iOS 9, OS X El Capitan close serious AirDrop vulnerability allowing malware infections
iOS 9 and the forthcoming OS X El Capitan address a vulnerability in Apple's AirDrop feature that could allow malware infections and the theft of sensitive data, according to a security researcher.

The technique bypasses Apple's security using a spoofed enterprise certificate, and can potentially be used against anyone within AirDrop range, Azimuth Security's Mark Dowd told Forbes. The attack forces the installation of a provisioning profile, and can alter iOS' Springboard to convince a device that the fake certificate is already trusted. This allows malware files to be copied to a directory for third-party apps -- a demonstration by Dowd further replaced Apple's native Phone app.
A hacker could use the technique even if the victim chooses to reject the AirDrop transfer. There's also no immediate evidence of harm, since a device has to be rebooted before an attack is complete.
Sandboxing should generally restrict the amount of damage any malware can do, but if coded with the right entitlements it could do things like fetch contacts and location information, or make use of a device's camera. More clever hackers could code an app able to exploit an unknown kernel vulnerability and assume full system control.
Neither iOS 9 nor El Capitan completely solves the vulnerability, Dowd said, but iOS 9 imposes an extra sandbox on AirDrop, preventing received files from being written to arbitrary folders. Dowd cautioned that the flaw may also be exploitable in apps outside of AirDrop, though he is not offering details until a patch is ready.
iOS 9 was released on Wednesday, but OS X will remain exposed until El Capitan ships on Sept. 30. In the meantime, the best defense is reportedly to disable AirDrop entirely.

Comments
Yeah, I agree. I love AirDrop's functionality, but it glitches far too often for it to be completely reliable with all my content. As a sidenote, it has been particularly weird for me today getting used to the San Francisco font again.
What about if you have it set to Contacts Only? Are you then vulnerable ONLY to attacks from Contacts (which I can tolerate) or is that enough to open you up to strangers too? Seems like a weird detail to omit from the story.
A security researcher who is holding back details until a patch is available.
Gunna have to remember this guy's name as one of the good ones.
Quote:
Neither iOS 9 nor El Capitan completely solve the vulnerability, Dowd said....
LOL...classic AppleInsider
-KeithP
The Forbes story says you're safe if you have AirDrop Off.
What about if you have it set to Contacts Only? Are you then vulnerable ONLY to attacks from Contacts (which I can tolerate) or is that enough to open you up to strangers too? Seems like a weird detail to omit from the story.
I think that (Contacts Only) will prevent you becoming a target, but don't quote me on that, not entirely sure. I don't have AirDrop on when I'm not near my Mac, so this isn't something I need to really get worried about.
that is a fucked up vulnerability
as opposed to a "quite nice" vulnerability?!