AirDrop hole deposits stealth malware on all pre-iOS 9 Apple devices

Clicked no? No matter, hackers can replace your apps anyway – so get updating to version 9


Malicious applications can be silently installed on millions of Apple devices, replacing legitimate apps – thanks to a vulnerability tied to the popular file-transfer feature AirDrop.

The vulnerability is mitigated in iOS 9, which is available to the public from today, although it is not fully fixed, we understand. However, fans are urged to upgrade if possible.

The flaw lies in the AirDrop file-sharing function, and allows apps to be installed on devices running iOS 7 and above – or almost all Apple devices in use today. It requires only that iOS devices have AirDrop enabled for an attacker to spread their malicious apps among iOS devices.

Research director Mark Dowd of Sydney's Azimuth Security reported the flaw to Cupertino, and says malicious apps will be installed regardless of whether an AirDrop sharing request is accepted.

"The flaw is exploitable over AirDrop, which means the target has to have AirDrop enabled and reachable by everyone," Dowd tells Vulture South.

"I have been able to chain this flaw together with several other tricks on iOS to install an arbitrary app that is signed with my enterprise certificate.

"I can also install the relevant enterprise provisioning profile on the device and mark it as trusted so that running the app won't cause a 'This app is signed by XYZ corporation – do you trust them?' dialog."

Dowd says the flaw, which allows apps like Mail or Phone to be replaced, does not rely on memory corruption and is "100 percent reliable."

The accomplished researcher chained the flaw together with several other iOS tricks to install on Apple devices an arbitrary app signed with his enterprise certificate.

Attackers could also bypass Apple's code-signing using the technique from the TaiG jailbreak, but only on devices running iOS 8.4 and below.

Enterprise provisioning allows, for example, IT shops to deploy in-house developed apps across staff Apple devices without having to go through the App Store.

That attack vector has been used before in the so-called Masque attacks that affect devices running iOS 8.1.3 and below. The attack required victims to approve the install process before already-installed apps could be replaced or destroyed.

Dowd's attack does not require anything beyond the activation and connection of AirDrop devices. Users who reject a request to install apps from AirDrop will still be hosed, since the exploit will have already occurred.

"The only caveat with enterprise-signed apps is that the first time your app runs on a device, it triggers a prompt that asks the user if they trust the signing entity – I circumvent this prompt," he says.


AirDrop is not activated by default, but it is a popular feature that many Apple customers use. More ambitious attackers with physical access to a phone can activate the function from the lock-screen, Dowd notes.

The directory traversal vulnerability means attackers can overwrite files at arbitrary locations on the file system as the mobile user. It lies in Apple's Bom.framework, a library installed by default on OS X and iOS and used by various applications to compress and decompress ZIP and CPIO packages.

Specifically, the flaw lies in the CPIO package decompression and is triggered by a failure to ensure that a destination path is correctly NULL-terminated. This, Dowd says, essentially allows an attacker to perform a directory traversal attack, writing – and notably overwriting – files at an arbitrary location on the file system.
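To make the two failure points concrete, here is an added illustration of what a hardened CPIO unpacker checks. It is not Apple's Bom.framework code, and the archive it unpacks is a constructed fixture; the parser handles the "newc" CPIO variant and enforces (1) that each member name is a NUL-terminated string fitting exactly within its declared namesize, the class of check the article says was missing, and (2) that the lexically resolved destination stays inside the extraction directory, which is what stops a `..` or absolute path from landing elsewhere on the file system.

```python
"""Minimal 'newc' CPIO extractor with hardened destination-path checks.
Added illustration, not Bom.framework code. Archive contents are constructed."""
import os
import tempfile

NEWC_MAGIC = b"070701"
HEADER_LEN = 110          # 6-byte magic + 13 fields of 8 hex digits each
TRAILER = "TRAILER!!!"    # name of the archive-terminating pseudo-member


def _pad4(n):
    """Bytes needed to round n up to a multiple of 4 (newc alignment rule)."""
    return (4 - n % 4) % 4


def build_newc_cpio(entries):
    """Build a newc archive from (name, data) pairs; constructed test fixture."""
    out = bytearray()
    for ino, (name, data) in enumerate(entries + [(TRAILER, b"")], start=1):
        name_b = name.encode() + b"\0"            # namesize counts the NUL
        mode = 0 if name == TRAILER else 0o100644
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
        hdr = NEWC_MAGIC + b"".join(b"%08x" % v for v in fields)
        out += hdr + name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def iter_newc_entries(blob):
    """Yield (name, data) per member, validating the name field strictly."""
    off = 0
    while True:
        hdr = blob[off:off + HEADER_LEN]
        if len(hdr) < HEADER_LEN or hdr[:6] != NEWC_MAGIC:
            raise ValueError("truncated header or not a newc CPIO archive")
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        raw = blob[off + HEADER_LEN:off + HEADER_LEN + namesize]
        # Check 1: the name must be exactly namesize bytes, one NUL, at the end.
        # Accepting an unterminated name is the bug class the article describes.
        if namesize == 0 or len(raw) != namesize or raw[-1] != 0 or b"\0" in raw[:-1]:
            raise ValueError("member name is not a single NUL-terminated string")
        name = raw[:-1].decode("utf-8")
        data_off = off + HEADER_LEN + namesize + _pad4(HEADER_LEN + namesize)
        data = blob[data_off:data_off + filesize]
        if len(data) != filesize:
            raise ValueError("truncated member data")
        off = data_off + filesize + _pad4(filesize)
        if name == TRAILER:
            return
        yield name, data


def safe_destination(base_dir, member_name):
    """Lexically resolve member_name under base_dir; reject any escape."""
    base = os.path.normpath(os.path.abspath(base_dir))
    if os.path.isabs(member_name):
        raise ValueError(f"absolute member path rejected: {member_name!r}")
    dest = os.path.normpath(os.path.join(base, member_name))
    # Check 2: destination must be base_dir itself or strictly inside it.
    if dest != base and not dest.startswith(base + os.sep):
        raise ValueError(f"path traversal rejected: {member_name!r}")
    return dest


def extract(blob, base_dir):
    """Extract blob under base_dir; returns (written, rejected) member names."""
    written, rejected = [], []
    for name, data in iter_newc_entries(blob):
        try:
            dest = safe_destination(base_dir, name)
        except ValueError:
            rejected.append(name)          # log and skip; never write it
            continue
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        written.append(name)
    return written, rejected


def demo():
    """Constructed archive: one benign member and two that try to escape."""
    blob = build_newc_cpio([
        ("payload/readme.txt", b"hello"),
        ("../../outside.txt", b"escaped"),     # dot-dot traversal attempt
        ("/etc/evil.conf", b"absolute"),      # absolute path attempt
    ])
    with tempfile.TemporaryDirectory() as tmp:
        written, rejected = extract(blob, tmp)
        with open(os.path.join(tmp, "payload", "readme.txt"), "rb") as fh:
            contents = fh.read()
    return written, rejected, contents


def rejects_unterminated_name():
    """Shrink namesize so the name no longer includes its NUL; parser must refuse."""
    blob = bytearray(build_newc_cpio([("a", b"")]))
    blob[6 + 8 * 11:6 + 8 * 12] = b"%08x" % 1    # namesize field: 2 -> 1
    try:
        list(iter_newc_entries(bytes(blob)))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), rejects_unterminated_name())
```

The destination check is deliberately lexical (normpath, not realpath) so it is deterministic and cheap; a production unpacker would additionally refuse to follow symlinks created by earlier members, since a symlinked directory can redirect a later write even when the lexical path looks safe.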

Dowd suspects other OS X and iOS applications are possibly vulnerable.

Compromised phones must first be rebooted so that the new app and provisioning profile are detected by the services that scan the device during boot. ®


Biting the hand that feeds IT © 1998–2022