A hack that let an attacker take full remote control of iPhones without user interaction is bad enough. One that can also then spread automatically from one iPhone to the next is practically unheard of. But a report published this week by Ian Beer of Google’s Project Zero bug-hunting team lays out a sinister yet elegant roadmap for how an attacker could have done just that before Apple released fixes in May.
Beer’s entire attack stems from a simple, well-known type of vulnerability—a memory corruption bug—in the iOS kernel, the privileged core of an operating system that can access and control pretty much everything. The genius of the attack, though, is that the bug was exploitable through an iPhone’s Wi-Fi features, meaning that an attacker just needed some antennas and adapters to launch the assault whenever they chose, compromising any nearby iOS device.
“It’s very interesting research and super unique as well,” says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. “Close access network attacks like this aren’t something you hear about every day.”
The vulnerability, which Apple patched back in May, involved a flaw in one of the kernel drivers for Apple Wireless Direct Link, the proprietary mesh networking protocol Apple uses to offer slick over-the-air features like AirDrop and Sidecar. AWDL is built on industry Wi-Fi standards, but allows multiple devices to exchange data directly rather than sending it back and forth over a typical Wi-Fi network with a router, modem, and internet service provider as intermediaries.
But Beer discovered vulnerabilities in AWDL that would let a hacker send a specially crafted Wi-Fi packet that would cause an iPhone to crash and install malware on it. From there, the attacker would have full access to the device’s data, the ability to monitor its activity in real time, and even potentially access extra-sensitive components like the microphone and camera, or the passwords and encryption keys in Apple’s Keychain. The attack is also “wormable,” which means that a victim device could spread the infection to other vulnerable iPhones or iPads. Apple’s watchOS was also vulnerable and received a patch.
An Apple spokesperson emphasized in a statement to WIRED that such exploits would be limited by the need for physical proximity. With cheap, general-purpose equipment, though, Beer was still able to launch his attacks from an adjacent room through a closed door. The attacker’s and victim’s devices do not need to be on the same Wi-Fi network for the attack to work. And with directional antennas and other more powerful gear, Beer estimates that the range could potentially increase to hundreds of meters.
In his write-up of the attack, Beer says there is no indication that the vulnerabilities he found were ever exploited in the wild, but he did note that at least one exploit broker seemed to have been aware of the flaw before Apple released the patch in May.
Though the vulnerability has been patched for months now and the fix has likely reached the majority of iOS devices around the world, the finding raises important questions about the security of AWDL, which is on all the time, whether users realize it or not, unless a device is in Airplane Mode. In a series of tweets on Tuesday, Beer pointed out that AWDL has been used as an anti-censorship tool, for example during the 2019 Hong Kong protests, when people used AirDrop to share banned content with each other. But he emphasized that because the protocol is proprietary, the vetting and oversight are entirely up to Apple.
“Having such a large and privileged attack surface reachable by anyone means the security of that code is paramount, and unfortunately the quality of the AWDL code was at times fairly poor and seemingly untested,” Beer wrote.