A hack that lets an attacker take full remote control of iPhones without any user interaction is bad enough. One that can also propagate automatically from one iPhone to another is practically unheard of. But a report published this week by Ian Beer of Google's Project Zero bug-hunting team lays out a grim but elegant roadmap of how an attacker could have done exactly that before Apple released fixes in May.
Beer's entire attack stems from a simple and well-known class of vulnerability, a memory corruption bug, in the iOS kernel, the privileged core of the operating system that can access and control nearly everything on the device. The genius of the attack is that the bug was reachable through the iPhone's Wi-Fi features, meaning an attacker needed nothing more than antennas and Wi-Fi adapters to launch the assault as many times as he wanted, compromising any vulnerable iOS device within radio range.
“This is very interesting and super unique research as well,” says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. “Close-access network attacks like this are not something you hear about every day.”
The vulnerability, which Apple patched in May, was a flaw in one of the kernel drivers for Apple Wireless Direct Link (AWDL), the proprietary mesh networking protocol that Apple uses to deliver wireless features like AirDrop and Sidecar. AWDL is built on industry Wi-Fi standards, but it lets multiple devices exchange data directly rather than relaying it over a typical Wi-Fi network with a router, modem, and internet service provider as intermediaries.
Beer found that the AWDL flaw would allow a hacker to send specially crafted Wi-Fi frames that corrupt the kernel's memory, take over the iPhone, and install malware on it. From there, the attacker would have full access to the device's data, the ability to monitor its activity in real time, and even potential access to extremely sensitive components like the microphone and camera, or to the passwords and encryption keys in Apple's keychain. The attack is also "wormable," meaning a compromised device could spread the infection to other vulnerable iPhones or iPads. Apple's watchOS was also vulnerable and received a fix.
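The bug class described above, a kernel driver parsing radio frames and writing attacker-controlled data into a fixed-size buffer, is easiest to understand with a small reproduction. The C below is an added example written for this page; it is not Apple's AWDL driver code and not Beer's exploit. The TLV encoding (1-byte type, 2-byte little-endian length, value), the type byte 0x14, and the field names `payload` and `is_trusted` are assumptions made for the demonstration. It pairs a vulnerable handler that trusts the peer-supplied length with a hardened one that checks it against the destination, and feeds both a constructed frame whose declared length exceeds the 32-byte buffer.

```c
/* Added illustration of a length-unchecked TLV copy in a kernel-style
 * frame parser. Frame layout, type byte and field names are assumptions
 * for this demo; this is not Apple's AWDL code or Beer's exploit. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 32

/* Per-peer state a driver might keep: a fixed-size buffer followed by a
 * field whose corruption matters (layout is 32 + 4 bytes, no padding). */
struct peer_state {
    uint8_t  payload[PAYLOAD_MAX];
    uint32_t is_trusted;   /* 0 = untrusted; clobbered if payload overflows */
};

/* Assumed TLV encoding: 1-byte type, 2-byte little-endian length, value. */
struct tlv_view {
    uint8_t type;
    uint16_t len;
    const uint8_t *value;
};

/* Parse one TLV header. Returns 0 on success, -1 if the frame is too short
 * for the header or for the declared value length (truncated frame). */
static int tlv_read(const uint8_t *frame, size_t frame_len, struct tlv_view *out)
{
    if (frame_len < 3)
        return -1;
    out->type = frame[0];
    out->len = (uint16_t)(frame[1] | ((uint16_t)frame[2] << 8));
    if ((size_t)out->len > frame_len - 3)
        return -1;
    out->value = frame + 3;
    return 0;
}

/* VULNERABLE: trusts the peer-supplied length and never compares it to the
 * 32-byte destination, so a 36-byte value runs into is_trusted. The clamp
 * below exists only to keep this demo inside one object so it can run
 * here; a real driver has no such clamp and overruns into the heap. */
static void handle_payload_vuln(struct peer_state *p, const struct tlv_view *t)
{
    size_t room = sizeof *p - offsetof(struct peer_state, payload);
    size_t n = t->len;
    if (n > room)
        n = room;
    memcpy((uint8_t *)p + offsetof(struct peer_state, payload), t->value, n);
}

/* HARDENED: rejects any value longer than the destination before copying. */
static int handle_payload_safe(struct peer_state *p, const struct tlv_view *t)
{
    if (t->len > sizeof p->payload)
        return -1;
    memcpy(p->payload, t->value, t->len);
    return 0;
}

/* Build a constructed frame (not a capture): one TLV of assumed type 0x14
 * carrying value_len bytes of 'A'. Returns frame length, or 0 if no room. */
static size_t build_frame(uint8_t *buf, size_t cap, uint16_t value_len)
{
    if ((size_t)value_len + 3 > cap)
        return 0;
    buf[0] = 0x14;
    buf[1] = (uint8_t)(value_len & 0xff);
    buf[2] = (uint8_t)(value_len >> 8);
    memset(buf + 3, 'A', value_len);
    return (size_t)value_len + 3;
}

/* Feed one constructed frame to the chosen handler on a zeroed peer_state.
 * Returns 0 accepted, -1 rejected, -2 frame malformed; *trusted_after
 * receives the is_trusted field after the handler ran. */
int process_frame(uint16_t value_len, int hardened, uint32_t *trusted_after)
{
    uint8_t frame[128];
    struct tlv_view t;
    struct peer_state peer;
    int rc = 0;

    memset(&peer, 0, sizeof peer);
    size_t n = build_frame(frame, sizeof frame, value_len);
    if (n == 0 || tlv_read(frame, n, &t) != 0)
        return -2;
    if (hardened)
        rc = handle_payload_safe(&peer, &t);
    else
        handle_payload_vuln(&peer, &t);
    *trusted_after = peer.is_trusted;
    return rc;
}

/* Wrappers returning one result each: handler return code, or is_trusted. */
int handler_rc(uint16_t value_len, int hardened)
{
    uint32_t unused;
    return process_frame(value_len, hardened, &unused);
}

uint32_t trusted_after(uint16_t value_len, int hardened)
{
    uint32_t v = 0;
    process_frame(value_len, hardened, &v);
    return v;
}

int main(void)
{
    printf("vulnerable, 36-byte TLV: is_trusted=0x%08x\n", trusted_after(36, 0));
    printf("hardened,   36-byte TLV: rc=%d is_trusted=0x%08x\n",
           handler_rc(36, 1), trusted_after(36, 1));
    return 0;
}
```

With a 36-byte value the vulnerable handler leaves `is_trusted` at 0x41414141, four bytes of attacker-chosen data where a flag used to be; the hardened handler returns -1 and leaves it untouched. The point a reviewer should take from this is the one Beer's report makes about the real driver: the length check has to compare against the destination buffer, not just against the frame, and it has to happen before the copy.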
An Apple spokesperson emphasized in a statement to WIRED that such exploits would be limited by the need for physical proximity. Even so, with inexpensive off-the-shelf gear, Beer was able to launch his attacks from an adjacent room through a closed door. The attacker and the victim devices do not need to be on the same Wi-Fi network for the attack to work. And with directional antennas and more powerful equipment, Beer estimates that the range could potentially reach hundreds of meters.
In his writeup of the attack, Beer says there is no indication that the vulnerabilities he found were ever exploited in the wild, but he noted that at least one exploit broker appeared to have been aware of the vulnerability before Apple released the patch in May.
Although the vulnerability has been fixed for months and the patch has probably reached the majority of iOS devices around the world, the discovery raises important questions about the security of AWDL, which is on all the time whether users realize it or not, unless a device is in airplane mode. In a series of tweets on Tuesday, Beer pointed out that AWDL had been used as an anti-censorship tool, for example during the 2019 protests in Hong Kong, when people used AirDrop to share banned content with each other. But he noted that because the protocol is proprietary, control and oversight rest entirely with Apple.
“Having such a large and privileged attack surface accessible by anyone means that the security of this code is paramount, and unfortunately the quality of the AWDL code was at times quite poor and seemingly untested,” Beer wrote.