Back in February, you may have heard about a bug that bricked any iPhone or iPad when you manually reset the device's date to January 1, 1970. But you also probably ignored the flaw, because nobody's fooling you.
Well, a new trick revealed yesterday (April 12) exploits this vulnerability on a larger scale, crippling iOS devices (especially iPads and iPods) in 15 to 20 minutes by overheating them and destroying their batteries. This vulnerability was patched by Apple with iOS 9.3.1 at the end of March, so we recommend users update their devices immediately.
It turns out that some iOS devices can be tricked into rolling back the clock to 1970 automatically, because all iOS devices check their time and date against Network Time Protocol (NTP) servers on a very frequent basis. When security researchers Patrick Kelley and Matt Harrigan heard about the 1970 bug, they created their own fake NTP server, which can fool Apple devices that depend on Wi-Fi for Internet connections into resetting the date and effectively committing suicide.
The exploit works because iOS devices, like most mobile devices, will automatically attempt to join Wi-Fi networks that have the same names as ones they've previously used. Kelley and Harrigan would need only to give the Wi-Fi network serving their malicious NTP server a common name, such as "attwifi" (the title of many Starbucks free Wi-Fi networks), to trick iPads and iPod Touch models into signing on and getting wrecked.
However, iPhones that have active cellular service are less at risk because they "get their time" from their cellular carriers. It might be possible to replicate this attack using a fake cellular tower, but it wouldn't be terribly easy.
Kelley and Harrigan told independent security reporter Brian Krebs that when they tested their attack in real life, any "iPads that were brought within range of the test ... network rebooted, and began to slowly self-destruct."
That's not hyperbole: The researchers noticed that changing the system time to before the creation date of iOS code led to the test iPad overheating to 130 degrees Fahrenheit, and made its clock tick backwards from Jan. 1, 1970. (Midnight on that date was the beginning of "Unix time," and many digital devices literally count the seconds from then to tell time.)
Midway through their testing, Harrigan noticed that the tablets had jumped back from 1970 to 1968 after 15 minutes.
"It finally stopped at 1965, and by that time [the iPad] was about the temperature I like my steak served at," Harrigan told Krebs.
Harrigan and Kelley claimed all they needed to create the malicious NTP server was a Raspberry Pi microcomputer and some code of their own.
Harrigan is the president and CEO of the security firm PacketSled, and Kelley is a senior penetration tester at Critical Assets, another security firm, in the San Diego area. The two researchers let Apple know of their discovery and waited for the company to fix the bug before they went public with the information.
Kelley and Harrigan say the vulnerability was patched in iOS 9.3.1, though Apple's release notes for the update are very opaque and do not mention any security updates.
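A client-side sanity check for the failure described above, as an added example (not code from the researchers or Apple, and not a description of Apple's fix): it reads the transmit timestamp from an NTP reply and refuses any time earlier than a build-date floor, and, going one step beyond the article, any jump too far from the current clock. `BUILD_FLOOR`, `MAX_STEP` and the function names are assumptions, and the sample replies are constructed.

```python
import struct
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2_208_988_800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
# Assumed floor standing in for the firmware build date; not a value from the article.
BUILD_FLOOR = int(datetime(2016, 3, 1, tzinfo=timezone.utc).timestamp())
MAX_STEP = 7 * 24 * 3600  # assumed policy: never step the clock by more than a week


def make_reply(unix_seconds, stratum=2):
    """Build a minimal 48-byte NTP server reply (constructed sample input)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4  # no leap warning, version 4, mode 4 (server)
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)
    body = bytearray(44)
    # The transmit timestamp sits at packet offset 40, i.e. offset 36 after the header.
    struct.pack_into("!II", body, 36, (unix_seconds + NTP_UNIX_DELTA) & 0xFFFFFFFF, 0)
    return header + bytes(body)


def vet_reply(packet, current_clock):
    """Return (accepted, reason, unix_time) for one NTP reply (NTP era 0 only)."""
    if len(packet) < 48:
        return False, "short packet", None
    if packet[0] & 0x07 != 4:
        return False, "not a server reply", None
    if not 1 <= packet[1] <= 15:
        return False, "unsynchronised or kiss-o'-death", None
    secs, _frac = struct.unpack_from("!II", packet, 40)
    unix_time = secs - NTP_UNIX_DELTA
    if unix_time < BUILD_FLOOR:
        return False, "before build floor", unix_time
    if abs(unix_time - current_clock) > MAX_STEP:
        return False, "step too large", unix_time
    return True, "ok", unix_time


if __name__ == "__main__":
    now = int(datetime(2016, 4, 13, tzinfo=timezone.utc).timestamp())
    samples = {
        "honest server": make_reply(now + 2),
        "1 Jan 1970": make_reply(0),
        "1 Jan 1965": make_reply(int(datetime(1965, 1, 1, tzinfo=timezone.utc).timestamp())),
        "30 days ahead": make_reply(now + 30 * 24 * 3600),
    }
    for label, packet in samples.items():
        print(f"{label:14s} -> {vet_reply(packet, now)}")
```

Rejected replies leave the clock untouched; a device that has been powered off longer than `MAX_STEP` would need a separate, user-confirmed path to resynchronise.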