A massive Apple security flaw allowed an attacker to take full remote control of iPhones within WiFi range. They could download all the data from the phone and even activate the iPhone’s cameras and microphones to provide real-time spying capabilities.
The vulnerability wasn’t just a theoretical risk – a leading Google security researcher was able to demonstrate the capabilities by taking full remote control of an iPhone in another room …
The astonishing exploit was demonstrated by Google Project Zero security researcher Ian Beer. The project is designed to identify vulnerabilities and notify companies before the bad guys can discover and exploit them. Chris Evans, founder of Project Zero, told Ars Technica:
“What is scary about this is that it works without any user interaction and leaves no clue that your privacy was violated. This attack is just that you are walking around, the phone is in your pocket and via Wi-Fi someone is just breaking in with some dodgy Wi-Fi packets.”
There is some good news in the mix. Beer said he hasn’t found any evidence that it was exploited in the wild by hackers and of course gave Apple time to fix the issues before sharing the details. But it’s still amazing that such a huge security hole ever existed.
How could a vulnerability allow such extensive control of an iPhone without physical access to it and without user interaction? Because the flaw was in a network protocol called Apple Wireless Direct Link (AWDL). And AWDL can do a lot of things, including sending any photos or files stored on an iPhone.
AWDL is an Apple proprietary mesh network protocol designed to allow Apple devices such as iPhones, iPads, Macs, and Apple Watches to form ad-hoc peer-to-peer mesh networks. Chances are, if you own an Apple device, you are creating or connecting to these transient mesh networks multiple times a day without even realizing it.
If you’ve ever used AirDrop, streamed music to your HomePod or Apple TV via AirPlay, or used your iPad as a secondary display with Sidecar, then you’ve been using AWDL. And even if you haven’t been using those features, if those close to you have, it’s very possible that your device joined the AWDL mesh network they were using anyway.
Beer’s blog post explaining how the vulnerability arose, and how he was able to discover and exploit it, is extensive and technical. The story began in 2018.
One of Apple’s security measures is to remove the function name symbols from iOS, so there are no clues as to what they do. But in 2018, Apple shipped a beta version of iOS without doing so. Having the names provides all kinds of clues, and Beer said one feature in particular caught his eye.
The name of the function:
IO80211AWDLPeer::parseAwdlSyncTreeTLV
“At this point, I had no idea what AWDL was. But I knew that TLVs (type, length, value) are often used to structure data, and parsing a TLV could mean that it comes from an untrusted place. And the 80211 is an indication that it probably has something to do with WiFi.”
Once he googled AWDL and found out what it was, he knew what his line of attack would be. Eventually he was able to generate fake AWDL data that would make any iPhone within WiFi range respond.
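The security-relevant point in Beer’s observation is that a TLV length field arrives from an untrusted peer, so a parser must check it against both the remaining input and the destination buffer before copying. The following C example is added here to illustrate that check; it is not Beer’s code, not Apple’s AWDL parser, and the 1-byte-type / 2-byte-length layout, the function names and the sample frames are all constructed assumptions rather than the real AWDL wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative TLV layout (an assumption, not the real AWDL encoding):
 *   byte 0      : type
 *   bytes 1..2  : value length, big-endian
 *   bytes 3..   : value
 */
#define TLV_HDR_LEN 3

typedef struct {
    uint8_t type;
    uint16_t len;
    const uint8_t *value; /* points into the caller's buffer, nothing is copied here */
} tlv_t;

/* Parse the TLV starting at *off. Returns 1 and advances *off on success,
 * 0 if the header or the declared value would run past buf_len. The length
 * field comes from the network, so it is validated before it is trusted. */
static int tlv_next(const uint8_t *buf, size_t buf_len, size_t *off, tlv_t *out)
{
    if (*off > buf_len || buf_len - *off < TLV_HDR_LEN)
        return 0;
    uint16_t len = (uint16_t)((buf[*off + 1] << 8) | buf[*off + 2]);
    if (buf_len - *off - TLV_HDR_LEN < len)   /* declared length exceeds remaining input */
        return 0;
    out->type = buf[*off];
    out->len = len;
    out->value = buf + *off + TLV_HDR_LEN;
    *off += TLV_HDR_LEN + len;
    return 1;
}

/* Copy the value of the first TLV with type `want` into dst.
 * Returns the copied length, -1 if absent, -2 if the frame is malformed,
 * -3 if the value would not fit in dst. The -3 check is the one a
 * "trust the length field" parser lacks: without it memcpy writes past dst. */
int tlv_find_copy(const uint8_t *buf, size_t buf_len, uint8_t want,
                  uint8_t *dst, size_t dst_cap)
{
    size_t off = 0;
    tlv_t t;
    while (off < buf_len) {
        if (!tlv_next(buf, buf_len, &off, &t))
            return -2;
        if (t.type != want)
            continue;
        if (t.len > dst_cap)
            return -3;
        memcpy(dst, t.value, t.len);
        return (int)t.len;
    }
    return -1;
}

/* Constructed sample frames (not captured traffic). */
int demo_well_formed(void)
{
    const uint8_t frame[] = { 0x01, 0x00, 0x03, 'a', 'b', 'c',
                              0x02, 0x00, 0x02, 'x', 'y' };
    uint8_t dst[16] = {0};
    int n = tlv_find_copy(frame, sizeof frame, 0x02, dst, sizeof dst);
    return (n == 2 && memcmp(dst, "xy", 2) == 0) ? n : -99;
}

int demo_truncated(void)
{
    /* Declares 10 value bytes but only 3 follow the header. */
    const uint8_t frame[] = { 0x01, 0x00, 0x0a, 'a', 'b', 'c' };
    uint8_t dst[16];
    return tlv_find_copy(frame, sizeof frame, 0x01, dst, sizeof dst);
}

int demo_oversized(void)
{
    /* Consistent on the wire, but the 100-byte value exceeds the 16-byte destination. */
    uint8_t frame[TLV_HDR_LEN + 100];
    frame[0] = 0x03; frame[1] = 0x00; frame[2] = 100;
    memset(frame + TLV_HDR_LEN, 'A', 100);
    uint8_t dst[16];
    return tlv_find_copy(frame, sizeof frame, 0x03, dst, sizeof dst);
}

int main(void)
{
    printf("well-formed: %d, truncated: %d, oversized: %d\n",
           demo_well_formed(), demo_truncated(), demo_oversized());
    return 0;
}
```

The two failure paths are deliberately distinct: a truncated frame is rejected when the declared length outruns the input, and a frame that is internally consistent but larger than the receiving buffer is rejected before the copy. A parser that checks only the first condition, or neither, is the shape of bug that turns a single malformed frame into memory corruption.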
The work that this required was in itself quite amazing. In total, it took him six months to overcome each of the barriers he encountered along the way. However, in the end, he was able to successfully prove it by taking over an iPhone 11 Pro in the next room. You can see the video demo below, which uses a Raspberry Pi and some common WiFi adapters, controlled by a MacBook Air.
“This demo shows the attacker successfully exploiting a victim’s iPhone 11 Pro device located in a different room through a closed door. The victim is using the YouTube application. The attacker forces the AWDL interface to activate and then successfully exploits the AWDL buffer overflow to gain access to the device and run an implant as root. The implant has full access to the user’s personal data, including emails, photos, messages, keychain, etc. The attacker proves this by stealing the most recently taken photo. Implant delivery takes around two minutes, but with increased investment in engineering there is no reason why this prototype cannot be optimized to deliver the implant in a few seconds.”
Beer was the same researcher who previously detailed ‘one of the biggest attacks against iPhone users’ in the form of hacked websites that distributed iOS malware. In 2018, he accused Apple of doing a poor job of fixing the many vulnerabilities he had reported to the company, but the iPhone maker fixed this one, unsurprisingly, sometime before iOS 13.5.