Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

iOS Exploit Allows ‘Unfettered Access’ to iPhone User Data Over Wi-Fi

Google Details iPhone Zero-Click Exploit Allowing Theft of User Data, Including Photos, Emails

Google Details iPhone Zero-Click Exploit Allowing Theft of User Data, Including Photos, Emails

Google Project Zero has disclosed the details of an iOS exploit that allows an attacker to hack iPhones remotely over Wi-Fi and steal sensitive data, without any user interaction.

The exploit was uncovered by Google Project Zero researcher Ian Beer — who over the past year has found numerous critical vulnerabilities in Apple products — as a result of a six-month analysis conducted earlier this year. The expert described his findings and the process that led to the discovery in a lengthy blog post published on Tuesday.

According to Beer, the exploit leverages a single memory corruption vulnerability that can be used against an iPhone 11 Pro device to bypass mitigations and achieve native code execution and kernel memory reading and writing.iPhone 11 Pro exploit details

The exploit abuses Apple Wireless Direct Link (AWDL), a Wi-Fi based mesh networking protocol designed for connecting Apple devices in ad-hoc peer-to-peer networks.

Since the exploit requires AWDL to be enabled, the researcher used a technique involving Bluetooth low energy (BLE) advertisements to force the targeted device to enable AWDL without any user interaction and without the attacker having too much information about the targeted device. AWDL can also be remotely enabled, for example, by sending a voicemail, but that requires knowledge of the target’s phone number.

Beer’s exploit leveraged a buffer overflow vulnerability in AWDL to remotely gain access to a device and execute an implant as root. He has published videos showing how an attacker who is within Wi-Fi range can launch the calculator on a phone, and how they can use the deployed implant to steal user data. The expert pointed out that the implant has full access to the targeted user’s information, including photos, emails, messages, and keychain data.

While his exploit in its current form takes a couple of minutes to execute, he believes that with more resources it could be reduced to just a few seconds. Moreover, while an attacker needs to be in Wi-Fi range to launch an attack, the researcher noted that “with directional antennas, higher transmission powers and sensitive receivers the range of such attacks can be considerable.

Beer said Apple patched the vulnerability before the launch of its COVID-19 contact tracing system in iOS 13.5 in May. Apple pointed out that a vast majority of iOS users keep their devices up to date so they should no longer be vulnerable to attacks.

The researcher said he was not aware of any attacks exploiting the vulnerability, but pointed out that the patch implemented by Apple was quickly noticed by Mark Dowd, co-founder of Azimuth Security, a small Australian company that provides hacking tools to law enforcement and intelligence agencies.

“This has been the longest solo exploitation project I’ve ever worked on, taking around half a year,” Beer explained. “But it’s important to emphasize up front that the teams and companies supplying the global trade in cyberweapons like this one aren’t typically just individuals working alone. They’re well-resourced and focused teams of collaborating experts, each with their own specialization. They aren’t starting with absolutely no clue how bluetooth or wifi work. They also potentially have access to information and hardware I simply don’t have, like development devices, special cables, leaked source code, symbols files and so on.”

*updated to clarify that the attacker needs to be in Wi-Fi range to launch an attack, and with information from Apple on users keeping their devices updated

Related: Spyware Delivered to iPhone Users in Hong Kong Via iOS Exploits

Related: Apple Patches Recent iPhone Jailbreak Zero-Day

Related: Apple: Security Report on iPhone Hack Created ‘False Impression’

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet