Details tied to a stunning iPhone vulnerability were disclosed by noted Google Project Zero researcher Ian Beer. Apple patched the vulnerability earlier this year, but few details were known until now about the bug, which could have allowed a threat actor to completely take over any iPhone in the nearby vicinity. The hack could have been performed over the air without even interacting with the victim's device.
Beer said he spent six months figuring out the "wormable radio-proximity exploit" during a time when quarantines due to the COVID-19 virus were in effect and he was "locked down in the corner" of his bedroom. On Tuesday he published a blog post detailing his discovery and the hack.
Specifically, he was able to remotely trigger an unauthenticated kernel memory corruption vulnerability that causes all iOS devices in radio-proximity to reboot, with no user interaction.
The issue existed because of a protocol in contemporary iPhones, iPads, Macs and Apple Watches called Apple Wireless Direct Link (AWDL), Beer explained in his post. This protocol creates mesh networks for features such as AirDrop and Sidecar so these devices can connect and serve their appointed function, such as beaming photos and files to other iOS devices in the case of AirDrop.
File Photo: Ian Beer speaking at the 2018 Black Hat USA security conference.
"Chances are that if you own an Apple device you're creating or connecting to these transient mesh networks multiple times a day without even realizing it," Beer noted in his post.
Apple patched the bug responsible for the exploit in May with updates iOS 12.4.7 and watchOS 5.3.7, and tracked it as CVE-2020-3843 in supporting documentation.
Until then, however, the bug could have allowed someone to "view all the photos, read all the email, copy all the private messages and monitor everything which happens on [an iPhone] in real-time" without clicking on anything, Beer said. The hack would only work with devices within WiFi range, he said.
Beer detailed three different exploits, the most advanced of which ultimately performed all of these functions, using a Raspberry Pi and WiFi adapters that he purchased off the shelf. Installing a prototype implant that can fully access the device took Beer about two minutes, but he said he could likely have pulled it off in a "handful of seconds" with a better exploit.
The researcher acknowledged that he never saw any evidence of the vulnerability being exploited in the wild. Moreover, since it took him six months to figure out the hack, it's likely it existed unnoticed by threat actors.
However, just because it was not exploited and is fixed now does not trivialize its existence, Beer observed.
"One person working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they'd come into close contact with," he said in his post. "Imagine the sense of power an attacker with such a capability must feel. As we all pour more and more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target."
Beer also noted that the range of such attacks could easily have been boosted using directional antennas, higher transmission powers and sensitive receivers.
Researchers from Google Project Zero have traditionally been adept at finding flaws in Apple products, but lately they have been particularly active in pointing out issues in their key rival's devices. Prior to Beer's latest disclosure, Project Zero researchers identified three zero-day vulnerabilities affecting iOS and iPadOS in the last month alone, all of which Apple has patched.