Get the Lowest Prices anywhere on Macs, iPads and Apple Watches: Apple Price Guides updated November 22nd
 

 

Researchers leverage SSL bug to crash Apple devices over Wi-Fi in 'No iOS Zone' attack

A bug in iOS's secure sockets layer (SSL) library could allow an attacker to force apps— or in some cases, the entire device— to crash if users connect to a malicious Wi-Fi hotspot, security researchers demonstrated this week.




The attack, discovered by Skycure researchers Yair Amit and Adi Sharabani, takes advantage of an issue with iOS's parsing of SSL certificates. By sending a specially-crafted certificate to a device via a Wi-Fi hotspot, the duo was able to repeatedly crash both individual apps and iOS itself.

A modified version of the attack was able to induce a perpetual reboot cycle, effectively rendering an iPhone useless as long as it was in range of the affected hotspot.

Amit and Sharabani have reported the issue to Apple, and say they are working with the company on a fix. Some of the root causes may have already been addressed in iOS 8.3, and users are urged to update if possible.

SSL is a foundational cryptographic technology that underpins many secure network communications techniques, but its age has begun to show in recent years. The infamous "gotofail" bug grew from a vulnerability in Apple's SSL library, and the company recently ended support for SSL 3.0 after that version— the most recent— was found vulnerable to attack.