Security researchers presenting at this week's RSA Conference in San Francisco, have uncovered a whole new compelling reason to switch off your phone. Skycure's Yair Amit and Adi Sharabani have demonstrated a startling vulnerability in iOS that can allow malicious hackers to crash any iOS device within range of a WiFi hotspot. And it doesn't even matter if targeted devices are trying to deliberately connect to the WiFi network or not. Yes, you heard that right. Pranksters are going to *love* this one. The researchers have dubbed their discovery "No iOS Zone", and explained how they uncovered the attack method when preparing a demonstration:
"One day, during preparation for a demonstration of a network-based attack, we bought a new router. After setting the router in a specific configuration and connecting devices to it, our team witnessed the sudden crash of an iOS app." "After a few moments, other people started to notice crashes. Pretty quickly, we realized that only iOS users were suffering from crashes."
According to the researchers, the attack can render vulnerable iOS devices within range so unstable that they can be forced into a constant cycle of crashes. Although many may view such an attack as a practical joke, the truth is that such a "denial of service" attack could have a serious impact on organisations reliant upon their iOS devices. In their presentation, Amit and Sharabani could be used at political events, or by protestors in financial hubs.
The researchers released a video of the WiFi attack in action. So, if you've ever wanted to watch a movie of a phone crashing over and over again, this is your chance. https://www.youtube.com/watch?v=PmgI0LaFYLA&rel=0 (That's the problem with wireless attacks - there's nothing much to see) The solution? Well, according to Sharabani, an old-fashioned approach to defence is best: run away. After all, once your phone is constantly crashing you won't have a chance to turn off WiFi.
"Anyone can take any router and create a Wi-Fi hotspot that forces you to connect to their network, and then manipulate the traffic to cause apps and the operating system to crash." "There is nothing you can do about it other than physically running away from the attackers. This is not a denial-of-service where you can't use your Wi-Fi – this is a denial-of-service so you can't use your device even in offline mode."
The researchers say that they first informed Apple of the problem in early October 2014, and that iOS 8.3 appears to resolve some of the issues they uncovered. Chances are that this won't be the last time that a serious denial of service flaw is found in iOS. Just last month, Apple released iOS 8.2 which fixed a flaw that allowed hackers to restart iPhones by sending them a maliciously-crafted Flash SMS. More details of the "No iOS Zone" flaw can be found in the slide deck of the presentation given at the RSA conference. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Meet Fortra™ Your Cybersecurity Ally™
Fortra is creating a simpler, stronger, and more straightforward future for cybersecurity by offering a portfolio of integrated and scalable solutions. Learn more about how Fortra’s portfolio of solutions can benefit your business.