Remember the bug that would brick an iOS device when the date on the device was set to January 1, 1970? While iOS 9.3 fixed that bug, researchers have found an offshoot of that bug that can remotely brick a device as soon as it connects to a Wi-Fi hotspot. Krebs on Security reports the exploit uses a combination of two weaknesses present in iOS 9.3 and earlier.
“… security researchers Patrick Kelley and Matt Harrigan wondered: Could they automate the exploitation of this oddly severe and destructive date bug? The researchers discovered that indeed they could, armed with only $120 of electronics (not counting the cost of the bricked iDevices), a basic understanding of networking, and a familiarity with the way Apple devices connect to wireless networks.”
The first factor contributing to the exploit is that iOS devices automatically reconnect to known Wi-Fi hotspots; this is what allows a device to automatically hop onto your home network or grab a Wi-Fi connection at your local coffee shop. iOS relies on the SSID of a Wi-Fi router to do this. The exploit takes advantage of this by spoofing the name of a known Wi-Fi hotspot.
The second contributing element of the exploit is that iOS devices check and update their time and date settings by connecting to Network Time Protocol (NTP) servers. All it takes to set the date to January 1, 1970 on a targeted device is to create a hotspot with a known name (the researchers used “attwifi”, which is the hotspot name at any Starbucks) and then point the device to their own NTP server, which was posing as time.apple.com to reset the date.
The result? The iPads that were brought within range of the test (evil) network rebooted, and began to slowly self-destruct. It’s not clear why they do this, but here’s one possible explanation: Most applications on an iPad are configured to use security certificates that encrypt data transmitted to and from the user’s device. Those encryption certificates stop working correctly if the system time and date on the user’s mobile is set to a year that predates the certificate’s issuance.
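The two mechanisms described above, sketched from the client's side as an added example (not code from the researchers, Apple, or the cited reports): a time taken from an unauthenticated NTP reply is checked against a trusted lower bound before use, and the same timestamps are run through a certificate validity-window test. `BUILD_FLOOR`, the sample packets and the certificate dates are constructed assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_UNIX_DELTA = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: a lower bound the device trusts without any network, e.g. its OS build date.
BUILD_FLOOR = datetime(2016, 3, 1, tzinfo=timezone.utc)

def build_reply(when):
    """Build a minimal 48-byte NTP server reply (constructed sample data)."""
    pkt = bytearray(48)
    pkt[0] = (4 << 3) | 4  # LI=0, version 4, mode 4 (server)
    pkt[1] = 1             # stratum 1
    seconds = int((when - UNIX_EPOCH).total_seconds()) + NTP_UNIX_DELTA
    struct.pack_into("!II", pkt, 40, seconds, 0)  # transmit timestamp field
    return bytes(pkt)

def transmit_time(packet):
    """Parse the transmit timestamp of a server reply into a UTC datetime."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    if (packet[0] & 0x07) != 4:
        raise ValueError("not a server-mode reply")
    seconds, fraction = struct.unpack_from("!II", packet, 40)
    return UNIX_EPOCH + timedelta(seconds=seconds - NTP_UNIX_DELTA + fraction / 2**32)

def plausible(candidate, floor=BUILD_FLOOR):
    """Refuse any network-supplied time earlier than the trusted floor."""
    return candidate >= floor

def cert_usable(not_before, not_after, now):
    """Validity-window test a TLS client applies to a certificate."""
    return not_before <= now <= not_after

# Constructed samples: an honest reply, a reply claiming 1970, and a certificate window.
HONEST = build_reply(datetime(2016, 4, 1, tzinfo=timezone.utc))
SPOOFED = build_reply(UNIX_EPOCH)
NOT_BEFORE = datetime(2015, 6, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2017, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, pkt in (("honest", HONEST), ("spoofed", SPOOFED)):
        t = transmit_time(pkt)
        print(name, t.isoformat(), "accept" if plausible(t) else "reject",
              "cert ok" if cert_usable(NOT_BEFORE, NOT_AFTER, t) else "cert fails")
```

The floor check is a plausibility filter only; it does not authenticate the time source.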
9to5Mac notes that the bug was related to, but not identical to, the already-fixed 1970 bug, and that iOS 9.3 didn’t fix the problem. However, security researchers Patrick Kelley and Matt Harrigan, being the good guys they are, reported their findings to Apple before telling anyone else. The company asked them to keep it on the down low until it was fixed, and then promptly fixed it in the iOS 9.3.1 update.
Harrigan and Kelley say the hardware they used to execute this attack amounted to little more than a common Raspberry Pi device with some custom software installed.