SecureMac, Inc.

New iOS exploit can hack iPhones wirelessly

December 7, 2020

A researcher at Google’s Project Zero has just announced a zero-click iOS exploit capable of wirelessly hacking nearby iPhones. As iOS exploits go, this one is a pretty big deal! In this article, we’ll introduce you to the researcher, explain what the exploit can do and how it works; and tell you how you can stay safe.

Who developed this iOS exploit?

The exploit was developed by British security researcher Ian Beer, and was the culmination of a solo project that took him about six months to complete. Beer is a well-respected figure in the iOS security community, and has discovered and reported a number of significant iOS vulnerabilities to Apple over the years. He currently works for Google’s Project Zero, a group of researchers tasked with finding security vulnerabilities across multiple platforms. He laid out his work in a massive and technically detailed 30,000-word post on the Project Zero blog, and also commented on the project through his personal Twitter account.

What can the exploit do?

This iOS exploit allows an attacker to gain full access to a nearby iPhone. It does this wirelessly, and without requiring any interaction on the part of the victim. In other words, this isn’t one of those things where you have to click on a sketchy link, or say yes to installing a malicious app — it all happens automatically, without any warning that something unusual is occurring on the target device! 

According to Beer, the exploit would give an attacker “unfettered access to user data”, including the ability to access “emails, private messages, photos, contacts” and to “stream the camera and audio live”. 

If that sounds bad, it’s because it is bad. And it’s important to remember that Beer is a security researcher, not a malicious actor, meaning that the exploit he built was only intended to show how a real-world attack could happen. In his words, the final exploit was still “pretty rough around the edges”, and an actual attacker, if they were well-resourced and motivated enough, might be able to use the same vulnerability to develop an even more effective and dangerous exploit.

How does the exploit work?

According to Beer’s write-up, the exploit was made possible by a single memory corruption vulnerability: a flaw in a part of the iOS kernel that handles Apple Wireless Direct Link (AWDL) networking. AWDL is Apple’s own mesh networking protocol, used to create ad hoc networks between devices in close physical proximity to one another. In practical terms, AWDL is what lets you share files with nearby devices via AirDrop, or use Sidecar to turn your iPad into a second display.

The vulnerability itself was described by Beer as “a fairly trivial buffer overflow programming error in C++ code in the kernel”. The word “buffer” in the context of computer security refers to a chunk of memory that has been allocated for the temporary storage of data. The code that fills a buffer should never accept an input larger than the space allocated for it: such an input fills the buffer and then keeps writing past its end, “overflowing” into whatever happens to sit in the adjacent memory.

In many cases the result is simply a crash, but if the memory being overwritten is something the program later relies on, a carefully crafted input can redirect execution into code the attacker controls; in a kernel, that means a compromise of the whole device. Programmers normally guard against this by checking that an input cannot exceed the size of its buffer; a buffer overflow vulnerability is what results when such a check is missing or implemented incorrectly.
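To make the bug class concrete, here is an added example in C (constructed for this article; it is not Apple’s AWDL code and not taken from Beer’s write-up, and the attribute format, the 32-byte buffer size and every name in it are hypothetical). It shows a copy routine that trusts a length field taken from the incoming frame, beside the bounds-checked version, and a small parser that also checks the declared length against the frame itself:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not the AWDL code Beer wrote about: a fixed-size
 * buffer that receives one variable-length attribute parsed from a wireless
 * frame. All names and sizes here are hypothetical. */
#define ATTR_MAX 32

struct attr_ctx {
    uint8_t  data[ATTR_MAX]; /* the buffer the attribute is copied into */
    uint32_t canary;         /* placed directly after the buffer; stands in for
                                whatever neighbouring memory an overflow would hit */
    size_t   len;            /* how many bytes of data[] are valid */
};

enum {
    PARSE_OK               =   0,
    PARSE_TRUNCATED        =  -1, /* frame too short to hold a type and a length byte */
    PARSE_LEN_PAST_END     =  -2, /* declared length runs past the end of the frame */
    PARSE_ATTR_TOO_LARGE   =  -3, /* attribute does not fit in the receiving buffer */
    PARSE_MEMORY_CORRUPTED = -99  /* canary overwritten: neighbouring memory was hit */
};

/* BEFORE: the mistake the article describes. The length comes from the frame,
 * i.e. from the sender, and is never compared with ATTR_MAX, so a payload
 * longer than 32 bytes is copied straight over the canary and beyond.
 * Kept only to show the defect; nothing below calls it. */
void copy_attr_unchecked(struct attr_ctx *ctx, const uint8_t *payload, size_t payload_len)
{
    memcpy(ctx->data, payload, payload_len);
    ctx->len = payload_len;
}

/* AFTER: the bounds check that was missing. An oversized attribute is
 * rejected before a single byte is written. */
int copy_attr_checked(struct attr_ctx *ctx, const uint8_t *payload, size_t payload_len)
{
    if (payload_len > ATTR_MAX)
        return PARSE_ATTR_TOO_LARGE;
    memcpy(ctx->data, payload, payload_len);
    ctx->len = payload_len;
    return PARSE_OK;
}

/* Parse one type-length-value attribute laid out as [type:1][len:1][value:len].
 * Both the frame boundary and the buffer boundary are checked: a length field
 * that points past the end of the frame is just as untrusted as one that is
 * larger than the buffer. */
int parse_attr(struct attr_ctx *ctx, const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 2)
        return PARSE_TRUNCATED;
    size_t declared = frame[1];
    if (declared > frame_len - 2)
        return PARSE_LEN_PAST_END;
    return copy_attr_checked(ctx, frame + 2, declared);
}

/* Build a constructed frame with the given length byte and actual payload
 * size, run it through the checked parser and return the parser's result,
 * or PARSE_MEMORY_CORRUPTED if the canary next to the buffer was touched. */
int run_frame(uint8_t declared_len, size_t payload_len)
{
    struct attr_ctx ctx;
    uint8_t frame[2 + 64];               /* payload_len must be <= 64 */
    memset(&ctx, 0, sizeof ctx);
    ctx.canary = 0xC0FFEE42u;
    frame[0] = 0x10;                     /* hypothetical attribute type */
    frame[1] = declared_len;
    memset(frame + 2, 0x41, payload_len); /* constructed 'A' filler bytes */
    int rc = parse_attr(&ctx, frame, 2 + payload_len);
    if (ctx.canary != 0xC0FFEE42u)
        return PARSE_MEMORY_CORRUPTED;
    return rc;
}

int main(void)
{
    printf("48-byte attribute into a 32-byte buffer: rc=%d\n", run_frame(48, 48));
    printf("length byte larger than the frame:       rc=%d\n", run_frame(60, 16));
    printf("well-formed 16-byte attribute:           rc=%d\n", run_frame(16, 16));
    return 0;
}
```

With the checked path every malformed frame comes back as a negative result code and the canary is never touched; the unchecked routine, handed the same 48-byte payload, would have written 16 bytes past the end of `data`. The two checks in `parse_attr` are deliberately separate: one protects against reading beyond the frame the sender supplied, the other against writing beyond the buffer the receiver owns.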

Is this a threat to iOS users?

Project Zero is committed to responsible disclosure, so Beer informed Apple of the vulnerability behind his exploit long before he went public with it. In his blog post, he stated that the issue in question was fixed before the launch of iOS 13.5, way back in May 2020. If you’ve updated iOS recently, you should not be at risk from the vulnerability used in the exploit. 

However, in terms of the overall iOS threat landscape, the picture is somewhat less reassuring. Beer’s work shows how difficult it has become for Apple to secure the massive and aging iOS code base — and how easily a sufficiently skilled attacker can discover a previously unknown vulnerability and exploit it. 

Anyone reading his blog post might suppose that this was a one-of-a-kind exploit, and a feat that very few people could pull off, but Beer stresses that this isn’t really the case: 

“The teams and companies supplying the global trade in cyberweapons … aren’t typically just individuals working alone. They’re well-resourced and focused teams of collaborating experts, each with their own specialization. They aren’t starting with absolutely no clue how Bluetooth or Wi-Fi work. They also potentially have access to information and hardware I simply don’t have, like development devices, special cables, leaked source code, symbols files and so on”. 

How can I stay safe?

Here are some basic steps you can take to protect yourself from this exploit (and others like it).

1. If you haven’t updated iOS in a while, now would be a good time! To reiterate, the vulnerability that Beer was writing about was patched months ago, so most users shouldn’t have to worry about this. But if you know you’re way overdue for an update, or if you just want to check to see if your device has any available updates waiting to be installed, go to Settings > General > Software Update to see if there are any new updates for you.

2. True zero-day vulnerabilities are very hard (if not impossible) to defend against, but many people fall victim to exploits for vulnerabilities that already have security patches, simply because they haven’t been updating their devices in a timely fashion! To keep this from happening, we recommend setting up automatic updates for all of your devices. On iOS, go to Settings > General > Software Update > Automatic Updates. Here you will see toggle switches for Download iOS Updates and Install iOS Updates. Set both of these switches to On, and going forward, your device will automatically update itself overnight, just as long as it’s charging and connected to Wi-Fi.

3. Beer’s exploit used Bluetooth signals to get nearby devices to enable the vulnerable AWDL protocol. We’ve seen Bluetooth security issues in the past, and there have also been some privacy concerns about companies like Facebook asking for Bluetooth access on mobile devices. Bluetooth can be extremely useful, but given the potential problems, if you’re not using it, or if you don’t use it very often, it may be prudent to disable Bluetooth on your iOS device and only turn it on when you really need it. To do this, simply go to Settings > Bluetooth and toggle the switch to Off.

4. Remember that as secure as iOS is (and generally speaking, it is quite secure), no platform is immune to vulnerabilities … or exploits. As Beer remarked in his post, “The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine. Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.” This doesn’t mean that we should be paranoid or afraid when we use our iOS devices — but we shouldn’t be complacent either, and we should always remember that good cybersecurity requires a multi-faceted approach. Whatever vulnerabilities our OS may have, we can go a long way to reducing our overall risk by keeping up to date on security news; following best practices for passwords, updates, and network security; and learning how to spot phishing and social engineering attacks.