A newly revealed bug in iOS lets attackers force iPhones and iPads into restart loops, repeatedly crashing and rebooting, using nothing but a Wi-Fi network.
Once the user has entered what its discoverers, security researchers Skycure, dub the “no iOS Zone”, there’s no way to fix their phone other than escaping the range of the malicious network; every time it reboots, it crashes almost immediately.
The attack uses a “specially crafted SSL certificate”, of the kind typically used to ensure a secure connection, to trigger a bug in the operating system that crashes any app using SSL.
“With our finding, we rushed to create a script that exploits the bug over a network interface,” the researchers wrote. “As SSL is a security best practice and is utilized in almost all apps in the Apple app store, the attack surface is very wide. We knew that any delay in patching the vulnerability could lead to a serious business impact: an organized denial of service (DoS) attack can lead to big losses.”
But in addition to crashing individual apps, the bug can be used to crash the underlying operating system as well. “With heavy use of devices exposed to the vulnerability, the operating system crashes as well. Even worse, under certain conditions, we managed to get devices into a repeatable reboot cycle, rendering them useless.
“Even if victims understand that the attack comes from a Wi-Fi network, they can’t disable the Wi-Fi interface in the repeated restart state as shown in the video.”
When combined with an earlier vulnerability, named “Wi-Figate”, which lets attackers force a device to automatically connect to a given Wi-Fi network, Skycure warns that an attack could be crafted which would deny service to any iOS device in a given area. “Victims in range cannot do anything about it. Think about the impact of launching such an attack on Wall Street, or maybe at the world’s busiest airports, or at large utility plants. The results would be catastrophic.”
The researchers say they have warned Apple of the error, and are refraining from releasing technical details about it until after the company has issued a fix. Apple did not respond to a request for comment ahead of publication.