The original bug would leave an iPhone unable to start after having its date set to January 1, 1970. The clock could be set to a “negative” time, rendering iOS inoperable. Apple has patched the original bug but it has since reappeared with potential to be exploited remotely.
Krebs on Security reports that security researchers Patrick Kelley and Matt Harrigan have been investigating the bug for the past few months. Using $120 of electronics, the researchers found they could exploit the date issue to brick an iOS device as soon as it connects to a malicious Wi-Fi hotspot.
Periodically, all smartphones connect to the Internet to synchronize their clock and ensure it stays accurate. NTP time servers provide the latest time and the device uses this data as a reference for its clock.
The researchers realised that if they could create a fake NTP server and convince an iOS device to connect to it then they’d have a way to force it to set its date to January 1, 1970. An iPad was used for testing as iPhones get their time from GSM signals, an alternative protocol that is harder to spoof.
An attacker could create a fake Wi-Fi network with a legitimate looking name, such as “attwifi.” By broadcasting it in a public place, the attacker could convince users to connect to it. The hotspot’s details are then saved so it can be connected to automatically in the future.
At this point, the attacker creates another Wi-Fi network with the same name. The iPad doesn’t know the difference, believing the new network is the same as the first one and automatically reconnecting to it when it comes in range. In this way, the hackers could trick the tablets into connecting to the malicious network by initially engineering it to appear legitimate and getting users connected of their own accord.
With the device connected, the hacker could monitor network usage and tamper with data transfers. Requests made to NTP time servers could be intercepted and modified. The server’s response could be replaced with the date that iOS cannot handle, January 1st 1970.
The setup worked in testing. After bringing an iPad within range of the malicious network, it rebooted itself and began to “self-destruct.” For reasons that remain unclear, the exploit triggered a series of alarming effects, making the device unusable.
After rebooting, the clock was observed to begin counting backwards, gradually decreasing all the way to 1965. As time was reversed, apps became aware of the unexplainable situation and began to behave in unpredictable ways. The resulting resource usage as every app clamoured for processing time caused the iPad to overheat, pushing it to a temperature of 130 degrees Fahrenheit, 54 Celsius.
“One thing we noticed was when we set the date on the iPad to 1970, the iPad display clock started counting backwards,” said Harrigan, president and CEO of San Diego-based security firm PacketSled. “While we were plugging in the second test iPad 15 minutes later, the first iPad said it was Dec. 15, 1968. I looked at Patrick and was like, ‘Did you mess with that thing?’ He hadn’t. It finally stopped at 1965, and by that time [the iPad] was about the temperature I like my steak served at.”
Apple hasn’t publicly commented on the discovery. In an email sent to the researchers, it said an affected device can be restored to iOS 9.3 or later using iTunes. It confirmed it has run its own tests, claiming its own device did not exceed a temperature of 45.8 Celsius.
The bug only affects devices running iOS versions older than 9.3.1. Users are advised to upgrade to the latest version. Although there is no indication that hackers are actively using the exploit, it could prove to be an easy way to brick waves of iPads. The cause of the strange clock reversal remains unknown but it could give owners a warning their device has just been attacked.
