At RSA Conference 2015, the co-founders of security firm Skycure revealed an attack on Apple devices which could continuously cause apps, and the mobile operating system itself to crash, leaving users in a “No iOS Zone.”
The attack is possible through an SSL certificate parsing vulnerability that affects iOS 8, offering attackers a wide net to cast upon victims since secure sockets layer (SSL) is used by most apps in Apple's app store. On Tuesday afternoon, Adi Sharabani, CEO of Skycure, and Yair Amit, CTO at the company, told attendees that, while the firm had been working with Apple to fix the vulnerability, the issue is still not confirmed as resolved.
Sharabani and Amit noted that Apple's recent iOS 8.3 release addresses some, but not all attack possibilities introduced by the flaw.
During their presentation, the co-founders showed that by creating a bogus SSL certificate and exploiting the issue, an attacker could easily get users to connect to a spurious Wi-Fi network. Sharabani and Amit explained that many users have Wi-Fi auto-connect enabled on their devices so they can automatically connect to nearby networks – which could turn out to be malicious.
In a follow-up blog post published Wednesday, Amit warned that the SSL certificate parsing bug could be used for organized denial-of-service attacks in locations where critical business is conducted, such as on Wall Street or at utility plants, where “results would be catastrophic,” he wrote. The attack would work as long as victims remained in range, or connected, to the hotspot set up by the attacker.
"With heavy use of devices exposed to the vulnerability, the operating system crashes as well. Even worse, under certain conditions, we managed to get devices into a repeatable reboot cycle, rendering them useless," Amit said of the attack.
To avoid exploitation, he advised users to implement the latest iOS 8.3 update, which fixes some of the threats they discussed, and to avoid connecting to suspect “Free” Wi-Fi networks. Skycure reported the issue to Apple last October, and will update its blog when the issue is fully resolved.
