Google Security Researcher Develops Zero-Click Exploit for iOS Flaw

Published: 23/11/2024   Category: security




A newly patched memory corruption vulnerability in Apple's AWDL protocol can be used to take over iOS devices that are in close proximity to an attacker.



Google Project Zero security researcher Ian Beer has developed an exploit showing how an attacker can take complete control over nearby iPhone devices without any user interaction.
The zero-click exploit takes advantage of a now patched memory corruption issue in iOS and gives attackers a way to cause any iOS device that is in radio proximity to the attacker to reboot. An adversary can use the exploit to view photos, read email, copy private messages, drop malware, and monitor everything that happens on a victim iOS device in real time, Beer said in a technical paper this week.
According to Beer, the vulnerability his exploit takes advantage of lies in Apple Wireless Device Link (AWDL), a peer-to-peer wireless connectivity protocol that iOS devices use to communicate with each other.
Beer discovered the vulnerability (CVE-2020-3843) in November 2019 and reported it to Apple, which addressed the issue with its release of iOS 13.3.1. At the time, Apple described the issue as enabling an adversary to shut off or reboot systems or to corrupt kernel memory. Apple addressed the bug via a fix that implemented improved input validation. The vulnerability is wormable — meaning a device that has been exploited can then be used to exploit other vulnerable devices.
Beer's latest exploit shows how attackers can exploit the memory corruption issue to inject a malicious payload into kernel memory in a staged fashion and run it as root to take control of a vulnerable device.
With just this one issue, I was able to defeat all the mitigations in order to remotely gain native code execution and kernel memory read and write, he said. For the exploit to work, Beer assumed that a victim device would have at least one App Store app installed.
In his paper, Beer described AWDL as enabled by default and exposing a large and complex attack surface to everyone in radio proximity. An attacker with specialist equipment could extend the range from which an attack could be carried out to hundreds of meters or more, he said. For instance, to demonstrate his exploit on an iPhone 11 Pro device, Beer used just one Raspberry Pi and two off-the-shelf Wi-Fi adaptors that in total cost less than $100.
Beer explained how, even if AWDL was disabled on a user's iOS device, an attacker could enable it using what are known as Bluetooth Low Energy (BLE) advertisements. These are signals that an iOS device sends out to other nearby iOS devices when it wants to share a file via AirDrop, for instance.
To demonstrate his exploit, Beer showed how an attacker could forcibly activate the AWDL interface, exploit the buffer overflow vulnerability, gain access to a nearby iPhone 11 Pro with YouTube installed on it, and then steal a photo from it. The whole process took around two minutes, but with enough engineering, the payload could be implanted on a vulnerable device in a handful of seconds, Beer said.
The attack leverages a flaw in Apple's proprietary radio protocol used to connect iPhones directly to other iPhones or Apple products for services such as AirDrop, says Eugene Kolodenker, senior security researcher at Lookout's apps research team. Even if AirDrop is not enabled, this attack is able to bypass this restriction and force AirDrop to be enabled momentarily to deliver the exploit.
Though attackers require close proximity to a victim to execute the exploit, it does give them an avenue to steal data from a target device without any user interaction, he says.
Brandon Hoffman, chief information security officer at Netenrich, describes Beer's work as significant because it shows how an attacker could completely bypass all of Apple's iOS security measures. At the same time, the proximity an attacker would require to a target device is a mitigating factor, he says.
Certainly the reboot mechanism can be triggered by using higher powered antennae, he says. However, in order to steal the data, the phone would have to transmit back. Therein lies the limitation.
