iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks ever

[Image: The screen of the iPhone 12 Pro Max. Photo: Samuel Axon]

Earlier this year, Apple fixed one of the most impressive iPhone vulnerabilities of all time: a memory corruption bug in the iOS kernel that gave attackers remote access to the entire device over Wi-Fi, with no user interaction required. Oh, and the vulnerability was wormable, meaning radio-proximity exploits could spread from one nearby device to another, again without any user interaction.

The wirelessly exploitable vulnerability was discovered by Ian Beer, a researcher at Project Zero, Google's vulnerability research arm. In a 30,000-word post published Tuesday afternoon, Beer described the vulnerability and a proof-of-concept exploit that he spent six months developing on his own. Almost immediately, other security researchers took notice.

Beware of questionable Wi-Fi packets

“It’s a fantastic job,” Chris Evans, a semi-retired security researcher and director and founder of Project Zero, said in an interview. “It’s really quite serious. The fact that you don’t have to interact with your phone for this to activate is truly terrifying. This attack is just as you walk around, the phone is in your pocket, and over Wi-Fi someone comes in with questionable Wi-Fi packets.”

Beer’s attack worked by exploiting a buffer overflow bug in a driver for AWDL, Apple’s proprietary mesh networking protocol that makes things like AirDrop work. Because drivers reside in the kernel, one of the most privileged parts of any operating system, the AWDL flaw had the potential for serious attacks. And because AWDL parses Wi-Fi packets, exploits can be transmitted over the air, with no indication that anything is wrong.
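To make the bug class concrete, here is an added example (written for this page, not Beer's code and not AWDL's real frame parser) of the pattern behind a driver-side buffer overflow: a length byte read straight from a radio frame is checked against the frame but never against the fixed-size field it is copied into, so an oversized value clobbers whatever the kernel keeps next to that field. The TLV layout, the `TLV_NAME` type, the 16-byte name field and the adjacent flags word are all hypothetical stand-ins chosen for the demo; the hardened parser beside it rejects the frame instead of truncating it silently.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical TLV layout for this demo (NOT AWDL's real wire format):
 *   byte 0: type, byte 1: length, bytes 2..: value                      */
#define TLV_NAME 0x01
#define NAME_MAX 16

/* The 16-byte name field and a 4-byte flags word sit back to back in one
 * array, so an overflow of the name lands on flags (a stand-in for whatever
 * the kernel stores next to the field) rather than on undefined memory.  */
struct record {
    uint8_t storage[NAME_MAX + 4];   /* [0..15] name, [16..19] flags */
};

static void record_init(struct record *r)
{
    uint32_t flags = 0x01020304u;    /* constructed "known good" flags value */
    memset(r->storage, 0, sizeof r->storage);
    memcpy(r->storage + NAME_MAX, &flags, sizeof flags);
}

uint32_t record_flags(const struct record *r)
{
    uint32_t flags;
    memcpy(&flags, r->storage + NAME_MAX, sizeof flags);
    return flags;
}

/* Vulnerable pattern: the attacker-controlled length is validated against
 * the frame, but never against the 16-byte destination field.            */
int parse_name_unchecked(const uint8_t *frame, size_t frame_len, struct record *r)
{
    if (frame_len < 2 || frame[0] != TLV_NAME) return -1;
    size_t len = frame[1];
    if (len + 2 > frame_len) return -1;          /* frame bound: checked      */
    if (len > sizeof r->storage) return -1;      /* stands in for the outer
                                                    allocation size; keeps the
                                                    demo inside struct record  */
    memcpy(r->storage, frame + 2, len);          /* NAME_MAX bound: NOT checked */
    return (int)len;
}

/* Hardened form: reject anything that does not fit the field, and never
 * leave stale bytes behind in the part of the field that was not written. */
int parse_name_checked(const uint8_t *frame, size_t frame_len, struct record *r)
{
    if (frame_len < 2 || frame[0] != TLV_NAME) return -1;
    size_t len = frame[1];
    if (len + 2 > frame_len) return -1;
    if (len > NAME_MAX) return -2;               /* oversized field: drop frame */
    memcpy(r->storage, frame + 2, len);
    memset(r->storage + len, 0, NAME_MAX - len);
    return (int)len;
}

/* Constructed malicious frame: 16 'A' bytes fill the name, 4 'B' bytes
 * spill into the flags word.                                             */
static const uint8_t evil_frame[] = {
    TLV_NAME, 20,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'B','B','B','B'
};

/* Flags word after the unchecked parser handled evil_frame (0x42424242). */
uint32_t flags_after_unchecked(void)
{
    struct record r;
    record_init(&r);
    parse_name_unchecked(evil_frame, sizeof evil_frame, &r);
    return record_flags(&r);
}

/* Verdict of the checked parser on the same frame (-2: rejected).        */
int verdict_checked(void)
{
    struct record r;
    record_init(&r);
    return parse_name_checked(evil_frame, sizeof evil_frame, &r);
}

/* Flags word after the checked parser: must still be 0x01020304.         */
uint32_t flags_after_checked(void)
{
    struct record r;
    record_init(&r);
    parse_name_checked(evil_frame, sizeof evil_frame, &r);
    return record_flags(&r);
}

int main(void)
{
    printf("unchecked: flags = 0x%08x\n", flags_after_unchecked());
    printf("checked:   rc = %d, flags = 0x%08x\n", verdict_checked(), flags_after_checked());
    return 0;
}
```

The same shape recurs in real drivers whenever a "length" or "count" field from the wire is trusted: the check that matters is against the destination object, not the source frame, and a parser should fail closed on a bad length rather than clamp it, since clamping hides the malformed input from any logging or telemetry that might otherwise flag the attempt.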

“Imagine the feeling of power that an attacker with such ability must feel,” Beer wrote. “As we all pour more and more of our souls into these devices, an attacker can gain a wealth of information about an unsuspecting target.”

Beer developed several different exploits. The most advanced installs an implant that has full access to the user’s personal data, including emails, photos, messages, passwords, and cryptographic keys stored in the keychain. The attack uses a laptop, a Raspberry Pi, and commercially available Wi-Fi adapters. It takes about two minutes to install the prototype implant, but Beer said that with more work, a better-written exploit could deliver it in “seconds.” The exploits only work on devices within the attacker’s Wi-Fi range.

Below is a video of the exploit in action. The victim’s iPhone 11 Pro is in a room separated from the attacker by a closed door.

Demonstration of the AWDL implant

Beer said Apple fixed the vulnerability before the release of the COVID-19 contact-tracing interfaces included in iOS 13.5 in May. The researcher said he had no evidence that the vulnerability was exploited in the wild, although he noted that at least one exploit vendor was aware of the critical bug in May, seven months before today’s disclosure. Apple’s figures show that the vast majority of iPhones and iPads are updated regularly.

The beauty and breathtaking nature of the hack is that it relies on a single bug to wirelessly access the secrets locked inside what is arguably the most hardened and secure consumer device in the world. If one person could do all of this in six months, think about what a better-resourced hacking team is capable of.
