New iOS Threat Capable of “Bricking” iPhones and iPads

If you haven’t updated your iPhone or iPad to the most current version of iOS—iOS 9.3.1—you should make it a priority to do so. That was the advice of security expert Brian Krebs in an April 12 blog post about a potentially devastating new iOS threat. Interestingly, this new threat is as simple as it is dangerous—to the point where any given iPhone or iPad user could manually trip the vulnerability on their own.

To understand what Krebs is talking about, we need to look back a few months ago, specifically to a YouTube video that Zach Straley (another security researcher) posted on February 11. The video, simply titled “Don’t set your iPhone’s date to January 1, 1970! The fastest way to BRICK an iPhone,” showed how merely fiddling with an iDevice’s date and time settings can have catastrophic consequences.

In the video, Straley shows himself going against his own instruction and setting an iPhone’s date back to New Year’s Day 1970. To set the date manually back to January 1, 1970, Straley had to do a good deal of scrolling and reset his phone, which means there isn’t much chance of someone bricking their iPhone this way by accident. When Straley did reboot his device after setting the date back to 1/1/1970, it got stuck on the Apple screen, unresponsive and unable to progress through the rest of the boot process.

The good news is that Apple has amended this flaw, which only applies to iPhones of the 5S generation and after. If you update to the latest version of iOS, in other words, you’ll be in the clear and won’t ever have to worry about this bizarre New Year’s Day 1970 bug again.

The bad news is that since Straley posted his video, a pair of other researchers have figured out how to turn the vulnerability into a malicious attack. According to Krebs, Apple devices are continuously connecting with NTP (network time protocol) servers to make sure their date and time information is correct. Also, iPhones and iPads will automatically connect to wireless networks or hotspots they recognise, so long as their Wi-Fi settings are switched on.

Pairing these two features of iDevice operation, researchers were able to build hostile networks, trick nearby iPhones or iPads into thinking they recognised those networks and used NTP server connections to hoodwink the devices to turning back their clocks to January 1, 1970. The result? Bricked devices in droves. It’s easy to see how a cybercriminal might use a counterfeit server to masquerade as, say, a Starbucks network. By simply positioning the server in an area where a lot of potential users would be located, that cybercriminal would be able to destroy a lot of Apple devices.

The bottom line? Update your iPhone and switch off Wi-Fi when you aren’t using it. Even though Apple has patched this vulnerability, there is still a chance that someone will try to exploit it to take advantage of everyone who hasn’t updated to 9.3.1 yet.