iOS Exploit Allows ‘Unfettered Access’ to iPhone User Data Over Wi-Fi

Google Details iPhone Zero-Click Exploit Allowing Theft of User Data, Including Photos, Emails

Google Project Zero has disclosed the details of an iOS exploit that allows an attacker to hack iPhones remotely over Wi-Fi and steal sensitive data, without any user interaction.

The exploit was uncovered by Google Project Zero researcher Ian Beer — who over the past year has found numerous critical vulnerabilities in Apple products — as a result of a six-month analysis conducted earlier this year. The expert described his findings and the process that led to the discovery in a lengthy blog post published on Tuesday.

According to Beer, the exploit leverages a single memory corruption vulnerability that can be used against an iPhone 11 Pro device to bypass mitigations and achieve native code execution and kernel memory reading and writing.

The exploit abuses Apple Wireless Direct Link (AWDL), a Wi-Fi based mesh networking protocol designed for connecting Apple devices in ad-hoc peer-to-peer networks.

Since the exploit requires AWDL to be enabled, the researcher used a technique involving Bluetooth low energy (BLE) advertisements to force the targeted device to enable AWDL without any user interaction and without the attacker having too much information about the targeted device. AWDL can also be remotely enabled, for example, by sending a voicemail, but that requires knowledge of the target’s phone number.

Beer’s exploit leveraged a buffer overflow vulnerability in AWDL to remotely gain access to a device and execute an implant as root. He has published videos showing how an attacker who is within Wi-Fi range can launch the calculator on a phone, and how they can use the deployed implant to steal user data. The expert pointed out that the implant has full access to the targeted user’s information, including photos, emails, messages, and keychain data.

While his exploit in its current form takes a couple of minutes to execute, he believes that with more resources it could be reduced to just a few seconds. Moreover, while an attacker needs to be in Wi-Fi range to launch an attack, the researcher noted that “with directional antennas, higher transmission powers and sensitive receivers the range of such attacks can be considerable.”

Beer said Apple patched the vulnerability before the launch of its COVID-19 contact tracing system in iOS 13.5 in May. Apple pointed out that a vast majority of iOS users keep their devices up to date so they should no longer be vulnerable to attacks.

The researcher said he was not aware of any attacks exploiting the vulnerability, but pointed out that the patch implemented by Apple was quickly noticed by Mark Dowd, co-founder of Azimuth Security, a small Australian company that provides hacking tools to law enforcement and intelligence agencies.

“This has been the longest solo exploitation project I’ve ever worked on, taking around half a year,” Beer explained. “But it’s important to emphasize up front that the teams and companies supplying the global trade in cyberweapons like this one aren’t typically just individuals working alone. They’re well-resourced and focused teams of collaborating experts, each with their own specialization. They aren’t starting with absolutely no clue how bluetooth or wifi work. They also potentially have access to information and hardware I simply don’t have, like development devices, special cables, leaked source code, symbols files and so on.”

*updated to clarify that the attacker needs to be in Wi-Fi range to launch an attack, and with information from Apple on users keeping their devices updated

Related: Spyware Delivered to iPhone Users in Hong Kong Via iOS Exploits

Related: Apple Patches Recent iPhone Jailbreak Zero-Day

Related: Apple: Security Report on iPhone Hack Created ‘False Impression’

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.