Earlier this year, Apple fixed one of the most breathtaking iPhone vulnerabilities of all time: a memory corruption bug in the iOS kernel that allowed attackers to take over the entire device remotely, over Wi-Fi, with no user interaction required. Oh, and the exploit was wormable, meaning that a compromised device within radio range could retransmit the exploit to other nearby devices, again without any user interaction.
This attack was developed by Ian Beer, a researcher at Project Zero, Google's vulnerability research arm. In a 30,000-word post published Tuesday afternoon, Beer described the vulnerability and the proof-of-concept exploit he developed single-handedly over six months. Other security researchers took notice almost immediately.
Beware of dodgy Wi-Fi packets
"This is fantastic work," said Chris Evans, a semi-retired security researcher and executive and founder of Project Zero, in an interview. "It's really pretty serious. The fact that you don't actually have to interact with your phone for this to apply to you is really scary. This attack is just that you go along, the phone is in your pocket, and someone comes in over Wi-Fi with some seedy Wi-Fi packets."
Beer's attack worked by exploiting a buffer overflow bug in the driver for AWDL, an Apple proprietary mesh networking protocol that allows features like AirDrop to work. Since the driver runs in the kernel, one of the most privileged parts of the operating system, bugs in AWDL had the potential for serious compromise. And because AWDL parses Wi-Fi packets, the exploit can be delivered wirelessly without any indication to the user that something is wrong.
"Imagine the sense of power an attacker with such an ability must feel," wrote Beer. "As we all put more and more souls into these devices, an attacker can obtain a treasure trove of information about an unsuspecting target."
Beer developed several exploits. The most advanced one installs an implant that has full access to the user's personal data, including emails, photos, messages, passwords, and the cryptographic keys stored in the keychain. The attack uses a laptop, a Raspberry Pi and some commercially available Wi-Fi adapters. It takes about two minutes to install the prototype implant, but Beer said that with more work, a better-written exploit could deliver it in "seconds." The exploits only work on devices that are within Wi-Fi range of the attacker.
Below is a video of the exploit in action. The victim's iPhone 11 Pro is in a room separated from the attacker by a closed door.
AWDL Implant Demo
According to Beer, Apple fixed the vulnerability in iOS 13.5 in May, prior to the launch of the COVID-19 contact-tracing interfaces. The researcher said he had no evidence that the vulnerability was ever exploited in the wild, although he noted that at least one exploit vendor was aware of the critical flaw in May, seven months before today's publication. Apple's own figures show that the vast majority of iPhones and iPads are updated regularly.
What is both beautiful and impressive about the hack is that it relies on a single flaw to wirelessly access secrets hidden in what is arguably the toughest and most secure consumer device in the world. If a single person could do all of this in six months, just think about what a better-equipped hacking team could do.