A Google Project Zero (GPZ) bug hunter who specializes in iPhone security has revealed a nasty bug in iOS that allowed an attacker within Wi-Fi range to gain "complete control" of an Apple phone.
GPZ is a security research group at Google tasked with finding vulnerabilities in all popular software, from Microsoft's Windows 10 to Google Chrome and Android as well as Apple's iOS and macOS.
Ian Beer, a GPZ hacker who specializes in iOS hacks, says the vulnerability he found during the first COVID-19 lockdown this year allowed an attacker within Wi-Fi range to view all of an iPhone's photos and emails, and copy all private messages from Messages, WhatsApp, Signal and so on in real time.
"For 6 months of 2020, while locked down in the corner of my bedroom surrounded by my lovely, screaming children, I've been working on a magic spell of my own...a wormable radio-proximity exploit which allows me to gain complete control over any iPhone in my vicinity," he writes.
Apple fixed the bug ahead of the launch of Privacy-Preserving Contact Tracing, which arrived in iOS 13.5 in May.
Beer, who regularly finds critical flaws in iOS and macOS, is using his bug to stress to iPhone owners that they may have a false sense of security when it comes to thinking about adversaries.
"The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I'm fine," notes Beer.
"Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they'd come into close contact with."
The contact-tracing connection Beer highlights is important because the bug he found was in an iOS feature called AWDL or Apple Wireless Direct Link – a proprietary Apple peer-to-peer networking protocol used for features like Apple AirPlay and the iOS-to-macOS file-sharing feature AirDrop.
AWDL is used in all Apple iOS and macOS devices. Researchers last year found serious flaws in the protocol that allowed an attacker on a network to intercept and change files being sent over AirDrop. The most concerning part of that batch of AWDL flaws was that they allowed an attacker to track an iPhone user's location with a high degree of accuracy. Apple fixed those AWDL bugs last May in iOS 12.3, tvOS 12.3, watchOS 5.2.1, and macOS 10.14.5.
The details of the flaw itself are important, but Beer is using his exploit to make a bigger point about the economics of software exploits.
As Beer notes, there are professional exploit brokers that sell iOS exploits to governments.
"Unpatched vulnerabilities aren't like physical territory, occupied by only one side. Everyone can exploit an unpatched vulnerability," notes Beer.
"It's important to emphasize … that the teams and companies supplying the global trade in cyberweapons like this one aren't typically just individuals working alone," he continues.
"They're well-resourced and focused teams of collaborating experts, each with their own specialization. They aren't starting with absolutely no clue how bluetooth or wifi work. They also potentially have access to information and hardware I simply don't have, like development devices, special cables, leaked source code, symbols files and so on."
The AWDL bug itself falls into the common category of memory safety flaws. Beer describes it as a "fairly trivial buffer overflow" caused by programming errors Apple developers made in C++ code in Apple's XNU (X is Not Unix) kernel. Microsoft and Google have found that memory vulnerabilities make up the vast majority of flaws in software.
In this case, Beer didn't need a series of vulnerabilities in iOS to take control of a vulnerable iPhone, unlike the three iOS bugs Apple patched in iOS 14.2 last month. In other words, the one Beer found is highly valuable because it is relatively simple to use.
"This entire exploit uses just a single memory corruption vulnerability to compromise the flagship iPhone 11 Pro device. With just this one issue I was able to defeat all the mitigations in order to remotely gain native code execution and kernel memory read and write," he writes.