iOS WiFi Bug Allows Remote Reboot of All Devices In Area

New submitter BronsCon writes: A recently disclosed flaw in iOS 8 dubbed "No iOS Zone" allows an attacker to create a WiFi hot spot that will cause iOS devices to become unstable, crash, and reboot, even when in offline mode. Adi Sharabani and Yair Amit of Skycure are working with Apple for a fix; but, for now, the only workaround is to simply not be in range of such a malicious network.

Got to build one of those

[jfdavis668]

So I can get a seat at my local coffee house.

Re:Got to build one of those

[Rooked_One]

where do I get access to this wonderful toy???

Re:Got to build one of those

[toonces33]

Take it to the airport, or take it on the subway.

Just for grins, I downloaded all of the sounds that an iPhone makes onto my Android phone. In a quiet room, I can play the 'bing' noise that indicates an incoming message, or the noise that an iPhone makes when the battery is low. And then watch to see what kind of reaction there is from the people who are nearby.

Re:Got to build one of those

My time is worthless as well. Plus I too have incredibly low standards for comedy. We should be friends.

Re:Got to build one of those

[Jason+Levine]

Not that I would do this, but it might be fun to see someone stick something like this in a backpack and walk past an Apple store.

New version...

[TWX]

...of Microsoft-free Fridays?

even when in offline mode

[fustakrakich]

Exactly how does that work if the wifi is turned off?

Re:even when in offline mode

You're turning WiFi off wrong.

Re:even when in offline mode

From what I got from the pdf of their presentation, as long as you are in range of the attacker's network, you won't be able to switch to offline mode before iOS crashes and reboots. You'll have to physically move out of range of the network before you go into offline mode. Of course, if you are in offline mode to begin with when you are in range of the attacker's network, you won't be affected until you turn on your wifi.

Re:even when in offline mode

[Anubis+IV]

I was curious as well, so I read through their presentation slides and their press release.

The gist of the attack is that they've crafted a malicious SSL cert that can cause strange behavior in apps and the OS itself, including the possibility of initiating a crash-reboot-get malicious SSL cert-crash cycle. Once you get stuck in that cycle, there's no way to turn off WiFi, hence why they said that offline mode would not remedy the issue. That said, offline mode can indeed keep you from getting stuck in that cycle to begin with, and the researchers even recommended it as one of the ways to avoid the problem entirely. Alternatively, if it's already too late for you and you're in the crash loop, simply leaving the area will fix the issue for you, since you'll be able to pull down valid SSL certs and reboot as normal.

Which is to say, the summary has it wrong, since the attack cannot cause you to enter the crash loop while you're in offline mode, but you won't be able to enter offline mode once you're in the crash loop, so offline mode cannot save you at that point. Only leaving the area will work.

Re:even when in offline mode

[fisted]

Well I kind of chuckled when you said

How did it take you that long to read the handful of comments that existed at the time?

because it couldn't make more clear how (as per /. etiquette, of course, I know) directly jumping to the comment section is your usual MO, when in reality, the occasional guy who actually does spend a few minutes on reading TFA is not unheard of.
Therefore it could have been a funny and subtle troll as well; thanks for ruling out that possibility :).

Besides, It's also very possible that the poster just reads /. the way I do, which is skimming the front page for stories of potential interest (i know, i know), opening them in background tabs, and only /then/ going through the opened stories, eh, comment sections, one by one. So there's quite a delay between clicking on a story (causing comments to be loaded), and actually looking at it for the first time.

How is it working in offline mode

Seriously. the fact that offline mode is not offline is a bigger issue that this exploit.

Re:How is it working in offline mode

[BronsCon]

Actually, after giving the article another read-through, I think I got it wrong in the summary. The reboot cycle happens so quickly that, once you've entered it, you don't have the opportunity to turn WiFi off until you've left the range of the rogue AP. The article really isn't clear on that point, but it may well be that, if you have WiFi turned off already, you're safe.

Re:How is it working in offline mode

[Imagix]

But... just hold the phone wrong, and it can't see the wireless anyway!

Re:How is it working in offline mode

[Minwee]

Actually, after giving the article another read-through, I think I got it wrong in the summary.

Are you sure you're a Slashdot submitter?

Oh, I see you're new here. Don't worry, after a while you'll stop caring about having anything correct in the summary at all.

Re:How is it working in offline mode

[BronsCon]

It's my first accepted submission (to be fair, my first legitimate submission); I've been here for a while.

OH! I get it! You were playing on stereotypes!

Re:How is it working in offline mode

[Carewolf]

Actually, after giving the article another read-through, I think I got it wrong in the summary.

Are you sure you're a Slashdot submitter?

Oh, I see you're new here. Don't worry, after a while you'll stop caring about having anything correct in the summary at all.

If you do manage to get the summary right, you can be sure an editor will fix that mistake.

Re:How is it working in offline mode

[c]

Don't worry, after a while you'll stop caring about having anything correct in the summary at all.

Then you'll be fully qualified as a Slashdot editor.

Literally

[grasshoppa]

That's a literal "work around".

Heh.

I'll get my coat.

Oblig Steve Jobs paraphrase

You're being somewhere wrong

Darn it

[93+Escort+Wagon]

I thought I was going to get First Post, but then this iPhone kept constantly rebooting.

Re:Wait, what? Even in offline mode?

[ebrandsberg]

I would agree that this is very much the more interesting point, that if you have turned off the antennas, it is still listening. NSA, is this a feature for you?

Re:Wait, what? Even in offline mode?

[suutar]

It's not that a phone that's offline is still vulnerable to wifi; it's that once this attack (which is carefully designed to get this result) hits you can't get enough control to go offline. The summary's got an inaccurate paraphrase, but TFA's phrasing isn't immediately clear. The researcher's blog has a better description.

Re:Dumb setting.

[Minwee]

If you have your phone set to connect to any available network, re-connect to wifi networks you have joined before, and to continually broadcast those SSIDs one by one until it receives a response, then don't be surprised to get owned every now and then you're following the 802.11 standard correctly.

If your phone is set to connect to networks with names like "attwifi" or "xfinitiwifi", then... well, that's what it will do.

App?

[viperidaenz]

So my Android device can act an an AP, is there an app for this yet?

Re:App?

[spire3661]

Almost all wifi radios can act as an AP. It was part of the standard for Ad-hoc networking, which has been gutted in modern implementations. I really hate that all the tech companies decided Ad-hoc was a threat to revenue and dont expose it in the UI.

Re:Smells like BS.

[bobbied]

even in "offline mode"? iPhone doesnt have an offline mode but an airplane mode and the story is 100% bullshit if he is claiming it can do this to a phone that is in airplane mode

That's not what they are saying... IF you have the phone in Airplane mode, you will have no problem. HOWEVER, if you don't and your phone tries to connect to the rouge AP then it crashes and reboots. At that point you are sunk because when your phone boots and it wasn't previously in Airplane mode, it will connect to the rouge AP and crash before you can get the phone into Airplane mode to stop the cycle.

So if your WiFi is actually turned off, nothing will happen. The problem is that once you get into this cycle, you cannot turn off the WiFi before the phone crashes and boots again. The only way to recover is to get out of range of the rouge AP so you can stop the crash, boot, crash cycle.

Re:Wait, what? Even in offline mode?

[Anubis+IV]

They use the word "force", but as the attack was originally described, what they're actually talking about doing is spoofing a network that your device already recognizes. More or less, if an attacker knows your home WiFi SSD or can make a lucky guess about what other SSIDs your device might already recognize (e.g. ones that your device was programmed to know out of the box), they can name their malicious network in such a way to possibly get you to automatically connect to it as a recognized network.

There's nothing particularly novel about that attack, and contrary to their verbiage, it doesn't force anyone to join a network, nor can it even easily be used in conjunction with this attack for the vast majority of users. Is it a potential problem? Absolutely, but only for a small subset of users. The way they're phrasing it and talking about it, it seems pretty clear that they're trying to boost their own profile a bit. For most cases, the two attacks can't be used together unless the malicious agent is stalking their victim.

Re:Wait, what? Even in offline mode?

[BronsCon]

More or less, if an attacker knows your home WiFi SSD or can make a lucky guess about what other SSIDs your device might already recognize (e.g. ones that your device was programmed to know out of the box [e.g. attwifi, for 34% of users]), they can name their malicious network in such a way to possibly get you to automatically connect to it as a recognized network.

Hmm...

There's nothing particularly novel about that attack, and contrary to their verbiage, it doesn't force anyone to join a network, ...

34% of users can't tell their iPhones not to connect to a hotspot named attwifi. That sounds like the ability to force connection to a WiFi network to me.

... nor can it even easily be used in conjunction with this attack for the vast majority of users.

I'll grant you that, 66% is the vast majority. However ...

Is it a potential problem? Absolutely, but only for a small subset of users.

... 34% is not a small subset.

The way they're phrasing it and talking about it, it seems pretty clear that they're trying to boost their own profile a bit.

This I can agree with. It's what lead to the inaccuracy in the summary in the first place.

For most cases, the two attacks can't be used together unless the malicious agent is stalking their victim.

You're right, 66% does constitute "most cases"; 34% of all iPhones sold in the last 3.5 years (that is to say, realistically, damn near 34% of all iPhones currently in use) still seems like a pretty large victim pool, though.

So yes, perhaps the severity of the flaw was a bit overblown by the team that discovered it, but I think you're trying to let out a bit too much of the air.

another workaround: faraday cage

[davidwr]

Carry a Faraday cage with you, put your phone in it, reboot, and once it's rebooted, unlock the phone and turn off the WiFi.

You'll need to make it big enough to cover your hand and phone and transparent enough to see what you are doing.

It won't be complete because unless the Faraday cage covers your entire body (including your feet), the malicious WiFi signal could theoretically come through where your arm is. But unless the signal is really strong or bouncing off the wall behind you, you should be able to orient yourself so that the signal is too weak to be picked up by your phone.