iPhone Bug Allowed for Complete Device Takeover Over the Air

Apple Singapore Store

Researcher Ian Beer from Google Project Zero took six months to figure out the radio-proximity exploit of a memory corruption bug that was patched in May.

Details tied to a stunning iPhone vulnerability were disclosed by noted Google Project Zero researcher Ian Beer. Apple patched the vulnerability earlier this year. But few details, until now, were known about the bug that could have allowed a threat actor to completely take over any iPhone within a nearby vicinity. The hack could of been preformed over the air without even interacting with the victim’s device.

Beer said he spent six months figuring out the “wormable radio-proximity exploit” during a time when quarantines due to the COVID-19 virus were in effect and he was “locked down in the corner” of his bedroom. On Tuesday he published a blog post detailing his discovery and the hack.

Specifically, he was able to remotely trigger an unauthenticated kernel memory corruption vulnerability that causes all iOS devices in radio-proximity to reboot, with no user interaction.

The issue existed because of a protocol in contemporary iPhone, iPad, Macs and Apple Watches called Apple Wireless Direct Link (AWDL), Beer explained in his post. This protocol creates mesh networks for features such as AirDrop and Sidecar so these devices can connect and serve their appointed function–such as beam photos and files to other iOS devices, in the case of AirDrop.

Ian Beer

File Photo: Ian Beer speaking at the 2018 Black Hat USA security conference.

“Chances are that if you own an Apple device you’re creating or connecting to these transient mesh networks multiple times a day without even realizing it,” Beer noted in his post.

Apple patched the bug responsible for the exploit in May with updates iOS 12.4.7 and watchOS 5.3.7, and tracked it as CVE-2020-3843 in supporting documentation.

Until then, however, the bug could have allowed someone to “view all the photos, read all the email, copy all the private messages and monitor everything which happens on [an iPhone] in real-time” without clicking on anything, Beer said. The hack would only work with devices within WiFi range, he said.

Beer detailed three different exploits—the most advanced of which that ultimately performed all of these functions–using a Raspberry Pi and WiFi adapters that he purchased off the shelf. Installing a prototype implant that can fully access the device took Beer about two minutes, but he said he could have likely pulled it off in a “handful of seconds” with a better exploit.

The researcher acknowledged that he never saw an evidence of the vulnerability being exploited in the wild. Moreover, since it took him six months to figure out the hack, it’s likely it existed unnoticed by threat actors.

However, just because it was not exploited and is fixed now does not trivialize its existence, Beer observed.

“One person working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with,” he said in his post. “Imagine the sense of power an attacker with such a capability must feel. As we all pour more and more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target.”

Beer also noted the range of such attacks also could easily have been boosted using directional antennas, higher transmission powers and sensitive receivers.

Researchers from Google Project Zero have traditionally been adept at finding flaws in Apple products, but lately they have been particularly active in pointing out issues that exist in their key rival’s devices. Prior to Beer’s last disclosure, Project Zero researchers identified three zero-day vulnerabilities in only the last month that affected iOS and iPad, all of which Apple has patched.

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and other security experts, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles