Steer Clear of iOS 8’s Infinite Loop

A flaw in iOS 8 essentially allows hackers to crash apps that perform SSL communications whenever they like. Skycure reported the bug at the RSA security conference held last week, advising owners of iOS devices to upgrade to iOS 8.3.

Apple this week confirmed that iOS 8.3 addresses the vulnerability, according to Skycure.

An attack would involve specially crafting an SSL certificate to trigger the bug. SSL is used in almost all apps in the iTunes App Store, which means pretty much every device user running iOS 8 could be at risk.

The flaw is an SSL parsing vulnerability that affects iOS itself, and heavy use of affected devices will crash the OS, Skycure said.

Further, under certain conditions, affected devices can be put into a reboot loop, which locks them up. If the attack’s coming through a WiFi network, victims can’t disable the WiFi interface to stop it. They’re stuck in what Skycure has dubbed a “No iOS Zone.”

However, “we have not seen any instances [of exploits based on this vulnerability] in the wild,” Skycure CEO Adi Sharabani told TechNewsWorld.

The No iOS Zone

Combining the iOS 8 SSL vulnerability with WiFiGate, which Skycure disclosed in 2013, or with the Karma tool, would let attackers form a No iOS Zone.

Attackers could automatically recruit any iOS device in range into what essentially would be a mobile botnet that could launch denial of service attacks on target iOS devices.

The possibility of such an attack is real, according to Simone Margaritelli, a developer and security researcher at Zimperium.

“I recently used a Karma attack against my updated iOS device, and it worked like a charm,” he told TechNewsWorld.

Victims can’t do anything about the No iOS Zone, Skycure said.

Follow the Money

“Mobile malware and WiFi hacks like the No iOS Zone are on the rise, driving a multibillion-dollar market opportunity for mobile security companies,” said Steve Morgan, CEO of Cybersecurity Ventures.

“This is like the early days of antivirus, when the vendors were leapfrogging each other in the media as they each scurried to be the first one to report a bug,” he told TechNewsWorld. “Companies … who report a bug initially are poised for growth.”

Nothing to Fear but Fear Itself?

Attacks exploiting the iOS 8 SSL vulnerability “will happen, but I would be much more worried about the prevalence of bugs in iOS that allow malicious apps or malicious websites to run code on the devices,” said Marble Security CEO Dave Jevans.

“In the one month between the release of iOS 8.2 and iOS 8.3, Apple fixed 37 iOS security bugs, one of which also allowed denial of service attacks over the air,” he told TechNewsWorld.

“There were also nine security bugs fixed that were related to malicious apps or websites taking over devices or running unauthorized code on them. The myth that iOS is secure is just that — a myth,” Jevans added.

The iOS 8 SSL vulnerability Skycure found is “similar to the Darwin Nuke flaw discovered by Kaspersky,” said Jimmy Shah, senior director of research at Zimperium.

The current threat level for the vulnerability is low, he told TechNewsWorld, because “DoS is not persistent, and no code execution is involved.”

Staying Safe

Users whose iOS devices keep on crashing or rebooting should disconnect from a troublesome WiFi network or change their location, Skycure recommended, and they should upgrade to version 8.3 posthaste.

Users of iOS devices can enable the OS’s “Ask to join networks” feature to protect themselves, Zimperium’s Shah suggested.

“Android and iOS are constantly improving their security mechanisms,” he remarked. Although iOS is generally believed to be the more secure of the two, “in reality [they] are equally secured, with pluses and minuses for each.”

Richard Adhikari
