Apple and AT&T Will Learn that User Agents are no good for access control

Apple iPhone users can access the Internet free of charge through AT&T hotspots, that's what Macrumors is reporting. That's a great additional feature for iPhone users and apparently for everyone else as well. The way of determining if a device is eligible for free access is by checking the User Agent of the device. Each browser identifies itself when it connects to the Internet through the user agent, which may reveal information about the operating system, language or version.

We all know that it is very easy to spoof the User Agent of any browser to a custom string, and while you can select anything you want, you can select user agents from different devices or browsers to make services believe you are using such a device or browser. All that needs to be done now is to change the User Agent of the browser to the User Agent of the iPhone's browser.

The User Agent of the iPhone browser is Mobile Safari 1.1.3 - iPhone. A user with Firefox or Opera can now easily change his User Agent to the one used by the iPhone to access the Internet without costs at every AT&T hotspot. One possible add-on that can be used for Firefox would be the User Agent Switcher.

User Agents are definitely not a secure way to protect a network or website from unauthorized access. The same can be said for referrer checks which are as insecure. It probably will only be a matter of time before AT&T decides to change the way the free access is granted. Probably through a small application that needs to be run on the iPhone instead or by adding other types of verification to the process.

Update: It is unlikely that this hole will remain open for too long though.