‘Evil’ Wi-Fi network can brick your iPhone (and how to stop it)

Attack can render your iPhone as useful as a brick.
Photo: Cult of Mac/Nick Hubbard CC

A new threat targeting iOS devices has been discovered by security researchers Patrick Kelly and Matt Harrigan, promising to “brick” your iPhone or iPad if you happen to log onto malicious Wi-Fi networks.

Why would anyone log onto a malicious Wi-Fi network? Because by exploiting the auto-reconnect feature found on iOS — whereby your Apple device will automatically log into Wi-Fi networks it thinks it’s previously connected to — you might not even realize it’s happening.

Until it’s too late, of course.

As the security experts note:

“For example, to use Starbucks’ free Wi-Fi service, you’ll have to connect to a network called ‘attwifi.’ But once you’ve done that, you won’t ever have to manually connect to a network called ‘attwifi’ ever again. The next time you visit a Starbucks, just pull out your iPad and the device automagically connects.

From an attacker’s perspective, this is a golden opportunity. Why? He only needs to advertise a fake open network called ‘attwifi’ at a spot where large numbers of computer users are known to congregate. Using specialized hardware to amplify his Wi-Fi signal, he can force many users to connect to his (evil) ‘attwifi’ hotspot. From there, he can attempt to inspect, modify or redirect any network traffic for any iPads or other devices that unwittingly connect to his evil network.”

After you’ve connected to the sinister Wi-Fi network, your innocent iPad or iPhone can be made to remotely set its time and date to January 1, 1970: a bug discovered earlier this year which, bizarrely, will render your Apple device so broken even a DFU restore won’t bring it back to life.

Fortunately, there’s a solution to this problem — provided you’ve not yet been targeted, that is. That solution? Update your iPhone to version 9.3.1 or newer to stop the “1970” bug being able to take hold. Until Apple comes up with a way to solve the rogue Wi-Fi problem, there’s always the chance another sort of malicious attack could take place, though.
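The rogue Wi-Fi exposure that remains after the update comes from saved open networks that reconnect by name alone. The following Python audit is an added example, not code from the article or the researchers: it compares a constructed list of saved profiles against a constructed scan and flags the networks a device would join without any way to verify the access point. The class names, fields, profiles and BSSIDs are all assumptions made up for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SavedNetwork:
    ssid: str
    security: str   # "open", "wpa2-psk", ...
    auto_join: bool

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str

def audit(saved, beacons):
    """Return (severity, ssid, bssid, reason) for each visible saved SSID at risk."""
    profiles = {n.ssid: n for n in saved}
    findings = []
    for b in beacons:
        p = profiles.get(b.ssid)
        if p is None:
            continue  # never joined, so no automatic reconnect
        if b.security != p.security:
            findings.append(("warn", b.ssid, b.bssid,
                             f"advertised as {b.security}, saved as {p.security}"))
        elif p.security == "open" and p.auto_join:
            findings.append(("high", b.ssid, b.bssid,
                             "open + auto-join: the name is the only thing checked"))
    return findings

def profiles_to_harden(saved):
    """Saved open networks that still auto-join: forget them or turn auto-join off."""
    return sorted(n.ssid for n in saved if n.security == "open" and n.auto_join)

# Constructed sample data (hypothetical profiles and scan; BSSIDs are made up).
SAVED = [
    SavedNetwork("attwifi", "open", True),
    SavedNetwork("HomeNet", "wpa2-psk", True),
    SavedNetwork("HotelGuest", "open", False),
]
SCAN = [
    Beacon("attwifi", "02:00:00:00:00:01", "open"),
    Beacon("attwifi", "02:00:00:00:00:02", "open"),
    Beacon("HomeNet", "02:00:00:00:00:03", "open"),
    Beacon("CafeX", "02:00:00:00:00:04", "open"),
]

if __name__ == "__main__":
    for finding in audit(SAVED, SCAN):
        print(*finding, sep=" | ")
    print("harden:", profiles_to_harden(SAVED))
```

Both ‘attwifi’ beacons are flagged because an open network gives the device nothing with which to tell a genuine access point from an imitation.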

Source: Krebs on Security

Via: The Next Web

  • Markus Stoller

    I guess this update only fixes the time bug, not that your device automatically connects to already known SSID Wi-Fi networks. In this case a man-in-the-middle attack is still possible…

    • Luke Dormehl

      Good point. I’ve updated the article. Thanks.

  • mjb427

    There’s no monetary benefit to the “hacker” in this situation.

    • Markus Stoller

      He can capture all unsecured traffic. He can send you a different DNS reply and then you will connect to a different site, which looks the same. If you don’t check the secure connection and log in to this site, he has the credentials as well.

      • mjb427

        I wasn’t replying to you, I was replying to the article.

  • Luke, did you mean “He or She”? I mean, women are capable of crimes too.

    “He only needs to advertise a fake open network called ‘attwifi’ at a spot where large numbers of computer users are”