iPhone hack allowed device takeover via Wi‑Fi


Using a zero-click exploit, an attacker could have taken complete control of any iPhone within Wi-Fi range in seconds



Earlier this year, Apple patched a severe security loophole in an iOS feature that could have allowed attackers to remotely gain complete control over any iPhone within Wi-Fi range. However, details about the flaw, which was fixed months ago, were sparse until now.


In a blog post of no fewer than 30,000 words, Google Project Zero researcher Ian Beer described how, over a six-month period, he created a radio-proximity exploit that would grant him total control over an iPhone in his vicinity. The exploit allowed him to access all the data stored on the device, including photos, emails, private messages and Keychain passwords, as well as to monitor everything happening on the device in real time.


To make matters worse, the vulnerability was also wormable: an attack exploiting it could have spread from device to device with no need for user interaction. Beer added, however, that there was no evidence to suggest that the vulnerability was ever exploited in the wild.


The flaw resides in the Apple Wireless Direct Link (AWDL) protocol, which is used for peer-to-peer network communications between iOS devices and powers features like AirDrop and Sidecar. Beer described it as “a fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers.” He added that the whole exploit relies on just this single memory corruption vulnerability, which he used to compromise a flagship iPhone 11 Pro device.


Beer also shared a video demonstrating the attack:



