Researchers Warn of Wi-Fi Vulnerability in iOS 8
A specially crafted SSL certificate can be used to crash iOS apps, and even the entire operating system.
Skycure researchers recently uncovered a new vulnerability in iOS 8.
While setting up a new wireless router, the researchers discovered that iOS apps on iPhones and iPads in the area started crashing suddenly when those devices connected to the new router.
"Elisha and Roy from our research team started to analyze the crashes further and identified the source of the problem," Skycure co-founder Yair Amit wrote in a blog post discussing the flaw. "Basically, by generating a specially crafted SSL certificate, attackers can regenerate a bug and cause apps that perform SSL communication to crash at will."
"An even more interesting impact of the SSL certificate parsing vulnerability is that it actually affects the underlying iOS operating system," Amit added. "With heavy use of devices exposed to the vulnerability, the operating system crashes as well. Even worse, under certain conditions, we managed to get devices into a repeatable reboot cycle, rendering them useless."
Skycure has reported the issue to Apple, though since the vulnerability hasn't yet been confirmed as fully fixed, they aren't providing any more technical details on the specifics of the flaw.
Amit recommends taking the following steps to avoid being impacted by the flaw:
- Users should disconnect from the bad Wi-Fi network or change their location in case they experience continuous crashing or rebooting.
- The latest iOS 8.3 update might have fixed a few of the mentioned threats -- users are highly advised to upgrade to the latest version.
- In general, users should avoid connecting to any suspicious "free" Wi-Fi network.
Guillaume Ross, senior security consultant for strategic services at Rapid7, told eSecurity Planet by email that Skycure's discovery should serve as a reminder to be careful in connecting to Wi-Fi hotspots.
"While this vulnerability can allow an attacker to crash an application or a device, there were and will be other vulnerabilities that would allow an attacker in control of the Wi-Fi network to read, modify and snoop on network traffic in general," Ross said.
"When using any network that you do not own, such as at a hotel, airport or coffee shop, make sure you use a VPN service to encrypt the data coming from your device, and reduce the odds of someone being able to snoop or manipulate it, to steal information or impact your device," Ross added. "Users should also ensure they install iOS updates rapidly, and companies should monitor user activity to identify at risk users with old, known vulnerable versions."
A recent eSecurity Planet article examined the 10 top threats for mobile devices.
Photo courtesy of Shutterstock.