Researchers leverage SSL bug to crash Apple devices over Wi-Fi in 'No iOS Zone' attack

Posted:
in iPhone edited April 2015
A bug in iOS's secure sockets layer (SSL) library could allow an attacker to force apps --?or in some cases, the entire device --?to crash if users connect to a malicious Wi-Fi hotspot, security researchers demonstrated this week.




The attack, discovered by Skycure researchers Yair Amit and Adi Sharabani, takes advantage of an issue with iOS's parsing of SSL certificates. By sending a specially-crafted certificate to a device via a Wi-Fi hotspot, the duo was able to repeatedly crash both individual apps and iOS itself.

A modified version of the attack was able to induce a perpetual reboot cycle, effectively rendering an iPhone useless as long as it was in range of the affected hotspot.

Amit and Sharabani have reported the issue to Apple, and say they are working with the company on a fix. Some of the root causes may have already been addressed in iOS 8.3, and users are urged to update if possible.

SSL is a foundational cryptographic technology that underpins many secure network communications techniques, but its age has begun to show in recent years. The infamous "gotofail" bug grew from a vulnerability in Apple's SSL library, and the company recently ended support for SSL 3.0 after that version --?the most recent --?was found vulnerable to attack.

Comments

  • Reply 1 of 18
    markbyrnmarkbyrn Posts: 596member
    Let's develop a probable scenario for this grave problem. Some Apple hating Android lover who has skillz to implement this obscure exploit sets up a free WiFi hotspot to entice iOS users and than trolls them by crashing their devices. Tim Cook, fix this now!
  • Reply 2 of 18
    adrayvenadrayven Posts: 460member
    Most public WiFi has device isolation security on.. so this is basically meaningless. Goto Starbucks or any free WiFi, you cannot communicate with any other system on the same wifi.

    This is the most useless 'bug' I've seen yet. lol
  • Reply 3 of 18
    Quote:

    Originally Posted by Adrayven View Post



    Most public WiFi has device isolation security on.. so this is basically meaningless. Goto Starbucks or any free WiFi, you cannot communicate with any other system on the same wifi.



    This is the most useless 'bug' I've seen yet. lol

     

    How about instead of doing that, I bring my own hotspot to Starbucks and spoof the SSID of the real network. People unknowingly connect to my hotspot rather than the legitimate one, and I send their iPhones and iPads into reboot spasms.

     

    Have some imagination...

  • Reply 4 of 18
    libdemlibdem Posts: 36member



    "Obscure" bug.Are you high man? know it was 4/20 but jeez....Anyway good job  researchers for exposing the vulnerability. Better them than some Apple apologizing tick.

  • Reply 5 of 18
    auxioauxio Posts: 1,945member

    I'll keep a WiFi jammer handy in case anyone tries this on me.

     

    If I'm in a really bad mood, I'll harvest the hardware information about their hotspot, search for known vulnerabilities (almost all cheap hardware has them), and reconfigure their hotspot.  Then I'll use it to bombard NSA email accounts with terrorism-related text.

     

    But anyways, definitely something Apple needs to fix.  Given all of the SSL-related exploits lately, it sounds like they should have people audit the whole SSL stack.

  • Reply 6 of 18
    magman1979magman1979 Posts: 1,090member

    With all the recent vulnerabilities discovered in SSL, and more seemingly coming out each week, I don't think it's a stretch to say that SSL in it's entirety seems to be unraveling, and is fundamentally flawed IMO.

     

    Not trying to deflect any responsibility from Apple here, as they definitely need to fix this, but just saying SSL should get replaced ASAP by alternate tech, such as TLS, which I don't believe suffers from this, and many of the other SSL vulnerabilities.

     

    SSL is now starting to remind me of Java and Flash!

  • Reply 7 of 18
    mstonemstone Posts: 11,510member
    Quote:

    Originally Posted by MagMan1979 View Post

     

    but just saying SSL should get replaced ASAP by alternate tech, such as TLS, 


    TLS does replace SSL. SSL 3.0 was a fall back and that has been deprecated in all popular browsers, at least on the desktop. What individual apps are using is unknown but, by and large, all commercial servers have disabled SSL 3.0 and earlier. TLS 1.2 is the current version although some older servers can only implement TLS 1.0 which still is better than SSL and all current browsers still work with it.

  • Reply 8 of 18
    auxioauxio Posts: 1,945member
    Quote:
    Originally Posted by mstone View Post

     

    TLS does replace SSL. SSL 3.0 was a fall back and that has been deprecated in all popular browsers, at least on the desktop. What individual apps are using is unknown but, by and large, all commercial servers have disabled SSL 3.0 and earlier. TLS 1.2 is the current version although some older servers can only implement TLS 1.0 which still is better than SSL and all current browsers still work with it.




    Yeah, that's the problem: if you want to be interoperable with most devices/servers out there, you need to keep it in as a fallback.  These types of things don't change overnight -- especially if they require firmware upgrades or new hardware.

  • Reply 9 of 18
    magman1979magman1979 Posts: 1,090member
    Quote:

    Originally Posted by mstone View Post

     

    TLS does replace SSL. SSL 3.0 was a fall back and that has been deprecated in all popular browsers, at least on the desktop. What individual apps are using is unknown but, by and large, all commercial servers have disabled SSL 3.0 and earlier. TLS 1.2 is the current version although some older servers can only implement TLS 1.0 which still is better than SSL and all current browsers still work with it.




    That's good to know, but at the same time, that makes this even more worrisome... TLS is a viable, safer alternative, yet developers are still being lazy and using SSL, and are not updating in a timely manner... Developers of these apps need to get off their keisters and start keeping them up-to-date!

  • Reply 10 of 18
    auxioauxio Posts: 1,945member
    Quote:

    Originally Posted by MagMan1979 View Post

     



    That's good to know, but at the same time, that makes this even more worrisome... TLS is a viable, safer alternative, yet developers are still being lazy and using SSL, and are not updating in a timely manner... Developers of these apps need to get off their keisters and start keeping them up-to-date!




    In this particular case, it's when connecting to a WiFi hotspot -- which is a hardware device.  Hence why Apple needs to have a fallback to SSL (it'll be a while before all hotspots are upgraded).

  • Reply 11 of 18
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by auxio View Post

     



    In this particular case, it's when connecting to a WiFi hotspot -- which is a hardware device.  Hence why Apple needs to have a fallback to SSL (it'll be a while before all hotspots are upgraded).




    Most consumer wifi routers do not have the ability to send certificates to visitors although they sometimes do provide a certificate on the admin side but they are usually self signed. More expensive commercial routers, otherwise know as hotspot gateways, can serve up secure welcome screens such as you might see at a hotel. The encryption for wifi does not use SSL certificates. They generally use AES with WPA2 which is a different protocol altogether.

     

    Where is Soli when you need him?

  • Reply 12 of 18
    jfc1138jfc1138 Posts: 3,090member

    With the speed of LTE I make sure my phone doesn't get distracted by stray WiFi that would provide lower speeds by restricting connections to my known networks only. Granted I've a grandfathered unlimited data plan...

     

    "Ask to join Networks" set to enabled. And when "free sketchy WiFi: just click here! Girls! Girls! Girls!" appears I Do Not click "yes".... Even places like NYC Penn Station seem to be centers of spoofed networks, at least I don't think AMTRAK serves their network out of Africa!

  • Reply 13 of 18
    auxioauxio Posts: 1,945member
    Quote:
    Originally Posted by mstone View Post

     



    Most consumer wifi routers do not have the ability to send certificates to visitors although they sometimes do provide a certificate on the admin side but they are usually self signed. More expensive commercial routers, otherwise know as hotspot gateways, can serve up secure welcome screens such as you might see at a hotel. The encryption for wifi does not use SSL certificates. They generally use AES with WPA2 which is a different protocol altogether.


     

    I thought EAP might use SSL as one of the options, but I guess not.  It'd only be at the VPN layer (after the initial connection) where you'd see SSL being used.  Trying to figure out how they're able to crash a device with an SSL certification on connection then... guess I should read the technical details of the attack.

     

    EDIT: Actually, EAP-IKEv2 might be susceptible (not clear)

  • Reply 14 of 18
    auxioauxio Posts: 1,945member
    Quote:
    Originally Posted by auxio View Post

     

    Trying to figure out how they're able to crash a device with an SSL certification on connection then... guess I should read the technical details of the attack.


     

    Ah, I see.  It's when any iOS system process tries to use SSL after connecting to the rogue WiFi network on startup.

  • Reply 15 of 18
    foggyhillfoggyhill Posts: 4,767member
    Quote:

    Originally Posted by auxio View Post

     

     

    Ah, I see.  It's when any iOS system process tries to use SSL after connecting to the rogue WiFi network on startup.


     

    The key here, is forcing the Apple device to use SSL (use the fallback), so the hotspot blocks everything but SSL I guess. Its a pretty specific attack with not much practical use (except malice I guess).

  • Reply 16 of 18
    The first thing you should do when you connect, is try to find one that has a security password in place like WPA or WEP.
    http://crakker.com/how-to-stay-secure-on-public-wifi-hotspots/
  • Reply 17 of 18
    fallenjtfallenjt Posts: 3,948member
    Quote:

    Originally Posted by BobJohnson View Post

     

     

    How about instead of doing that, I bring my own hotspot to Starbucks and spoof the SSID of the real network. People unknowingly connect to my hotspot rather than the legitimate one, and I send their iPhones and iPads into reboot spasms.

     

    Have some imagination...


    How about using your own LTE data plan? Public WiFi sucked ass slow anyway unless it's xFinity and you are a subscriber.

  • Reply 18 of 18
    jfc1138jfc1138 Posts: 3,090member
    Quote:

    Originally Posted by fallenjt View Post

     

    How about using your own LTE data plan? Public WiFi sucked ass slow anyway unless it's xFinity and you are a subscriber.




    True, my experience (AT&T) is that LTE is constantly good while public WiFi with it's dependence on how many people are connected, in this day of mobile device popularity, is borderline unusable, even when the numbers of possible connected devices is finite such as on an AMTRAK train.

Sign In or Register to comment.