainly can't.

Peter