Researchers from Skycure demonstrated a novel attack at the RSA 2015 conference that affects iPhones and other iOS devices. The attack, which takes advantage of new and previously announced vulnerabilities, locks iPhones into a never-ending reboot cycle effectively rendering them useless.
Developing a Denial of Service Attack
Skycure CEO Adi Sharabani explained that this attack began when Skycure researchers bought a new router and were messing around with its network settings. In doing so, they discovered a particular configuration that caused apps in iPhones connected to that router to crash whenever they launched.
"To us, these things are amazing," said Sharabani. "These bugs can always result in vulnerabilities."
Sharabani explained that an issue in how iOS devices handle SSL certificates caused the apps to crash. Were an attacker to create a Wi-Fi network with a particular configuration and victims joined it, apps on the victims' phones would crash when they reached out to the Web through SSL. Of course, the average user would probably switch off their Wi-Fi and use their cellular data connection, thus ending the attack. "It's really annoying, but it's not devastating," said Sharabani.
Devastating Development
To make it a little more devastating, Sharabani and his team combined this new vulnerability with one previously disclosed by Skycure and dubbed Wi-Fi Gate. That vulnerability took advantage of default settings in iOS devices from wireless companies. In the company's previous research, Skycure discovered that an attacker could create a rogue Wi-Fi network that appeared identical to one of the pre-set options and force phones to connect without victims realizing.
But Skycure went beyond merely crashing individual apps, and found the means to lock victims' iPhones into a never-ending crash and reboot cycle.
"There are many different processes in the operating system that interact with SSL, not just the apps themselves," explained Sharabani. "By doing this manipulation on requests coming off the operating system, we were able to crash different processes from the OS, causing the device to crash." When the device rebooted, it would automatically connect to the last Wi-Fi network it was connected to, crash again, reboot, and so on.
"You don't even have time to even just go to the settings and switch off the Wi-Fi," said Sharabani. "There's no way to mitigate it other than running away from the attacker."
Attack Limitations
While Skycure's attack renders a phone inoperable, there are other devices already on the market that can mess with your phone. Portable cell towers, called Femtocells, can intercept cellular communications and other devices can simply jam cellular radios. However, Sharabani stressed that Skycure's attack renders all aspects of a victim's phone inoperable, not just the ability to communicate. Victims could not, for example, take photos or video of whatever was happening around them at the time.
Another limitation on this type of attack is the geographic distance between the victims and the Wi-Fi network. Victims could easily just walk out of range of the network, but Sharabani suggested scenarios where victims are unable to flee. Say, as part of a terror attack or a government action against protestors.
Backup Plan
Thankfully, Skycure has already disclosed the issues to Apple. Some of the problems the company uncovered were addressed with the release of iOS 8.3. Also, the attack Skycure disclosed has yet to be seen in the wild and came entirely from the efforts of researchers. Sharabani said that Skycure gathers threat intelligence data from users of its mobile app, and that nothing of the sort had yet appeared. Emphasis on yet. "I can only say I haven't seen it, not that it doesn't exist," said Sharabani. You can see some the threats Skycure has uncovered, perhaps in your neighborhood, with their handy map tool.
This and other research (like that time they hacked my iPhone) from Skycure has highlighted that iOS, despite its bullet-proof reputation, can be successfully attacked. And while Skycure and its ilk are working to help make Apple's platform more secure by breaking it in interesting ways, Sharabani did voice concern about how much of our lives are tied to the devices we carry. His parting advice was that smartphone users understand the limitations of their devices and develop a back-up plan.
Like What You're Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Sign up for other newsletters
