Security flaws fall on a wide spectrum of severity. On the one end, there are issues that are so exceedingly minor as to hardly warrant any attention, and on the other end, there are flaws that are end-of-the-world, destructive oversights. The iOS flaw uncovered by Skycure researchers Yair Amit and Adi Sharabani, sorry to say, lands in the destructive category.
It has to do with a vulnerability in iOS 8’s handling of secure socket layer (SSL) certificates. As the researchers demonstrated at the RSA Conference in San Francisco this week, certificates manipulated by hackers can lead Internet-connected apps on iPhones and iPads to crash repeatedly, eventually causing the entire operating system to crash. The problem with SSL certificates is coupled with a bug that lets attackers force iOS devices to connect to a Wi-Fi network of their choosing, which makes for a seriously disruptive hack.
The researchers call it a “No iOS Zone.” Theoretically, an attacker could create a fake network, automatically capture any iOS device in range, and then serve the malformed certificate, causing some connected iPhones and iPads to endlessly reboot. As long as the worst-affected devices are in range of the signal, the cycle is inescapable — it’s impossible to reach the Wi-Fi settings menu before the shutoff begins again.
In the interest of preventing would-be mischief makers from wreaking havoc, Skycure is withholding the attack’s technical details. In a blog post published Tuesday, the firm says it has reported the security flaw to Apple, but in the interim recommends that iPhone and iPad users disable Wi-Fi except when absolutely needed. The post also recommends updating to iOS 8.3, which appears to include some mitigations.
Skycure’s report comes on the heels of a separate disclosure from SourceDNA. That security firm detailed a flaw in 1,500 iOS apps that could be exploited by hackers to steal sensitive information such as credit card numbers and encrypted passwords. Like Skycure, SourceDNA suggested that iPhone, iPad, and Mac users turn off Wi-Fi in public unless necessary.