Google Project Zero security researcher Ian Beer has developed an exploit showing how an attacker can take complete control over nearby iPhone devices without any user interaction.
The zero-click exploit takes advantage of a now patched memory corruption issue in iOS and gives attackers a way to cause any iOS device that is in radio proximity to the attacker to reboot. An adversary can use the exploit to view photos, read email, copy private messages, drop malware, and monitor everything that happens on a victim iOS device in real time, Beer said in a technical paper this week.
According to Beer, the vulnerability his exploit takes advantage of lies in Apple Wireless Device Link (AWDL), a peer-to-peer wireless connectivity protocol that iOS devices use to communicate with each other.
Beer discovered the vulnerability (CVE-2020-3843) in November 2019 and reported it to Apple, which addressed the issue with its release of iOS 13.3.1. At the time, Apple described the issue as enabling an adversary to shut off or reboot systems or to corrupt kernel memory. Apple addressed the bug via a fix that implemented improved input validation. The vulnerability is wormable — meaning a device that has been exploited can then be used to exploit other vulnerable devices.
Beer's latest exploit shows how attackers can exploit the memory corruption issue to inject a malicious payload into kernel memory in a staged fashion and run it as root to take control of a vulnerable device.
"With just this one issue, I was able to defeat all the mitigations in order to remotely gain native code execution and kernel memory read and write," he said. For the exploit to work, Beer assumed that a victim device would have at least one App Store app installed
In his paper, Beer described AWDL as enabled by default and "exposing a large and complex attack surface to everyone in radio proximity." An attacker with specialist equipment could extend the range from which an attack could be carried out to hundreds of meters or more, he said. For instance, to demonstrate his exploit on an iPhone 11 Pro device, Beer used just one Raspberry Pi and two off-the-shelf Wi-Fi adaptors that in total cost less than $100.
Beer explained how, even if AWDL was disabled on a user's iOS device, an attacker could enable it using what are known as Bluetooth low energy (BLE) advertisements. These are signals that an iOS device sends out to other nearby iOS devices when it wants to share a file via AirDrop, for instance.
To demonstrate his exploit, Beer showed how an attacker could forcibly activate the AWDL interface, exploit the buffer overflow vulnerability, gain access to a nearby iPhone 11 Pro with YouTube installed on it, and then steal a photo from it. The whole process took around two minutes, but with enough engineering, the payload could be implanted on a vulnerable device in a "handful of seconds," Beer said.
"The attack leverages a flaw in Apple's proprietary radio protocol used to connect iPhones directly to other iPhones or Apple products for services such as AirDrop," says Eugene Kolodenker, senior security researcher at Lookout's apps research team. "Even if AirDrop is not enabled, this attack is able to bypass this restriction and force AirDrop to be enabled momentarily to deliver the exploit."
Though attackers require close proximity to a victim to execute the exploit, it does give them an avenue to steal data from a target device without any user interaction, he says.
Brandon Hoffman, chief information security officer at Netenrich, describes Beer's work as significant because it shows how an attacker could completely bypass all of Apple's iOS security measures. At the same time, the proximity an attacker would require to a target device is a mitigating factor, he says.
"Certainly the reboot mechanism can be triggered by using higher powered antennae," he says. "However, in order to steal the data, the phone would have to transmit back. Therein lies the limitation."