
How a nightmare wormable, wireless, automatic hijack-a-nearby-iPhone security flaw was found and fixed

You're probably all patched by now, which is just as well

A Google security guru has published details of a critical hole in Apple's iOS that can be exploited by miscreants to hijack strangers' iPhones over the air without any user interaction.

All a hacker would need to do is transmit carefully crafted, malicious AWDL packets to a victim's handheld to gain control of it. AWDL is Apple Wireless Direct Link, Cupertino's proprietary mesh networking protocol that is based on Wi-Fi. You don't need to be on the same conventional Wi-Fi network as your victim to exploit this vulnerability, just within range.

On Tuesday, Google Project Zero's Ian Beer, who reported the flaw to Apple back on November 29, 2019, published a detailed technical account of how he found the vulnerability and developed an exploit for it, which he likened to a magic spell to gain remote control of the target device. He also released proof-of-concept exploit code.

A fix for the security weakness – CVE-2020-3843 aka Hairless Huron – arrived in iOS/iPadOS 13.3.1 and macOS 10.15.3, on January 28, 2020, but wasn't publicly acknowledged by Apple until February 6, 2020. Apple describes the issue thus: "A remote attacker may be able to cause unexpected system termination or corrupt kernel memory."

An additional CVE attributed to Beer, CVE-2020-9906, capable of causing memory corruption if exploited, was closed in iOS/iPadOS 13.6. It was disclosed nine days after Apple's July 15, 2020 bulletin.

Beer's writeup mentions that he found three zero-day vulnerabilities in the course of his research, but only cites two CVEs. The third appears to be CVE-2020-9844, a kernel memory bug credited to Beer that was fixed in iOS/iPadOS 13.5 in May, 2020. That's when Beer and Apple say the issue was resolved.

Neither CVE-2020-9906 nor CVE-2020-9844 received Vulnonym names.

Stuck at home, let's go digging

Amid the COVID-19 virus lockdown, Beer said he spent six months in his bedroom working on "a wormable radio-proximity exploit which allows me to gain complete control over any iPhone in my vicinity."

The exploit allowed Beer to access photos, emails, and private messages on the target device, while monitoring it in real-time. No user interaction, such as clicking on a compromised link, is required. And wormable means that compromised devices can themselves compromise other nearby iOS devices.

Beer describes the bug he focused on as "a fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers."
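As an added illustration of the bug class Beer describes, and not his code or Apple's AWDL parser, the following constructed C example parses a hypothetical length-prefixed record format from an untrusted packet. The first routine trusts the length byte it reads from the packet, which is the shape of a "trivial" parsing overflow; the second performs the two bounds checks (destination capacity and bytes remaining in the input) that remove it. The record layout, names and sample packets are all invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECORD_MAX 16

/* One parsed record. Hypothetical wire layout, not AWDL's:
 * [type:1 byte][len:1 byte][payload:len bytes], repeated to end of packet. */
struct record {
    uint8_t type;
    uint8_t len;
    uint8_t payload[RECORD_MAX];
};

/* BEFORE: the length byte comes straight from the packet and is trusted.
 * A len greater than RECORD_MAX overruns payload[]; a len greater than the
 * bytes left in the packet reads past the input buffer. */
static int parse_record_unchecked(const uint8_t *buf, size_t buflen,
                                  size_t *pos, struct record *out)
{
    if (*pos + 2 > buflen) return -1;               /* header present? */
    out->type = buf[*pos];
    out->len  = buf[*pos + 1];
    memcpy(out->payload, buf + *pos + 2, out->len); /* no bounds check */
    *pos += 2 + out->len;
    return 0;
}

/* AFTER: the length is validated against both the destination capacity and
 * the bytes actually remaining in the input before anything is copied. */
static int parse_record_checked(const uint8_t *buf, size_t buflen,
                                size_t *pos, struct record *out)
{
    if (*pos + 2 > buflen) return -1;               /* header present? */
    uint8_t type = buf[*pos];
    uint8_t len  = buf[*pos + 1];
    if (len > RECORD_MAX) return -1;                /* would overflow payload[] */
    if (len > buflen - (*pos + 2)) return -1;       /* would read past the packet */
    out->type = type;
    out->len  = len;
    memcpy(out->payload, buf + *pos + 2, len);
    *pos += 2 + len;
    return 0;
}

/* Walk a whole packet with the checked parser. Returns the record count, or -1
 * on any malformed record. recs may be NULL to count without storing. */
static int parse_packet(const uint8_t *buf, size_t buflen,
                        struct record *recs, size_t max)
{
    struct record scratch;
    size_t pos = 0, n = 0;
    while (pos < buflen) {
        if (recs && n >= max) return -1;
        struct record *dst = recs ? &recs[n] : &scratch;
        if (parse_record_checked(buf, buflen, &pos, dst) != 0) return -1;
        n++;
    }
    return (int)n;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_pkt[]      = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00 };
static const uint8_t oversize_pkt[]  = { 0x01, 0xFF, 'a', 'b', 'c' };  /* len 255 > RECORD_MAX */
static const uint8_t truncated_pkt[] = { 0x01, 0x04, 'a', 'b' };       /* claims 4, only 2 present */

int main(void)
{
    /* The unchecked parser is only exercised on the well-formed packet here:
     * feeding it the malformed ones is the overflow itself (undefined behaviour). */
    size_t pos = 0;
    struct record r;
    printf("unchecked on good packet: %d\n",
           parse_record_unchecked(good_pkt, sizeof good_pkt, &pos, &r));
    printf("checked, good packet:      %d records\n",
           parse_packet(good_pkt, sizeof good_pkt, NULL, 0));
    printf("checked, oversize length:  %d\n",
           parse_packet(oversize_pkt, sizeof oversize_pkt, NULL, 0));
    printf("checked, truncated packet: %d\n",
           parse_packet(truncated_pkt, sizeof truncated_pkt, NULL, 0));
    return 0;
}
```

Because every malformed input is turned into a clean -1 rather than a memory write, the checked parser is also the form that a unit test or fuzzer can exercise safely, which is the kind of automated coverage the article's closing recommendations call for.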

And that one bug undid all of the security that should have prevented unauthorized access to the device. It granted the ability to execute arbitrary code and to read and write kernel memory. The research certainly impressed the NSA's former chief hacker Rob Joyce.

Beer said he found no evidence that the flaw was ever exploited in the wild. However, he pointed out that companies known to provide tools to help governments bypass device security have been paying attention to these sorts of wireless vulnerabilities, and may have the flaw in their arsenals.

The Register understands from folks familiar with Apple's internal handling of the bug disclosure that, as noted above, the issue was resolved in iOS 13.5, and that most users of affected products are already protected due to the speed at which the customer base installs operating system updates – unlike, say, the slow-to-update Android ecosystem. It was also pointed out that the attack requires being within Wi-Fi range.

On Twitter, Beer pointed out that with special radio equipment, the attack could be done from hundreds of meters away.

A potentially mitigating factor is that AWDL, used for AirDrop file sharing between devices among other things, has to be enabled for the attack to work. However, Beer points out that AWDL is enabled by default, and can be remotely enabled on a locked device as long as the device has been unlocked at least once since it was last powered on.

Beer argues that despite the potential security improvements offered by Arm's Memory Tagging Extension (MTE), Apple should spend more time modernizing critical legacy code in iOS like vm_map.c, written in 1985 and still in use today.

He also argues for more automated testing, code reviews for code that's critical for security, better internal documentation, and looking beyond fuzzing to things like variant analysis to stay ahead of attackers. ®
