“No iOS Zone” — It’s a Real Thing

Friday, 24 April 2015 00:00
“No iOS Zone” — It’s a Real Thing

iFrog no iOS zone hack problemThere are very few things better than happening upon an free, unprotected WiFi signal — it's true. But what if we told you a new test from Skycure, a leader in mobile threat defense solutions, warned you about connecting to these password-less signals?

In a field test — which Skycure performs many of — they found out that when a new wireless router is configured in a specific way and left without a password, it could cause iOS devices connected to the router to be rendered useless. It's a pretty wild idea to conceptualize, we understand, but basically, by generating a specially crafted Secure Sockets Layer (SSL) certificate, attackers can regenerate a bug and cause apps that perform SSL communication to crash at will. As SSL is one of the best security practices, it is utilized in almost all apps in the Apple App Store; so the attack surface is potentially very wide.

Skycure performed this test in their own offices, and after setting the router in a specific configuration and connecting devices to it, their team witnessed the sudden crash of an iOS app. Under certain conditions, they even managed to get devices to go into a repeatable reboot cycle, rendering them completely useless (as seen in this video). Even if victims understand that the attack comes from a Wi-Fi network, they can't disable the Wi-Fi interface in the repeated restart state as shown in the video until they get outside the range of the router's signal.

no iOS zone wifi problemThere are tons of other questions that come up with this discovery. First of all, most people would think: Can the attackers get sensitive or personal data off of my device while it is connected to their Wi-Fi signal? The answer to that is: potentially. An organized Denial of Service (DoS) attack can lead to big losses. Think about the impact of launching such an attack on Wall Street or maybe at the world's busiest airports. The results would be catastrophic. How do you feel when you personally are without your phone for any period of time? Naked, perhaps? Well, wonder how helpless you'd feel if you had your phone in your hand but weren't able to use it AND your personal data was being pulled from it simultaneously? It's a scary thought.

The discovery of this threat is very new and since the susceptibility has not been confirmed as fully fixed yet, Skycure has decided to refrain from providing additional details in order to make sure iOS users are not exposed to it.

As a precautionary measure, there are certain things iOS users can do to avoid this vulnerability. First, the latest iOS 8.3 update may have fixed this. So, we urge users to upgrade to the latest version. But if you're anything like us, then you did that as soon as you saw the little red notification pop up on the corner of your settings app. Secondly, you should change your settings so as to NOT allow your device to automatically connect to the closest Wi-Fi signal. If you happen to connect to a bad signal before you change your settings, then you should try to get out of range of the attacking router.

This may be something that just requires an quick fix from Apple, but until it is resolved we urge you to beware of free Wi-Fi.

Subscribe to our newsletter