iOS Wi-Fi exploit enables zero-click remote iPhone access without user knowledge
Discovered by Ian Beer, a security researcher on Google's Project Zero team, the exploit abuses a flaw in AWDL (Apple Wireless Direct Link), Apple's proprietary peer-to-peer Wi-Fi protocol, to gain remote access to a target iPhone's photos, emails and messages, monitor the device in real time, and more, with no interaction from the user.
As detailed in an exhaustive technical breakdown posted to the Project Zero blog on Tuesday, Beer first found the attack surface in a 2018 iOS beta that Apple accidentally shipped with the kernelcache's function-name symbols intact. Poking through the symbolized kernel code, he came across AWDL, the kernel-level networking stack that underpins AirDrop, Sidecar and other headline connectivity features.
From there, the researcher engineered an exploit and built an attack platform from a Raspberry Pi 4B and two off-the-shelf Wi-Fi adapters.
"AWDL is enabled by default, exposing a large and complex attack surface to everyone in radio proximity. With specialist equipment the radio range can be hundreds of meters or more," Beer explained in a tweet. Part of the exploit involves forcing AWDL on even if the target has it switched off, so disabling it is not a defense.
Beer says AWDL is a "neat" technology that enables "revolutionary" peer-to-peer connectivity features, but notes that "having such a large and privileged attack surface reachable by anyone means the security of that code is paramount, and unfortunately the quality of the AWDL code was at times fairly poor and seemingly untested." He offers the example of a drone flying over a protest to harvest data from the iPhones of unsuspecting protesters.
The exploit took Beer six months to develop, but once it worked he could compromise any iPhone in radio proximity, with no action on the part of the victim.
Apple fixed the underlying bug in iOS 13.3.1 (CVE-2020-3843) in January, well before iOS 13.5 shipped in May; anyone still running an older release remains exposed and should update. A company spokesperson said a majority of its users are running updated software. Beer has found no evidence that the technique was used in the wild.
Beer writes: "The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I'm fine.
Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they'd come into close contact with."
It is unclear whether Beer's work is eligible for Apple's Security Bounty program, but if it is, the researcher said he would donate the proceeds to charity.