Google researcher demonstrates iPhone exploit with Wi-Fi takeover
Apple had a security vulnerability that could have allowed potential hackers to get complete access to a person’s iPhone — everything from viewing photos to monitoring activities in real time — without the victim ever needing to click on any suspicious links or download malware.
While most malware requires hackers to trick people in some way, like through a disguised email or an app pretending to be beneficial, this iOS exploit only needed the victim to be within Wi-Fi range, Ian Beer, a security researcher with Google’s Project Zero, explained in a blog post on Tuesday.
These types of vulnerabilities are considered the biggest threats to companies like Apple. At the Black Hat cybersecurity conference in 2019, Apple started offering $1 million bug bounties for researchers who could present a flaw that didn’t require victims to click on anything and gave full access.
The vulnerability has since been patched and your best course of action is to always keep your phone up-to-date with the latest operating system, and right now, for Apple iPhones that means iOS 14.
In a video, Beer showed how a Raspberry Pi setup with store-bought Wi-Fi adapters could steal photos from an untouched iPhone in a different room within five minutes. In another clip, Beer demonstrated how the same vulnerability could let him repeatedly reboot 26 iPhones at the same time.
“Imagine the sense of power an attacker with such a capability must feel,” Beer said in his post. “As we all pour more and more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target.”
The security flaw was fixed in May, in the same patch through which Apple introduced its notification exposure tools on iOS devices.
A snapshot of user adoption of the latest Apple software from around that time showed that the majority of users were already on current versions of iOS and thus protected against the issue, Apple said in a statement. “Also, it’s good to note that this does require relatively close proximity as it needs to be within WiFi range to work.”
Apple vulnerabilities are rare because of the company’s investments in security and its closed-off App Store. In 2019, Beer’s team discovered another iOS vulnerability that allowed hacked websites to send malware to visitors. The hack was used by the Chinese government to track and spy on Uighur Muslims.
Beer said he had spent about six months looking into the security vulnerability. He explained that the weak links came from Apple’s proprietary mesh network AWDL, which allows iOS devices to easily connect to each other, like your Apple Watch linking to your iPhone, for example.
The network didn’t have built-in encryption, and Beer was able to exploit a single memory corruption to take over devices as new as the iPhone 11 Pro. He explained that the flaw came from a “fairly trivial buffer overflow programming error in C++ code” that allowed for untrusted data to pass through over Wi-Fi signals.
Typically, vulnerabilities work off each other like pieces of a puzzle — finding one flaw leads to another until you’re able to get the big picture. Getting complete access through a single exploit is part of what makes Beer’s discovery so impressive.
Wow. An iOS exploit that doesn’t involve chaining multiple vulnerabilities together is quite an accomplishment. https://t.co/ZccMcVTIch
— Rob Joyce (@RGB_Lights) December 2, 2020
Beer said that he hasn’t seen any evidence that the flaw was exploited by others before it had been patched, but about 13% of all iPhone users are still vulnerable to this issue. While the flaw has been fixed, Beer noted that it likely won’t be the last time an issue like this comes up for Apple — pointing out that he was able to find this exploit on his own.
“As things stand now in November 2020, I believe it’s still quite possible for a motivated attacker with just one vulnerability to build a sufficiently powerful weird machine to completely, remotely compromise top-of-the-range iPhones,” Beer said.
This story was originally published on Dec. 2, 2020 by CNET a subsidiary of ViacomCBS.