Evil Wi-Fi kills iPhones, iPods in range – 'No iOS Zone' SSL bug revealed

A vulnerability in iOS 8 can be exploited by malicious wireless hotspots to repeatedly crash and reboot nearby Apple iPhones, iPads and iPods, security researchers claim. Skycure bods Adi Sharabani and Yair Amit say the attack, dubbed "No iOS Zone", will render vulnerable iOS things within range unstable – or even entirely …

  1. Robert Helpmann??
    Childcatcher

    MitM

    He also said the attack can be combined with HTTP request hijacking to trick iOS apps into pulling information from an attacker's servers, allowing the miscreant to compromise the software by feeding it bad data.

    Setting up a "No iOS Zone" is annoying, but being able to force victims to connect to a controlled network from which a man-in-the-middle attack can be staged seems to be more severe. Different attacks for different goals, I suppose. As far as seeing it in the wild, if it was used for a MitM attack, it would not be as noticeable as if the device started rebooting over and over. Time to stop wearing tin foil hats and start wrapping our phones in the stuff.

    1. werdsmith Silver badge

      Re: MitM

      An attack where my phone temporarily can't be used is a minor inconvenience.

      An attack where I connect to a rogue WiFi hotspot MitM and I am none the wiser happily sending and receiving sensitive data which is being recorded is much more of a problem. Unless it's all going to a do-nut shaped building in Cheltenham.

    2. Anonymous Coward

      Re: MitM

      "Time to stop wearing tin foil hats and start wrapping our phones in the stuff."

      Or just turn the phone off, because wrapped in tin foil it'll be useless as a phone anyway.

      With this, and the increasing surveillance done by governments… it's hard to know where this is all going. At this rate we'll be teleported back to the 1980s before the World Wide Web and before mass adoption of mobile phones.

      The Internet: it was nice while it lasted.

    3. Anonymous Coward

      Re: MitM

      Sounds wonderful. If anyone can turn it into a mobile version that will disable all ithings in range from a Laptop then that would be top banana...

      1. Anonymous Coward

        Re: MitM

        I want to take this to the nearest Apple store....

  2. Anonymous Coward
    Paris Hilton

    Force connection?

    I may have missed it in the PDF, but how exactly do you force a device to connect to a network?

    From the researcher's blog:

    "Users should disconnect from the bad Wi-Fi network or change their location in case they experience continuous crashing or rebooting."

    So once out of range I can remove the network from my list of known networks and I will no longer have the problem...

    "In general, users should avoid connecting to any suspicious “FREE” Wi-Fi network."

    So unless I connect to the network I will not have a problem....

    How are they going to force the connection to be able to exploit the bug?

    Paris, because I'm as confused as she is.

    1. Anonymous Coward

      Re: Force connection?

      "I may have missed it in the PDF, but how exactly do you force a device to connect to a network?"

      There is a mode in which iThings connect to any network that will allow it in (I suspect it's the same with Android). I specifically killed that off because I don't *want* the device to connect to networks without my knowledge, and it appears that wasn't a bad idea..

      Having said that, it's not difficult to mimic an existing network, and then you may be out of luck. You could have fun going to Starbucks, for instance.

      1. Roland6 Silver badge

        Re: Force connection?

        "I may have missed it in the PDF, but how exactly do you force a device to connect to a network?"

        In the iOS WiFi settings there is an option "Ask to Join Networks". If this is not enabled then the device will attempt to connect to any known network AND available open networks. Enable it and your device will only automatically connect to known networks.

        However, there is one obvious loophole, namely public hotspot SSIDs, which many users will have listed as known networks; these are obviously easy to find and hence be impersonated. Because the connection is done quietly, a user may be unaware their pocketed device has connected to "Starbucks" as you entered McDonalds...

        Additionally, there is the unknown as to how iOS handles hidden SSIDs. I would have hoped in iOS 8 that Apple has effectively disabled support for this pointless mode of operation and hence the device doesn't periodically broadcast known SSIDs in a vain attempt to find a network. As this broadcasting of SSIDs enables the use of tools that simply take the SSID a device is looking for and create an instant access point for that network!

        1. CanadianMacFan

          Re: Force connection?

          If you have "Ask to Join Networks" turned off then it will automatically join known networks, those it has joined before. Otherwise you will have to manually select a network. That's right from the settings page.

      2. Packet

        Re: Force connection?

        I believe you're incorrect.

        Once you have "ask to join networks" disabled, it will not automatically search for new networks (and accordingly, there will be no popup asking you to choose a newly found network)

        If you have connected to a network in the past, it will connect to that automatically.

        From the apple manual:

        Ask to join networks: Turn on Ask to Join Networks to be prompted when a Wi-Fi network is available. Otherwise, you must manually join a network when a previously used network isn’t available

    2. Morloch

      Re: Force connection?

      How to force a connection.....

      Try googling WiFi Pineapple.

      Put simply, if you have ever connected to an unsecured WiFi hotspot and not deleted it from your device afterwards, then this puppy will spoof the SSID.

      Combine it with plugins available and all those automatic attempts to login to Facebook, Twitter, etc will be simply handing out your account details...

      1. Anonymous Coward

        Re: Force connection?

        "Combine it with plugins available and all those automatic attempts to login to Facebook, Twitter, etc will be simply handing out your account details..."

        Not so fast - that would require a correct SSL site cert because all of these now use https links. Not that most users won't just OK the cert error, but it's not *that* easy.

        1. Alun Jones 1

          Re: Force connection?

          For "most", the paper says "92%" of users will click to continue through an SSL certificate error warning.

        2. Anonymous Coward

          Re: Force connection?

          According to the blurb... 90+% do simply click OK...

      2. Anonymous Coward

        Re: Force connection?

        So "Force" means, under specific device configurations, where the user has connected to specifically named networks in the past and not removed them then their device will attempt to connect. Ok, now I understand.
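
The auto-join behaviour discussed in this thread can be audited from the defender's side. The following is an added example, not code from the article, the researchers or any commenter: it flags saved profiles that any access point can satisfy (open security plus auto-join) and visible access points that reuse a saved SSID with weaker security or an unrecognised BSSID. The record types, field names and sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

OPEN = "open"  # assumed label for a network with no link-layer authentication


@dataclass(frozen=True)
class SavedNetwork:          # hypothetical record of a remembered network
    ssid: str
    security: str            # e.g. "open", "wpa2-psk"
    auto_join: bool


@dataclass(frozen=True)
class VisibleAP:             # hypothetical record from a Wi-Fi scan
    ssid: str
    bssid: str
    security: str


def spoofable_profiles(saved):
    """Saved profiles that any AP advertising the same SSID can satisfy."""
    return sorted(n.ssid for n in saved if n.auto_join and n.security == OPEN)


def suspicious_aps(saved, scan, known_bssids=None):
    """Flag visible APs that reuse a saved SSID but do not match the profile.

    known_bssids maps SSID -> set of BSSIDs previously seen for it. An
    unknown BSSID is only a heuristic (large networks add APs), and a
    matching BSSID is not proof that the AP is legitimate.
    """
    known_bssids = known_bssids or {}
    by_ssid = {n.ssid: n for n in saved}
    findings = []
    for ap in scan:
        profile = by_ssid.get(ap.ssid)
        if profile is None:
            continue  # SSID was never saved, so the device will not auto-join
        if profile.security != OPEN and ap.security == OPEN:
            findings.append((ap.ssid, ap.bssid, "security-downgrade"))
        elif ap.ssid in known_bssids and ap.bssid not in known_bssids[ap.ssid]:
            findings.append((ap.ssid, ap.bssid, "unknown-bssid"))
    return findings


# Constructed sample data (locally administered MAC addresses).
SAVED = [
    SavedNetwork("CoffeeShop-Free", "open", True),
    SavedNetwork("HomeNet", "wpa2-psk", True),
    SavedNetwork("Hotel-Guest", "open", False),
]
SCAN = [
    VisibleAP("CoffeeShop-Free", "02:00:00:aa:00:01", "open"),
    VisibleAP("HomeNet", "02:00:00:bb:00:02", "open"),
    VisibleAP("HomeNet", "02:00:00:cc:00:03", "wpa2-psk"),
    VisibleAP("Unrelated", "02:00:00:ee:00:05", "wpa2-psk"),
]
KNOWN = {
    "HomeNet": {"02:00:00:cc:00:03"},
    "CoffeeShop-Free": {"02:00:00:dd:00:04"},
}

if __name__ == "__main__":
    print("Forget or disable auto-join for:", spoofable_profiles(SAVED))
    for ssid, bssid, reason in suspicious_aps(SAVED, SCAN, KNOWN):
        print(f"{reason}: {ssid} ({bssid})")
```
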

  3. Anonymous Coward

    Quality

    Where can I get a hold of the source code? :)

    1. Anonymous Coward

      Re: Quality

      You know, our management hates spending anything. But given how much the younger generation sit playing with their phones in work hours (despite getting a disciplinary when caught) I think they'd pay for one of these to sit in the office...

  4. Michael Habel Silver badge

    Slap me silly...

    But, wouldn't the Secret here be to bang the Rocks together, to turn on Airplane Mode, and vice versa turn the Radios off?!

    1. Velv
      Black Helicopters

      Re: Slap me silly...

      Well, duh!

      Which assumes you can get to Airplane mode quickly enough after it crashes and before it crashes again.

      Unless you permanently live in airplane mode, which kinda defeats the point of a phone or smart CONNECTED device.

      I hope everyone is aware that Apple have hard coded wifi networks that their devices will automatically connect to when in range, for example when in an Apple Store, and this has also been expanded to Bluetooth to further refine your store journey. (Look up iBeacon if you don't believe me)

      1. A Non e-mouse Silver badge
        FAIL

        Re: Slap me silly...

        "I hope everyone is aware that Apple have hard coded wifi networks that their devices will automatically connect to when in range, for example when in an Apple Store"

        I was in my local Apple store the other day and I had to manually select and connect to the Apple Store WiFi. It wasn't hard coded in to my iPhone at all.

      2. Anonymous Coward

        Re: Slap me silly...

        "Which assumes you can get to Airplane mode quickly enough after it crashes and before it crashes again."

        Can't you just hold it wrong to block the signal whilst you fiddle with the settings?

        1. Anonymous Coward

          Re: Slap me silly...

          "Can't you just hold it wrong to block the signal whilst you fiddle with the settings?"

          Ninja-level use of Apple! Rips through the fabric of the reality-distortion field itself with enhanced chi power!

  5. Juan Inamillion

    "...a Wi-Fi hotspot that forces you to connect to their network..."

    That'll be the super annoying BT-Openzone then that seems to take over your bloody phone whenever you're out and about...

    1. 080

      Or even worse, when you are at home.

    2. Anonymous Coward

      "That'll be the super annoying BT-Openzone then that seems to take over your bloody phone whenever you're out and about..."

      Yes, I had to explicitly select "forget this network" - once you make the mistake of using it, it remembers it :(

  6. Slx

    I can see public Wi-Fi nodes becoming a major problem in the coming years...

    Same with public USB chargers.

    Thankfully ubiquitous, fast, unlimited 4G will probably ultimately render them as obsolete as payphone and fax machines in the future.

    I already find a lot of public Wi-Fi that I've been forced to use tends to be slow, insanely overpriced for what it is and exploiting a captive audience (certain hotels etc) full of annoying restrictions (blocked ports, ads or pop up ads being served etc.).

    Quite a lot of them also still seem to be using bog-standard ADSL2+ or something similar as you often get horrendously bad speeds, even though FTTC, Cable and even FTTH in some places are pretty widespread in urban and even small town areas. My 4G phone tethering is often a vastly superior solution.

    1. John Miles

      Re: My 4G phone tethering is often a vastly superior solution.

      I can see StingRay type attacks being a problem as well

    2. Anonymous Coward

      "Thankfully ubiquitous, fast, unlimited 4G will probably ......."

      ...resolve this problem in some parallel universe where ubiquitous, fast, unlimited 4G stands some chance of becoming a reality.

      In fact maybe that's what dark matter is: Simply a parallel universe scattered within our own, where they have this miraculous 4G of which you speak. Along with toasters that deliver evenly browned, unburned toast, self-loading dishwashers, self-wiping bottoms, and a host of other technical marvels.

      1. asdf

        hahaha good one

        >Thankfully ubiquitous, fast, unlimited 4G

        As poster above says good luck with that especially for us here in the States forced to use Verizon. Most of the telcos here are actually starting to push for 5G with limits so you can hit your monthly data limit in 14 secs by accident and they get gravy overage charges.

    3. Colin Wilson 2

      Even worse - there's a 'free' wifi at Gatwick Airport that forces you to download a weird e-book reader app before you can use the wifi. Heaven alone knows what it tries to do - I didn't dare run it to find out.

      1. Destroy All Monsters Silver badge
        Trollface

        "Heaven alone knows what it tries to do"

        It's probably just an iGideon Bible, don't be so neurotic.

  7. Matt Bryant Silver badge
    Devil

    Blocking annoying Apple users trying to hog your Wifi for iTunes?

    There's an app for that!

    (Well, that's if you don't already block them by MAC address range already.)

  8. MyffyW Silver badge

    Limited smugness

    The only iThing I own is so old it's not affected.

    But I'm going to miss YouTube when Google pulls the plug.

  9. Captain Queeg

    No news here really...

    From the looks of it these guys have simply discovered BT Openzone! ;-)

  10. Henry Wertz 1 Gold badge

    "Thankfully ubiquitous, fast, unlimited 4G will probably ultimately render them as obsolete as payphone and fax machines in the future."

    Hah! While 4G has GREATLY decreased the cost per GB of providing service, the providers in the US have gone full-greed and actually INCREASED per-GB charges over the past 5 or 10 years. Unbelievable but true.

  11. chris 17 Silver badge

    “There is nothing you can do about it other than physically running away from the attackers. This is not a denial-of-service where you can't use your Wi-Fi – this is a denial-of-service so you can't use your device even in offline mode.”

    Does that make sense to anyone? Are they suggesting it'll mess with your device even if WiFi is off as in airplane mode but you are still in range?

    If so that surely makes a mockery of airplane mode where your device is still talking via radio?

  12. Anonymous Coward

    Apple is buggy.

    Wonder if they'll fix it in iOS 8.5 ?

    [to be released the week after everyone installs iOS 8.4]

  13. Malcolm Weir

    @Henry Wertz 1: Mostly true... but T-Mobile has NOT increased its per GB charges. Probably doesn't count as a mobile phone company, though, because it does stupid things like provide no-cost international data roaming.

  14. Paul Hovnanian Silver badge

    Not seen in the wild?

    Perhaps it has. Multiple iOS devices going dark simultaneously. Scarier yet, where this is happening.
