Club Benefits
You are now subscribed
Your newsletter sign-up was successful
Want to add more newsletters?
Daily (Mon-Sun)
Tom's Guide Daily
Sign up to get the latest updates on all of your favorite content! From cutting-edge tech news and the hottest streaming buzz to unbeatable deals on the best products and in-depth reviews, we’ve got you covered.
Weekly on Thursday
Tom's AI Guide
Be AI savvy with your weekly newsletter summing up all the biggest AI news you need to know. Plus, analysis from our AI editor and tips on how to use the latest AI tools!
Weekly on Friday
Tom's iGuide
Unlock the vast world of Apple news straight to your inbox. With coverage on everything from exciting product launches to essential software updates, this is your go-to source for the latest updates on all the best Apple content.
Weekly on Monday
Tom's Streaming Guide
Our weekly newsletter is expertly crafted to immerse you in the world of streaming. Stay updated on the latest releases and our top recommendations across your favorite streaming platforms.
Join the club
Get full access to premium articles, exclusive features and a growing list of member rewards.
Back in February, you may have heard about a bug that bricked any iPhone or iPad when you manually reset the device's date to January 1, 1970. But you also probably ignored the flaw, because nobody's fooling you.
Well, a new trick revealed yesterday (April 12) exploits this vulnerability on a larger scale, crippling iOS devices (especially iPads and iPods) in 15 to 20 minutes by overheating them and destroying their batteries. This vulnerability was patched by Apple with iOS 9.3.1 at the end of March, so we recommend users update their devices immediately.
It turns out that some iOS devices can be tricked into rolling back the clock to 1970 automatically, because all iOS devices check their time and date against network time protocol (NTP) servers on a very frequent basis. When security researchers Patrick Kelley and Matt Harrigan heard about the 1970 bug, they created their own fake NTP server, which can fool Apple devices that depend on Wi-Fi for Internet connections into resetting the date and effectively committing suicide.
MORE: Best Antivirus Protection for PC, Mac and Android
The exploits works because iOS devices, like most mobile devices, will automatically attempt to join Wi-Fi networks that have the same names as one they've previously used. Kelley and Harrigan would need only to give their malicious NTP server a common name, such as "attwifi" — the title of many Starbucks free Wi-Fi networks — to trick iPads and iPod Touch models to sign on and get wrecked.
However, iPhones that have active cellular service are less at risk because they "get their time" from their cellular carriers. It might be possible to replicate this attack using a fake cellular tower, but it wouldn't be terribly easy.
Kelley and Harrington told independent security reporter Brian Krebs that when they tested their attack in real life, any "iPads that were brought within range of the test ... network rebooted, and began to slowly self-destruct."
That's not hyperbole: The researchers noticed that changing the system time to before the creation date of iOS code led to the test iPad overheating to 130 degrees Fahrenheit, and made its clock tick backwards from Jan. 1, 1970. (Midnight on that date was the beginning of "Unix time," and many digital devices literally count the seconds from then to tell time.)
During the middle of their testing, Harrigan noticed that the tablets had jumped back from 1970 to 1968 after 15 minutes of testing.
"It finally stopped at 1965, and by that time [the iPad] was about the temperature I like my steak served at," Harrigan told Krebs.
Harrigan and Kelley claimed all they needed to create the malicious NTP server was a Raspberry Pi microcomputer and some code of their own.
Harrigan is the president and CEO of the security firm PacketSled, and Kelley a senior penetration tester at Critical Assets, another security firm, in the San Diego area. The two researchers let Apple know of their discovery and waited for the company to fix the bug before they went public with the information.
Kelley and Harrigan say the vulnerability was patched in iOS 9.3.1, though Apple's release notes for the update are very opaque and do not mention any security updates.
