Security researchers presenting at this week’s RSA Conference in San Francisco, have uncovered a whole new compelling reason to switch off your phone.
Skycure’s Yair Amit and Adi Sharabani have demonstrated a startling
vulnerability in iOS that can allow malicious hackers to crash any iOS
device within range of a WiFi hotspot.
And it doesn’t even matter if targeted devices are trying to deliberately connect to the WiFi network or not.
Yes, you heard that right. Pranksters are going to *love* this one.
The researchers have dubbed their discovery “No iOS Zone”, and explained how they uncovered the attack method when preparing a demonstration:
“One day, during preparation for a demonstration of a network-based attack, we bought a new router. After setting the router in a specific configuration and connecting devices to it, our team witnessed the sudden crash of an iOS app.”
“After a few moments, other people started to notice crashes. Pretty quickly, we realized that only iOS users were suffering from crashes.”
According to the researchers, the attack can render vulnerable iOS
devices within range so unstable that they can be forced into a constant
cycle of reboots.
Although many may view such an attack as a practical joke, the truth
is that such a “denial of service” attack could have a serious impact on
organisations reliant upon their iOS devices.
In their presentation, Amit and Sharabani could be used at political events, or by protestors in financial hubs.
The researchers released a video
of the WiFi attack in action. So, if you’ve ever wanted to watch a
movie of a phone rebooting over and over again, this is your chance.
The solution? Well, according to Sharabani, an old-fashioned approach to defence is best: run away.
After all, once your phone is constantly rebooting you won’t have a chance to turn off WiFi.
“Anyone can take any router and create a Wi-Fi hotspot that forces you to connect to their network, and then manipulate the traffic to cause apps and the operating system to crash.”
“There is nothing you can do about it other than physically running away from the attackers. This is not a denial-of-service where you can’t use your Wi-Fi – this is a denial-of-service so you can’t use your device even in offline mode.”
The researchers say that they first informed Apple of the problem in
early October 2014, and that iOS 8.3 appears to resolve some of the
issues they uncovered.
Chances are that this won’t be the last time that a serious denial of
service flaw is found in iOS. Just last month, Apple released iOS 8.2
which fixed a flaw that allowed hackers to restart iPhones by sending
them a maliciously-crafted Flash SMS.
More details of the “No iOS Zone” flaw can be found in the slide deck of the presentation given at the RSA conference.
0 comments:
Post a Comment