A researcher from Google’s Project Zero team of security experts exploited a bug in the iOS kernel and took over iPhones over Wi-Fi without requiring any user interaction. Apple has fixed the problems.
Google Project Zero employee Ian Beer describes how he managed to produce his zero-click radio-proximity exploit in six months. In a video, he demonstrates how he can take over an iPhone 11 Pro running iOS 13.3 in one room using a MacBook Air in another room.
As far as hardware is concerned, he only uses Wi-Fi adapters and a Raspberry Pi. The iOS device does not have to be on the same Wi-Fi network as the attacker's device, but it must be within Wi-Fi range. With his attack, the researcher can extract passwords, photos, Keychain keys and other data from an iOS device.
The proof-of-concept is one of several exploits that Beer developed. He shows that an exploit obtains read and write access to the kernel in seconds and achieves full control in minutes. The vulnerability stems from a bug in the driver for Apple Wireless Direct Link, or AWDL. This is Apple's technology for setting up mesh networks between devices. Among other things, Sidecar, which uses the iPad as a second screen, and AirDrop, for wireless file sharing, rely on AWDL.
Beer's exploit used, among other things, brute forcing of a 2-byte SHA256 hash that an Apple device broadcasts over Bluetooth Low Energy for AirDrop. Partly because of this, he managed to switch on AWDL remotely. According to him, this is also possible when the iOS device is locked. He also claims the exploit is wormable: a successfully attacked device could then spread it further to nearby iOS devices.
Apple fixed the vulnerabilities, and according to Beer this happened before the company added its Privacy-Preserving Contact Tracing functionality to iOS 13.5 in May of this year.