iOS 1970 Bug Is Back, Can Be Exploited Via Rogue WiFi Networks

An anonymous reader writes: Back in February iOS users noted that setting your phone/tablet's date to January 1, 1970 would permanently brick their devices. After Apple fixed the issue in iOS 9.3.1, two security researchers have now uploaded a video on YouTube showing how to exploit this bug from a remote location, with no access to the user's phone. The setup involves attackers putting up a Wi-Fi network on which they're running a rogue NTP server. This server tells iOS devices syncing their time that it's December 31, 1969, 23:59:00. Twenty minutes later, if the battery didn't catch fire (which is possible with this new exploit), the iPad or iPhone device is permanently and irreversibly bricked.

LOL at the sound track for the exploit video

[JoeyRox]

Guy takes himself way to seriously, as if this exploit can be used to compromise a remote ICBM launch pad or something.

Re:LOL at the sound track for the exploit video

You cannot assert it won't.

Cite: Stuxnet, Flame

It's a game.

Re:LOL at the sound track for the exploit video

[ArmoredDragon]

A simple bug in Apple's software is much different than a trojanized payload.

Re:LOL at the sound track for the exploit video

I thought Apple's software was the trojanized payload?

Also Good for Corporate WiFi Networks

[xxxJonBoyxxx]

Forget "rouge" WiFi networks - now IT can finally strike back at BYOD users who insisted on connecting their iPhones into an internal corporate network. :)

Re:Also Good for Corporate WiFi Networks

If the IT department setup their network in a way that allows these devices to connect then the problem is the IT department, not the employee.

Re:Also Good for Corporate WiFi Networks

[phishybongwaters]

Well you shouldn't be allowing their devices on your internal network if you don't want them. Packetfence comes to mind....... but there's plenty of other easy to implement solutions to resolve rogue devices connecting with legit credentials.

Re:Also Good for Corporate WiFi Networks

[magarity]

Forget "rouge" WiFi networks

And then there's the eyeliner networks and the foundation networks to worry about.

Re:Also Good for Corporate WiFi Networks

[acoustix]

If the IT department setup their network in a way that allows these devices to connect then the problem is the IT department, not the employee.

Correct. Anyone who is running a PSK wireless environment on their corporate network deserves what happens. Use certificates, AD membership, etc to authenticate.

Re:Also Good for Corporate WiFi Networks

[MobileTatsu-NJG]

Wouldn't it be easier to just do your job?

Re:Also Good for Corporate WiFi Networks

[xxxJonBoyxxx]

>> Wouldn't it be easier to just do your job?

Found the PHB. C'mon people, it's almost Friday - lighten the fuck up.

Re:Also Good for Corporate WiFi Networks

"rogue", you nitwit, not "rouge".

Re:Also Good for Corporate WiFi Networks

Looks like a job for BOFH.

Re:Also Good for Corporate WiFi Networks

>> Well you shouldn't be allowing their devices on your internal network if you don't want them.

Every company I know about that introduced BYOD did so because a C-level wanted to use his iPhone (and not carry two devices). If any IT guy said "No, not on my network, I don't want them." it wouldn't have been his network much longer.

Re:Also Good for Corporate WiFi Networks

He's not supposed to say "Not on my network", he's supposed to say: "here's how much it'll cost." then do his job properly.

     

Re:Also Good for Corporate WiFi Networks

[Eristone]

And said C level executive will say (if you are lucky) "Here's X amount of dollars. Make it work, I want to be able to use device in meeting next Wednesday." I can guarantee you that X is going to be less than the amount needed to do it properly and a performance goal will be added to said IT guy's yearly review showing how well they made it work (or not work).

Re:Also Good for Corporate WiFi Networks

[Coren22]

The nail polish networks are truly terrifying though.

Apple genuii

[Impy+the+Impiuos+Imp]

Fire the engineers who "fixed" this.

The fix should not just be prevent the user from setting the problematic time, but fixing the issue directly should the time become the bogus time by any means.

If the battery can catch fire, then you really, really, really need to fix it properly.

And the testers need a slap, too. One test case should have been setting the time by force to see what happens, and not just testing the time set lockout.

Re:Apple genuii

[pushing-robot]

No, fire the summary writer.

The bug was fixed, this is just a practical way of exploiting devices running the affected versions.

Also, there have been no battery fires, but aluminum feels pretty hot when it gets to 50C and people assumed their phones must be OMG about to CATCH FIRE!!11!!eleven

Re:Apple genuii

[AmiMoJo]

It's not just the engineers who were supposed to have fixed the 1970 issue, it's the ones who thought it would be a good idea to connect to random NTP servers and blindly accept their claim that time travel has been invented and it's now the 1960s, only now they have wifi and NTP.

Re:Apple genuii

[lobiusmoop]

We've already seen what happens when do don't do basic sanity checking on the upstream NTP data

Re:Apple genuii

[afidel]

This is true. Also WHY is the ipad following NTP if the slew rate is greater than 500ppm? The NTP RFC's clearly states that this is the maximum you should adjust the clock via the protocol(s).

Re:Apple genuii

[gwolf]

That, or maybe the fact that the phone was left unplugged on a drawer until somebody's grandchild connected it after January 2038 just to see what is that thing.

Of course, your comment still applies: It's probably impossible to travel back to 1969 and have working wifi and NTP. But I think it's highly unlikely that by 2038 we will have Wifi networks compatible with today's standards, or NTP servers compatible with today's implementations.

Then again, today's Wifi is still compatible with what 802.11b, which I first used in the late 1990s, and NTP operates at least since 1985. If Wifi has survived for 20 years and NTP for 30, who says it won't last 22 more?

Re:Apple genuii

More than likely, if a device has been powered off for a substantial amount of time (or the batteries phyiscally disconnected) the clock may be substantially wrong. Adjusting by 500ppm might take too long to fix the clock to the correct time. So they probably intentionally ignored the RFC with some good reasons (setting the initial time is probably outside the use cases of the RFC). The code probably was used for all time-setting rather than initialization of the time and hence the bug. Obviously, there probably ought to be sanity checks (and I am sure that Apple has since added them) - for example, the time shouldn't ever be set earlier than the date the OS was built.

Re:Apple genuii

[peragrin]

Actually I bet current devices 2016 will still connect to the same wifi in 2038.

Remember wifi 802.11b came out in 1999 which makes it 17 years old.
2038 is only 22 years away. 801.11n and ac will still be around.

Re:Apple genuii

[tlhIngan]

This is true. Also WHY is the ipad following NTP if the slew rate is greater than 500ppm? The NTP RFC's clearly states that this is the maximum you should adjust the clock via the protocol(s).

NTP has two modes.

First is to keep clocks in sync, so if you have a network of devices, the clocks can tick pretty much together. This is what you use NTPd for - to keep clocks on a network in sync.

The other use is to set the clock, which uses the same protocol, except we call it "daytime protocol" because they do an NTP query to get the current date/time to set it. In Linux, you use "ntpdate" to set the clock initially since NTPd will refuse to run if the system clock and server clock are too far apart. So you use ntpdate to get the clock close enough.

Most devices when you set "Automatically set date/time" use daytime to set the clocks. It's only stuff like the Apple watch (which is used to keep time) that generally wants to keep time in sync.

Re:Apple genuii

[myowntrueself]

It's not just the engineers who were supposed to have fixed the 1970 issue, it's the ones who thought it would be a good idea to connect to random NTP servers and blindly accept their claim that time travel has been invented and it's now the 1960s, only now they have wifi and NTP.

What I'd do is set up to capture all DNS traffic and direct it to my own DNS server and return my own NTP server for any requests for the NTP servers that iDevices are typically configured to use.

No need for 'rouge NTP servers'.

However, checking that the amount of time change that the NTP server is asking for is within sane parameters is normally normal...

Re:Apple genuii

[malditaenvidia]

No, fire their damage control department, instead. They're doing a terrible job of minimizing the issue.

Re:Apple genuii

[phayes]

Nope, the problem only exists in the mind of the people who like to hate on Apple and jump to false conclusions on unsubstantiated reports. There is no fixing these people.

Re:Apple genuii

[robmv]

NTP authentication

Re:Apple genuii

This is Apple you are talking about. They will just do a press release, which blames users on holding the device wrong and orders users to buy a new iphone.

Re:Apple genuii

[Solandri]

Also, there have been no battery fires, but aluminum feels pretty hot when it gets to 50C and people assumed their phones must be OMG about to CATCH FIRE!!

Not sure what Apple fanblog has been spreading that nonsense. Anyone familiar with Lithium-ion chemistry can tell you unequivocally that charged Li-ion batteries can catch fire when damaged or overcharged. You'd be a fool to dismiss it as anti-Apple rhetoric - click on related links to other brand Li-ion batteries catching fire if you feel this is somehow singling out Apple. They're all dangerous and need to be treated with respect for the potential damage they can do. It's why the FAA has banned them in checked baggage on passenger airliners (not that the passenger cabin is much better, but at least there are people there who will immediately notice the fire and try to put it out).

Re:Apple genuii

[myowntrueself]

NTP authentication

Yes that might help. In the 'near' future.

Re: Apple genuii

Faulty logic. 11b won't be in any new generation and it was never in 5GHz. The 2.4GHz band is so bad, 11b will be long chased away for more efficient protocols by then.

Re:Apple genuii

[Flea+of+Pain]

Actually I bet current devices 2016 will still connect to the same wifi in 2038.

Remember wifi 802.11b came out in 1999 which makes it 17 years old.
2038 is only 22 years away. 801.11n and ac will still be around.

But...but...what standard will the hoverboard I've been promised run on?

Re:Apple genuii

[Zaiff+Urgulbunger]

+1 for "eleven" - did actually lol at that! :D

Re:Apple genuii

I doubt it's any Apple fanblog. I suspect "the other guys".

And it's not permanently and irreversibly bricked either. A software update or disconnecting the battery will reset the clock.

Re: Apple genuii

[mattventura]

11a came out at the same time as 11b.

Re:Apple genuii

[Aqualung812]

The issue with this is that I'm pretty sure NTP authentication is bidirectional by IP address.
That means Apple would need a unique key for every iOS device, and they would somehow have to dynamically update their current IP.

NTP authentication is pretty broken IMHO. I wish it were something that was one-way, where the clients can just have a trusted signature installed and validate the timestamp. It isn't critical to hide the NTP info from snooping, just to validate that the timestamp has been issued by a trusted source and that it hasn't been modified.

Re:Apple genuii

[robmv]

Follow the link, there is Public-Key Authentication now

Re:Apple genuii

[Pyramid]

Because like most portable devices, they probably aren't running a full ntp daemon/stack, but an SNTP client that periodically queries a single time server and sets the device's clock to whatever the reply contains. At a bare minimum, they should query several quasi-random servers like pool.ntp.org (style) at the same time. It would make an attack like this more difficult. And or perform a sanity check using the following pseudocode:

If date Skylab leaving crater in Austrailia
          don't do that stupid shit
Else, set the damned clock.

Re:Apple genuii

[Aqualung812]

Nice! I've yet to see this implemented, but glad to see it is being worked out.

Re: Apple genuii

Sorta, what was your point?

Re: It's sad those republicans...

[xxxJonBoyxxx]

>> They want mandatory prison terms for programmers that fix software bugs.

I'll have to look into that. Maybe I'll finally get some peace and quiet - it can't be worse than an "open concept" office. :)

Bad Summary?

[blazer1024]

So the summary (and the headline) seem to imply that this bug affects even devices with iOS 9.3.1, but the article actually states:

If the device was running an iOS version vulnerable to the 1970 bug, after a minute, the device would reach the problematic crash date.

...

Kelley and Harrigan recommend that users update as soon as possible to iOS 9.3.1.

This is actually just a remote way to exploit this bug, and not a new bug as the summary suggests.

Re:Bad Summary?

[phishybongwaters]

Yeah it came off confusing but I think we were supposed to figure it out from: "OS 1970 Bug Is Back" back, meaning it's the same bug. It is NOT clear that this bug doesn't affect 9.3.1 from the summary, the article linked though states it's clearly. This is the new slashdot, at least this one is kinda relevant to geek news

Re:Bad Summary?

[cant_get_a_good_nick]

That's a horrible clickbait summary.

Hey your phone will catch fire! We'll throw some mumbo jumbo about NTP to scare you. Please come click on this story, and oh by the way disable your adblocker...

umm what?

[phishybongwaters]

"Twenty minutes later, if the battery didn't catch fire (which is possible with this new exploit), the iPad or iPhone device is permanently and irreversibly bricked." How exactly does changing the system time via NTP cause the battery to catch fire? While I'm fully onboard with hating ios and most things apple does..... I'm not exactly sure how that statement makes any sense. I'm going to tell you right now, changing the date on my windows device and android device does not, in any way, affect battery life or heat. At all. The fact that this is even possible means there's a massive code issue in relation to the battery. Under what mechanism does the date and time have any effect on the battery drain? It simply makes no sense. Than again, the same can be said for the system becoming unresponsive AT ALL due to the fucking date. This is half-assed work at best. I expect a lot of bullshit from apple, but half assed stuff like this is not one of those things.

Re:umm what?

[frnic]

Don't let you hate blind you, this is NOT a new exploit, this is the same exploit and is fixed in 9.3.1 and the article even suggests updating to prevent it.

Re:umm what?

Researchers are claiming that iOS devices, both iPhones and iPads, would not crash immediately, like in the original scenario, but would slowly start to heat up and become unresponsive.

Sounds like ticking into the forbidden timestamp reacts badly with the fix to prevent setting the phone to the forbidden timestamp, and results in an infinite loop until the power is drained or the hardware damaged.

Without knowing the code, I presume that the "fix" is a low-level if statement to interrupt changes to the forbidden timestamp and revert to the previous datetime. That would reliably result in an infinite loop when ticking into the condition (well, unless you can find a way to stop time and fix the timestamp, but if you can do that you're really wasting your skills by fixing iPhones).

Re:umm what?

[zAPPzAPP]

Maybe the system has direct control over the charger circuit, so if it locks up while the battery is being charged, it won't stop charging?
Maybe it's just the temperature sensor, which is monitored by the system, so if there is any problem with the battery overheating, the safety does not trigger?

There are countless possibilities how this may occur. The bug bricks the system, so it seems to be pretty low level.

None of this should be possible in a proper designed system, but then again the initial bug is rediculous too.

Re:umm what?

[AmiMoJo]

The bug causes some kind of infinite loop that heats up the CPU. Cooling in phones is fairly marginal and they can't run at 100% constantly. They have thermal protection that shuts the device down if it gets too hot, or on other CPUs throttles the core frequencies back. I don't know if Apple have the throttling, it can affect benchmark results so maybe they decided that it would happen rarely enough not to worry about.

Anyway, the infinite loop uses lots of power, draining the battery, and converts much of it into heat. And the flaw is apparently in some part of the system that isn't subject to any kind of watchdog that would kill it if it goes nuts.

Re:umm what?

I don't know if Apple have the throttling, it can affect benchmark results so maybe they decided that it would happen rarely enough not to worry about.

It does (I've seen people post pictures of an iPhone indicating that it's too hot) but apparently they implemented it in software and not hardware.

Oops!

Re: umm what?

Maybe they were just saying that with this new exploit, it is possible for the battery to NOT catch fire, which is totally plausible.

Re:umm what?

[Lotharus]

Maybe it's just the temperature sensor, which is monitored by the system, so if there is any problem with the battery overheating, the safety does not trigger?

I'm pretty sure there's something to this. Periodically my iPhone 5S becomes hot enough to be very uncomfortable to hold while charging, and a power cycle cures the issue. Personally I think it's awfully daft to have something as important as a Li+ battery temperature sensor dependent upon the OS rather than being a separate, independent component.

So if the battery does catch fire...

...the device is not permanently and irreversibly bricked?

Re:So if the battery does catch fire...

[Qzukk]

No, it's permanently and irreversibly burned.

Re:So if the battery does catch fire...

[pushing-robot]

No, at that point it's briquette.

This is caused by LUDDITE NTP servers!

Modern app appers know that ONLY apps can app apps, so if you use an appy app time server instead of LUDDITE NTP, everything will be super appy!

Apps!

It was fixed...

[pushing-robot]

If it wasn't clear, the bug was fixed in 9.3.1 - this only affects devices that haven't been updated.

Also, I think the highest temperature recorded was 54C... not something you'd want to touch, but not likely to catch fire either.

Finallly, if it's like the previous exploit, the device isn't completely bricked... when the battery goes dead or is disconnected the device can be reset.

Re:It was fixed...

Finallly, if it's like the previous exploit, the device isn't completely bricked... when the battery goes dead or is disconnected the device can be reset.

Shush with your definitions. The term 'brick' has now been co-opted to mean my device doesn't work at this instant in time.

I've seen people complain that their windows PC was 'bricked' when they got a bsod...

Re:It was fixed...

Which is why the submitter wrote "permanently and irreversibly bricked". Is that co-opted as well?

Re:It was fixed...

Apple's solution was to replace the iPhones. If it could be fixed, they wouldn't just swallow that cost. It's permanently bricked.

Installing iDevice detecting NTP server...

.. now.

Re: It's sad those republicans...

You must hate yourself.

Re: It's sad those republicans...

I've been fired from two jobs for fixing too many bugs. Pukianz don't need a law to force capitalists to make horrible products so that consumers are forced to upgrade. Those people make bad software on purpose.

Time Travelling

Apple customer complaint: "Every time my phone tries to time travel, it overheats the battery and then bricks!" Apple Genius: "It's really simple. Time traveling requires infinite amount of energy, which your phone tries to pull from the battery. Unfortunately Apple batteries don't provide such amount of power at this point. Have a nice day!"

Crapple

Great jorb, guys.

How was this discovered?

[magarity]

Sure, this sounds like a nasty bug but how did someone go about discovering it? Is this some tinfoil hat theory that setting the date to 1970 keeps the NSA from snooping your calls?

Re:How was this discovered?

[darkain]

Simple, someone was just testing edge cases. https://en.wikipedia.org/wiki/...

Re:How was this discovered?

[marciot]

Sure, this sounds like a nasty bug but how did someone go about discovering it? Is this some tinfoil hat theory that setting the date to 1970 keeps the NSA from snooping your calls?

Obviously someone whose software license has expired.

It's not a bug

It's a feature!

Wow

[JustAnotherOldGuy]

"Twenty minutes later, if the battery didn't catch fire (which is possible with this new exploit), the iPad or iPhone device is permanently and irreversibly bricked."

Okay, I gotta hand it to Apple- that's innovative as hell! What a way to drive new sales.

"It Just Works" *cough*

Re:Wow

"Permanently and irreversibly bricked", as in "plug it into your computer, start it in recovery mode, and restore your most recent backup".

Question on iOS and NTP

[acoustix]

Does the rouge network need to dnsmasq time.apple.com? Or could this be accomplished by just passing on a DHCP option on the network to trust a local NTP server? Obviously setting up a dnsmasq makes the exploit more difficult.

Roughly have of the iOS devices that are controlled by my BES12 server are running versions older than 9.3.1.

Re:Question on iOS and NTP

[myowntrueself]

Does the rouge network need to dnsmasq time.apple.com? Or could this be accomplished by just passing on a DHCP option on the network to trust a local NTP server? Obviously setting up a dnsmasq makes the exploit more difficult.

Roughly have of the iOS devices that are controlled by my BES12 server are running versions older than 9.3.1.

Redirecting DNS traffic, or NTP for that matter, is not difficult. No need for DHCP, a simple iptables rule will do this in about one line...

"Insane" NTP servers

[AF_Cheddar_Head]

Doesn't the NTP specification have something about how devices are supposed to ignore NTP updates that are X number of minutes different than the current time the device has?

Why don't the Apple IOS devices do this?

Re:"Insane" NTP servers

[bruce_the_loon]

Interestingly enough, CentOS 6, and therefore probably RHEL 6, has a ntpdate startup service as well as an ntpd startup service. As suggested by the name, the ntpdate service executes the ntpdate cli to force a full time sync with the servers in ntpd.conf.

That isn't there in CE5. And at least it is off by default, but someone decided it was a good thing to force a time resync at boot.

IOS probably followed this model for some reason.

Re:"Insane" NTP servers

That isn't uncommon with servers, battery powered devices and devices without real time clocks. The reason is basically the same, they all have instances where they are not sure how long they have been down and, therefore, what time it is. Without knowing what time it is, all sorts of secure protocols do not function. Therefore, you could end up with a server that you cannot SSH into or a device that cannot use TLS or cannot verify its signed software, etc.

Re:"Insane" NTP servers

That seems to vary. My CentOS 6 server came with neither, I chose to install ntpdate. There is no ntpd.conf on the system, I run ntpdate through cron.

Re:"Insane" NTP servers

[bruce_the_loon]

Base minimum Centos 6 doesn't have ntp installed, but the RPM is in the base repository and doing a yum install ntpd gives me both, and an ntpd.conf.

It was trivially obvious.

[tlambert]

Sure, this sounds like a nasty bug but how did someone go about discovering it? Is this some tinfoil hat theory that setting the date to 1970 keeps the NSA from snooping your calls?

It was mostly discovered because it's trivially obvious that any method of setting the date on the iPhone is functionally equivalent to any other method of setting the date, and that as such, you can exploit the bug from any time set method that the device supports.

We even discussed this in several forums already, and the fix is to update to 9.3.1, since they are only exploiting a bug that already existed. Further, it still only exists on 64 bit iPhones (32 bit iPhones are "safe"), and it can also be exploited by emulating a cell tower, instead of emulating a WiFi hot spot that the iPhone already trusts, since all cell phones pretty much trust the time stamp sent by cell towers.

Not at all ironically, you have to asymptotically approach the time, as well, since NTP has built in protections against a large time drift in the first place; the cell tower attack technically doesn't use NTP, and so would not have this "problem".

Pretty much, this is a "nothing to see here".

Slow news day before income tax day, anyone?

Also...

[tlambert]

Also...

No danger of fire or permanent bricking, either. 50 C is far lower than the flashpoint of anything but an accelerant, and drain or disconnect the battery, and the problem goes away, just like before.

Re: It's sad those republicans...

This. They want to take our iPhones.

Hmmm... cheap iPhone killer?

How hard would it be to take an ESP8266 module with a battery, have it broadcast a fake ESSID, and serve the killer NTP packet? Say, spoofing Starbuck's SSID? Or McDonalds? I'd bet you kill a lot of un-upgraded devices that way... At maybe $2-$3 each, this is in the disposable range.

Is there an App for that?

Seems like a fairly quick and effective way to permanently deny access to your phone should anyone get their grubbies on it without your approval...

Smoke Signals

In this day and age it would seem like smoke signals might be an excellent choice for communication.

Sure, everyone can see them, but iphones, blackberrys, android devices are all very leaky insecure devices anyway - regardless of what "the man" might tell us.

This should be trivial to fix.

IF NEW.DATE CURRENT DATE - 2, goto INVALID.DATE

then the invalid date subroutine ignores further attempts to alter the date.

FTFY

Re:This should be trivial to fix.

[MrNiceguy_KS]

IF NEW.DATE CURRENT DATE - 2, goto INVALID.DATE

then the invalid date subroutine ignores further attempts to alter the date.

FTFY

So if you set someone's date forward 15 years, they can't set it back?

Trusting SSIDs

Was contemplating this. Would it be a good idea if an SSID was accompanied by some trust metric, like a certificate chain? Then, if a device is going to maintain a list of known WiFi networks (which is handy), it can do certificate checking to make sure it's not just a network called 'attwifi', but actually is signed by AT&T.

Obviously, some DHCP parameters would be ignored until the SSID is verified, as well as holding back normal traffic.

Re:Trusting SSIDs

[matt_hs]

So how do you decide which DHCP parameters to ignore? In this case, you ignore the NTP servers. What if another bug is found such that a DHCP address of 128.128.128.128/8 causes it to HCF? What if a bug is found when 127.0.0.1 and 127.255.255.255 are given as DNS servers? Point being, which DHCP parameters do you ignore until the SSID is verified?

...if the battery didn't catch fire?

Oh my god. Apple actually implemented the HCF instruction?

I prefer THIS 1970 bug

[havana9]

I prefer this 1970 bug, of course!