iOS WiFi Bug Allows Remote Reboot of All Devices In Area
New submitter BronsCon writes: A recently disclosed flaw in iOS 8 dubbed "No iOS Zone" allows an attacker to create a WiFi hot spot that will cause iOS devices to become unstable, crash, and reboot, even when in offline mode. Adi Sharabani and Yair Amit of Skycure are working with Apple for a fix; but, for now, the only workaround is to simply not be in range of such a malicious network.
Got to build one of those (Score:5, Funny)
Re:Got to build one of those (Score:5, Funny)
Take it to the airport, or take it on the subway.
Just for grins, I downloaded all of the sounds that an iPhone makes onto my Android phone. In a quiet room, I can play the 'bing' noise that indicates an incoming message, or the noise that an iPhone makes when the battery is low. And then watch to see what kind of reaction there is from the people who are nearby.
Re:Got to build one of those (Score:5, Funny)
My time is worthless as well. Plus I too have incredibly low standards for comedy. We should be friends.
Re:Got to build one of those (Score:5, Funny)
Not that I would do this, but it might be fun to see someone stick something like this in a backpack and walk past an Apple store.
Re: (Score:1)
A few seconds is still long enough to cause an accident.
Re: (Score:1)
They shouldn't be playing about with their iDevices whilst driving; the insurance companies and police will both point the finger of blame at the driver.
Re: (Score:1)
Sign me up for one. This isn't a BUG, it's a FEATURE. And even better, a potential product!! We need an Android version and one for Crackberries - then deploy this anti-phone system in movie theatres, restaurants, etc. I would set one up around my house & business in a heartbeat.
New version... (Score:3)
even when in offline mode (Score:5, Interesting)
Exactly how does that work if the wifi is turned off?
Re:even when in offline mode (Score:5, Funny)
You're turning WiFi off wrong.
Re: (Score:3, Informative)
From what I got from the pdf of their presentation, as long as you are in range of the attacker's network, you won't be able to switch to offline mode before iOS crashes and reboots. You'll have to physically move out of range of the network before you go into offline mode. Of course, if you are in offline mode to begin with when you are in range of the attacker's network, you won't be affected until you turn on your wifi.
Re: (Score:2)
iOS won't attempt to join a Wi-Fi network until you enter your passcode. Seems like a good protection against this would be to have a passcode and control panel enabled from the lock screen.
Phone boots up after crashing; DON'T unlock it, just swipe up the control center, turn off Wifi, then unlock.
Re: (Score:2)
This attack doesn't seem to require joining the network in any way.
A simple wifi scan will do it which would still be occurring whilst locked.
Re:even when in offline mode (Score:5, Informative)
I was curious as well, so I read through their presentation slides [rsaconference.com] and their press release [skycure.com].
The gist of the attack is that they've crafted a malicious SSL cert that can cause strange behavior in apps and the OS itself, including the possibility of initiating a crash-reboot-get malicious SSL cert-crash cycle. Once you get stuck in that cycle, there's no way to turn off WiFi, hence why they said that offline mode would not remedy the issue. That said, offline mode can indeed keep you from getting stuck in that cycle to begin with, and the researchers even recommended it as one of the ways to avoid the problem entirely. Alternatively, if it's already too late for you and you're in the crash loop, simply leaving the area will fix the issue for you, since you'll be able to pull down valid SSL certs and reboot as normal.
Which is to say, the summary has it wrong, since the attack cannot cause you to enter the crash loop while you're in offline mode, but you won't be able to enter offline mode once you're in the crash loop, so offline mode cannot save you at that point. Only leaving the area will work.
Re: (Score:2)
We all make mistakes, and your comment [slashdot.org] down below that you're referring to didn't exist at the time that I started reading and then typing a response to the first OP who had the same question I had. By the time I posted, your comment existed, of course, but I hadn't seen it.
Re: (Score:2)
How did it take you that long to read the handful of comments that existed at the time?
I loaded the page before your comment existed, started reading the source material, typed up a response to the first OP in the comments with the same question I had, posted my response, and only then had the page refresh with your comment. That's what I was getting at. Sorry if I was unclear.
Re: (Score:1)
That said, I've done it, too. My comment was more a remark about Slashdot's lack of editorial function.
Re: (Score:2)
You're doing just fine, and your response to all of our comments has been both polite and appropriate. We'll always complain about the summary. :P
Re: (Score:2)
We'll always complain about the summary.
I know. Why do you think I keep coming back? ;)
Re:even when in offline mode (Score:4, Informative)
How did it take you that long to read the handful of comments that existed at the time?
because it couldn't make more clear how (as per /. etiquette, of course, I know) directly jumping to the comment section is your usual MO, when in reality, the occasional guy who actually does spend a few minutes on reading TFA is not unheard of. :)
Therefore it could have been a funny and subtle troll as well; thanks for ruling out that possibility.
Besides, it's also very possible that the poster just reads /. the way I do, which is skimming the front page for stories of potential interest (I know, I know), opening them in background tabs, and only /then/ going through the opened stories, eh, comment sections, one by one. So there's quite a delay between clicking on a story (causing comments to be loaded), and actually looking at it for the first time.
Re: (Score:2)
Exactly how does that work if the wifi is turned off?
That doesn't matter. The chip iPhone uses combines the wifi/baseband/bluetooth/radio/wifi-assisted-location all-in-one to save on battery.
And per the 3GPP technical specifications for GSM, the low baseband is never actually turned off (in case of an earthquake warning or a tsunami warning, it's always listening for a polling call for it to wake it up, or to boot up the device), This works even when the mobile cell phone service is turned off, when the wifi is turned off, and it can even work even when the p
How is it working in offline mode (Score:2, Insightful)
Seriously, the fact that offline mode is not offline is a bigger issue than this exploit.
Re: (Score:1)
You can't turn off attwifi (if your iPhone is from AT&T) or similar carrier-created SSIDs. Doing this trick on attwifi is going to affect a hell of a lot of iPhones in the US.
(Actually, airplane mode would work. But then you can't get cellular connections either.)
Re:How is it working in offline mode (Score:5, Funny)
Actually, after giving the article another read-through, I think I got it wrong in the summary.
Are you sure you're a Slashdot submitter?
Oh, I see you're new here. Don't worry, after a while you'll stop caring about having anything correct in the summary at all.
Re:How is it working in offline mode (Score:4, Informative)
OH! I get it! You were playing on stereotypes!
Re:How is it working in offline mode (Score:5, Funny)
Actually, after giving the article another read-through, I think I got it wrong in the summary.
Are you sure you're a Slashdot submitter?
Oh, I see you're new here. Don't worry, after a while you'll stop caring about having anything correct in the summary at all.
If you do manage to get the summary right, you can be sure an editor will fix that mistake.
Re: (Score:3)
Then you'll be fully qualified as a Slashdot editor.
Literally (Score:5, Funny)
That's a literal "work around".
Heh.
I'll get my coat.
Oblig Steve Jobs paraphrase (Score:5, Funny)
You're being somewhere wrong
Wait, what? Even in offline mode? (Score:2, Redundant)
Re: (Score:3)
I would agree that this is very much the more interesting point, that if you have turned off the antennas, it is still listening. NSA, is this a feature for you?
Re:Wait, what? Even in offline mode? (Score:5, Informative)
It's not that a phone that's offline is still vulnerable to wifi; it's that once this attack (which is carefully designed to get this result) hits you can't get enough control to go offline. The summary's got an inaccurate paraphrase, but TFA's phrasing isn't immediately clear. The researcher's blog [skycure.com] has a better description.
Re: (Score:2)
Anyone can take any router and create a Wi-Fi hotspot that forces you to connect to their network
In other words:
If your WiFi is on...
you're boned.
Re: (Score:3)
They use the word "force", but as the attack was originally described [skycure.com], what they're actually talking about doing is spoofing a network that your device already recognizes. More or less, if an attacker knows your home WiFi SSID or can make a lucky guess about what other SSIDs your device might already recognize (e.g. ones that your device was programmed to know out of the box), they can name their malicious network in such a way to possibly get you to automatically connect to it as a recognized network.
There'
Re: (Score:3)
More or less, if an attacker knows your home WiFi SSID or can make a lucky guess about what other SSIDs your device might already recognize (e.g. ones that your device was programmed to know out of the box [e.g. attwifi, for 34% of users]), they can name their malicious network in such a way to possibly get you to automatically connect to it as a recognized network.
Hmm...
There's nothing particularly novel about that attack, and contrary to their verbiage, it doesn't force anyone to join a network, ...
34% of users can't tell their iPhones not to connect to a hotspot named attwifi. That sounds like the ability to force connection to a WiFi network to me.
... nor can it even easily be used in conjunction with this attack for the vast majority of users.
I'll grant you that, 66% is the vast majority. However ...
Is it a potential problem? Absolutely, but only for a small subset of users.
... 34% is not a small subset.
The way they're phrasing it and talking about it, it seems pretty clear that they're trying to boost their own profile a bit.
This I can agree with. It's what led to the inaccuracy in the summary in the first place.
For most cases, the two attacks can't be used together unless the malicious agent is stalking their victim.
You're right, 66% does constitute "most cases"; 34% of all iPhones sold in the last 3.5 years (that is to say, realistically, damn near 34% of all iPhones currently in use)
Re: (Score:2)
Good points all around. The one thing I might quibble about is the inability to remove the WiFi network. I can't check it at the moment, but I distinctly recall trying to delete "attwifi" as a recognized network years ago, back when I first noticed I had connected to it unexpectedly. That said, I'm not representative of a typical user, and 34% is higher than I had realized, so as I said, good points, and thanks for the rebuttal.
Re: (Score:2)
Also, I'm still on Slashdot, right? I'm asking because there hasn't been any name calling yet.
Re: (Score:2)
I'm thinking that if a malicious hotspot cycled through the known pre-installed SSIDs like "attwifi", common open SSIDs like "linksys", "NETGEAR", "dlink", "default", etc, plus corporate branded/hotspot SSIDs such as whatever Starbucks or McDonald's use, they could easily increase the vulnerable population to well over 75%.
Darn it (Score:5, Funny)
I thought I was going to get First Post, but then this iPhone kept constantly rebooting.
Re: (Score:1)
It can't, it's a complete fake claim that it can do it in airplane mode
Re:Dumb setting. (Score:4, Interesting)
If you have your phone set to connect to any available network, re-connect to wifi networks you have joined before, and to continually broadcast those SSIDs one by one until it receives a response, then don't be surprised to get owned every now and then you're following the 802.11 standard correctly [dot11.info].
If your phone is set to connect to networks with names like "attwifi" or "xfinitiwifi" [arstechnica.com], then... well, that's what it will do.
Re:Smells like BS. (Score:4, Informative)
even in "offline mode"? iPhone doesn't have an offline mode but an airplane mode and the story is 100% bullshit if he is claiming it can do this to a phone that is in airplane mode
That's not what they are saying... IF you have the phone in Airplane mode, you will have no problem. HOWEVER, if you don't and your phone tries to connect to the rouge AP then it crashes and reboots. At that point you are sunk because when your phone boots and it wasn't previously in Airplane mode, it will connect to the rouge AP and crash before you can get the phone into Airplane mode to stop the cycle.
So if your WiFi is actually turned off, nothing will happen. The problem is that once you get into this cycle, you cannot turn off the WiFi before the phone crashes and boots again. The only way to recover is to get out of range of the rouge AP so you can stop the crash, boot, crash cycle.
Re: (Score:1)
But what if it tries to connect to the mascara AP?
I bet you play lots of rouge-like games. And back in the day, you played Rainbow 6: Rouge Spear. (That one always just sounds naughty to me.) And when you go to Louisiana, you visit Baton Rogue, just because.
Re: (Score:2)
Testing seems to show that iPhones on 8.3 don't connect to wifi immediately after a reboot. They wait until you login.
App? (Score:5, Interesting)
So my Android device can act as an AP, is there an app for this yet?
Re: (Score:2)
I don't think I've owned a WiFi device that can't be an access point.
Silence your cell phones please (Score:2)
High tech irony (Score:1)
Conceptually, it sounds an awful lot like Woz' TV jammer.
another workaround: faraday cage (Score:2)
Carry a Faraday cage with you, put your phone in it, reboot, and once it's rebooted, unlock the phone and turn off the WiFi.
You'll need to make it big enough to cover your hand and phone and transparent enough to see what you are doing.
It won't be complete because unless the Faraday cage covers your entire body (including your feet), the malicious WiFi signal could theoretically come through where your arm is. But unless the signal is really strong or bouncing off the wall behind you, you should be able to
Ann Droid to the Rescue! (Score:1)
'...for now, the only workaround is to simply not be in range of such a malicious network.' Really? How about not owning an iOS device?
Re: (Score:2)
Herp derp. You could take the same approach to literally every security vulnerability ever. Remote exploit in the Linux kernel? Workaround: don’t use Linux! Malicious web pages? Workaround: don’t use the WWW!
Anti-hipster device (Score:1)
Proving a simple point (Score:2)
Great deal (Score:1)