If your company’s employees use Apple mobile devices, they should immediately update to iOS 9.3.1, the latest version of Apple’s mobile operating system. Those who fail to perform the update will face a number of automated threats that could cause their mobile devices to become unresponsive or useless.

These threats were first exposed in a YouTube video posted by cybersafety researcher Zach Straley. He found that mobile Apple devices can be “bricked” by setting iPad or iPhone dates back to January 1, 1970. Apple patched the problem, yet the mere fact that it exists proves that it is quite easy to automate attacks over networks. Such an attack could impact anyone who wanders into the vicinity of a hostile wireless network.

Cybersecurity researchers Matt Harrigan and Patrick Kelley exploited the “date bug” further. They found that Apple’s mobile products are engineered to automatically hop onto wireless networks that they recognize from past use. However, this connection is performed with a fairly weak authentication level. If a mobile device connects to a wireless network called “Airport” or “Hotspot”, it will likely automatically connect to other open networks that share the same name. WiFi networks are designed this way for convenience: it doesn’t make sense to force repeat customers to re-type the same password every time they access a wireless network.

The problem with the typical WiFi setup is that it creates an opportunity for hackers to wreak havoc. All a hacker has to do is open a network with a common name such as “City”, “attwifi”, “Airport” or “Hotspot” in an area where plenty of people hop onto the web. The hacker can then amplify his malicious wireless signal to lure users into his trap. Harrigan and Kelley replicated such a scheme in their real-life tests to prove just how vulnerable our web-connected mobile devices really are. Their wireless networks actually forced mobile Apple devices to download date and time updates from an NTP time server. All they had to do was instruct mobile devices to reset their date and time to January 1, 1970 and these devices became paralyzed.

Why is it possible for such a malicious trap to be set? The vast majority of iPad applications are designed to make use of security certificates to encrypt data sent to and from a device. These encryption certificates ceased to function properly once the date and time of the mobile device were set to a year that predates the issuance of the certificate. According to Kelley and Harrigan, the result of such a date/time resetting is absolute chaos. Applications running on these mobile devices competed so vigorously for resources that they overwhelmed device processors. It only took a few minutes for an iPad to reach a temperature of 130 degrees Fahrenheit. The date and time then proceeded to count backwards until reaching 1965. Thankfully, Harrigan and Kelley worked with Apple to time the announcement of their findings to prevent malicious hackers from ruining mobile devices before Apple could release a patch.
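An added sketch, not from the original article and not Apple's patch: it parses the transmit timestamp from an NTP reply, shows that a 1970 time falls outside a certificate's validity window as described above, and applies a generic time-floor check before the time is accepted. The sample packets, the certificate dates and the `FLOOR` build date are constructed assumptions.

```python
import struct
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2_208_988_800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

def build_ntp_reply(unix_seconds):
    """Constructed 48-byte NTP server reply (sample data, not a capture)."""
    header = bytes([0x24, 1, 0, 0]) + bytes(36)   # LI=0, VN=4, mode=4 (server), stratum 1
    return header + struct.pack("!II", unix_seconds + NTP_UNIX_DELTA, 0)

def transmit_time(packet):
    """Return the transmit timestamp (bytes 40-47) as an aware UTC datetime."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return datetime.fromtimestamp(seconds - NTP_UNIX_DELTA + fraction / 2**32, tz=timezone.utc)

def evaluate(packet, floor, not_before, not_after):
    """Report what the offered time does to certificate checks and whether to accept it."""
    offered = transmit_time(packet)
    return {
        "offered": offered,
        # A clock earlier than notBefore makes every such certificate "not yet valid".
        "cert_in_window": not_before <= offered <= not_after,
        # Generic mitigation: never accept network time older than a trusted floor,
        # for example the date the installed OS image was built (assumption).
        "accepted": offered >= floor,
    }

# Constructed values for illustration only.
FLOOR = datetime(2016, 3, 1, tzinfo=timezone.utc)
NOT_BEFORE = datetime(2015, 6, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2017, 6, 1, tzinfo=timezone.utc)
HONEST = build_ntp_reply(int(datetime(2016, 4, 5, 12, tzinfo=timezone.utc).timestamp()))
ROLLED_BACK = build_ntp_reply(0)  # January 1, 1970, the date named in the article

if __name__ == "__main__":
    for label, pkt in (("honest", HONEST), ("rolled back", ROLLED_BACK)):
        r = evaluate(pkt, FLOOR, NOT_BEFORE, NOT_AFTER)
        print(f"{label}: {r['offered']:%Y-%m-%d} "
              f"cert_in_window={r['cert_in_window']} accepted={r['accepted']}")
```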

If your organization uses Apple mobile devices running iOS 9.3.1 or earlier, you MUST be aware of this “autobrick” threat. A hacker with rather simple hardware such as a Raspberry Pi device along with some customized software will be able to “brick” mobile devices without this update. Any device affected by the issue should be restored to iOS 9.3 or later. Apple users should continue to update to the latest version of iOS to prevent such “autobrick” threats from popping up in the future.
