by 310260 1165 days ago
This has been around for a while now and is not some new eSIM thing. It's existed with physical SIMs too. It's Passpoint access authorized via your SIM. Your device won't just randomly connect to anything with the same SSID. It has to auth via the SIM and it's on secure networks that your carrier has agreements with. Same as the access you get over the LTE or 5G network.

This is wrong, the networks show up as “my networks” and an iPhone 14 Pro Max on 16.4 will 100% connect to that with the same priority as a real/my personal wifi network.

>and it’s on secure networks

No it’s not, my home networks are behind strong firewalls and things like Pi-hole. Do you not see the problem with all of my family's devices “preferring” a neighbor's network over mine?

> an iPhone 14 Pro Max on 16.4 will 100% connect to that with the same priority as a real/my personal wifi network.

That isn't what Apple says - https://support.apple.com/en-us/HT202831

At least according to the support doc, the most preferred network should be joined first, other private networks are the next priority, and public networks (including EAP-SIM, the subject of this thread) are the lowest priority.

These hotspot networks show up under “My Networks” on iOS 16.4 FWIW.

They can say what they want about “being given the lowest priority”, but they clearly are competing with my home network and winning some fraction of the time.

I suspect this has to do with beaconing and once you force it to join your wifi it will stop until you leave your wifi coverage.

If you are walking towards your house and it sees one of these 'sponsored networks' it will autojoin it, when you walk into your house it won't switch. It saw the 'sponsored networks' beacon first.

>I suspect this has to do with beaconing and once you force it to join your wifi it will stop until you leave your wifi coverage.

Great point. Wouldn't that mean it "beacons" to your neighbor when you drive home? Then stays connected as you go inside?

Wifi is tricky: if a momentary loss of your main SSID results in your device hopping to the next available SSID, your phone is basically always at risk of jumping LANs.

Which is fine for a house, but imagine a (wifi) crowded condo/apartment. You could be in bed but opposite your neighbor's closet, so physically closer to their WiFi and thus “louder”.

It's not about louder, it's about who it sees first. Once you manually override it should be good unless your wifi drops out for some reason.

Yeah, that doesn't match their spec. Unless your home network goes down momentarily and the iPhone immediately switches to the other wi-fi network. You could maybe check the iPhone logs (or the router logs!) to see if this happens, but this is going to be a pain to figure out what is happening and when.
>Do you not see the problem with all of my family's devices “preferring” a neighbor's network over mine?

I have T-Mobile. T-Mobile maintains agreements for Passpoint networks at random places like airports, T-Mobile stores, or (I recently found out) Home Depot. These networks are encrypted and authorized against a RADIUS server.

My SIM has them programmed into it. I can't just stand up the "t-mobile" or "Passpoint Secure" SSID from my home network and my phone automatically connects to it. That's not how it works.

Based on the fact that your devices are showing preference, I'm gonna take a wild guess and say you have Xfinity/Spectrum/Optimum Mobile. The cable co. MVNOs maintain their own WiFi networks which are (again) connected to via Passpoint and authorized using RADIUS. However, the cable company WiFi networks extend far into neighborhoods and are broadcast from CPEs. Your devices prefer them because that's part of the network you signed up for.

Just VPN back to your home network if you're not confident in their security.
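Added example, not from the thread or any commenter: what "authorized via your SIM" looks like on the wire. In EAP-SIM / EAP-AKA the phone presents a Network Access Identifier built from its IMSI with a realm of the form wlan.mnc&lt;MNC&gt;.mcc&lt;MCC&gt;.3gppnetwork.org (3GPP TS 23.003), and the venue's RADIUS proxy routes on that realm to the home operator's AAA, which alone holds the SIM's key material. That routing, not the SSID string, is why an arbitrary AP named "Passpoint Secure" cannot complete the authentication. The IMSIs, MCC/MNC pairs and function names below are constructed; the MNC length is passed in because it cannot be derived from the IMSI digits alone.

```python
"""Construct and validate the SIM-based EAP identity (NAI) a Passpoint client
presents, per 3GPP TS 23.003 sec. 14 (EAP-SIM: RFC 4186, EAP-AKA: RFC 4187,
EAP-AKA': RFC 5448). Added example; the IMSIs used here are constructed."""
import re

# Leading character of the permanent identity selects the EAP method.
METHOD_PREFIX = {"SIM": "1", "AKA": "0", "AKA'": "6"}
PREFIX_METHOD = {v: k for k, v in METHOD_PREFIX.items()}

# The realm always carries a three-digit MNC (leading zero for two-digit
# MNCs) and a three-digit MCC.
REALM_TEMPLATE = "wlan.mnc{mnc}.mcc{mcc}.3gppnetwork.org"
_NAI_RE = re.compile(
    r"^([016])(\d{6,15})@wlan\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$"
)


def permanent_nai(imsi: str, mnc_len: int, method: str = "SIM") -> str:
    """Build the permanent NAI for an IMSI.

    mnc_len (2 or 3) must come from knowledge of the home operator; the IMSI
    digits alone do not tell you where the MNC ends.
    """
    if not re.fullmatch(r"\d{6,15}", imsi):
        raise ValueError("IMSI must be 6-15 digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    mcc = imsi[:3]
    mnc = imsi[3:3 + mnc_len].rjust(3, "0")
    realm = REALM_TEMPLATE.format(mnc=mnc, mcc=mcc)
    return f"{METHOD_PREFIX[method]}{imsi}@{realm}"


def parse_nai(nai: str):
    """Parse a permanent 3GPP NAI.

    Returns None unless the realm is well formed AND consistent with the
    MCC/MNC at the front of the IMSI; a RADIUS proxy checks this before
    forwarding the request towards the home AAA.
    """
    m = _NAI_RE.match(nai)
    if not m:
        return None
    prefix, imsi, realm_mnc, realm_mcc = m.groups()
    if imsi[:3] != realm_mcc:
        return None
    # Accept either a 3-digit MNC or a zero-padded 2-digit MNC.
    if realm_mnc not in (imsi[3:6], imsi[3:5].rjust(3, "0")):
        return None
    return {
        "method": PREFIX_METHOD[prefix],
        "imsi": imsi,
        "mcc": realm_mcc,
        "mnc": realm_mnc,
        "realm": nai.split("@", 1)[1],
    }


def routes_to(nai: str, home_realms: set) -> bool:
    """Would a AAA proxy forward this identity to one of `home_realms`?"""
    parsed = parse_nai(nai)
    return parsed is not None and parsed["realm"] in home_realms


if __name__ == "__main__":
    # Constructed IMSIs: MCC 310 / MNC 260 (3-digit MNC), MCC 262 / MNC 01 (2-digit MNC).
    for imsi, mnc_len, method in (("310260123456789", 3, "SIM"),
                                  ("262011234567890", 2, "AKA")):
        nai = permanent_nai(imsi, mnc_len, method)
        print(nai, parse_nai(nai))
```

One caveat a practitioner should keep in mind: a client that answers an identity request with its permanent identity discloses its IMSI to whatever AP it is talking to, which is why EAP-SIM/AKA define pseudonym and fast re-authentication identities.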

You explained why this might be happening technically, but why are you acting like it's okay? "Just VPN home" is not a solution if the phone is preferring a terrible one-bar connection over the home one. Imagine the quality of that VPN connection you're suggesting as a fix.

I invite the WiFi Alliance to participate more in 3GPP meetings and straighten out the standard for handover between LTE/5G and Passpoint WiFi networks then.

And I invite the 3GPP alliance and Apple to stay the hell out of my Wi-Fi preferences (or at least give me a clear option of opting out of autoconnecting).

Their job is to get my phone on a 3GPP network, and (already a stretch) to possibly offer a reasonable default of autoconnecting to secure Wi-Fi networks that can alleviate mobile network load in crowded locations, but never in preference over my home network, and never ever without a way to opt out of all of it.

This has nothing to do with your preferences. This is network management pure and simple. This is how you implement efficient infrastructure in congested locations like stadiums, airports, and large retail (where you may have no signal at all). Whether the cellular radio or wifi radio is used has nothing to do with you; you are paying for a connection and there are some very intelligent people tasked with figuring out the best way to solve that problem. Because if they didn't, your phone wouldn't have connectivity in those locations and you'd be on here complaining that their service sucks.

How gracious. In exchange, I invite all of the 3GPP stakeholders to respect people's technological autonomy and refrain from enabling solutions that force crap down their throats.

If you have a better solution than the 3GPP and member parties, i.e., carriers, have come up with, I invite you to build your own better network experience and handsets rather than just posting snark. Perhaps try mounting some hubcaps to trees.

This isn't about technological autonomy. OP signed up for wireless service that is specifically sold as Hotspot WiFi-first. That's one of its main features. It's sold as that very, very clearly. If you don't want their WiFi, go get service from another provider!
> Just VPN back to your home network if you're not confident in their security.

I’m sorry but wtf?

You’re saying that, in my own home, I should just accept that my devices connect to an external wifi against my will and VPN back into my own home… while in my home?

Seriously?

(Gonna assume you have a cable MVNO still)

Yes. You signed up for a cable provider mobile service. A huge part of their whole value proposition for their service is "get access to millions of cable WiFi hotspots!" That's their product. They plaster it everywhere in all their ads.

Your situation with Pi-hole and firewalls etc. is a niche use case. Their service is made to appeal to people who are 1) cable company customers and 2) want cheaper service. The majority of people who fall into those categories have an Xfinity router at home that broadcasts the Passpoint SSID. The phones connect to that SSID and have service. Passpoint is going to be more secure than any WPA2/3 network anyway.

If you don't want that to happen, then get a different mobile provider. This one is not for you.

WiFi isn’t just for accessing the Internet. It’s also for accessing other devices on your home network such as printers. This is a broken implementation with no room for argument.

Xfinity hardware provides a separate SSID that uses WPA2/3 to secure your connection and an SSID for "Xfinity WIFI". On Android one can, and should in fact, select which nodes to connect to: not merely whether to connect to all nodes but whether to connect to individual nodes. This is essential because in real-world, non-test environments, real customers using real networking hardware and phones do not handle adjacent networks well, because signal strength varies wildly throughout their space, resulting in devices roaming back and forth for no fucking good reason. This is especially true in dense environments like apartment buildings.

Xfinity customers using Xfinity WiFi on their Android device NEVER experience conflict from dancing between APs with xfinitywifi in their home or from their neighbors unless they explicitly connect to adjacent networks, and if they do so they can correct the issue by long-pressing on the undesired AP name and selecting "forget".

Nobody cares what a company thinks they signed up for. They give essentially two shits. They pay tech companies to solve their problems and expect solutions that work. The situation as described doesn't work for normal network conditions and equipment. The fact that it also breaks niche stuff that techies like is just diarrhea icing on a shit cake.

I signed up for cellphone service.

Absolutely nowhere did I consent to have my devices (yes, my owned devices, not leased/payment planned) suddenly lock me out of basic networking settings.

This is almost as stupid as buying a Walmart keyboard and finding out plugging it in disables eth0 because you might load Amazon.

You can restrict apps from using the internet in the cellular menu. But with wifi, they can communicate unrestricted.

That’s a very obvious omission in the iOS privacy/security settings I've never understood.

Why can I grant fine-grained access to my photos, location etc., but not just outright denying network access to an app that works offline, which would make all of the other concerns mostly moot?

> Just VPN back to your home network if you're not confident in their security.

So you expect the average user to be able to set up a Zeroconf/mDNS-proxying VPN, since that’s the only type that will allow things like Google Cast or AirPrint to still work?

Home networks are not just about security or speed, some people have devices on them they can otherwise not reach.

Having multiple adjacent networks enabled is liable to cause customer devices to roam between access points on and off their LAN even when

- Remote access point doesn't provide access to desired resources

- Have acceptable performance

- Have acceptable security parameters according to users needs

Most users can't stand up a VPN inside their network and configure it to alleviate the self-inflicted wound of having their phone decide that the user isn't qualified to select the wifi access points it prefers to connect to. You may as well ask them to grow wings and skip Delta. Instead they will be placing irate calls to their ISP about why their wifi sucks so much and I will be silently cursing Apple.

Thank you for adding some technical context to this discussion. There are a lot of (sadly) uninformed people in this thread, spitting mad, prophesying about a topic they clearly do not understand with any technical depth. If only the retail stores replaced their enterprise gear for EAP with a "pi hole". P.S. nice username

> "No it’s not, my home networks "

When your phone is on 5G it is not behind a strong firewall, or any firewall at all. It's sitting directly on the internet. I can run a webserver on my phone and you can browse it.

> Do you not see the problem with all of my families devices “preferring” a neighbors network over mine?

If you've been laboring under the misconception that your phone is safe on your home network then perhaps this is a shock. But having your phone connected to a carrier means the carrier is responsible for providing a network.

Normally your phone is connected both to the carrier network and to whatever wifi network the user prefers, if wifi is available.

It seems like the major usability problem here is that instead of connecting to both networks, the carrier network supplants the user's network -- which breaks expectations when near user-run wifi.

> When your phone is on 5G it is not behind a strong firewall, or any firewall at all.

I'd be surprised if that’s true for most operators.

And even if there really is no stateful firewall: On IPv4 you’ll be behind carrier-grade NAT (so no inbound connections), and on IPv6 (including NAT64/DNS64), successfully guessing somebody's IP address seems extremely unlikely. (A server that you’ve visited might "dial you back", though.)

And for most users, the most visible effect will probably be that they can’t connect to their Chromecast, smart speakers, AirPrint etc, not decreased security.

> I'd be surprised if that’s true for most operators.

It's true for the operators I've tested so far

> On IPv4 you’ll be behind carrier-grade NAT (so no inbound connections)

Sometimes, but often still not the case.

> on IPv6 (including NAT64/DNS64), successfully guessing somebody‘s IP address seems extremely unlikely

Guessing a specific person's IP is a very different threat model from being hit by a random scan.
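Added example, not part of the thread: a small offline checker for the two points argued in the exchange above. For IPv4 it compares the address on the cellular interface with the address an external echo service reports, and tells you whether you sit behind carrier-grade NAT (RFC 6598 shared space 100.64.0.0/10), behind ordinary RFC 1918 NAT, or directly on the internet. For IPv6 it looks at the interface identifier and says how guessable it is, which is the difference between "someone guesses your address" and "a random scan hits you": an EUI-64 (MAC-derived) identifier shrinks the search space to the vendor's OUI block, tiny static identifiers are the first thing scanners try, and a random 64-bit identifier is not scannable. All addresses are constructed from the documentation ranges and the function names are mine; on a real device you would feed in the interface address and the echoed address.

```python
"""Classify how a phone's cellular address is exposed to the internet.
Added example; all addresses used here are constructed (RFC 5737 / RFC 3849)."""
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")          # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")   # IPv6 global unicast


def classify_ipv4(local_ip: str, observed_ip: str) -> str:
    """Compare the cellular interface address with what an external echo
    service sees for the same device.

    'direct'  : identical; unsolicited inbound packets reach the phone unless
                the operator filters them.
    'cgnat'   : interface address in 100.64.0.0/10; a carrier NAT maps it, so
                nothing inbound arrives without a prior outbound flow.
    'nat'     : RFC 1918 address on the interface; same conclusion as cgnat.
    'translated-unknown' : addresses differ but the local one is in no known
                shared/private range (e.g. operator reusing public space internally).
    """
    local = ipaddress.ip_address(local_ip)
    observed = ipaddress.ip_address(observed_ip)
    if local.version != 4 or observed.version != 4:
        raise ValueError("IPv4 addresses expected")
    if local == observed:
        return "direct"
    if local in CGNAT:
        return "cgnat"
    if any(local in net for net in RFC1918):
        return "nat"
    return "translated-unknown"


def iid_kind(ipv6: str) -> str:
    """How guessable is the interface identifier (low 64 bits) of an address?

    'eui64'      : MAC-derived (0xfffe in the middle of the IID).
    'low-static' : IID is a tiny integer (::1, ::2, ...).
    'random'     : looks like a privacy (RFC 4941/8981) or stable-opaque
                   (RFC 7217) identifier.
    'not-global' : outside 2000::/3 (link-local, ULA, loopback, ...).
    """
    addr = ipaddress.ip_address(ipv6)
    if addr.version != 6 or addr not in GLOBAL_UNICAST_V6:
        return "not-global"
    iid = addr.packed[8:]
    if iid[3:5] == b"\xff\xfe":
        return "eui64"
    if int.from_bytes(iid, "big") < 0x10000:
        return "low-static"
    return "random"


def inbound_exposed(local_ip: str, observed_ip: str) -> bool:
    """True only when the phone holds the very address the internet sees."""
    return classify_ipv4(local_ip, observed_ip) == "direct"


if __name__ == "__main__":
    # Constructed samples. On a real device, local_ip comes from the cellular
    # interface and observed_ip from any service that echoes the client address.
    for local, observed in (("100.72.5.9", "203.0.113.7"),
                            ("10.20.30.40", "203.0.113.7"),
                            ("203.0.113.7", "203.0.113.7")):
        print(local, observed, classify_ipv4(local, observed))
    for v6 in ("2001:db8::211:22ff:fe33:4455", "2001:db8::1",
               "2001:db8:1:2:9f3a:1c4e:77d2:b61", "fe80::1"):
        print(v6, iid_kind(v6))
```

The IPv6 check deliberately uses 2000::/3 rather than the ipaddress module's is_global, so that the 2001:db8::/32 documentation prefix used in the samples is treated as a global address.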

Except it’s shit. I constantly have to disable WiFi to get 5G again in the airport if I want something that actually works. Verizon with passpoint is absolutely trash and has nearly driven me to cancel my Verizon service because it can’t be removed.

I remember something like this happening nearly a decade ago with an iPhone 5S. I was at a large mall I visited often and saw I was connected to a WiFi network I hadn't used before.

The mall had WiFi but there was a portal which required SMS authentication and was time limited (the same as every other hotspot, it was the rules of the country), so I didn't bother using it on my phone. Plus the carrier had a modern LTE deployment, where I'd often get over 50 Mbit download speeds - which was faster than my home internet. The network was named something like "<carrier> offload" so I assumed they had a kind of WiFi deployment to limit cell tower load, and it was added by the carrier settings profile.

I can't remember if I was able to disable or delete the network (it worked, so I didn't care). I'm wondering if this feature has been there for a while, but OP's ISP has only just decided to use it (I imagine some exec had an OKR to increase adoption of their public WiFi hotspots).

Being around unknowingly for a while does not make a thing good!

Yeah I don't get this angle, I've seen a bunch of people here act like it's no big deal because carriers "could" have done this a long time ago.

Well, we know NOW and it's not ok.