The details of an iOS exploit that enables an attacker to hack iPhones remotely over Wi-Fi and steal sensitive data without any user interaction have been disclosed by Google Project Zero.
Google Project Zero analyst Ian Beer, who has discovered several critical bugs in Apple products over the past year, found the vulnerability as a result of a six-month analysis conducted earlier this year. In a lengthy blog post published on Tuesday, the researcher outlined his findings and the process that led to the discovery.
According to Beer, the exploit relies on a single memory corruption vulnerability that can be used against an iPhone 11 Pro device to bypass mitigations, execute native code, and read and write kernel memory.
The exploit targets Apple Wireless Direct Link (AWDL), a Wi-Fi-based mesh networking protocol used to connect Apple devices in ad-hoc peer-to-peer networks.
Since the vulnerability requires AWDL to be enabled, the researcher used a technique involving Bluetooth Low Energy (BLE) advertisements to force the targeted device to enable AWDL without any user interaction and without the attacker needing much information about the target. AWDL can also be enabled remotely by sending a voicemail, for example, but that requires knowledge of the target's phone number.
Beer's exploit leveraged a buffer overflow vulnerability in AWDL to gain remote access to a device and run an implant as root. He has released videos demonstrating how an attacker can launch the Calculator app on a phone and how they can steal user data once the implant is deployed. The researcher found that the implant has full access to the target's data, including photos, contacts, messages, and keychain information.
Although his exploit currently takes a couple of minutes to run, he believes it could be reduced to just a few seconds with more investment.
Beer said Apple patched the vulnerability before launching its COVID-19 contact tracing system in iOS 13.5 in May.
The researcher said that he was not aware of any attacks exploiting the vulnerability, but pointed out that Mark Dowd, co-founder of Azimuth Security, a small Australian company that provides hacking tools to law enforcement and intelligence agencies, quickly noticed the patch implemented by Apple.
Beer explained, “This was the longest solo exploitation project I’ve ever worked on which took about half a year. But it is important to stress upfront that the teams and businesses that supply cyberweapons like this to the global trade are typically not just individuals working alone. They are well-resourced and focused teams of professionals working together, each with their own expertise. They do not start with absolutely no indication of how Bluetooth or wifi works. They also have access to information and hardware that I simply don’t have, like devices for development, special cables, leaked source code, files with symbols, and so on.”