Google Project Zero researcher Ian Beer has published his research into an iOS vulnerability that allowed him to develop an exploit to remotely take control of iPhones over Wi-Fi. The flaw lies in Apple Wireless Direct Link (AWDL), the peer-to-peer Wi-Fi protocol that underpins AirDrop.
Beer reported the issue to Apple, and he said it was fixed before the launch of Apple’s “Privacy Preserving Contact Tracing” application programming interface (API), otherwise known as the Google-Apple Exposure Notification (GAEN) API.
Apple introduced the GAEN API with iOS 13.5, which was released on 20 May 2020.
Beer described his exploit as “a wormable radio-proximity exploit which allows me to gain complete control over any iPhone in my vicinity. View all the photos, read all the email, copy all the private messages and monitor everything which happens on there in real-time.”
“Wormable” means that you can use iPhones exploited with this attack to attack other iPhones. “Radio-proximity” means that you have to be within Wi-Fi range of the phone for the attack to work.
Beer noted that the attacker does not need to be on the same Wi-Fi network as the victim.
The exploit is also undetectable to the average user, as the iPhone remains usable throughout the attack.
Bonus bugs – remotely rebooting iPhones in Wi-Fi range
While researching the bug he discovered in AWDL, Beer inadvertently came across two other vulnerabilities which allowed him to remotely restart iPhones within Wi-Fi range.
A video showing this exploit in action is embedded below.
For his proof-of-concept attack using the vulnerabilities he had discovered, Beer used an iPhone 11 Pro running iOS 13.3.
The additional hardware used for the attack was built using a Raspberry Pi and off-the-shelf Wi-Fi adaptors.
Beer showed how he was able to enable AWDL on the iPhone through an attack on AirDrop using the device’s Bluetooth Low Energy interface.
He explained that the target device has 100 randomly-generated contacts and that the attacker must brute-force the hash of a contact, which is only two bytes long.
“Brute-force” means trying every possible value until the correct one is found. A two-byte hash has only 65,536 possible values, so trying all of them is an easy task even for relatively slow computers.
After performing the brute-force attack against AirDrop’s Bluetooth Low Energy interface and enabling AWDL on the iPhone, the attacker can finally try to exploit the vulnerability in AWDL itself.
For this, Beer used a technique called heap grooming.
Heap grooming is a technique used alongside a memory-corruption bug, in this case one that causes a program to write past the end of a block of memory it has been allocated. By shaping or “grooming” the layout of the surrounding memory, the attacker controls which data the overrun overwrites, and from there can ultimately run whatever program code they want on the victim’s iPhone.
In this case, it also lets the attacker gain access to all of the private data stored on the device.
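A simplified model of the memory-safety problem behind heap grooming, as an added illustration that is not code from Beer’s write-up, from Apple, or from the AWDL implementation. A toy bump allocator stands in for the real heap so that chunks sit back-to-back in allocation order; `ToyHeap`, `unchecked_copy`, `checked_copy`, and the “OKAY” and “PWND” values are all constructed for this example. It shows three things: an unchecked copy into an 8-byte chunk silently rewrites the chunk allocated after it, allocating a filler chunk in between (a layout the attacker did not groom) means the overrun hits the filler instead, and a length check stops the copy before any neighbour is touched.

```python
"""Toy model of a heap buffer overrun and why heap layout ("grooming") matters.

Added illustration only; the allocator and all values here are constructed.
"""
from typing import Tuple


class ToyHeap:
    """A bump allocator over one bytearray. Chunks are contiguous, in
    allocation order, with no guard bytes between them (constructed model)."""

    def __init__(self, size: int = 64) -> None:
        self.mem = bytearray(size)
        self.next = 0

    def alloc(self, size: int) -> int:
        """Return the offset of a fresh chunk of `size` bytes."""
        if self.next + size > len(self.mem):
            raise MemoryError("toy heap exhausted")
        off = self.next
        self.next += size
        return off

    def write(self, off: int, data: bytes) -> None:
        """Raw store into the heap backing (the model's 'physical' write)."""
        if off + len(data) > len(self.mem):
            raise MemoryError("write past end of toy heap")
        self.mem[off:off + len(data)] = data

    def read(self, off: int, size: int) -> bytes:
        return bytes(self.mem[off:off + size])


def unchecked_copy(heap: ToyHeap, dst: int, data: bytes) -> None:
    """Vulnerable pattern: copies len(data) bytes without regard for the
    size of the destination chunk (the memcpy-style bug class)."""
    heap.write(dst, data)


def checked_copy(heap: ToyHeap, dst: int, dst_size: int, data: bytes) -> None:
    """Hardened pattern: refuse any copy larger than the destination chunk."""
    if len(data) > dst_size:
        raise ValueError(
            f"refusing to copy {len(data)} bytes into a {dst_size}-byte chunk")
    heap.write(dst, data)


def run_overrun(checked: bool, filler_between: bool) -> Tuple[bytes, bool]:
    """Allocate an 8-byte buffer, optionally an 8-byte filler, then a 4-byte
    'victim' chunk holding a value the program trusts. Copy a 12-byte input
    into the buffer and report (victim contents, whether the copy was refused).
    """
    heap = ToyHeap()
    buf = heap.alloc(8)                     # the undersized destination
    if filler_between:
        filler = heap.alloc(8)              # un-groomed layout: a stranger sits next door
        heap.write(filler, b"ZZZZZZZZ")
    victim = heap.alloc(4)
    heap.write(victim, b"OKAY")             # constructed: data the program relies on
    oversized = b"A" * 8 + b"PWND"          # 12 bytes for an 8-byte chunk
    try:
        if checked:
            checked_copy(heap, buf, 8, oversized)
        else:
            unchecked_copy(heap, buf, oversized)
    except ValueError:
        return heap.read(victim, 4), True
    return heap.read(victim, 4), False


if __name__ == "__main__":
    print("groomed, unchecked   :", run_overrun(checked=False, filler_between=False))
    print("un-groomed, unchecked:", run_overrun(checked=False, filler_between=True))
    print("groomed, checked     :", run_overrun(checked=True, filler_between=False))
```

In the groomed, unchecked case the victim chunk comes back as `PWND`: the four surplus bytes landed exactly where the layout put the neighbour. With a filler chunk in between, the same overrun corrupts the filler and leaves the victim intact, which is why an attacker spends effort arranging allocations before triggering the bug, and why allocator hardening that makes adjacency unpredictable raises the cost. The length check removes the problem at the source regardless of layout.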
During the demonstration of his exploit, Beer shows how he was able to copy a newly captured photo from the iPhone to the laptop he was using to execute the attack.
The target iPhone remains usable throughout the attack. The implication: if you had been a victim of this kind of attack, you would never know.
Beer’s video of the attack in action is embedded below.