Earlier this year, Apple fixed one of the most breathtaking iPhone vulnerabilities ever: a memory-corruption bug in the iOS kernel that allowed attackers to gain remote access to the entire device over Wi-Fi, without the user having to do anything. Oh, and the exploit was wormable, meaning an exploit within radio range could spread from one nearby device to another, again without user intervention.
The Wi-Fi-packet-of-death exploit was created by Ian Beer, a researcher at Project Zero, Google's vulnerability research arm. In a 30,000-word post published Tuesday afternoon, Beer described the vulnerability and the proof-of-concept exploit he developed single-handedly over six months. Almost immediately, fellow security researchers took notice.
Beware of malicious Wi-Fi packets
“This is a fantastic piece of work,” Chris Evans, a semi-retired security researcher and manager and the founder of Project Zero, said in an interview. “It's really pretty serious. The fact that you don't really need to interact with your phone for this to be pulled off on you is really scary. In this attack you just walk by, the phone is in your pocket, and via Wi-Fi someone just comes in with a few malicious Wi-Fi packets.”
Beer's attack worked by using a buffer overflow bug in a driver for AWDL, Apple's proprietary mesh networking protocol that makes features like AirDrop work. Since drivers reside in the kernel, one of the most privileged parts of any operating system, the AWDL flaw had the potential for serious hacks. And because AWDL parses Wi-Fi packets, exploits can be delivered over the air without the target doing anything wrong.
“Imagine the sense of power an attacker with such ability must feel,” Beer wrote. “As we all put more and more of our soul into these devices, an attacker can gather a wealth of information about an unsuspecting target.”
Beer developed several exploits. The most advanced installs an implant that has full access to the user's personal data, including emails, photos, messages, and the passwords and cryptographic keys stored in the keychain. It takes about two minutes to install the prototype implant, but Beer said that with more work, a better-written exploit could deliver it in “a handful of seconds.”
Below is a video of the exploit in action. The victim’s iPhone 11 Pro is in a room separated from the attacker by a locked door.
Beer said Apple fixed the vulnerability before the COVID-19 contact-tracing interfaces launched in iOS 13.5 in May. The researcher said he has no evidence that the vulnerability was ever exploited in the wild, although he noted that at least one operator knew about the critical bug in May, seven months before today's disclosure.
The beautiful and impressive thing about the hack is that it relies on a single bug to wirelessly access secrets locked inside what is arguably the world's most hardened and secure consumer device. If one person could do all of this in six months, think about what a hacking team with better resources could do.