Earlier this year, Apple patched a severe security loophole in an iOS feature that could have allowed attackers to remotely gain complete control over any iPhone within Wi-Fi range. However, details about the flaw, which was fixed months ago, were sparse until now.
In a blog post of no fewer than 30,000 words, Google Project Zero researcher Ian Beer described how, over a six-month period, he created a radio-proximity exploit that would grant him total control over an iPhone in his vicinity. The exploit allowed him to access all the data stored on the device, including photos, emails, private messages, Keychain passwords, as well as monitor everything happening on the device in real time.
The vulnerability was wormable for good measure, hence any attacks exploiting it could have spread from device to device with no need for user interaction. Beer, however, added that there was no evidence to suggest that the vulnerability was ever exploited in the wild.
The flaw resides in the Apple Wireless Direct Link (AWDL) protocol, which is used for peer-to-peer network communications between iOS devices and powers features like AirDrop or SideCar. Beer described it as “a fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers.” He also went on to add that the whole exploit uses just a single memory corruption vulnerability, which he exploited to compromise a flagship iPhone 11 Pro device.
Beer also shared a video demonstrating the attack:
In a series of tweets, Beer also explained that the range and distance of the attacks could be extended using readily available equipment:
“AWDL is enabled by default, exposing a large and complex attack surface to everyone in radio proximity. With specialist equipment the radio range can be hundreds of meters or more. You don’t need a fancy setup though. This exploit just uses a Raspberry Pi and two off-the-shelf WiFi adaptors for a total cost under $100.” While AWDL is enabled by default, Beer also found a way to remotely enable it even if it was off, utilizing the same attack.
Beer reported the vulnerability to Apple a year ago, almost to the day. The flaw was fixed as CVE-2020-3843 in iOS 13.1.1/MacOS 10.15.3 in January of this year, said Beer. It’s safe to say that a vast majority of iOS users run one of the system’s newer versions, as also confirmed by Apple for The Verge. At any rate, if you haven’t done so far, do yourself a favor and apply the updates as soon as possible.
Apple also patched three actively exploited zero-day flaws last month, which were also, incidentally, reported by Google Project Zero researchers.