iOS 1970 Bug Is Back, Can Be Exploited Via Rogue WiFi Networks (softpedia.com)

← Back to Stories (view on slashdot.org)

iOS 1970 Bug Is Back, Can Be Exploited Via Rogue WiFi Networks (softpedia.com)

Posted by msmash on Thursday April 14, 2016 @03:35AM from the weird-bugs-strange-exploits dept.

An anonymous reader writes: Back in February iOS users noted that setting your phone/tablet's date to January 1, 1970 would permanently brick their devices. After Apple fixed the issue in iOS 9.3.1, two security researchers have now uploaded a video on YouTube showing how to exploit this bug from a remote location, with no access to the user's phone. The setup involves attackers putting up a Wi-Fi network on which they're running a rogue NTP server. This server tells iOS devices syncing their time that it's December 31, 1969, 23:59:00. Twenty minutes later, if the battery didn't catch fire (which is possible with this new exploit), the iPad or iPhone device is permanently and irreversibly bricked.

60 of 106 comments (clear)

Min score:

Reason:

Sort:

LOL at the sound track for the exploit video by JoeyRox · 2016-04-14 03:38 · Score: 1

Guy takes himself way to seriously, as if this exploit can be used to compromise a remote ICBM launch pad or something.
1. Re:LOL at the sound track for the exploit video by ArmoredDragon · 2016-04-14 04:39 · Score: 2
  
  A simple bug in Apple's software is much different than a trojanized payload.
Also Good for Corporate WiFi Networks by xxxJonBoyxxx · 2016-04-14 03:39 · Score: 4, Funny

Forget "rouge" WiFi networks - now IT can finally strike back at BYOD users who insisted on connecting their iPhones into an internal corporate network. :)
1. Re:Also Good for Corporate WiFi Networks by Anonymous Coward · 2016-04-14 03:44 · Score: 3, Insightful
  
  If the IT department setup their network in a way that allows these devices to connect then the problem is the IT department, not the employee.
2. Re:Also Good for Corporate WiFi Networks by phishybongwaters · 2016-04-14 03:46 · Score: 1
  
  Well you shouldn't be allowing their devices on your internal network if you don't want them. Packetfence comes to mind....... but there's plenty of other easy to implement solutions to resolve rogue devices connecting with legit credentials.
3. Re:Also Good for Corporate WiFi Networks by magarity · 2016-04-14 03:56 · Score: 2
  
  Forget "rouge" WiFi networks
  And then there's the eyeliner networks and the foundation networks to worry about.
4. Re:Also Good for Corporate WiFi Networks by acoustix · 2016-04-14 03:56 · Score: 1
  
  If the IT department setup their network in a way that allows these devices to connect then the problem is the IT department, not the employee.
  Correct. Anyone who is running a PSK wireless environment on their corporate network deserves what happens. Use certificates, AD membership, etc to authenticate.
  
  --
  "A plan fiendishly clever in its intricacies"- Homer Simpson
5. Re:Also Good for Corporate WiFi Networks by xxxJonBoyxxx · 2016-04-14 04:56 · Score: 1
  
  >> Wouldn't it be easier to just do your job?
  
  Found the PHB. C'mon people, it's almost Friday - lighten the fuck up.
6. Re:Also Good for Corporate WiFi Networks by Eristone · 2016-04-14 12:02 · Score: 1
  
  And said C level executive will say (if you are lucky) "Here's X amount of dollars. Make it work, I want to be able to use device in meeting next Wednesday." I can guarantee you that X is going to be less than the amount needed to do it properly and a performance goal will be added to said IT guy's yearly review showing how well they made it work (or not work).
7. Re:Also Good for Corporate WiFi Networks by Coren22 · 2016-04-18 05:34 · Score: 1
  
  The nail polish networks are truly terrifying though.
  
  --
  APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Apple genuii by Impy+the+Impiuos+Imp · 2016-04-14 03:43 · Score: 4, Insightful

Fire the engineers who "fixed" this.
The fix should not just be prevent the user from setting the problematic time, but fixing the issue directly should the time become the bogus time by any means.
If the battery can catch fire, then you really, really, really need to fix it properly.
And the testers need a slap, too. One test case should have been setting the time by force to see what happens, and not just testing the time set lockout.

--
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
1. Re:Apple genuii by pushing-robot · 2016-04-14 03:56 · Score: 5, Informative
  
  No, fire the summary writer.
  The bug was fixed, this is just a practical way of exploiting devices running the affected versions.
  Also, there have been no battery fires, but aluminum feels pretty hot when it gets to 50C and people assumed their phones must be OMG about to CATCH FIRE!!11!!eleven
  
  --
  How can I believe you when you tell me what I don't want to hear?
2. Re:Apple genuii by AmiMoJo · 2016-04-14 03:56 · Score: 1
  
  It's not just the engineers who were supposed to have fixed the 1970 issue, it's the ones who thought it would be a good idea to connect to random NTP servers and blindly accept their claim that time travel has been invented and it's now the 1960s, only now they have wifi and NTP.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
3. Re:Apple genuii by lobiusmoop · 2016-04-14 04:06 · Score: 1
  
  We've already seen what happens when do don't do basic sanity checking on the upstream NTP data
  
  --
  "I bless every day that I continue to live, for every day is pure profit."
4. Re:Apple genuii by afidel · 2016-04-14 04:08 · Score: 1
  
  This is true. Also WHY is the ipad following NTP if the slew rate is greater than 500ppm? The NTP RFC's clearly states that this is the maximum you should adjust the clock via the protocol(s).
  
  --
  There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
5. Re:Apple genuii by gwolf · 2016-04-14 04:12 · Score: 1
  
  That, or maybe the fact that the phone was left unplugged on a drawer until somebody's grandchild connected it after January 2038 just to see what is that thing.
  Of course, your comment still applies: It's probably impossible to travel back to 1969 and have working wifi and NTP. But I think it's highly unlikely that by 2038 we will have Wifi networks compatible with today's standards, or NTP servers compatible with today's implementations.
  Then again, today's Wifi is still compatible with what 802.11b, which I first used in the late 1990s, and NTP operates at least since 1985. If Wifi has survived for 20 years and NTP for 30, who says it won't last 22 more?
6. Re:Apple genuii by peragrin · 2016-04-14 04:23 · Score: 1
  
  Actually I bet current devices 2016 will still connect to the same wifi in 2038.
  Remember wifi 802.11b came out in 1999 which makes it 17 years old.
  2038 is only 22 years away. 801.11n and ac will still be around.
  
  --
  i thought once I was found, but it was only a dream.
7. Re:Apple genuii by tlhIngan · 2016-04-14 04:53 · Score: 3, Informative
  
  This is true. Also WHY is the ipad following NTP if the slew rate is greater than 500ppm? The NTP RFC's clearly states that this is the maximum you should adjust the clock via the protocol(s).
  NTP has two modes.
  First is to keep clocks in sync, so if you have a network of devices, the clocks can tick pretty much together. This is what you use NTPd for - to keep clocks on a network in sync.
  The other use is to set the clock, which uses the same protocol, except we call it "daytime protocol" because they do an NTP query to get the current date/time to set it. In Linux, you use "ntpdate" to set the clock initially since NTPd will refuse to run if the system clock and server clock are too far apart. So you use ntpdate to get the clock close enough.
  Most devices when you set "Automatically set date/time" use daytime to set the clocks. It's only stuff like the Apple watch (which is used to keep time) that generally wants to keep time in sync.
8. Re:Apple genuii by myowntrueself · 2016-04-14 05:08 · Score: 1
  
  It's not just the engineers who were supposed to have fixed the 1970 issue, it's the ones who thought it would be a good idea to connect to random NTP servers and blindly accept their claim that time travel has been invented and it's now the 1960s, only now they have wifi and NTP.
  What I'd do is set up to capture all DNS traffic and direct it to my own DNS server and return my own NTP server for any requests for the NTP servers that iDevices are typically configured to use.
  No need for 'rouge NTP servers'.
  However, checking that the amount of time change that the NTP server is asking for is within sane parameters is normally normal...
  
  --
  In the free world the media isn't government run; the government is media run.
9. Re:Apple genuii by malditaenvidia · 2016-04-14 05:29 · Score: 1
  
  No, fire their damage control department, instead. They're doing a terrible job of minimizing the issue.
10. Re:Apple genuii by phayes · 2016-04-14 05:33 · Score: 1
  
  Nope, the problem only exists in the mind of the people who like to hate on Apple and jump to false conclusions on unsubstantiated reports. There is no fixing these people.
  
  --
  Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
11. Re:Apple genuii by robmv · 2016-04-14 06:33 · Score: 1
  
  NTP authentication
12. Re:Apple genuii by Solandri · 2016-04-14 07:41 · Score: 1
  
  Also, there have been no battery fires, but aluminum feels pretty hot when it gets to 50C and people assumed their phones must be OMG about to CATCH FIRE!!
  Not sure what Apple fanblog has been spreading that nonsense. Anyone familiar with Lithium-ion chemistry can tell you unequivocally that charged Li-ion batteries can catch fire when damaged or overcharged. You'd be a fool to dismiss it as anti-Apple rhetoric - click on related links to other brand Li-ion batteries catching fire if you feel this is somehow singling out Apple. They're all dangerous and need to be treated with respect for the potential damage they can do. It's why the FAA has banned them in checked baggage on passenger airliners (not that the passenger cabin is much better, but at least there are people there who will immediately notice the fire and try to put it out).
13. Re:Apple genuii by myowntrueself · 2016-04-14 08:02 · Score: 1
  
  NTP authentication
  Yes that might help. In the 'near' future.
  
  --
  In the free world the media isn't government run; the government is media run.
14. Re:Apple genuii by Flea+of+Pain · 2016-04-14 09:02 · Score: 1
  
  Actually I bet current devices 2016 will still connect to the same wifi in 2038.
  Remember wifi 802.11b came out in 1999 which makes it 17 years old.
  2038 is only 22 years away. 801.11n and ac will still be around.
  But...but...what standard will the hoverboard I've been promised run on?
  
  --
  Do not argue with an idiot. He will drag you down to his level and beat you with experience.
15. Re:Apple genuii by Zaiff+Urgulbunger · 2016-04-14 09:10 · Score: 1
  
  +1 for "eleven" - did actually lol at that! :D
16. Re: Apple genuii by mattventura · 2016-04-14 12:32 · Score: 1
  
  11a came out at the same time as 11b.
17. Re:Apple genuii by Aqualung812 · 2016-04-15 05:05 · Score: 1
  
  The issue with this is that I'm pretty sure NTP authentication is bidirectional by IP address.
  That means Apple would need a unique key for every iOS device, and they would somehow have to dynamically update their current IP.
  NTP authentication is pretty broken IMHO. I wish it were something that was one-way, where the clients can just have a trusted signature installed and validate the timestamp. It isn't critical to hide the NTP info from snooping, just to validate that the timestamp has been issued by a trusted source and that it hasn't been modified.
  
  --
  Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
18. Re:Apple genuii by robmv · 2016-04-15 05:26 · Score: 1
  
  Follow the link, there is Public-Key Authentication now
19. Re:Apple genuii by Pyramid · 2016-04-15 06:11 · Score: 1
  
  Because like most portable devices, they probably aren't running a full ntp daemon/stack, but an SNTP client that periodically queries a single time server and sets the device's clock to whatever the reply contains. At a bare minimum, they should query several quasi-random servers like pool.ntp.org (style) at the same time. It would make an attack like this more difficult. And or perform a sanity check using the following pseudocode:
  If date Skylab leaving crater in Austrailia
  don't do that stupid shit
  Else, set the damned clock.
  
  --
  ~Any apparent grammatical or typographic errors are caused by defects in your display device.
20. Re:Apple genuii by Aqualung812 · 2016-04-15 06:33 · Score: 1
  
  Nice! I've yet to see this implemented, but glad to see it is being worked out.
  
  --
  Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
Re: It's sad those republicans... by xxxJonBoyxxx · 2016-04-14 03:43 · Score: 2

>> They want mandatory prison terms for programmers that fix software bugs.

I'll have to look into that. Maybe I'll finally get some peace and quiet - it can't be worse than an "open concept" office. :)
Bad Summary? by blazer1024 · 2016-04-14 03:43 · Score: 5, Insightful

So the summary (and the headline) seem to imply that this bug affects even devices with iOS 9.3.1, but the article actually states:

If the device was running an iOS version vulnerable to the 1970 bug, after a minute, the device would reach the problematic crash date.
...
Kelley and Harrigan recommend that users update as soon as possible to iOS 9.3.1.
This is actually just a remote way to exploit this bug, and not a new bug as the summary suggests.
1. Re:Bad Summary? by phishybongwaters · 2016-04-14 03:52 · Score: 1
  
  Yeah it came off confusing but I think we were supposed to figure it out from: "OS 1970 Bug Is Back" back, meaning it's the same bug. It is NOT clear that this bug doesn't affect 9.3.1 from the summary, the article linked though states it's clearly. This is the new slashdot, at least this one is kinda relevant to geek news
2. Re:Bad Summary? by cant_get_a_good_nick · 2016-04-14 04:55 · Score: 2
  
  That's a horrible clickbait summary.
  Hey your phone will catch fire! We'll throw some mumbo jumbo about NTP to scare you. Please come click on this story, and oh by the way disable your adblocker...
umm what? by phishybongwaters · 2016-04-14 03:44 · Score: 1, Insightful

"Twenty minutes later, if the battery didn't catch fire (which is possible with this new exploit), the iPad or iPhone device is permanently and irreversibly bricked." How exactly does changing the system time via NTP cause the battery to catch fire? While I'm fully onboard with hating ios and most things apple does..... I'm not exactly sure how that statement makes any sense. I'm going to tell you right now, changing the date on my windows device and android device does not, in any way, affect battery life or heat. At all. The fact that this is even possible means there's a massive code issue in relation to the battery. Under what mechanism does the date and time have any effect on the battery drain? It simply makes no sense. Than again, the same can be said for the system becoming unresponsive AT ALL due to the fucking date. This is half-assed work at best. I expect a lot of bullshit from apple, but half assed stuff like this is not one of those things.
1. Re:umm what? by frnic · 2016-04-14 03:55 · Score: 4, Insightful
  
  Don't let you hate blind you, this is NOT a new exploit, this is the same exploit and is fixed in 9.3.1 and the article even suggests updating to prevent it.
2. Re:umm what? by zAPPzAPP · 2016-04-14 04:01 · Score: 1
  
  Maybe the system has direct control over the charger circuit, so if it locks up while the battery is being charged, it won't stop charging?
  Maybe it's just the temperature sensor, which is monitored by the system, so if there is any problem with the battery overheating, the safety does not trigger?
  There are countless possibilities how this may occur. The bug bricks the system, so it seems to be pretty low level.
  None of this should be possible in a proper designed system, but then again the initial bug is rediculous too.
3. Re:umm what? by AmiMoJo · 2016-04-14 04:06 · Score: 1
  
  The bug causes some kind of infinite loop that heats up the CPU. Cooling in phones is fairly marginal and they can't run at 100% constantly. They have thermal protection that shuts the device down if it gets too hot, or on other CPUs throttles the core frequencies back. I don't know if Apple have the throttling, it can affect benchmark results so maybe they decided that it would happen rarely enough not to worry about.
  Anyway, the infinite loop uses lots of power, draining the battery, and converts much of it into heat. And the flaw is apparently in some part of the system that isn't subject to any kind of watchdog that would kill it if it goes nuts.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
4. Re:umm what? by Lotharus · 2016-04-15 07:31 · Score: 1
  
  Maybe it's just the temperature sensor, which is monitored by the system, so if there is any problem with the battery overheating, the safety does not trigger?
  I'm pretty sure there's something to this. Periodically my iPhone 5S becomes hot enough to be very uncomfortable to hold while charging, and a power cycle cures the issue. Personally I think it's awfully daft to have something as important as a Li+ battery temperature sensor dependent upon the OS rather than being a separate, independent component.
  
  --
  http://undecidedgames.blogspot.com
So if the battery does catch fire... by Anonymous Coward · 2016-04-14 03:45 · Score: 1

...the device is not permanently and irreversibly bricked?
1. Re:So if the battery does catch fire... by Qzukk · 2016-04-14 04:11 · Score: 2
  
  No, it's permanently and irreversibly burned.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
2. Re:So if the battery does catch fire... by pushing-robot · 2016-04-14 07:02 · Score: 2
  
  No, at that point it's briquette.
  
  --
  How can I believe you when you tell me what I don't want to hear?
This is caused by LUDDITE NTP servers! by Anonymous Coward · 2016-04-14 03:45 · Score: 1

Modern app appers know that ONLY apps can app apps, so if you use an appy app time server instead of LUDDITE NTP, everything will be super appy!
Apps!
It was fixed... by pushing-robot · 2016-04-14 03:46 · Score: 5, Informative

If it wasn't clear, the bug was fixed in 9.3.1 - this only affects devices that haven't been updated.
Also, I think the highest temperature recorded was 54C... not something you'd want to touch, but not likely to catch fire either.
Finallly, if it's like the previous exploit, the device isn't completely bricked... when the battery goes dead or is disconnected the device can be reset.

--
How can I believe you when you tell me what I don't want to hear?
Time Travelling by Anonymous Coward · 2016-04-14 03:51 · Score: 1

Apple customer complaint: "Every time my phone tries to time travel, it overheats the battery and then bricks!" Apple Genius: "It's really simple. Time traveling requires infinite amount of energy, which your phone tries to pull from the battery. Unfortunately Apple batteries don't provide such amount of power at this point. Have a nice day!"
How was this discovered? by magarity · 2016-04-14 03:58 · Score: 1

Sure, this sounds like a nasty bug but how did someone go about discovering it? Is this some tinfoil hat theory that setting the date to 1970 keeps the NSA from snooping your calls?
1. Re:How was this discovered? by darkain · 2016-04-14 04:07 · Score: 1
  
  Simple, someone was just testing edge cases. https://en.wikipedia.org/wiki/...
2. Re:How was this discovered? by marciot · 2016-04-14 05:43 · Score: 1
  
  Sure, this sounds like a nasty bug but how did someone go about discovering it? Is this some tinfoil hat theory that setting the date to 1970 keeps the NSA from snooping your calls?
  Obviously someone whose software license has expired.
Question on iOS and NTP by acoustix · 2016-04-14 04:06 · Score: 1

Does the rouge network need to dnsmasq time.apple.com? Or could this be accomplished by just passing on a DHCP option on the network to trust a local NTP server? Obviously setting up a dnsmasq makes the exploit more difficult.
Roughly have of the iOS devices that are controlled by my BES12 server are running versions older than 9.3.1.

--
"A plan fiendishly clever in its intricacies"- Homer Simpson
1. Re:Question on iOS and NTP by myowntrueself · 2016-04-14 05:12 · Score: 1
  
  Does the rouge network need to dnsmasq time.apple.com? Or could this be accomplished by just passing on a DHCP option on the network to trust a local NTP server? Obviously setting up a dnsmasq makes the exploit more difficult.
  Roughly have of the iOS devices that are controlled by my BES12 server are running versions older than 9.3.1.
  Redirecting DNS traffic, or NTP for that matter, is not difficult. No need for DHCP, a simple iptables rule will do this in about one line...
  
  --
  In the free world the media isn't government run; the government is media run.
"Insane" NTP servers by AF_Cheddar_Head · 2016-04-14 04:17 · Score: 1

Doesn't the NTP specification have something about how devices are supposed to ignore NTP updates that are X number of minutes different than the current time the device has?
Why don't the Apple IOS devices do this?
1. Re:"Insane" NTP servers by bruce_the_loon · 2016-04-14 04:46 · Score: 1
  
  Interestingly enough, CentOS 6, and therefore probably RHEL 6, has a ntpdate startup service as well as an ntpd startup service. As suggested by the name, the ntpdate service executes the ntpdate cli to force a full time sync with the servers in ntpd.conf.
  That isn't there in CE5. And at least it is off by default, but someone decided it was a good thing to force a time resync at boot.
  IOS probably followed this model for some reason.
  
  --
  Trying to become famous by taking photos. Visit my homepage please.
2. Re:"Insane" NTP servers by bruce_the_loon · 2016-04-23 01:32 · Score: 1
  
  Base minimum Centos 6 doesn't have ntp installed, but the RPM is in the base repository and doing a yum install ntpd gives me both, and an ntpd.conf.
  
  --
  Trying to become famous by taking photos. Visit my homepage please.
It was trivially obvious. by tlambert · 2016-04-14 04:20 · Score: 1

Sure, this sounds like a nasty bug but how did someone go about discovering it? Is this some tinfoil hat theory that setting the date to 1970 keeps the NSA from snooping your calls?
It was mostly discovered because it's trivially obvious that any method of setting the date on the iPhone is functionally equivalent to any other method of setting the date, and that as such, you can exploit the bug from any time set method that the device supports.
We even discussed this in several forums already, and the fix is to update to 9.3.1, since they are only exploiting a bug that already existed. Further, it still only exists on 64 bit iPhones (32 bit iPhones are "safe"), and it can also be exploited by emulating a cell tower, instead of emulating a WiFi hot spot that the iPhone already trusts, since all cell phones pretty much trust the time stamp sent by cell towers.
Not at all ironically, you have to asymptotically approach the time, as well, since NTP has built in protections against a large time drift in the first place; the cell tower attack technically doesn't use NTP, and so would not have this "problem".
Pretty much, this is a "nothing to see here".
Slow news day before income tax day, anyone?
Also... by tlambert · 2016-04-14 04:23 · Score: 1

Also...
No danger of fire or permanent bricking, either. 50 C is far lower than the flashpoint of anything but an accelerant, and drain or disconnect the battery, and the problem goes away, just like before.
Re:This should be trivial to fix. by MrNiceguy_KS · 2016-04-14 06:18 · Score: 1

IF NEW.DATE CURRENT DATE - 2, goto INVALID.DATE
then the invalid date subroutine ignores further attempts to alter the date.
FTFY
So if you set someone's date forward 15 years, they can't set it back?

--
Redundancy is good And also good.
Re:Trusting SSIDs by matt_hs · 2016-04-14 07:36 · Score: 1

So how do you decide which DHCP parameters to ignore? In this case, you ignore the NTP servers. What if another bug is found such that a DHCP address of 128.128.128.128/8 causes it to HCF? What if a bug is found when 127.0.0.1 and 127.255.255.255 are given as DNS servers? Point being, which DHCP parameters do you ignore until the SSID is verified?
Re:Wow by Anonymous Coward · 2016-04-14 07:39 · Score: 1

"Permanently and irreversibly bricked", as in "plug it into your computer, start it in recovery mode, and restore your most recent backup".
I prefer THIS 1970 bug by havana9 · 2016-04-15 00:14 · Score: 1

I prefer this 1970 bug, of course!