While iOS devices may generally suffer less from malware than competing smartphone platforms, that doesn’t mean there aren’t security risks. At this week’s RSA security conference, researchers demonstrated a flaw that allows a maliciously configured Wi-Fi access point to crash an iPhone–without the phone even joining that network.
Yair Amit of security firm Skycure, along with a pair of his colleagues, discovered that iOS devices were crashing when trying to connect to a new router. After some investigation they concluded that the problem lay in Secure Sockets Layer (SSL), the system that underlies secure web communication. With a specially crafted cryptographic certificate, a bug could be triggered which causes the iPhone to crash whenever an app attempts an encrypted web connection–something that many apps do in order to maintain security.
In certain circumstances, Amit and his team were able to cause an iPhone to go into an endless cycle of reboots, rendering it essentially unusable.
While it might seem like the simple answer here is not to connect to unknown Wi-Fi access points–good common-sense advice in general–Skycure’s researchers found a way to exploit the vulnerability without users explicitly telling their devices to join a network.
To do so, they used a second exploit they’d discovered back in 2013, where devices that run on certain mobile phone carriers are pre-configured to join carrier-specific Wi-Fi networks. For example, in the US, AT&T allows subscribers to use its ‘attwifi’ network for free; other carriers like Bell in Canada, SingTel in Singapore, Swisscom in Switzerland, and so on have similar set ups. These Wi-Fi network names are stored in the operating system itself, and can’t be directly accessed or edited by users. So simply naming a router’s network ‘attwifi’ will force iOS devices running on AT&T’s network to try and connect to the network automatically–thus potentially triggering the reboot bug.
The bug doesn’t do any permanent damage, but it is effectively a cheap–albeit somewhat limited–cell phone jammer.
Skycure says it’s submitted the vulnerability to Apple and is working with the company to fix it. They haven’t published the full information about the exploit to prevent it being used in the wild.