Now would be a good time to update to the latest version of iOS, with researchers now revealing how to brick any iPad, and possibly any iPhone, on the same Wi-Fi network.
It turns out that the link bug Apple fixed in iOS 9.3.1 was not the only reason iPhone and iPad owners should have updated their software.
iOS 9.3.1 is also the only version immune to a denial-of-service vulnerability that can be triggered by setting the date on an iOS device to January 1, 1970.
Researcher Zach Straley in February revealed in a YouTube post how this attack could be carried out manually on an iPhone. He showed that if an attacker had physical possession of the device and rolled the date back that far, the iPhone would crash, although it could still be restored after a reset.
But there was also another, worse scenario that two researchers revealed this week. As noted by KrebsOnSecurity, security researchers Patrick Kelley and Matt Harrigan wondered whether the 1/1/1970 bug attack could be automated and launched without physical access.
Now that iOS 9.3.1 has been out for two weeks, they’ve decided to reveal, reportedly under agreement with Apple, how that attack can be mounted, offering a sharp reminder of the risks of connecting to an untrusted Wi-Fi network.
The method involves spoofing Apple’s network time protocol (NTP) server with a device, in this case a Raspberry Pi, on the same Wi-Fi network as a vulnerable iOS device.
“Using a custom Raspberry Pi setup built by Kelley, a Wi-Fi access point resembling a commonly trusted network spoofs Apple’s NTP servers to pass the 1/1/1970 date to the device,” Harrigan, who is CEO of security firm PacketSled, wrote.
“This starts a chain reaction of software instability, resulting in observed temperatures up to 54°C… which is hot enough to brick a device.”
As the pair note in a video demonstration of the attack on an iPad, anyone running an iOS older than 9.3.1 should update immediately.
Also, unlike the manual rollback method, after which the device could be restored with a reset, the researchers claim the NTP method actually bricks the device for good, due to heat damage caused to the battery.
After rigging up the attack network, the bogus Apple NTP server sends out bad NTP responses. Once a device trusts the malicious network, its time and date are reset to December 31, 1969, 23:59:00, roll over to 1970, and the device degrades from there.
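A defender-side check for the condition described above, as an added example that is not from the researchers or the original article: it parses the 48-byte NTP header and flags server replies whose transmit time falls before a sanity floor. The floor date, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: no legitimate server should report a time earlier than this.
# A real client would use its build date or last known-good time instead.
SANITY_FLOOR = datetime(2016, 1, 1, tzinfo=timezone.utc)

def parse_ntp_reply(packet: bytes):
    """Return (mode, stratum, transmit_time_utc) from an NTP header."""
    if len(packet) < 48:
        raise ValueError("NTP header must be at least 48 bytes")
    mode = packet[0] & 0x07          # low 3 bits of the first byte
    stratum = packet[1]
    secs, frac = struct.unpack("!II", packet[40:48])  # transmit timestamp
    unix = secs - NTP_UNIX_OFFSET + frac / 2**32
    return mode, stratum, UNIX_EPOCH + timedelta(seconds=unix)

def check_reply(packet: bytes) -> str:
    """Classify one packet: ignore, ok, or ALERT with the offending time."""
    mode, _stratum, tx = parse_ntp_reply(packet)
    if mode != 4:                    # 4 = server reply, 3 = client request
        return "ignore: not a server reply"
    if tx < SANITY_FLOOR:
        return f"ALERT: server time {tx:%Y-%m-%d %H:%M:%S} UTC is before sanity floor"
    return "ok"

def sample_packet(unix_seconds: int, mode: int = 4) -> bytes:
    """Constructed test data: minimal NTPv4 header with a transmit time."""
    first = (4 << 3) | mode          # LI=0, VN=4, given mode
    secs = unix_seconds + NTP_UNIX_OFFSET
    return struct.pack("!BB", first, 1) + bytes(38) + struct.pack("!II", secs, 0)

if __name__ == "__main__":
    samples = {
        "reply with the date from the article": sample_packet(-60),
        "reply with a plausible 2016 time": sample_packet(1460000000),
        "client request": sample_packet(1460000000, mode=3),
    }
    for label, pkt in samples.items():
        print(f"{label}: {check_reply(pkt)}")
```
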
The good news for iPhone owners is that it’s more difficult to exploit the vulnerability on their devices.
That’s because, as Harrigan and Kelley told KrebsOnSecurity, iPhones get their network time updates over GSM, which would require setting up a malicious mobile network. While that’s not impossible, it is more difficult.