Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

iOS Exploit Allows ‘Unfettered Access’ to iPhone User Data Over Wi-Fi

Google Details iPhone Zero-Click Exploit Allowing Theft of User Data, Including Photos, Emails

Google Details iPhone Zero-Click Exploit Allowing Theft of User Data, Including Photos, Emails

Google Project Zero has disclosed the details of an iOS exploit that allows an attacker to hack iPhones remotely over Wi-Fi and steal sensitive data, without any user interaction.

The exploit was uncovered by Google Project Zero researcher Ian Beer — who over the past year has found numerous critical vulnerabilities in Apple products — as a result of a six-month analysis conducted earlier this year. The expert described his findings and the process that led to the discovery in a lengthy blog post published on Tuesday.

According to Beer, the exploit leverages a single memory corruption vulnerability that can be used against an iPhone 11 Pro device to bypass mitigations and achieve native code execution and kernel memory reading and writing.iPhone 11 Pro exploit details

The exploit abuses Apple Wireless Direct Link (AWDL), a Wi-Fi based mesh networking protocol designed for connecting Apple devices in ad-hoc peer-to-peer networks.

Since the exploit requires AWDL to be enabled, the researcher used a technique involving Bluetooth low energy (BLE) advertisements to force the targeted device to enable AWDL without any user interaction and without the attacker having too much information about the targeted device. AWDL can also be remotely enabled, for example, by sending a voicemail, but that requires knowledge of the target’s phone number.

Beer’s exploit leveraged a buffer overflow vulnerability in AWDL to remotely gain access to a device and execute an implant as root. He has published videos showing how an attacker who is within Wi-Fi range can launch the calculator on a phone, and how they can use the deployed implant to steal user data. The expert pointed out that the implant has full access to the targeted user’s information, including photos, emails, messages, and keychain data.

While his exploit in its current form takes a couple of minutes to execute, he believes that with more resources it could be reduced to just a few seconds. Moreover, while an attacker needs to be in Wi-Fi range to launch an attack, the researcher noted that “with directional antennas, higher transmission powers and sensitive receivers the range of such attacks can be considerable.

Advertisement. Scroll to continue reading.

Beer said Apple patched the vulnerability before the launch of its COVID-19 contact tracing system in iOS 13.5 in May. Apple pointed out that a vast majority of iOS users keep their devices up to date so they should no longer be vulnerable to attacks.

The researcher said he was not aware of any attacks exploiting the vulnerability, but pointed out that the patch implemented by Apple was quickly noticed by Mark Dowd, co-founder of Azimuth Security, a small Australian company that provides hacking tools to law enforcement and intelligence agencies.

“This has been the longest solo exploitation project I’ve ever worked on, taking around half a year,” Beer explained. “But it’s important to emphasize up front that the teams and companies supplying the global trade in cyberweapons like this one aren’t typically just individuals working alone. They’re well-resourced and focused teams of collaborating experts, each with their own specialization. They aren’t starting with absolutely no clue how bluetooth or wifi work. They also potentially have access to information and hardware I simply don’t have, like development devices, special cables, leaked source code, symbols files and so on.”

*updated to clarify that the attacker needs to be in Wi-Fi range to launch an attack, and with information from Apple on users keeping their devices updated

Related: Spyware Delivered to iPhone Users in Hong Kong Via iOS Exploits

Related: Apple Patches Recent iPhone Jailbreak Zero-Day

Related: Apple: Security Report on iPhone Hack Created ‘False Impression’

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.