A new vulnerability in Apple's iOS operating system for mobile devices may render iPhones and iPads prone to denial-of-service (DoS) attacks, a security vendor said.
Skycure's Yair Amit said the company's researchers are working with Apple to fix the flaws in iOS 8.
"Basically, by generating a specially crafted SSL certificate, attackers can regenerate a bug and cause apps that perform SSL communication to crash at will. With our finding, we rushed to create a script that exploits the bug over a network interface," Amit said.
Worse, the company said that under certain conditions, some devices "fall into a repeatable reboot cycle, rendering them useless."
Even if victims know the attack comes from a Wi-Fi network, "they can’t disable the Wi-Fi interface in the repeated restart state," it added.
"As SSL is a security best practice and is utilized in almost all apps in the Apple app store, the attack surface is very wide. We knew that any delay in patching the vulnerability could lead to a serious business impact: an organized denial of service (DoS) attack can lead to big losses," Amit added.
The company discovered the potential threat while preparing for a demonstration of a network-based attack.
It said that when the router was set to a specific configuration, apps on iOS devices connected to the router started to crash.
Skycure said it has reported the issue to Apple.
'No iOS Zone'
Skycure noted it disclosed another vulnerability, "WiFiGate," as early as 2013.
With that vulnerability, attackers could create their own network and force external devices to automatically connect to it.
"Combining techniques such as WiFiGate or Karma attacks with this new discovery can allow an attacker to form a 'No iOS Zone,'" the company said.
"Envision a small device, which automatically captures any iOS device in range and gets it to join a fake network. Then, it issues the attack and crashes attacked iOS devices again and again. Victims in range cannot do anything about it. Think about the impact of launching such an attack on Wall Street, or maybe at the world’s busiest airports, or at large utility plants. The results would be catastrophic," it said.
Solutions
For now, Skycure suggested that:
- users disconnect from the bad Wi-Fi network or change their location in case they experience continuous crashing or rebooting.
- users upgrade to the latest iOS 8.3 update, which might have fixed a few of the mentioned threats.
More from: http://www.gmanetwork.com/news/story/475506/scitech/technology/iphones-ipads-vulnerable-to-dos-cyberattacks