12/3/2020 08:35 AM
Google Security Researcher Develops 'Zero-Click' Exploit for iOS Flaw

A now-patched memory corruption vulnerability in Apple's AWDL protocol can be used to take over iOS devices that are in close radio proximity to an attacker.

Google Project Zero security researcher Ian Beer has developed an exploit showing how an attacker can take complete control over nearby iPhone devices without any user interaction.

The zero-click exploit takes advantage of a now-patched memory corruption issue in iOS. At a minimum it gives attackers a way to force any iOS device in radio proximity to reboot; with further exploitation, an adversary can use it to view photos, read email, copy private messages, drop malware, and monitor everything that happens on a victim iOS device in real time, Beer said in a technical paper this week.

According to Beer, the vulnerability his exploit takes advantage of lies in Apple Wireless Device Link (AWDL), a peer-to-peer wireless connectivity protocol that iOS devices use to communicate with each other.

Beer discovered the vulnerability (CVE-2020-3843) in November 2019 and reported it to Apple, which addressed the issue with its release of iOS 13.3.1. At the time, Apple described the issue as enabling an adversary to shut off or reboot systems or to corrupt kernel memory. Apple addressed the bug via a fix that implemented improved input validation. The vulnerability is wormable — meaning a device that has been exploited can then be used to exploit other vulnerable devices.

Beer's latest exploit shows how attackers can exploit the memory corruption issue to inject a malicious payload into kernel memory in a staged fashion and run it as root to take control of a vulnerable device.

"With just this one issue, I was able to defeat all the mitigations in order to remotely gain native code execution and kernel memory read and write," he said. For the exploit to work, Beer assumed that a victim device would have at least one App Store app installed.

In his paper, Beer described AWDL as enabled by default and "exposing a large and complex attack surface to everyone in radio proximity." An attacker with specialist equipment could extend the range from which an attack could be carried out to hundreds of meters or more, he said. Specialist equipment is not a prerequisite, though: to demonstrate his exploit on an iPhone 11 Pro device, Beer used just one Raspberry Pi and two off-the-shelf Wi-Fi adaptors that in total cost less than $100.

Beer explained how, even if AWDL was disabled on a user's iOS device, an attacker could enable it using what are known as Bluetooth Low Energy (BLE) advertisements. These are signals that an iOS device sends out to other nearby iOS devices when it wants to share a file via AirDrop, for instance.

To demonstrate his exploit, Beer showed how an attacker could forcibly activate the AWDL interface, exploit the buffer overflow vulnerability, gain access to a nearby iPhone 11 Pro with YouTube installed on it, and then steal a photo from it. The whole process took around two minutes, but with enough engineering, the payload could be implanted on a vulnerable device in a "handful of seconds," Beer said.

"The attack leverages a flaw in Apple's proprietary radio protocol used to connect iPhones directly to other iPhones or Apple products for services such as AirDrop," says Eugene Kolodenker, senior security researcher at Lookout's apps research team. "Even if AirDrop is not enabled, this attack is able to bypass this restriction and force AirDrop to be enabled momentarily to deliver the exploit."

Though attackers require close proximity to a victim to execute the exploit, it does give them an avenue to steal data from a target device without any user interaction, he says.

Brandon Hoffman, chief information security officer at Netenrich, describes Beer's work as significant because it shows how an attacker could completely bypass all of Apple's iOS security measures. At the same time, the proximity an attacker would require to a target device is a mitigating factor, he says.

"Certainly the reboot mechanism can be triggered by using higher powered antennae," he says. "However, in order to steal the data, the phone would have to transmit back. Therein lies the limitation."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...