“No iOS Zone” – A New Vulnerability Allows DoS Attacks on iOS Devices 

Apr 22, 2015 05:00 PM

[Update 04/28/2015] Over the past week, we have been working with Apple’s security team to complete their testing on the subject, and we are pleased to report that Apple has confirmed that iOS 8.3 addresses the “No iOS Zone” vulnerability described below. Users are highly advised to update their iOS to the latest version to avoid exploits related to this vulnerability.

In today’s RSA Conference presentation (Tuesday, April 21, 2015 | 3:30 PM – 4:20 PM | West | Room: 2001), Adi Sharabani, CEO and my fellow co-founder at Skycure, and I covered the lifecycle of vulnerabilities and vendor pitfalls. We also shared some details about a vulnerability our team recently identified in iOS 8, one that we are currently working with Apple to fix.

In this post, I’d like to share a few anecdotes from our vulnerability research process:

How it all started

Skycure is a leader in mobile threat defense solutions. As offense is a crucial part of any defense solution, our research team frequently performs experiments to check how mobile devices behave in various scenarios. One day, during preparation for a demonstration of a network-based attack, we bought a new router. After setting the router in a specific configuration and connecting devices to it, our team witnessed the sudden crash of an iOS app.

[Embedded YouTube video: NhiTfsWUp30]

After a few moments, other people started to notice crashes. Pretty quickly, we realized that only iOS users were suffering from crashes.

QA Issue or Security Exposure?

To many, the iOS app crashes may seem simply like a quality issue. In most cases, people would just install a different firmware and move on.

However, we needed to dig deeper. We believe that incidents often dismissed as QA issues sometimes conceal an actual threat. Elisha and Roy from our research team started to analyze the crashes further and identified the source of the problem. Basically, by generating a specially crafted SSL certificate, attackers can reproduce a bug and cause apps that perform SSL communication to crash at will. With our finding, we rushed to create a script that exploits the bug over a network interface. As SSL is a security best practice and is utilized in almost all apps in the Apple App Store, the attack surface is very wide. We knew that any delay in patching the vulnerability could lead to a serious business impact: an organized denial of service (DoS) attack can lead to big losses.

[Embedded YouTube video: i2tYdmOQisA]

Again, we’ve reported the issue to Apple per our responsible disclosure process. As the vulnerability has not yet been confirmed as fully fixed, we’ve decided to refrain from providing additional technical details, in order to make sure iOS users are not exposed to exploitation of this vulnerability.

Impact on iOS

An even more interesting impact of the SSL certificate parsing vulnerability is that it actually affects the underlying iOS operating system. With heavy use of devices exposed to the vulnerability, the operating system crashes as well. Even worse, under certain conditions, we managed to get devices into a repeatable reboot cycle, rendering them useless.

[Embedded YouTube video: PmgI0LaFYLA]

This is particularly interesting because it leaves the victim’s device in an unusable state for as long as the attack continues to affect it. Even if victims understand that the attack comes from a Wi-Fi network, they can’t disable the Wi-Fi interface while the device is in the repeated restart state, as shown in the video.

No iOS Zone

In 2013, we disclosed another vulnerability, which we called WiFiGate. In a nutshell, the impact was that an attacker could create their own network, and force external devices to automatically connect to it. Combining techniques such as WiFiGate or Karma attacks with this new discovery can allow an attacker to form a “No iOS Zone”. Envision a small device, which automatically captures any iOS device in range and gets it to join a fake network. Then, it issues the attack and crashes attacked iOS devices again and again. Victims in range cannot do anything about it. Think about the impact of launching such an attack on Wall Street, or maybe at the world’s busiest airports, or at large utility plants. The results would be catastrophic.

Fortunately, we keep a close eye on all the mobile threats and exploits around the world using our Mobile Threat Intelligence platform and have not yet seen any exploit related to this vulnerability. Users can always download a free version of Skycure available on both platforms (iOS and Android) to detect any active threat or attack on their device.

Remediation

Users might be able to avoid exploitation of this vulnerability in a number of ways:

  1. Users should disconnect from the bad Wi-Fi network or change their location in case they experience continuous crashing or rebooting.
  2. The latest iOS 8.3 update might have fixed a few of the mentioned threats; users are highly advised to upgrade to the latest version.
  3. In general, users should avoid connecting to any suspicious “FREE” Wi-Fi network.

Acknowledgements

Thanks to Elisha Eshed and Roy Iarchy in the Skycure research team for their continued great work. I would also like to thank Apple’s security team for their cooperation and continued commitment to the security of Apple’s user base.

To learn more about the latest threats on mobile devices, attend the RSA Conference featured webcast with Skycure’s Adi Sharabani and Yair Amit. Register for The Four Horsemen of Mobile Security webcast, which takes place on June 24th at 10am PT.
