iOS Wi-Fi exploit enables zero-click remote iPhone access without user knowledge

Posted:
in iOS edited December 2020
A newly discovered -- and already patched -- iOS vulnerability allowed hackers to access and gain control over nearby iPhones using a proprietary Apple wireless mesh networking protocol called AWDL.

AWDL


Discovered by security researcher Ian Beer, a member of Google's Project Zero team, the AWDL scheme enabled remote access to photos, emails, messages, real-time device monitoring, and more.

As detailed in an exhaustive technical breakdown posted to the Project Zero blog on Tuesday, Beer uncovered the mechanism behind the exploit in a 2018 iOS beta that accidentally shipped with intact function name symbols tied to the kernel cache. After poking around in Apple's code, he uncovered AWDL, a cornerstone technology that powers AirDrop, Sidecar, and other tentpole connectivity features.

From there, the researcher engineered an exploit and crafted an attack platform consisting of a Raspberry Pi 4B and two Wi-Fi adapters.

"AWDL is enabled by default, exposing a large and complex attack surface to everyone in radio proximity. With specialist equipment the radio range can be hundreds of meters or more," Beer explained in a tweet. Part of exploit involves forcing AWDL to activate if it was switched off.

Beer says AWDL is a "neat" technology that makes way for "revolutionary" peer-to-peer connectivity solutions, but notes that "having such a large and privileged attack surface reachable by anyone means the security of that code is paramount, and unfortunately the quality of the AWDL code was at times fairly poor and seemingly untested." He offers the example of a drone flying over a protest to collect information from unsuspecting iPhone users.





The process took six months to develop, but when Beer was done, he could hack any iPhone in radio proximity.

The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I'm fine.

Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they'd come into close contact with."

Apple patched the vulnerability in May with iOS 13.5 and a spokesperson for the company said a majority of its users are using updated software. Beer has found no evidence that the technique was used in the wild.

It is unclear if Beer's work is eligible for Apple's Bug Bounty program, but if it is, the developer said he would donate the proceeds to charity.
«1

Comments

  • Reply 1 of 28
    netroxnetrox Posts: 1,082member
    Lame crackers having nothing else to do.

    But thanks. 
    williamlondon
  • Reply 2 of 28
    lkrupplkrupp Posts: 9,554member
    Hopefully he was paid a crap-ton of money.
    seanjMplsPchadbagapplguycornchipIreneWwatto_cobrajony0
  • Reply 3 of 28
    jrcjrc Posts: 817member
    This is why I would like a physical on/off button that cuts all power from battery to any/everything. If I choose to use it, and let the implications of cutting off all services... so be it. 

    Nov 98 - earliest AI Forum registration.
    edited December 2020 watto_cobra
  • Reply 4 of 28
    MplsPMplsP Posts: 3,357member
    Kind of a scary exploit. Thankfully it's patched so unless you have an old phone that can't run iOS 13 or you haven't bothered to update your phone in the last 6 months you should be fine.
    netrox said:
    Lame crackers having nothing else to do.

    But thanks. 
    Not sure how finding a security hole that allows virtually complete access to a device is lame. We need more people like this. Every hole that is found makes security better for everyone, both on iOS and Android, and that's a good thing.

    jrc said:
    This is why I would like a physical on/off button that cuts all power from battery to any/everything. If I choose to use it, and let the implications of cutting off all services... so be it. 

    Nov 98 - earliest AI Forum registration.
    How would that help? you would need to have your phone turned on at some point and then it would be vulnerable. Not to mention you would need to go though the hassle of powering it up and down every time you took it out. If you're that paranoid, a better approach is to put it in a faraday cage when you're not using it.
    edited December 2020 chadbagPetrolDaveequality72521BombdoeStrangeDaysCloudTalkinwatto_cobrarazorpitjony0
  • Reply 5 of 28
    netrox said:
    Lame crackers having nothing else to do.

    But thanks. 
    I don't think it is lame. It is amazing he was able to do something like this.

    It was patched by Apple, but what he did will ensure that Apple is more careful with this stuff in the future. Apple probably appreciated his efforts.
    mr. hPetrolDavetokyojimuwilliamlondonwatto_cobra
  • Reply 6 of 28
    Rayz2016Rayz2016 Posts: 6,957member
    netrox said:
    Lame crackers having nothing else to do.

    But thanks. 
    Really? Did you read the article. It’s his actual job. 

    He worked on this for six months and came up with an exploit that he shared with Apple instead of going public. He then said that he’ll donate the bounty to charity. 

    In what way is he ‘lame’?

    Apple, meanwhile, left a large poorly-implemented, untested attack surface in millions of phones. Any lameness here belongs with Apple. 
    edited December 2020 mr. hPetrolDaveequality72521tenthousandthingsuraharamike1scartartMplsPtokyojimuwilliamlondon
  • Reply 7 of 28
    I think in some cases (or even many) such vulnerabilities are deliberately implemented to satisfy (secret) NSA requirements.  I don’t believe major global mega-corporations like Apple are that incompetent to miss such alarming total vulnerabilities as frequently as they do.  This one is right up there.

    I think what happens is they remain in the wild until discovered, and then they patch and replace them with other similar exploits, and sit back and wait for them to be discovered too.  They likely have prepared a bunch of NSA-demanded back doors that they can roll out quickly.

    I don’t think it explains all cases however because sometimes Apple are really slow to patch exploits and even let them remain in the wild despite being given adequate notice by security researchers.  Or perhaps that is even further evidence.

    I’m very suspicious at how lax these software can be at times.  The post is right.  If a single person can do it in his spare time in 6 months, imagine what a team of state-sponsored hackers working full-time can accomplish?
    cornchipwatto_cobra
  • Reply 8 of 28
    This article was posted hours ago and not a single post from those who would go hell and back to defend Apple’s “impenetrable” security.

    Giving all my thanks to this guy and Google’s team for improving our security.
    williamlondonlkruppsedicivalvole
  • Reply 9 of 28
    ivanhivanh Posts: 597member
    that’s why “proprietary” is so dangerous.
  • Reply 10 of 28
    s.metcalf said:
    I think in some cases (or even many) such vulnerabilities are deliberately implemented to satisfy (secret) NSA requirements.  I don’t believe major global mega-corporations like Apple are that incompetent to miss such alarming total vulnerabilities as frequently as they do.  This one is right up there.

    I think what happens is they remain in the wild until discovered, and then they patch and replace them with other similar exploits, and sit back and wait for them to be discovered too.  They likely have prepared a bunch of NSA-demanded back doors that they can roll out quickly.

    I don’t think it explains all cases however because sometimes Apple are really slow to patch exploits and even let them remain in the wild despite being given adequate notice by security researchers.  Or perhaps that is even further evidence.

    I’m very suspicious at how lax these software can be at times.  The post is right.  If a single person can do it in his spare time in 6 months, imagine what a team of state-sponsored hackers working full-time can accomplish?
    Why explain with conspiracy theory as the first go-to option when pure human error/carelessness via Occam’s Razor is common in real code all over the world, regardless of what their experience is?

    The safest (and only guaranteed) way to never create problematic code is never write any code at all. Any developer claiming they’ve never created a bug in code is one that’s not to be trusted for one of many reasons.
    BeatsbeowulfschmidtMplsPStrangeDayswatto_cobrafastasleepjony0
  • Reply 11 of 28
    BeatsBeats Posts: 2,561member
    s.metcalf said:
    I think in some cases (or even many) such vulnerabilities are deliberately implemented to satisfy (secret) NSA requirements.  I don’t believe major global mega-corporations like Apple are that incompetent to miss such alarming total vulnerabilities as frequently as they do.  This one is right up there.

    I think what happens is they remain in the wild until discovered, and then they patch and replace them with other similar exploits, and sit back and wait for them to be discovered too.  They likely have prepared a bunch of NSA-demanded back doors that they can roll out quickly.

    I don’t think it explains all cases however because sometimes Apple are really slow to patch exploits and even let them remain in the wild despite being given adequate notice by security researchers.  Or perhaps that is even further evidence.

    I’m very suspicious at how lax these software can be at times.  The post is right.  If a single person can do it in his spare time in 6 months, imagine what a team of state-sponsored hackers working full-time can accomplish?
    Why explain with conspiracy theory as the first go-to option when pure human error/carelessness via Occam’s Razor is common in real code all over the world, regardless of what their experience is?

    The safest (and only guaranteed) way to never create problematic code is never write any code at all. Any developer claiming they’ve never created a bug in code is one that’s not to be trusted for one of many reasons.

    It's always like that. He acts like iOS is a simple Pong program. This exploit took 6 months so obviously it's very advanced.

    Love that Google is working on Apple security instead of fixing their crappy knockoffs though.
    anonconformistcornchipStrangeDaystokyojimuwatto_cobrajony0
  • Reply 12 of 28
    Nifty, but does rely on the phone being “awake” and time for a hash collision to be made - so the idea of a drone flying over users in the crowd scooping up data is not a realistic scenario. 
    macpluspluscornchipwatto_cobrajony0
  • Reply 13 of 28
    JFC_PAJFC_PA Posts: 641member
    Validating why my WiFi is disabled before I leave home. 
  • Reply 14 of 28
    JFC_PA said:
    Validating why my WiFi is disabled before I leave home. 
    Yeah, you are taking good care of your hot home videos being safe. 
    cornchipwatto_cobrarazorpit
  • Reply 15 of 28
    XedXed Posts: 1,068member
    Nifty, but does rely on the phone being “awake” and time for a hash collision to be made - so the idea of a drone flying over users in the crowd scooping up data is not a realistic scenario. 
    The screen has to be awake for this to work? It looked like he used BT via AirDrop which is active regardless of whether the screen is active. 
    watto_cobra
  • Reply 16 of 28
    flydogflydog Posts: 1,015member
    jrc said:
    This is why I would like a physical on/off button that cuts all power from battery to any/everything. If I choose to use it, and let the implications of cutting off all services... so be it. 

    Nov 98 - earliest AI Forum registration.
    Why would anyone want to see your photos, videos, or emails?  Unless your phone contains the formula to cure cancer or the location of Hoffa's body, no one could care less. 
    watto_cobrajony0
  • Reply 17 of 28
    avon b7avon b7 Posts: 5,934member
    flydog said:
    jrc said:
    This is why I would like a physical on/off button that cuts all power from battery to any/everything. If I choose to use it, and let the implications of cutting off all services... so be it. 

    Nov 98 - earliest AI Forum registration.
    Why would anyone want to see your photos, videos, or emails?  Unless your phone contains the formula to cure cancer or the location of Hoffa's body, no one could care less. 
    It doesn't matter. Even if you had no fruity or sensitive information on your device, the mere thought of having it scooped up would get you riled, but imagine if whoever did it, brought your attention to the fact and tried to get you to pay for it if you wanted it deleted. Some gullible people will even pay up. 

    That's without even taking into account all the data mining that could be applied to a data trawling effort of this kind. 
  • Reply 18 of 28
    StrangeDaysStrangeDays Posts: 11,689member
    jrc said:
    This is why I would like a physical on/off button that cuts all power from battery to any/everything. If I choose to use it, and let the implications of cutting off all services... so be it. 

    Nov 98 - earliest AI Forum registration.
    Airplane mode already exists. Flip it on/off as desired.
    tokyojimuwatto_cobraRayz2016jony0
  • Reply 19 of 28
    StrangeDaysStrangeDays Posts: 11,689member

    Sarkany said:
    This article was posted hours ago and not a single post from those who would go hell and back to defend Apple’s “impenetrable” security.

    Giving all my thanks to this guy and Google’s team for improving our security.
    Can you specify who those people may be? As a software dev and frequent AI visitor, I've never seen anyone claim any system is impenetrable. Never seen that said, ever. In fact just the opposite is said -- no system is hack-proof. Apple even has events and bounty programs for this purpose. Now, people often say iOS has better security than competing platforms like Android, but you seem to be conflating these two statements. 

    Anyway, it isn't clear to me from the article wither this was patched after the exploit was proven, or before.
    williamlondonwatto_cobraRayz2016jony0
  • Reply 20 of 28
    StrangeDaysStrangeDays Posts: 11,689member
    JFC_PA said:
    Validating why my WiFi is disabled before I leave home. 
    Do you tape the camera & microphone on your phone? If not, why not -- you're leaving an attack vector open, right?
    ivanh said:
    that’s why “proprietary” is so dangerous.
    Then can you explain further why "open" Android has had more exploits and vulnerabilities over the years than the closed iOS?
    edited December 2020 watto_cobrarazorpitRayz2016
Sign In or Register to comment.