Researcher Ian Beer from Google Project Zero took 6 months to figure out the radio-proximity exploit of a memory corruption bug that was patched in May.
Details tied to a stunning iPhone vulnerability were disclosed by noted Google Project Zero researcher Ian Beer. Apple patched the vulnerability earlier this year.
Few details, until now, were known about the bug that could have allowed a threat player to completely take over any iPhone within the near vicinity. The hack could have been performed over the air without even interacting with the victim’s device.
Beer said he spent 6 months working out the “wormable radio-proximity exploit” during a time when quarantines due to the COVID-19 virus were in effect & he was “locked down in the corner” of his bedroom. On Tues. he published a blog post explaining his discovery & the hack.
Specifically, he was able to remotely trigger an unauthenticated kernel memory corruption vulnerability that causes all iOS devices in radio-proximity to reboot, with no user interaction.
This issue existed because of a protocol in contemporary iPhone, iPad, Macs & Apple Watches called Apple Wireless Direct Link (AWDL), Beer explained in his post. The protocol creates mesh networks for features such as AirDrop & Sidecar so these devices can connect & serve their appointed function–such as beam photos & files to other iOS devices, in the case of AirDrop.
“Chances are that if you own an Apple device you’re creating or connecting to these transient mesh networks multiple times a day without even realising it,” Beer noted in his post.
Until then, however, the bug could have allowed someone to “view all the photos, read all the email, copy all the private messages & monitor everything which happens on an iPhone in real-time” without clicking on anything, Beer observed. The hack would only work with devices within WiFi range, he commented.
Beer detailed 3 different exploits—the most advanced of which that ultimately performed all of these functions – using a Raspberry Pi & WiFi adapters that he purchased off the shelf.
Installing a prototype implant that can fully access the device took Beer all of 2 minutes, but he suggested he could have likely pulled it off in a “handful of seconds” with a better exploit.
The researcher admitted that he never saw an evidence of the vulnerability being exploited in the world. Moreover, since it took him 6 months to explain the hack, it is likely it existed unnoticed by threat players.
However, just because it was not exploited & is fixed now, does not trivialise its existence, Beer observed.
“One person working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with,” he explained in his post.
“Imagine the sense of power an attacker with such a capability must feel. As we all pour more & more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target.”
Beer also noted the range of such attacks also could easily have been boosted using directional antennas, higher transmission powers & sensitive receivers.
Researchers from Google Project Zero have traditionally been adept at finding flaws in Apple products, but lately they have been particularly active in pointing out issues that exist in their key rival’s devices.
Prior to Beer’s latest disclosure, Project Zero researchers identified 3 zero-day vulnerabilities in only the last month that affected iOS & iPad, all of which Apple has now patched.