
Security flaw allows attackers to crash carrier iOS devices within range of a fake WiFi hotspot

[youtube=https://www.youtube.com/watch?v=i2tYdmOQisA]

Security researchers at Skycure yesterday demonstrated a method of creating a ‘No iOS zone’, inside of which all carrier-locked iPhones and iPads running iOS 8 are rendered unusable. Most apps that connect to the Internet crash on opening (shown above), and it’s even possible to put iOS devices into a constant boot loop (shown below).

The approach exploits an SSL bug in iOS that crashes an app when it attempts to establish a secure connection to a server through the rogue network; pushed further, it crashes the OS itself, which is what produces the boot loop. Although the exploit requires the iPhone or iPad to connect to a fake WiFi hotspot, the researchers were able to force devices to do so … 

The forced WiFi connection takes advantage of an older exploit known as WifiGate, explained by Gizmodo:

iOS devices are pre-programmed by the carrier to automatically connect to certain networks. For example, US customers on the AT&T network will auto-connect to any network called ‘attwifi’. There’s no way to prevent your phone from doing this, short of turning Wi-Fi off altogether.

Unlocked iOS devices and Wifi-only iPads carry no carrier profile, so they won’t be forced onto the rogue network (they are still exposed to the SSL crash if they join it by hand). The combination of the two flaws – broadcasting a fake SSID for each carrier, and running the exploit on the wireless routers behind them – means that almost everyone attempting to use a carrier iOS device within WiFi range would find it unusable. Even if you don’t explicitly open an app that connects to the Internet, many background apps will automatically do so, and each of those connections is a chance to trigger the crash.
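The weak link the article describes is that auto-join matches on SSID alone: any radio broadcasting ‘attwifi’ wins, and the only handle a defender can see in a scan is the vendor prefix (OUI) of the BSSID. The script below is an added example, not Skycure’s tooling or anything from 9to5Mac. It parses a scan dump in a simple assumed format (SSID, BSSID, channel, RSSI per line) and flags beacons that advertise a carrier auto-join SSID from an OUI the operator does not own. The scan lines, the OUI allowlist and the second carrier SSID are constructed for the example; only ‘attwifi’ comes from the article.

```python
"""Evil-twin check for carrier auto-join SSIDs (added example, not from the article)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# 'attwifi' is the SSID the article cites; the second name is an assumed placeholder.
CARRIER_AUTOJOIN_SSIDS = {"attwifi", "examplecarrier-wifi"}

# Vendor prefixes (first three octets of the BSSID) of access points the operator owns.
# Constructed for this example; a real deployment loads these from AP inventory.
KNOWN_OUIS = {"00:11:22", "AA:BB:CC"}

# Constructed scan dump: SSID BSSID CHANNEL RSSI_DBM (assumed format, '#' starts a comment).
SAMPLE_SCAN = """
# ssid                bssid              ch   rssi
attwifi               00:11:22:33:44:55  6    -61
attwifi               de:ad:be:ef:00:01  11   -38
HomeNet               AA:BB:CC:00:00:01  1    -70
examplecarrier-wifi   AA:BB:CC:00:00:02  36   -55
"""


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # normalised to upper case
    channel: int
    rssi_dbm: int


def oui(bssid: str) -> str:
    """Return the vendor prefix (first three octets) of a BSSID, upper-cased."""
    return bssid.upper()[:8]


def parse_scan(text: str) -> List[Beacon]:
    """Parse the assumed whitespace-separated scan format into Beacon records."""
    beacons = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel, rssi = line.split()
        beacons.append(Beacon(ssid, bssid.upper(), int(channel), int(rssi)))
    return beacons


def find_rogue_beacons(beacons: Iterable[Beacon],
                       autojoin_ssids=CARRIER_AUTOJOIN_SSIDS,
                       known_ouis=KNOWN_OUIS) -> List[Beacon]:
    """Beacons that advertise an auto-join SSID from a vendor prefix we do not own.

    Devices pick the network by name, so a rogue AP only has to copy the SSID;
    the BSSID is the one thing in the beacon that it has to fake separately.
    """
    return [b for b in beacons
            if b.ssid in autojoin_ssids and oui(b.bssid) not in known_ouis]


def strongest(beacons: Iterable[Beacon]) -> Optional[Beacon]:
    """The beacon a nearby client is most likely to prefer (highest RSSI)."""
    beacons = list(beacons)
    return max(beacons, key=lambda b: b.rssi_dbm) if beacons else None


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    rogues = find_rogue_beacons(scan)
    for b in rogues:
        print(f"ROGUE? ssid={b.ssid} bssid={b.bssid} ch={b.channel} rssi={b.rssi_dbm} dBm")
    loudest = strongest(rogues)
    if loudest:
        print(f"strongest rogue candidate: {loudest.bssid} at {loudest.rssi_dbm} dBm")
```

This only catches attackers who did not bother to clone a legitimate OUI; a BSSID is trivially spoofed, so treat a hit as a reason to walk the floor with a directional antenna, not as proof. The constructed sample deliberately makes the rogue beacon the loudest one, which is the usual sign of an evil twin parked close to its victims.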

The researchers have responsibly declined to reveal the exact details of the attack method, and are now working with Apple to develop a fix. A separate SSL bug, this time within open-source networking software used by many apps, was yesterday revealed to leave around 1,500 iOS apps vulnerable to man-in-the-middle attacks – the same day we learned that OS X 10.10.3 failed to fully fix the Rootpipe vulnerability on Macs.

You can see the boot-loop in action below.

[youtube=https://www.youtube.com/watch?v=PmgI0LaFYLA]



Comments

  1. 89p13 - 9 years ago

    Glad I only buy unlocked iPhones – though I would expect Apple responds to this problem quickly!

  2. joh05gra - 9 years ago

    A restore using “Device Firmware Upgrade” should solve this problem, right?

  3. lkrupp215 - 9 years ago

    I do turn off WiFi when I am out with my iPhone. There is no such thing as a safe public WiFi hotspot, real or fake.

    As to why someone would use this exploit I am at a loss as it appears there’s no financial motive. The only motive would be to massage a hacker’s ego. Once this started to happen in an area the jig would be up, the fake WiFi signal traced. This sounds like yet another flaw that you would probably never see in the wild.

  4. peskeguy - 9 years ago

    “US customers on the AT&T network will auto-connect to any network called ‘attwifi’. There’s no way to prevent your phone from doing this, short of turning Wi-Fi off altogether.”

    This isn’t true. If you are connected to ‘attwifi’ you can turn off auto-joining of that SSID. Of course, you need to connect at least once to turn it off so hope it’s a real ‘safe’ AT&T hotspot. Do it at a McDonald’s or Starbucks; most are set up with attwifi.

  5. airmanchairman - 9 years ago

    From iPhone 5S settings: “Known networks will be joined automatically. If no known networks are available, you will have to manually select a network”.

    This is the explanation below the toggle switch labelled: “Ask to Join Networks”, which can be turned off as well…

  6. nana (@purplemaize) - 9 years ago

    My 4s and mac mini 10.10.3 were doing the same thing yesterday early evening. I thought my phone was rebooting and updating by itself. This could happen even in Jersey too with ATT. Uky. Wifi security gotta find a better way…( Put everything in a tin can again… LOL)

  7. tomtubbs - 9 years ago

    “Security flaw bypassed by turning off wifi, changing settings”

  8. proto732 - 9 years ago

    This is what I do every time I get a new iPhone or restore and start as a new phone.

    You can’t prevent your phone from connecting to ‘attwifi’ but you can prevent it from getting anywhere on the internet.

    Go to a spot with a legit ATTwifi hotspot. Your phone connects to it. Edit the wifi profile and put in a bogus DNS entry … like 1.1.1.1.

    There, done. Your phone may connect to the wifi, but now it can’t get anywhere. It should retain this setting for any wifi network with the same name.

    So if the hacker relies on redirecting your traffic, or sending you to a malware page, this should provide some protection. If you accidentally connect to ‘attwifi’ (because you might not know where they are) your phone simply won’t be able to get anywhere on the internet.

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
