Training Article for Robin

April 29, 2015

In this week’s RSA 2015 session entitled “Mobile Vulnerabilities: From Data Breach to Complete Shutdown,” the co-founders of Skycure took aim at iOS and its increasing number of network security vulnerabilities – notably, an iOS SSL certificate parsing bug capable of crashing almost any app, demonstrated here:

https://www.youtube.com/watch?v=i2tYdmOQisA

While SSL bugs are running rampant lately – see Heartbleed, Cupid, Poodle and FREAK – Skycure took advantage of this particular iOS SSL bug to wreak havoc on Apple iPhone and iPad users by totally disabling vulnerable devices. Here’s how:

  • First, an Evil Twin tool such as Karma or carrier-default hotspot settings can be used to forcibly auto-connect a victim Apple iOS device to a malicious AP.
  • Second, when the victim launches any app that uses SSL, the malicious AP can exploit the certificate parsing bug to trigger a crash that sends the device into an endless crash/reboot cycle.

In short, this attack turns the vicinity surrounding such a malicious WiFi AP into a “No iOS Zone.” Once this DoS attack starts, there is no escaping it. Because the reboot cycle is continuous, it is not even possible to disable Wi-Fi or enable Airplane Mode to break out of this DoS attack.

According to Skycure, this bug was reported to Apple more than six months ago. Although Skycure believes that iOS 8.3 addresses at least some of the flaws which enable this attack, this attack has not yet been confirmed as fixed. As a result, presenters declined to give further technical details, instead directing attendees to https://www.skycure.com/blog for status updates.

Until a full fix is widely deployed, Skycure recommends that users take the following actions:

  • As always, be wary of connecting to any suspicious free Wi-Fi network.
  • Physically move away or disconnect from dodgy APs -- presumably before running any iOS app that invokes SSL.
  • Immediately install Apple iOS 8.3 and later iOS patches to permanently fix this bug.

Unfortunately, this is easier said than done. It appears that iOS includes pre-defined Carrier Bundles, intended to facilitate auto-connection with each carrier’s Wi-Fi hotspot network. For example, an iOS device purchased from AT&T will auto-connect to the “attwifi” SSID, without the user having to add this connection. Skycure dubbed this phenomenon WiFiGate, further detailed here:

https://www.skycure.com/blog/wifigate-h ... i-attacks/

As a result, an iOS user who never consciously attempts to connect to any Wi-Fi hotspot may still be vulnerable to the “No iOS Zone” attack. And hackers wishing to launch this attack can simply run a malicious AP with any of these known SSIDs. Fortunately, the devil still lies in the details – in this case, knowing more about this SSL bug than has been published to date.

What can enterprises do to deter this DoS attack? First, use a WIPS to watch for Karma or APs that beacon known hotspot SSIDs in unexpected places – this serves as the proverbial “canary in the coal mine,” alerting admins to the threat before victims are attacked. Second, use MDM to lock down Wi-Fi settings where feasible and enforce timely iOS updates, narrowing the window of opportunity for attack. Finally, educate iOS device users about this new attack and its symptoms, providing instructions for remediating affected devices. With luck, “No iOS Zone” will remain theoretical until patched by Apple – but given the potential severity of this DoS attack, it makes sense to proactively leverage existing WIPS and MDM tools to reduce risk.
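The WIPS check described above can be sketched in a few lines of detection logic. The following is an added example written for this article, not code from Skycure or from any WIPS product: it runs over a constructed list of beacon/probe-response observations (sensor name, AP BSSID, SSID) and raises two kinds of alert that map to the two indicators the paragraph names. The first is a known carrier hotspot SSID seen at a sensor where no legitimate hotspot of that name exists (“attwifi” is the only SSID the article names; “carrier-b-wifi”, the sensor names, the BSSIDs and the expected-location table are all constructed). The second is a Karma-like AP, identified by a single BSSID advertising several unrelated SSIDs, which is how a tool that answers every probe request looks from a sensor’s point of view.

```python
"""
Added example (not part of the original article or Skycure's tooling):
a minimal WIPS-style detector over constructed Wi-Fi observations.

Alert 1: a known carrier hotspot SSID beaconed from a sensor location
         where no legitimate hotspot of that name is expected.
Alert 2: a Karma-like AP, i.e. one BSSID advertising many distinct SSIDs.
"""
from collections import defaultdict

# Constructed table: carrier SSIDs that iOS carrier bundles may auto-join,
# mapped to the sensors where a legitimate hotspot of that name is expected.
# "attwifi" is named in the article; "carrier-b-wifi" is a placeholder.
KNOWN_HOTSPOT_SSIDS = {
    "attwifi": {"lobby-sensor"},   # legitimate AT&T hotspot only near the lobby
    "carrier-b-wifi": set(),       # no legitimate instance anywhere on site
}

# One BSSID advertising this many (or more) SSIDs is treated as Karma-like.
KARMA_SSID_THRESHOLD = 3

# Constructed observations: (sensor, bssid, ssid)
SAMPLE_OBSERVATIONS = [
    ("lobby-sensor",  "00:11:22:33:44:55", "attwifi"),         # expected place
    ("floor3-sensor", "de:ad:be:ef:00:01", "attwifi"),         # unexpected place
    ("floor3-sensor", "de:ad:be:ef:00:01", "carrier-b-wifi"),  # same rogue BSSID
    ("floor3-sensor", "de:ad:be:ef:00:01", "CorpGuest"),       # third SSID -> Karma-like
    ("floor3-sensor", "aa:bb:cc:dd:ee:ff", "CorpWifi"),        # benign corporate AP
]


def find_unexpected_hotspot_ssids(observations, known=KNOWN_HOTSPOT_SSIDS):
    """Flag carrier hotspot SSIDs seen at sensors where they are not expected."""
    alerts = []
    for sensor, bssid, ssid in observations:
        if ssid in known and sensor not in known[ssid]:
            alerts.append({
                "type": "unexpected_hotspot_ssid",
                "sensor": sensor,
                "bssid": bssid,
                "ssid": ssid,
            })
    return alerts


def find_karma_like_aps(observations, threshold=KARMA_SSID_THRESHOLD):
    """Flag any BSSID that advertises `threshold` or more distinct SSIDs."""
    ssids_by_bssid = defaultdict(set)
    for _sensor, bssid, ssid in observations:
        ssids_by_bssid[bssid].add(ssid)
    return [
        {"type": "karma_like_ap", "bssid": bssid, "ssids": sorted(ssids)}
        for bssid, ssids in ssids_by_bssid.items()
        if len(ssids) >= threshold
    ]


def analyze(observations):
    """Run both checks and return the combined alert list."""
    return find_unexpected_hotspot_ssids(observations) + find_karma_like_aps(observations)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_OBSERVATIONS):
        print(alert)
```

On the sample data this yields two unexpected-hotspot alerts (both from the rogue BSSID on floor 3) and one Karma-like alert for that same BSSID. Grouping by BSSID is a reasonable first cut, but an attacker controls the MAC addresses an AP advertises, so a production WIPS would also correlate by radio fingerprint, channel and sensor signal strength rather than trusting the BSSID alone.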

To view this RSA 2015 presentation, visit https://www.rsaconference.com/events/us ... o-complete