Google Researcher: I Did This ‘Magic’ iPhone Wi-Fi Hack In My Bedroom, Imagine What Others Could Do

A Google Project Zero (GPZ) bug hunter who specializes in iPhone security has revealed a nasty bug in iOS that allowed an attacker within Wi-Fi range to gain “complete control” of an Apple phone.

GPZ is a security research group at Google tasked with finding vulnerabilities in all popular software ranging from Microsoft’s Windows 10 to Google Chrome and Android, as well as Apple’s iOS and macOS.

Ian Beer, a GPZ hacker who specializes in iOS hacks, says that the vulnerability he found during this year's first COVID-19 lockdown allowed an attacker within Wi-Fi range to view all photos and emails on an iPhone and to copy all private messages from Messages, WhatsApp, Signal and other apps in real time.

“For 6 months of 2020, while locked in the corner of my room surrounded by my adorable screaming children, I have been working on a magic spell of my own … a radio proximity exploit that allows me to gain full control over any iPhone in my neighborhood,” he writes.

Apple fixed the bug before the release of its privacy-preserving contact tracing feature, which shipped in iOS 13.5 in May.

Beer, who regularly finds critical flaws in iOS and macOS, is using his bug to emphasize to iPhone owners that they may have a false sense of security when thinking about adversaries.

“The bottom line of this project shouldn’t be: No one will spend six months of their life just hacking my phone, I’m fine,” Beer says.

“Instead, it should be: one person, working alone in their bedroom, was able to develop a capability that would allow them to seriously engage iPhone users with whom they had been in close contact.”

The contact tracing connection that Beer highlights is important because the bug he found was in an iOS feature called AWDL, or Apple Wireless Direct Link, an Apple proprietary peer-to-peer network protocol used for features like AirPlay and the AirDrop file-sharing function between iOS and macOS.

AWDL is used on all Apple iOS and macOS devices. Last year, researchers found serious flaws in the protocol that allowed an attacker on a network to intercept and change files that were sent by AirDrop. The most concerning part of that batch of AWDL flaws was that they allowed an attacker to track the location of an iPhone user with a high degree of precision. Apple fixed those AWDL bugs last May in iOS 12.3, tvOS 12.3, watchOS 5.2.1, and macOS 10.14.5.

The details of the flaw itself are important, but Beer is also using his exploit to make another point, about the economics of software exploits.

As Beer points out, there are professional exploit brokers who sell iOS exploits to governments.

“Unpatched vulnerabilities are not like one-sided, physical territory. Everyone can exploit an unpatched vulnerability,” Beer says.

“It is important to emphasize … that the teams and companies supplying the global cyberweapons trade like this are not usually people working alone,” he continues.

“They are teams of well-focused and well-resourced collaborating experts, each with their own specialization. They don’t start out without the slightest idea of how bluetooth or wifi works. They also have potential access to information and hardware that I just don’t have, such as development devices, special cables, leaked source code, symbol files, etc.”

The AWDL bug itself belongs to the common category of memory-safety flaws: Beer describes it as a “fairly trivial buffer overflow” caused by programming errors Apple developers made in C++ code in Apple’s XNU kernel (X is Not Unix). Both Microsoft and Google have found that memory-safety vulnerabilities make up the vast majority of the software security flaws they deal with.

In this case, Beer didn’t need a chain of iOS vulnerabilities to take control of a vulnerable iPhone, unlike the three iOS bugs that Apple patched in iOS 14.2 last month. In other words, the one Beer found is especially valuable because of how easily it can be used on its own.

“This entire exploit uses a single memory corruption vulnerability to compromise the flagship iPhone 11 Pro device. With this issue alone I was able to overcome all mitigations to remotely get native code execution and kernel memory read and write,” he writes.