iOS WiFi Bug Allows Remote Reboot of All Devices In Area 117
New submitter BronsCon writes: A recently disclosed flaw in iOS 8 dubbed "No iOS Zone" allows an attacker to create a WiFi hot spot that will cause iOS devices to become unstable, crash, and reboot, even when in offline mode. Adi Sharabani and Yair Amit of Skycure are working with Apple for a fix; but, for now, the only workaround is to simply not be in range of such a malicious network.
Got to build one of those (Score:5, Funny)
Re:Got to build one of those (Score:5, Insightful)
Re:Got to build one of those (Score:0)
where do I get access to this wonderful toy???
It should be a legal requirement in every built up area kill the muppet boxes off see the fanboys wet their panties love it big up to who found it just need the code released now so we can put to to very good use .
Re:Got to build one of those (Score:5, Funny)
Take it to the airport, or take it on the subway.
Just for grins, I downloaded all of the sounds that an iPhone makes onto my Android phone. In a quiet room, I can play the 'bing' noise that indicates an incoming message, or the noise that an iPhone makes when the battery is low. And then watch to see what kind of reaction there is from the people who are nearby.
Re:Got to build one of those (Score:5, Funny)
My time is worthless as well. Plus I too have incredibly low standards for comedy. We should be friends.
Re:Got to build one of those (Score:0)
I guess you must like hospital food.
Re:Got to build one of those (Score:0)
And Quarterback, the Nickelback cover band.
Re:Got to build one of those (Score:5, Funny)
Not that I would do this, but it might be fun to see someone stick something like this in a backpack and walk past an Apple store.
Re:Got to build one of those (Score:2)
Re:Got to build one of those (Score:2)
Re:Got to build one of those (Score:1)
A few seconds is still long enough to cause an accident.
Re:Got to build one of those (Score:1)
They shouldn't be playing about with their iDevices whilst driving; the insurance companies and police will both point the finger of blame at the driver.
Re:Got to build one of those (Score:2)
Re:Got to build one of those (Score:0)
Slap a name on it like "Hipster-Be-Gone" and I'll buy 5!
Re:Got to build one of those (Score:1)
Sign me up for one. This isn't a BUG its a FEATURE. And even better, a potential product!! We need an Android version and one for Crackberries - then deploy this anti-phone system in movie theatres, restaurants, etc. I would set one up around my house & business in a heartbeat.
Re: Got to build one of those (Score:2)
Re: Got to build one of those (Score:2)
New version... (Score:3)
please release this to the wild!! (Score:0)
Think of the children (who we could troll) !!!
Re:please release this to the wild!! (Score:1)
Re:please release this to the wild!! (Score:2)
Re:please release this to the wild!! (Score:1)
in offline mode? (Score:0)
Where is my tin foil hat?
even when in offline mode (Score:5, Interesting)
Exactly how does that work if the wifi is turned off?
Re:even when in offline mode (Score:5, Funny)
You're turning WiFi off wrong.
Re:even when in offline mode (Score:3, Informative)
From what I got from the pdf of their presentation, as long as you are in range of the attacker's network, you won't be able to switch to offline mode before iOS crashes and reboots. You'll have to physically move out of range of the network before you go into offline mode. Of course, if you are in offline mode to begin with when you are in range of the attacker's network, you won't be affected until you turn on your wifi.
Re:even when in offline mode (Score:0)
AHA! Suddenly that "you're holding your phone wrong" is looking like an anti-exploit feature!
Re:even when in offline mode (Score:2)
iOS won't attempt to join a Wi-FI network until you enter your passcode. Seems like a good protection against this would be to have a passcode and control panel enabled from the lock screen.
Phone boots up after crashing; DON'T unlock it, just swipe up the control center, turn off Wifi, then unlock.
Re:even when in offline mode (Score:2)
This attack doesn't seem to require joining the network in any way.
A simple wifi scan will do it which would still be occurring whilst locked.
Re:even when in offline mode (Score:5, Informative)
I was curious as well, so I read through their presentation slides [rsaconference.com] and their press release [skycure.com].
The gist of the attack is that they've crafted a malicious SSL cert that can cause strange behavior in apps and the OS itself, including the possibility of initiating a crash-reboot-get malicious SSL cert-crash cycle. Once you get stuck in that cycle, there's no way to turn off WiFi, hence why they said that offline mode would not remedy the issue. That said, offline mode can indeed keep you from getting stuck in that cycle to begin with, and the researchers even recommended it as one of the ways to avoid the problem entirely. Alternatively, if it's already too late for you and you're in the crash loop, simply leaving the area will fix the issue for you, since you'll be able to pull down valid SSL certs and reboot as normal.
Which is to say, the summary has it wrong, since the attack cannot cause you to enter the crash loop while you're in offline mode, but you won't be able to enter offline mode once you're in the crash loop, so offline mode cannot save you at that point. Only leaving the area will work.
Re:even when in offline mode (Score:0)
Good thing am still on iOS 7.1.3.
Re:even when in offline mode (Score:0)
Re:even when in offline mode (Score:0)
What if it's in an area you can't access? Better yet, what if it's in an area belonging to someone else, whom they'd also like to prank?
Re:even when in offline mode (Score:0, Troll)
Re:even when in offline mode (Score:2)
We all make mistakes, and your comment [slashdot.org] down below that you're referring to didn't exist at the time that I started reading and then typing a response to the first OP who had the same question I had. By the time I posted, your comment existed, of course, but I hadn't seen it.
Re:even when in offline mode (Score:0, Troll)
That said, I've done it, too. My comment was more a remark about Slashdot's lack of editorial function.
Re:even when in offline mode (Score:2)
How did it take you that long to read the handful of comments that existed at the time?
I loaded the page before you comment existed, started reading the source material, typed up a response to the first OP in the comments with the same question I had, posted my response, and only then had the page refresh with your comment. That's what I was getting at. Sorry if I was unclear.
Re:even when in offline mode (Score:1)
That said, I've done it, too. My comment was more a remark about Slashdot's lack of editorial function.
Re:even when in offline mode (Score:1)
Re:even when in offline mode (Score:2)
Re:even when in offline mode (Score:2)
You're doing just fine, and your response to all of our comments has been both polite and appropriate. We'll always complain about the summary. :P
Re:even when in offline mode (Score:2)
We'll always complain about the summary.
I know Why do you think I keep coming back? ;)
Re:even when in offline mode (Score:4, Informative)
How did it take you that long to read the handful of comments that existed at the time?
because it couldn't make more clear how (as per /. etiquette, of course, I know) directly jumping to the comment section is your usual MO, when in reality, the occasional guy who actually does spend a few minutes on reading TFA is not unheard of. :).
/. the way I do, which is skimming the front page for stories of potential interest (i know, i know), opening them in background tabs, and only /then/ going through the opened stories, eh, comment sections, one by one. So there's quite a delay between clicking on a story (causing comments to be loaded), and actually looking at it for the first time.
Therefore it could have been a funny and subtle troll as well; thanks for ruling out that possibility
Besides, It's also very possible that the poster just reads
Re:even when in offline mode (Score:0)
Sounds like the wifi doesn't completely turn off.
Re:even when in offline mode (Score:0)
Re:even when in offline mode (Score:2)
Re:even when in offline mode (Score:2)
Re:even when in offline mode (Score:2)
Exactly how does that work if the wifi is turned off?
That doesn't matter. The chip iPhone uses combines the wifi/baseband/bluetooth/radio/wifi-assisted-location all-in-one to save on battery.
And per the 3GPP technical specifications for GSM, the low baseband is never actually turned off (in case of an earthquake warning or a tsunami warning, it's always listening for a polling call for it to wake it up, or to boot up the device), This works even when the mobile cell phone service is turned off, when the wifi is turned off, and it can even work even when the phone itself is turned off. This standby mode is called the "paging channel" and it's supposed to only take 1% of the battery each day.
If you know people in Asia where there have been a few tsunami warnings, those people can tell you that their phone (or their friend's phones) will turn on all by themselves when there is a Tsunami warning. So we know that this functionality is already active in some parts of the world.
How is it working in offline mode (Score:2, Insightful)
Seriously. the fact that offline mode is not offline is a bigger issue that this exploit.
Re:How is it working in offline mode (Score:5, Insightful)
Re:How is it working in offline mode (Score:4, Funny)
Re:How is it working in offline mode (Score:1)
You can't turn off attwifi (if your iPhone is from AT&T) or similar carrier-created SSID's. Doing this trick on attwifi is going to affect a hell of a lot of iPhones in the US.
(Actually, airplane mode would work. But then you can't get cellular connections either.)
Re:How is it working in offline mode (Score:5, Funny)
Actually, after giving the article another read-through, I think I got it wrong in the summary.
Are you sure you're a Slashdot submitter?
Oh, I see you're new here. Don't worry, after a while you'll stop caring about having anything correct in the summary at all.
Re:How is it working in offline mode (Score:4, Informative)
OH! I get it! You were playing on stereotypes!
Re:How is it working in offline mode (Score:5, Funny)
Actually, after giving the article another read-through, I think I got it wrong in the summary.
Are you sure you're a Slashdot submitter?
Oh, I see you're new here. Don't worry, after a while you'll stop caring about having anything correct in the summary at all.
If you do manage to get the summary right, you can be sure an editor will fix that mistake.
Re:How is it working in offline mode (Score:2)
Re:How is it working in offline mode (Score:3)
Then you'll be fully qualified as a Slashdot editor.
Re:How is it working in offline mode (Score:2)
Literally (Score:5, Funny)
That's a literal "work around".
Heh.
I'll get my coat.
Oblig Steve Jobs paraphrase (Score:5, Funny)
You're being somewhere wrong
Wait, what? Even in offline mode? (Score:2, Redundant)
Re:Wait, what? Even in offline mode? (Score:3)
I would agree that this is very much the more interesting point, that if you have turned off the antennas, it is still listening. NSA, is this a feature for you?
Re:Wait, what? Even in offline mode? (Score:0)
Re:Wait, what? Even in offline mode? (Score:0)
I bet Apple has the wifi on even in offline mode, just as Google has on Nexus 5. The 5.0 Android had a bug that caused the device to reboot if it lost connection to our office's Wifi access point. This happened on certain location when I went out of office. Funny thing was that it happened on same spot even when the Wifi was turned off from device settings..
Re:Wait, what? Even in offline mode? (Score:5, Informative)
It's not that a phone that's offline is still vulnerable to wifi; it's that once this attack (which is carefully designed to get this result) hits you can't get enough control to go offline. The summary's got an inaccurate paraphrase, but TFA's phrasing isn't immediately clear. The researcher's blog [skycure.com] has a better description.
Re:Wait, what? Even in offline mode? (Score:2)
Re:Wait, what? Even in offline mode? (Score:0)
Horrible summary, read the article. If your WiFi is off, you are fine. If your WiFi is on but you didn't connect to the malicious network, you are fine.
Re:Wait, what? Even in offline mode? (Score:2)
Anyone can take any router and create a Wi-Fi hotspot that forces you to connect to their network
In other words:
If your WiFi is on...
you're boned.
Re:Wait, what? Even in offline mode? (Score:3)
They use the word "force", but as the attack was originally described [skycure.com], what they're actually talking about doing is spoofing a network that your device already recognizes. More or less, if an attacker knows your home WiFi SSD or can make a lucky guess about what other SSIDs your device might already recognize (e.g. ones that your device was programmed to know out of the box), they can name their malicious network in such a way to possibly get you to automatically connect to it as a recognized network.
There's nothing particularly novel about that attack, and contrary to their verbiage, it doesn't force anyone to join a network, nor can it even easily be used in conjunction with this attack for the vast majority of users. Is it a potential problem? Absolutely, but only for a small subset of users. The way they're phrasing it and talking about it, it seems pretty clear that they're trying to boost their own profile a bit. For most cases, the two attacks can't be used together unless the malicious agent is stalking their victim.
Re:Wait, what? Even in offline mode? (Score:3)
More or less, if an attacker knows your home WiFi SSD or can make a lucky guess about what other SSIDs your device might already recognize (e.g. ones that your device was programmed to know out of the box [e.g. attwifi, for 34% of users]), they can name their malicious network in such a way to possibly get you to automatically connect to it as a recognized network.
Hmm...
There's nothing particularly novel about that attack, and contrary to their verbiage, it doesn't force anyone to join a network, ...
34% of users can't tell their iPhones not to connect to a hotspot named attwifi. That sounds like the ability to force connection to a WiFi network to me.
... nor can it even easily be used in conjunction with this attack for the vast majority of users.
I'll grant you that, 66% is the vast majority. However ...
Is it a potential problem? Absolutely, but only for a small subset of users.
... 34% is not a small subset.
The way they're phrasing it and talking about it, it seems pretty clear that they're trying to boost their own profile a bit.
This I can agree with. It's what lead to the inaccuracy in the summary in the first place.
For most cases, the two attacks can't be used together unless the malicious agent is stalking their victim.
You're right, 66% does constitute "most cases"; 34% of all iPhones sold in the last 3.5 years (that is to say, realistically, damn near 34% of all iPhones currently in use) still seems like a pretty large victim pool, though.
So yes, perhaps the severity of the flaw was a bit overblown by the team that discovered it, but I think you're trying to let out a bit too much of the air.
Re:Wait, what? Even in offline mode? (Score:2)
Good points all around. The one thing I might quibble about is the inability to remove the WiFi network. I can't check it at the moment, but I distinctly recall trying to delete "attwifi" as a recognized network years ago, back when I first noticed I had connected to it unexpectedly. That said, I'm not representative of a typical user, and 34% is higher than I had realized, so as I said, good points, and thanks for the rebuttal.
Re:Wait, what? Even in offline mode? (Score:2)
Also, I'm still on Slashdot, right? I'm asking because there hasn't been any name calling yet.
Re:Wait, what? Even in offline mode? (Score:2)
I'm thinking that if a malicious hotspot cycled through the known pre-installed SSIDs like "attwifi", common open SSIDs like "linksys", "NETGEAR", "dlink", "default", etc, plus corporate branded/hotspot SSIDs such as whatever Starbucks or McDonald's use, they could easily increase the vulnerable population to well over 75%.
Re:Wait, what? Even in offline mode? (Score:2)
Darn it (Score:5, Funny)
I thought I was going to get First Post, but then this iPhone kept constantly rebooting.
How can it crash even in Airplane Mode? (Score:0, Interesting)
I thought this toggled the device's radio to OFF!
Re:How can it crash even in Airplane Mode? (Score:1)
It cant, it's a complete fake claim that it can do it in airplane mode
Dumb setting. (Score:0)
If you have your phone set to connect to any available network, then don't be surprised to get owned every now and then.
Re:Dumb setting. (Score:4, Interesting)
If you have your phone set to connect to any available network, re-connect to wifi networks you have joined before, and to continually broadcast those SSIDs one by one until it receives a response, then don't be surprised to get owned every now and then you're following the 802.11 standard correctly [dot11.info].
If your phone is set to connect to networks with names like "attwifi" or "xfinitiwifi" [arstechnica.com], then... well, that's what it will do.
winnuke all over again! YES! (Score:0)
Winnuke was awesome. Hanging out in EFNet #jediknight and winnuking lame JK servers (64k ISDN 8 players join now!!!!) was great since practically nobody was patched back then, and thanks to the crappy peering system, people pretty much had to hand out their IP in a public forum (read: IRC) just to get any players.
L4m3 server = nuuuuuuuuuuuuke
Now you can wipe out a bunch of hipsters and flunkies at Starbucks, and practically nobody will know why.
so, noone cares? (Score:0)
So, like the "iTunes stops working on XP' story below...nothing of value is really lost then?
It only affect iThings. Noone of consequence cares.
Smells like BS. (Score:0)
even in "offline mode"? iPhone doesnt have an offline mode but an airplane mode and the story is 100% bullshit if he is claiming it can do this to a phone that is in airplane mode
Re:Smells like BS. (Score:4, Informative)
even in "offline mode"? iPhone doesnt have an offline mode but an airplane mode and the story is 100% bullshit if he is claiming it can do this to a phone that is in airplane mode
That's not what they are saying... IF you have the phone in Airplane mode, you will have no problem. HOWEVER, if you don't and your phone tries to connect to the rouge AP then it crashes and reboots. At that point you are sunk because when your phone boots and it wasn't previously in Airplane mode, it will connect to the rouge AP and crash before you can get the phone into Airplane mode to stop the cycle.
So if your WiFi is actually turned off, nothing will happen. The problem is that once you get into this cycle, you cannot turn off the WiFi before the phone crashes and boots again. The only way to recover is to get out of range of the rouge AP so you can stop the crash, boot, crash cycle.
Re:Smells like BS. (Score:1)
But what if it tries to connect to the mascara AP?
I bet you play lots of rouge-like games. And back in the day, you played Rainbow 6: Rouge Spear. (That one always just sounds naughty to me.) And when you go to Louisiana, you visit Baton Rogue, just because.
Re:Smells like BS. (Score:2)
Testing seems to show that iPhones on 8.3 don't connect to wifi immediately after a reboot. They wait until you login.
Re:Smells like BS. (Score:2)
App? (Score:5, Interesting)
So my Android device can act an an AP, is there an app for this yet?
Re:App? (Score:3)
Re:App? (Score:2)
I don't think I've owned a WiFi device that can't be an access point.
Re:App? (Score:2)
Silence your cell phones please (Score:2)
Oh well, add it too the list of IOS failures (Score:0)
So at one time I thought coming from Android that IOS was so much better. But now after the IOS 8 failings I have to admit Apple has lost its edge on IOS.
Sure, I get incredible battery life now that I have abandon iCloud, the new Photo's app and iCloud Drive I now have a fully functioning iPhone with very good battery life that runs apps well. If you can avoid all Apple bloatware which it has become of late. The iPhone becomes a very usable smartphone. I'm sure Apple will fix this bug just as fast as they fixed the WiFi issues, the incredible slug performance bugs, the missing data after upgrading and the awful way Apple deals with any problem.
Re:Oh well, add it too the list of IOS failures (Score:0)
Devil's advocate:
Have you heard of a single rogue app or malware on iOS that affected people in the wild?
Case closed.
High tech irony (Score:1)
Conceptually, it sounds an awful lot like Woz' TV jammer.
another workaround: faraday cage (Score:2)
Carry a Faraday cage with you, put your phone in it, reboot, and once it's rebooted, unlock the phone and turn off the WiFi.
You'll need to make it big enough to cover your hand and phone and transparent enough to see what you are doing.
It won't be complete because unless the Faraday cage covers your entire body (including your feet), the malicious WiFi signal could theoretically come through where your arm is. But unless the signal is really strong or bouncing off the wall behind you, you should be able to orient yourself so that the signal is too weak to be picked up by your phone.
Ann Droid to the Rescue! (Score:1)
'...for now, the only workaround is to simply not be in range of such a malicious network.' Really? How about not owning an iOS device?
Re: Ann Droid to the Rescue! (Score:2)
Herp derp. You could take the same approach to literally every security vulnerability ever. Remote exploit in the Linux kernel? Workaround: don’t use Linux! Malicious web pages? Workaround: don’t use the WWW!
Anti-hipster device (Score:1)
Proving a simple point (Score:2)
Great deal (Score:1)