[seraphsf]

I know something about this. I built and ran a service for carriers to help with “WiFi offload”.

It’s intended as a consumer-friendly way to increase capacity in dense areas (like a sports stadium or mall) where the carrier’s cell towers don’t have enough capacity.

Wifi offloading is not new. AT&T helped invent these standards back in ~2009 when their network was getting crushed by massive increases in traffic as iPhone usage took off.

WiFi offload networks are configured as “Managed Networks” which are lower priority than any user-selected networks. You can disable them by turning off “auto-join”. (Also these WiFi offload networks are secure; you can’t spoof them).

However it appears that the original poster’s carrier (presumably Xfinity Mobile or Spectrum Mobile) has done something new - they’ve disabled the user’s ability to turn off “auto-join” on iOS. Some overzealous team is trying to lower their cellular costs. That’s because both Comcast and Spectrum rent capacity on Verizon Wireless towers, but their MVNO cellular service is not profitable unless their customers are using the cable company’s own WiFi fairly often.

However this (disabling “auto-join”) is a dumb move. It’s obviously problematic for users whose neighbors are broadcasting the [Xfinity WiFi or Spectrum Mobile?] SSID.

To my knowledge, no major carrier does this. If you’re on AT&T, T-Mobile, or Verizon, the “managed offload networks” can be easily disabled. And the major carriers are using higher-quality commercial WiFi networks for offload, not random home cable modems.

[mihaaly]

Friendly remark.

Recently the term "consumer-friendly" became the synomym of "we shove it down your throat whether you like it or not!". If you wish to communicate some real user-friendly feature better find some other phrase. Reading "consumer-friendly" statements of providers makes me turn away and never look back.

See the above example. Hijacking the device we use for our daily operations, very important one with sensitive data, already in risk from multitude of origins, hijacking it remotely into some unknown channels along hidden organisational incentives is a very offensive and frightening move. The technology is not new and it is OPTIONAL for very long time. Shoving it down the throat is bad. Very bad.

(I am pretty disappointed with the population of the world that accepts anything from service providers for mostly marginal or never missed gains, accepting the elimination of choice. Providers feel they can get away with anything and became increasingly hostile.)

[jsty]

If the use case is as described (connecting to WiFi APs owned and controlled by the network in deadspots / hotspots - e.g. stadiums and large buildings - and not end-user APs in homes), it's not clear to me that this poses any significant threat above and beyond connecting to the same operator's cell towers. If you don't trust them to run a WiFi network, probably shouldn't trust their cell network either.

Having phones automatically and uncontrollably route via random 3rd party APs is a bad decision, but I didn't read GP as advocating for this.

[blincoln]

The knowledge and equipment to hack WiFi-related systems is a lot easier to obtain on most of the world than the cellular equivalent.

In the US, at least, tampering with cell service risks getting the FCC involved, so very few people do it compared to WiFi hacking.

I'm very curious, for example, if the devices that connect to these APs are vulnerable to the WiFi client isolation bypass that was disclosed about a week ago.[1] That seems a lot scarier when there are potentially thousands of random people's personal phones connecting to the same WiFi infrastructure instead of a bunch of more or less trusted corporate devices in an office.

[1] https://github.com/vanhoefm/macstealer

[JohnFen]

> If you don't trust them to run a WiFi network

WiFi APs are not secure enough unless you're using another layer of security on top (a VPN, for instance). It's not a matter of trusting them to properly run a WiFi network. It's a question of if there's an additional layer of security on top. Is there?

[TheHappyOddish]

Whilst I agree with what you're saying in premise, I think if you told most consumers "hey, when you have bad reception like at a stadium, your provider will connect you over WiFi instead of 4G", they simply wouldn't care and more importantly wouldn't want to know.

This probably is "consumer-friendly" in the sense of "provides the outcome desired for most consumers".

[mihaaly]

Sensibly and originally the consumer-friendly term is desirable, also the obvious and default behaviour from providers selling products to users.

Unluckily it is over and misused for things forced through regardless of wanted or not - but benefitial for the provider for sure -, being a routine misdirection (basicly bullshit) text.

[tengwar2]

To amplify this: a recognised problem with GSM/GPRS was that although the mobile device authenticated itself to the network. This introduced MITM vulnerabilities. As a response, 3G brought in mutual authentication. Do these managed WiFi networks have mutual authentication? As far as I know, no.

[seraphsf]

Yes, WiFi offload uses the Hotspot 2.0 spec with mutual authentication (EAP-AKA or EAP-SIM typically). Both the phone and the WiFi network will mutually authenticate with the carrier’s Authentication Server.

[DougBTX]

> If you wish to communicate some real user-friendly feature better find some other phrase.

The cycle of deception never ends. If a company misuses words, they'll do it again with new ones. We must resist by sticking to the plain meaning of words.

[KyeRussell]

Sigh. Would you to someone this way were they were telling you this story at a conference lunch?

I really hope not.

They have chimed in to provide further context based on their personal experience. You’ve latched onto and have subsequently read way too much into two words that they used, and tried to offset your unjustified browbeating with “friendly remark”.

[mehlmao]

If someone tells me to my face that ignoring user preferences is actually 'consumer-friendly', I will tell them to their face that it isn't. 'Friendly remark' is passive aggressive and can be left out.

[divan]

Thanks for explanation.

> they’ve disabled the user’s ability to turn off “auto-join” on iOS

How (and why) is it even possible for carriers?

[seraphsf]

Frankly, I don’t know. This thread is the first I’ve heard of it.

Carriers ask phone makers for config changes all the time. It’s possible this is a new capability that was requested by certain carriers.

To be fair, it’s also possible that the OP and I are misinterpreting what’s going on. For instance, iOS syncs your preferences across devices. Perhaps there’s some bug that’s causing the wrong setting to propagate back to this person’s phone because their iPads, etc are still set to allow “auto join”.

[stacktrust]

> iOS syncs your preferences across devices.

This theory could be tested by signing out of iCloud before changing "auto-join".

[webmobdev]

> How (and why) is it even possible for carriers?

This happened in India. So one day mobile data was quite slow on my non-Apple phone. I asked my friend to enable hotspot on his iPhone. We were stumped when we couldn't find the "Personal Hotspot" option at all in ios settings. Called Apple support who informed us that Hotspot option is only available if the carrier enables it. They asked us to contact the carrier.

We were outraged and thought the carriers in India had suddenly decided to charge us extra for this option. Or maybe just for iPhone users. (In india, no carrier charges us extra for this option - and that is how it should be right? We are already paying more according to the bandwidth (3g/4g/5g speeds) and they also already limit how much data we can download. Imagine being charged extra for the "privilege" of sharing your data and consuming it faster!). We were prepared to yell at the carrier if they wanted more money from us for this but their customer support explained to us that this is a common complain they have with Apple iPhones, and all we needed to do was add some more info in the mobile data settings, which she provided us.

That's when we realised that it is a very American / Apple thing because the US business model of mobile phone and carriers are very different from India. In the US, most mobile phones are sold through the carriers and Apple and its competitors have to work with them closely. Whereas in India, consumers purchase their mobile phones independent of the carrier.

[simonh]

Every now and then, maybe every year or two, my iPhone says it needs to update mobile settings from the carrier. Fo those settings they asked you to change, it sounds like the Indian carriers probably could update them through that mechanism, or possibly that they were going to do so but hadn't got round to it yet.

[webmobdev]

That happens with indian carriers too. From what I understood, Indian carriers don't bother with the HotSpot settings because it is enabled by default for all users at their end. This works fine with Android phones but often not iPhones (in my personal experience).

[cleanchit]

Why don't the stadiums just setup an open wifi network? (no password)

[karlshea]

Some do. Allianz Field in St Paul has an open guest network, then you “sign in” with your email like you would at a coffee shop.

It works great, super speedy. Definitely better than the cell network during a game.

[JohnFen]

Probably because the stadiums don't want to incur the expense of doing so. That scale of setup wouldn't exactly be cheap.

[sholladay]

Confirmed. I’m on one of the major carriers and after multiple hours, auto-join is still disabled after I turned it off. Though, I haven’t tried rebooting.

[hk1337]

I’m in the same boat as you. It’s been off for almost 24 hours and I rebooted my device. I’m not using an eSIM like OP maybe that’s the difference, I don’t think so.

I wonder if those with the problem were to restart or reset their device, if they would still have the problem?

[JohnFen]

> (Also these WiFi offload networks are secure; you can’t spoof them)

How do we know this? What's the security mechanism?

[seraphsf]

Hotspot 2.0, a.k.a. Passpoint. Within that standard, the phones, WiFi networks, and carriers are all using EAP-AKA or EAP-SIM authentication.