Serious Apple iOS Exploit Enabled Nearby Device Takeover'Zero-Click Exploit' Hacked 'Any Device in Radio Proximity' via Wi-Fi
Until May, all Apple iOS devices were vulnerable to a "zero-click exploit" that would have allowed hackers to remotely gain complete control.
Using the exploit, attackers would have been able to "view all the photos, read all the email, copy all the private messages and monitor everything which happens on there in real-time," says security researcher Ian Beer, who discovered and reported the exploit and underlying vulnerabilities to Apple.
Apple patched the vulnerabilities with the May 20 release of iOS 13.5. That came prior to Apple and Google adding an "exposure notification system in service of privacy-preserving contact tracing" to their operating systems to help battle the COVID-19 pandemic.
It's unclear if these vulnerabilities may have been previously exploited via real-world attacks. In addition, Apple did not disclose the threat with the release of 13.5, but vendors typically do not do so, to give users time to upgrade. And that's why the exploit now described by Beer is a "perfect example" of why users need to keep all in-use mobile devices updated, tweets Alan Woodward, a visiting professor of computer science at England's University of Surrey.
Google Project Zero
Switzerland-based Beer is a security researcher with Google Project Zero, which hunts for zero-day vulnerabilities.
Beer says that, after six months of research, he successfully built "a wormable, radio-proximity exploit which allows me to gain complete control over any iPhone in my vicinity."
In total, he found and reported to Apple "not one but two more remotely exploitable, radio-proximity zero-day vulnerabilities" during his research. At least one of those flaws appears to have also been found by other researchers, but not necessarily used for exploit purposes.
Multiple Exploits Found - and Patched
On Tuesday, Beer published a demo showing how he was able to "remotely trigger an unauthenticated kernel memory corruption vulnerability which causes all iOS devices in radio-proximity to reboot, with no user interaction," using a flaw in Apple's Wireless Direct Link, aka AWDL, which iOS uses for AirDrop, AirPlay and gaming connections.
In a 30,000-word post to the Google Project Zero site, Beer describes "the entire process to go from this basic demo to successfully exploiting this vulnerability in order to run arbitrary code on any nearby iOS device and steal all the user data."
Beer built several exploits, the most serious of which can be executed using a Mac laptop plus a Raspberry Pi 4 Model B computer to run the Linux exploit as well as drivers for his Wi-Fi dongles.
The video shows a victim, running the YouTube app, whose device is hit by an attacker and ultimately compromised, giving the attacker full, remote access to all of a device's contents. The equipment used by Beer in his demo video produced an attack that required two minutes to execute in full, including not only brute-forcing the AWDL interface, but uploading an implant that bootstraps the installation of a larger implant, providing full takeover.
For the demo, communications between the attacker and the victim were limited by the range of consumer Wi-Fi - about 200 feet in real-world conditions, for the 5 Ghz channel he was using. But Beer says the real-world attack range could be extended if attackers chose to amplify the signal.
Basis for More Powerful Exploits
Beer's demo could have gone further in other ways, too. "With more engineering investment, there's no reason this prototype couldn't be optimized to deliver the implant in a handful of seconds," he says.
In addition, the attack could be made more powerful. For example, he notes that there are techniques that could be used to remotely enable AWDL, provided the device had been powered on and the passcode entered at least once since then. Plus, the exploit could be made wormable, meaning that each infected device automatically attacked and compromised any other infected device within range.
"Relative to the size and complexity of these codebases of major tech companies, the size of the security teams dedicated to proactively auditing their product's source code to look for vulnerabilities are very small."
— Ian Beer
That a solo researcher took six months to refine an exploit such as this belies the speed with which well-resourced teams, including nation-state hacking groups, might operate.
"It's important to emphasize up front that the teams and companies supplying the global trade in cyber weapons like this one aren't typically just individuals working alone," Beer says in his blog post (see: More Zero-Day Exploits for Sale). "They're well-resourced and focused teams of collaborating experts, each with their own specialization. They aren't starting with absolutely no clue how Bluetooth or Wi-Fi work. They also potentially have access to information and hardware I simply don't have, like development devices, special cables, leaked source code, symbols files and so on."
Core Problem: Buffer Overflow
Ideally, of course, code bases such as the one that comprises iOS wouldn't have these types of flaws at all. But no code is perfect, especially as more programming gets added atop previous efforts. "Unfortunately, it's the same old story," Beer says, pointing to "a fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers."
Beer's conclusions read like a mission statement for Google Project Zero. Namely, small flaws can compromise the smallest or biggest of code bases used by millions of individuals.
What might firms such as Apple do differently? Beer says spending more time hunting for existing flaws in their code bases would be a good start.
"Relative to the size and complexity of these codebases of major tech companies, the size of the security teams dedicated to proactively auditing their product's source code to look for vulnerabilities are very small," he says. "Android and iOS are complete custom tech stacks. It's not just kernels and device drivers but dozens of attacker-reachable apps, hundreds of services and thousands of libraries running on devices with customized hardware and firmware."