
Variation on 1970 date bug can be used to remotely brick pre-iOS 9.3 devices via Wi-Fi hotspots [Updated]

Update: Sources close to Apple tell us that, contrary to the original claim, this issue – like the original one – was resolved in iOS 9.3. We also understand that Apple was able to successfully restore the test devices sent to it by the researchers.

While iOS 9.3 fixed a bug that bricked iOS devices when the date was set to January 1, 1970, security researchers have found a variation on the theme that can remotely brick devices as soon as they connect to a Wi-Fi hotspot. The exploit uses a combination of two weaknesses discovered in iOS, reports KrebsOnSecurity.

The first is that iOS devices automatically reconnect to known Wi-Fi hotspots, but rely on the SSID to identify them. iPhones and iPads will auto-connect to a malicious Wi-Fi hotspot that spoofs the name of a known one.

Second, iOS devices are programmed to constantly check that their time and date settings are correct by connecting to Network Time Protocol (NTP) servers. All the researchers had to do was create their own Wi-Fi hotspot labelled ‘attwifi’ (as used by Starbucks) and their own NTP server pretending to be time.apple.com to deliver the January 1, 1970 date …

The result? The iPads that were brought within range of the test (evil) network rebooted, and began to slowly self-destruct. It’s not clear why they do this, but here’s one possible explanation: Most applications on an iPad are configured to use security certificates that encrypt data transmitted to and from the user’s device. Those encryption certificates stop working correctly if the system time and date on the user’s mobile is set to a year that predates the certificate’s issuance.
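A client-side plausibility check that rejects a 1970 reply of the kind described above, as an added example (not code from Apple, the researchers or the original article): it reads the transmit timestamp from a raw NTP reply and refuses any time earlier than a build-time floor or too far from the local clock. `BUILD_FLOOR`, `check_reply`, `make_reply` and the sample packets are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
# Assumption: hypothetical build date compiled into the client. Real time can
# never be earlier than the moment the software itself was built.
BUILD_FLOOR = datetime(2016, 3, 1, tzinfo=timezone.utc)


def check_reply(packet, local_now, max_step=timedelta(days=1)):
    """Return (accepted, detail) for a raw NTP reply before the clock is touched."""
    if len(packet) < 48:
        return False, "short packet"
    mode, stratum = packet[0] & 0x07, packet[1]
    if mode != 4:
        return False, "not a server reply"
    if stratum == 0:
        return False, "server unsynchronised"
    secs, frac = struct.unpack("!II", packet[40:48])  # transmit timestamp field
    offered = UNIX_EPOCH + timedelta(seconds=secs - NTP_UNIX_DELTA + frac / 2**32)
    if offered < BUILD_FLOOR:
        return False, "before build floor"
    # Compare against the local clock only if that clock is itself plausible
    # (a device with a drained battery may legitimately boot with an old date).
    if local_now >= BUILD_FLOOR and abs(offered - local_now) > max_step:
        return False, "step too large"
    return True, offered.isoformat()


def make_reply(when, stratum=2):
    """Constructed sample input: minimal NTPv4 server-mode reply for `when`."""
    secs = int((when - UNIX_EPOCH).total_seconds()) + NTP_UNIX_DELTA
    return struct.pack("!BB38xII", (4 << 3) | 4, stratum, secs, 0)


if __name__ == "__main__":
    now = datetime(2016, 4, 12, 12, 0, tzinfo=timezone.utc)
    samples = [("1970 reply", UNIX_EPOCH),
               ("sane reply", now + timedelta(seconds=5)),
               ("far future", now + timedelta(days=30))]
    for label, when in samples:
        print(label, check_reply(make_reply(when), now))
```

The floor check does not authenticate the time source; it only bounds how far back an unauthenticated reply can push the clock.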

The vulnerability is related to, but not identical to, the original 1970 bug – which means it wasn’t fixed in iOS 9.3.

Security researchers Patrick Kelley and Matt Harrigan reported their findings to Apple, which fixed it in iOS 9.3.1, but devices running earlier versions remain vulnerable. The researchers agreed not to make the exploit public until Apple had patched it. Updating to the latest version of iOS will ensure you’re not vulnerable to this particular exploit.


Comments

  1. chrish1961 - 8 years ago

    Starbucks doesn’t use AT&T any more. They use Google.

    • Aldrin Tauro - 8 years ago

      That’s hardly the point. Technically, you could try something like this and name the network “Apple Store”.

  2. Brandon Stiefel - 8 years ago

    How is this an exploit? It sounds to me like a classic man-in-the-middle attack, something that any device is susceptible to.

    • Ben Lovejoy - 8 years ago

      A classic MITM attack relies on the user doing something – logging into their bank, accessing their email, etc. This doesn’t. Just walking down the street will do it.

      • Lawrence Krupp - 8 years ago

        Let us know when this actually happens.

  3. Marc Orcutt - 8 years ago

    It sounds like it is time to have some fun at the office…

  4. Lawrence Krupp - 8 years ago

    We all know Android devices running on older versions have numerous security flaws that either won’t be or cannot be patched. That’s a fact. So why do we never hear of all these Android users getting their bank accounts wiped out? Every iOS flaw is trotted out as the iPhone Armageddon yet we never hear of iOS users getting their bank accounts wiped out either. Why is that?

    What would be the purpose of this attack? Why would a hacker take the time to set up an ‘evil’ network just to brick iOS devices? Where’s the motive? Most of all where’s the profit, the reward for taking the risk of getting caught?

    1. Security researchers are paranoid at their very core. They think every flaw they find means the end of the known universe.

    2. They like scaring paranoid users who see a hacker hiding behind every rock.

    Is finding and patching flaws a good thing? Yes. Is blowing things way out of proportion just to scare users a good thing? Not in my opinion.

    Bottom line on this article? Yawnnnnnn…

    • Ben Lovejoy - 8 years ago

      It’s certainly true that these days a lot of malware authors have realised they can make money, but the original motivation was simply doing stuff because they can – and that mentality is still out there.

  5. macmaniman - 8 years ago

    screenshot is reversed..
    boot color

    that’s funny…

  6. mpias3785 - 8 years ago

    Too bad the time server can’t be changed in iOS. I use time.nist.gov on my Macs.

  7. Randy March - 8 years ago

    IMO, the two vulnerabilities are not Wi-Fi auto-connecting to known SSIDs and automatic time synchronisation. They’re both good features—and SSIDs exist for that reason! It’s just that they both make this time-bug-based middle-in-the-man attack possible if the two actual vulnerabilities co-exist.

    The two actual vulnerabilities are obviously the time bug but also the insecure (or buggy) NTP. The former has been fixed (people, update your devices when you can!). The latter might need some redesigning or overall improvement by Apple or others (see also https://en.wikipedia.org/wiki/Network_Time_Protocol#Security_concerns).

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

