iOS 9, the operating system that Apple is making available for download today to its mobile device users, comes with more than new usability and functionality features. It also resolves a vulnerability that can be exploited over Apple’s over-the-air file sharing technology, AirDrop.
Discovered by Australian researcher Mark Dowd, the vulnerability affects all devices running on iOS 7 or later and can be exploited to hijack iPhones to run malicious code on them. An attacker could exploit the security flaw when in Bluetooth range of an affected device either to install malware of for lock-screen bypass, Dowd says.
AirDrop bug can be used to target people wirelessly in close proximity. Also useful for lock-screen bypass
— mdowd (@mdowd) September 16, 2015
The researcher published a proof-of-concept video showing that the exploit works even if the owner of the iPhone rejects the incoming AirDrop file and says that Mac OS X Yosemite and later versions are vulnerable to the attack as well.
According to Dowd, an attacker could carry out a directory traversal attack to exploit AirDrop and modify the configuration files so that the iOS device would accept any application that features an Apple enterprise certificate. Such certificates are issued only to legitimate developers, but cybercriminals often trade them on the black market, which prompted Apple to update the app sideloading process in iOS 9.
Dowd used the AirDrop flaw to install a provisioning profile for his app and altered Springboard, the program that manages the iOS homescreen, so that the phone would see it as coming from a trusted developer, thus skipping the pop up that appears when an application coming from a new developer is run for the first time, Forbes explains.
Dowd copied malware files into the directory when third-party apps are located and modified the iOS Springboard (home screen) so that his application would replace the default Phone program in iOS. When carrying out the AirDrop attack, the malicious app was copied to the iPhone even if the download was not accepted and the device was rebooted.
Users should update to the new platform release as soon as possible, though they can also protect their devices by keeping AirDrop off and ensuring that no one turns it on from the lockscreen.
“This vulnerability clearly highlights that remote access to devices has always been and still is a major risk,” Adam Ely, co-founder of Bluebox, told SecurityWeek. “Users must be careful allowing others to connect to their devices as mobile devices are not as secure as people often think. Luckily, in this case disabling airdrop will prevent this issue.”
