No-Click iPhone Wi-Fi Exploit is one of the most mind-boggling hacks ever




Image: The iPhone 12 Pro Max screen. That’s a lot of screen. (Photo: Samuel Axon)

Earlier this year, Apple fixed one of the most mind-boggling iPhone vulnerabilities of all time: a memory corruption bug in the iOS kernel that allowed attackers to gain remote access to the entire device over Wi-Fi, without any user interaction. Oh, and the exploit was wormable, meaning the radio-proximity exploit could spread from one nearby device to the next, again without any user interaction.

This Wi-Fi packet-of-death exploit was devised by Ian Beer, a researcher at Project Zero, Google’s vulnerability research arm. In a 30,000-word article published Tuesday afternoon, Beer described the vulnerability and the proof-of-concept exploit he spent six months developing on his own. Almost immediately, fellow security researchers took notice.

Beware of questionable Wi-Fi packets

“It’s a fantastic job,” Chris Evans, a semi-retired security researcher and executive and the founder of Project Zero, said in an interview. “It’s really pretty serious. The fact that you don’t have to really interact with your phone for this to trigger on you is really pretty scary. This attack is just as you walk, the phone is in your pocket, and over Wi-Fi someone is content to sneak in with questionable Wi-Fi packets.”

Beer’s attack worked by exploiting a buffer overflow bug in a driver for AWDL, Apple’s proprietary mesh networking protocol that makes features like AirDrop work. Because drivers reside in the kernel, one of the most privileged parts of any operating system, the AWDL flaw had the potential for serious hacks. And because AWDL parses incoming Wi-Fi packets, the exploit can be delivered over the air, with no indication to the user that anything is wrong.
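The bug class described above, a kernel driver trusting a length field inside a radio packet it copies into a fixed-size buffer, is easiest to understand in miniature. The following C is an added illustration written for this page; it is not Beer’s code, not Apple’s driver, and the two-byte record layout it parses is a hypothetical format chosen for the example, not AWDL’s real frame format. It shows the unchecked copy pattern beside a hardened parser that validates the attacker-controlled length against both the packet that carries it and the buffer that receives it, and exercises the hardened version on three constructed packets (well-formed, truncated, and oversized).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout used only for this illustration (not AWDL's real
 * format): byte 0 = type, byte 1 = payload length, bytes 2.. = payload. */
#define RECORD_BUF 16

struct record {
    uint8_t type;
    uint8_t len;
    uint8_t data[RECORD_BUF];   /* fixed-size destination: the overflow target */
};

/* Vulnerable pattern: checks that the claimed length fits inside the received
 * packet, but never compares it with the destination buffer size. A packet
 * claiming len > RECORD_BUF makes memcpy write past out->data. Shown for
 * contrast only; it is never called on the oversized sample below. */
int parse_tlv_unchecked(const uint8_t *pkt, size_t pkt_len, struct record *out)
{
    if (pkt_len < 2 || pkt[1] > pkt_len - 2)
        return 0;
    out->type = pkt[0];
    out->len = pkt[1];
    memcpy(out->data, pkt + 2, out->len);   /* no bound on out->len vs RECORD_BUF */
    return 1;
}

/* Hardened parser: the attacker-controlled length is checked against both the
 * packet that carries it and the buffer that receives it. Returns 1 on success,
 * 0 on malformed input; the record is left untouched on failure. */
int parse_tlv_safe(const uint8_t *pkt, size_t pkt_len, struct record *out)
{
    if (pkt_len < 2)
        return 0;                       /* header truncated */
    uint8_t len = pkt[1];
    if (len > pkt_len - 2)
        return 0;                       /* length claims more than the packet holds */
    if (len > RECORD_BUF)
        return 0;                       /* length exceeds the destination buffer */
    out->type = pkt[0];
    out->len = len;
    memcpy(out->data, pkt + 2, len);
    return 1;
}

/* Constructed sample: well-formed record, type 1 with 4 payload bytes. */
int demo_benign(void)
{
    static const uint8_t pkt[] = {0x01, 0x04, 0xde, 0xad, 0xbe, 0xef};
    struct record r;
    memset(&r, 0, sizeof r);
    if (!parse_tlv_safe(pkt, sizeof pkt, &r))
        return -1;
    return (r.len == 4 && r.data[0] == 0xde && r.data[3] == 0xef) ? 1 : -2;
}

/* Constructed sample: claims 8 payload bytes but only carries 2. */
int demo_truncated(void)
{
    static const uint8_t pkt[] = {0x01, 0x08, 0xaa, 0xbb};
    struct record r;
    return parse_tlv_safe(pkt, sizeof pkt, &r);   /* rejected: returns 0 */
}

/* Constructed sample: length field (32) fits the packet but exceeds RECORD_BUF
 * (16). This is exactly the input the unchecked parser would overflow on. */
int demo_oversized(void)
{
    uint8_t pkt[2 + 32];
    memset(pkt, 0x41, sizeof pkt);
    pkt[0] = 0x01;
    pkt[1] = 32;
    struct record r;
    return parse_tlv_safe(pkt, sizeof pkt, &r);   /* rejected: returns 0 */
}

int main(void)
{
    printf("benign: %d\ntruncated: %d\noversized: %d\n",
           demo_benign(), demo_truncated(), demo_oversized());
    return 0;
}
```

The point of the two checks in `parse_tlv_safe` is that they guard different things: the first stops the parser reading past the end of the received frame, the second stops it writing past the end of its own buffer. A parser that has only the first check still looks "validated" on casual review, which is why this class of bug survives in code that sits in the kernel and is reachable from the radio.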

“Imagine the feeling of power that an attacker with such an ability must feel,” Beer wrote. “As we all pour more and more of our souls into these devices, an attacker can gain a treasure of information about an unsuspecting target.”

Beer developed several different exploits. The most advanced installs an implant that has full access to the user’s personal data, including emails, photos, messages, passwords and the cryptographic keys stored in the keychain. The prototype implant takes about two minutes to install, but Beer said that with more work, a better-written exploit could deliver it in “seconds.”

Below is a video of the exploit in action. The victim’s iPhone 11 Pro is in a room separated from the attacker by a closed door.

AWDL Implant Demo

Beer said Apple patched the vulnerability before the launch of the COVID-19 contact-tracing interfaces introduced in iOS 13.5 in May. The researcher said he had no evidence the vulnerability had ever been exploited in the wild, although he noted that at least one exploit vendor was aware of the critical bug in May, seven months before today’s disclosure.

The beauty and awesomeness of the hack is that it relies on a single bug to wirelessly access the secrets locked in what is arguably the world’s toughest and most secure consumer device. If one person could do all of this in six months, think about what a better-resourced hacking team is capable of doing.
