Dark Reading is part of the Informa Tech Division of Informa PLC
12/3/2020
08:35 AM
Google Security Researcher Develops 'Zero-Click' Exploit for iOS Flaw

A now-patched memory corruption vulnerability in Apple's AWDL protocol can be used to take over iOS devices that are in close radio proximity to an attacker.

Google Project Zero security researcher Ian Beer has developed an exploit showing how an attacker can take complete control over nearby iPhone devices without any user interaction.

The zero-click exploit takes advantage of a now-patched memory corruption issue in iOS. At its simplest, the bug lets an attacker force any iOS device in radio proximity to reboot; taken further, an adversary can use it to view photos, read email, copy private messages, drop malware, and monitor everything that happens on a victim iOS device in real time, Beer said in a technical paper this week.


According to Beer, the vulnerability his exploit takes advantage of lies in Apple Wireless Device Link (AWDL), a peer-to-peer wireless connectivity protocol that iOS devices use to communicate with each other.

Beer discovered the vulnerability (CVE-2020-3843) in November 2019 and reported it to Apple, which addressed the issue with its release of iOS 13.3.1. At the time, Apple described the issue as enabling an adversary to shut off or reboot systems or to corrupt kernel memory. Apple fixed the bug with improved input validation. The vulnerability is wormable — meaning a device that has been exploited can in turn be used to exploit other vulnerable devices in range.

Beer's latest exploit shows how attackers can exploit the memory corruption issue to inject a malicious payload into kernel memory in a staged fashion and run it as root to take control of a vulnerable device.

"With just this one issue, I was able to defeat all the mitigations in order to remotely gain native code execution and kernel memory read and write," he said. For the exploit to work, Beer assumed that a victim device would have at least one App Store app installed.

In his paper, Beer described AWDL as enabled by default and "exposing a large and complex attack surface to everyone in radio proximity." An attacker with specialist equipment could extend the range from which an attack could be carried out to hundreds of meters or more, he said. For instance, to demonstrate his exploit on an iPhone 11 Pro device, Beer used just one Raspberry Pi and two off-the-shelf Wi-Fi adaptors that in total cost less than $100.

Beer explained how, even if AWDL were disabled on a user's iOS device, an attacker could enable it using what are known as Bluetooth Low Energy (BLE) advertisements. These are signals that an iOS device broadcasts to other nearby iOS devices when it wants to share a file via AirDrop, for instance.

To demonstrate his exploit, Beer showed how an attacker could forcibly activate the AWDL interface, exploit the buffer overflow vulnerability, gain access to a nearby iPhone 11 Pro with YouTube installed on it, and then steal a photo from it. The whole process took around two minutes, but with enough engineering, the payload could be implanted on a vulnerable device in a "handful of seconds," Beer said.
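The article describes the root cause only as a buffer overflow in AWDL frame handling that Apple fixed with "improved input validation," and it does not reproduce the AWDL wire format or Apple's code. The following is an added illustration, not Apple's or Beer's code, of the validation class involved: a parser for a hypothetical TLV (type, length, value) record layout, constructed here, that checks an attacker-controlled length field against both the bytes actually received and the size of the destination buffer before copying. The record layout, the `tlv_*` function names, and the sample frames are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical TLV record: 1-byte type, 1-byte length, then `len` value bytes.
 * Constructed for this illustration; it is NOT the AWDL frame format. */
#define MAX_VALUE_LEN 32

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t value[MAX_VALUE_LEN];
} tlv_record_t;

/* Parser result codes. */
enum {
    TLV_OK            = 0,
    TLV_ERR_TRUNCATED = -1,  /* declared length exceeds bytes actually present   */
    TLV_ERR_TOO_LONG  = -2   /* declared length exceeds the destination buffer    */
};

/* The unchecked pattern that this class of fix addresses looks like
 *     memcpy(out->value, frame + pos + 2, frame[pos + 1]);
 * with no comparison of the length byte against either the remaining frame
 * size or sizeof(out->value). Both comparisons are made explicit below. */
int tlv_parse_one(const uint8_t *frame, size_t frame_len,
                  size_t *offset, tlv_record_t *out)
{
    size_t pos = *offset;

    /* A record needs at least its 2-byte header. */
    if (pos + 2 > frame_len) return TLV_ERR_TRUNCATED;

    uint8_t type = frame[pos];
    uint8_t len  = frame[pos + 1];

    /* Check 1: the value must lie entirely inside the received frame. */
    if (len > frame_len - (pos + 2)) return TLV_ERR_TRUNCATED;
    /* Check 2: the value must fit in the fixed-size destination. */
    if (len > sizeof(out->value)) return TLV_ERR_TOO_LONG;

    out->type = type;
    out->len  = len;
    memset(out->value, 0, sizeof(out->value));
    memcpy(out->value, frame + pos + 2, len);
    *offset = pos + 2 + len;
    return TLV_OK;
}

/* Parse every record in a frame. Returns the number of records parsed, or the
 * negative error code of the first malformed record (parsing stops there). */
int tlv_parse_frame(const uint8_t *frame, size_t frame_len,
                    tlv_record_t *records, size_t max_records)
{
    size_t offset = 0, n = 0;
    while (offset < frame_len && n < max_records) {
        int rc = tlv_parse_one(frame, frame_len, &offset, &records[n]);
        if (rc != TLV_OK) return rc;
        n++;
    }
    return (int)n;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t good_frame[] = {
    0x01, 0x03, 'a', 'b', 'c',   /* type 1, len 3 */
    0x02, 0x01, 0xff             /* type 2, len 1 */
};
static const uint8_t truncated_frame[] = {
    0x01, 0x10, 'a', 'b'         /* claims 16 value bytes, only 2 present */
};

/* Well-formed frame: expect 2 records. */
int demo_good(void)
{
    tlv_record_t r[4];
    return tlv_parse_frame(good_frame, sizeof good_frame, r, 4);
}

/* Length field larger than the frame: expect TLV_ERR_TRUNCATED. */
int demo_truncated(void)
{
    tlv_record_t r[4];
    return tlv_parse_frame(truncated_frame, sizeof truncated_frame, r, 4);
}

/* Length field consistent with the frame but larger than the destination
 * buffer (40 > MAX_VALUE_LEN): expect TLV_ERR_TOO_LONG. This is the case an
 * "is it inside the frame?" check alone would miss. */
int demo_oversized(void)
{
    uint8_t buf[2 + 40];
    buf[0] = 0x03;
    buf[1] = 40;
    memset(buf + 2, 0x41, 40);
    tlv_record_t r[4];
    return tlv_parse_frame(buf, sizeof buf, r, 4);
}

int main(void)
{
    printf("good=%d truncated=%d oversized=%d\n",
           demo_good(), demo_truncated(), demo_oversized());
    return 0;
}
```

The point of the two separate checks is that a length field can be consistent with the frame it arrived in and still be larger than the buffer the value is copied into; the second comparison is the one a "trust the length byte" parser omits, and an untrusted radio frame is exactly the input on which that omission becomes memory corruption.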

"The attack leverages a flaw in Apple's proprietary radio protocol used to connect iPhones directly to other iPhones or Apple products for services such as AirDrop," says Eugene Kolodenker, senior security researcher at Lookout's apps research team. "Even if AirDrop is not enabled, this attack is able to bypass this restriction and force AirDrop to be enabled momentarily to deliver the exploit."

Though attackers require close proximity to a victim to execute the exploit, it does give them an avenue to steal data from a target device without any user interaction, he says.

Brandon Hoffman, chief information security officer at Netenrich, describes Beer's work as significant because it shows how an attacker could completely bypass all of Apple's iOS security measures. At the same time, the proximity an attacker would require to a target device is a mitigating factor, he says.

"Certainly the reboot mechanism can be triggered by using higher powered antennae," he says. "However, in order to steal the data, the phone would have to transmit back. Therein lies the limitation."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...