Earlier this year, Apple fixed one of the most stunning iPhone vulnerabilities ever: a memory corruption bug in the iOS kernel that gave attackers remote access to the entire device, over Wi-Fi, with no user interaction required at all. Oh, and the exploits were wormable, meaning radio-proximity exploits could spread from one nearby device to another, again with no user interaction needed.
This Wi-Fi packet of death was devised by Ian Beer, a researcher at Project Zero, Google’s vulnerability research arm. In a 30,000-word post published Tuesday afternoon, Beer described the vulnerability and a proof-of-concept exploit that he spent six months developing single-handedly. Fellow security researchers took notice almost immediately.
Beware of malicious Wi-Fi packets
“It’s a fantastic piece of work,” said Chris Evans, a semi-retired security researcher and executive, and the founder of Project Zero. “It really is pretty serious. The fact that you don’t really have to interact with your phone for this to be set off on you is really quite scary. The only attack is that you walk by, you have your phone in your pocket, and someone just worms some nasty Wi-Fi packets over the air.”
Beer’s attack worked by exploiting a buffer overflow in the driver for AWDL, Apple’s proprietary mesh networking protocol that makes things like AirDrop work. Because drivers reside in the kernel, one of the most privileged parts of any operating system, the AWDL flaw had the potential for serious hacks. And because AWDL parses Wi-Fi packets, exploits can be transmitted over the air with no indication that anything is amiss.
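The passage above describes the general shape of the flaw: a kernel driver that parses attacker-supplied packets and trusts a length field it should have checked. The following is an added, constructed illustration of that bug class and its fix, written for this page; it is not Apple’s code, not the real AWDL frame format, and not the actual bug Beer found. It assumes a simple hypothetical type/length/value record layout and shows the unchecked copy beside the bounds-checked parser that rejects a frame whose length field is larger than either the destination buffer or the bytes remaining in the frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed TLV (type, length, value) layout, assumed for this example only.
   It is not the real AWDL wire format. */
#define MAX_VALUE_LEN 32

struct record {
    uint8_t type;
    uint8_t len;
    uint8_t value[MAX_VALUE_LEN];
};

/* Vulnerable pattern: the attacker-controlled length byte is used as the copy
   size without being compared to the destination capacity or to the number of
   bytes left in the frame. Shown for contrast only. */
int parse_tlv_unchecked(const uint8_t *buf, size_t buflen, struct record *out)
{
    size_t off = 0;
    int n = 0;
    while (off + 2 <= buflen) {
        out[n].type = buf[off];
        out[n].len  = buf[off + 1];
        /* BUG: len may exceed MAX_VALUE_LEN (write overrun of value[]) or the
           remaining frame bytes (over-read past the packet). */
        memcpy(out[n].value, buf + off + 2, out[n].len);
        off += 2 + out[n].len;
        n++;
    }
    return n;
}

/* Hardened version: every length is validated against both the destination
   capacity and the bytes remaining in the frame before anything is copied,
   and the record array itself is bounded. Returns the record count, or -1 if
   the frame is malformed. */
int parse_tlv_checked(const uint8_t *buf, size_t buflen,
                      struct record *out, size_t max_records)
{
    size_t off = 0;
    size_t n = 0;
    while (off + 2 <= buflen) {
        if (n >= max_records)
            return -1;                 /* more records than we can hold */
        uint8_t type = buf[off];
        uint8_t len  = buf[off + 1];
        if (len > MAX_VALUE_LEN)
            return -1;                 /* would overrun value[] */
        if (len > buflen - off - 2)
            return -1;                 /* would read past the end of the frame */
        out[n].type = type;
        out[n].len  = len;
        memcpy(out[n].value, buf + off + 2, len);
        off += 2 + len;
        n++;
    }
    if (off != buflen)
        return -1;                     /* trailing partial header */
    return (int)n;
}

/* Constructed sample frames: one well-formed, one whose length byte claims
   255 bytes of value while only three follow. */
static const uint8_t good_frame[] = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x01, 'z' };
static const uint8_t bad_frame[]  = { 0x01, 0xff, 'a', 'b', 'c' };

int records_in_good_frame(void)
{
    struct record r[4];
    return parse_tlv_checked(good_frame, sizeof good_frame, r, 4);
}

int records_in_bad_frame(void)
{
    struct record r[4];
    return parse_tlv_checked(bad_frame, sizeof bad_frame, r, 4);
}

int main(void)
{
    printf("good frame: %d records\n", records_in_good_frame());  /* 2 */
    printf("bad frame:  %d (rejected)\n", records_in_bad_frame()); /* -1 */
    return 0;
}
```

The checked parser never calls the unchecked one on the malformed frame; the point of the contrast is that the only difference between the two is the pair of comparisons before the memcpy, which is exactly the kind of missing check that turns a packet parser running in the kernel into a remote memory-corruption primitive.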
“Imagine the sense of power an attacker with such a capability must feel,” Beer wrote. “As we all pour more and more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target.”
Beer developed several different exploits. The most advanced one installs an implant that has full access to the user’s personal data, including emails, photos, messages, and passwords and crypto keys stored in the keychain. The prototype implant takes about two minutes to install, but Beer said that with more work, a better-written exploit could deliver it in a “handful of seconds.”
Below is a video of the exploit in action. The victim’s iPhone 11 is in a room that is separated from the attacker by a closed door.
Beer said Apple fixed the vulnerability before the launch of the COVID-19 contact-tracing interfaces that were introduced in iOS 13.5 in May. The researcher said he has no evidence that the vulnerability was ever exploited in the wild, although he noted that at least one exploit vendor was aware of the critical flaw in May, seven months before today’s disclosure.
The beauty and impact of the hack is that it relies on a single bug to wirelessly access secrets locked inside what is probably the most hardened and secure consumer device in the world. If one person could do this in six months, imagine what a better-resourced team of hackers could do.