Earlier this year, Apple had one of the most astounding iPhone bugs ever: a memory corruption bug in the iOS kernel that gave attackers remote access to the entire device over Wi-Fi, with no user interaction required. Moreover, the exploits were wormable—meaning radio-proximity exploits could spread from one nearby device to another, once again with no user interaction needed.
This deadly Wi-Fi exploit package was designed by Ian Beer, a researcher at Google’s vulnerability research team, Project Zero. In a 30,000-word post published Tuesday afternoon, Beer described six months of solo vulnerability research and proof-of-concept exploitation. Almost immediately, fellow security researchers took notice.
The exploit makes it possible to “view all the photos, read all the email, copy all the private messages and monitor everything which happens on [the device] in real-time,” said Beer of Project Zero.
The vulnerability stems from a “fairly trivial buffer overflow programming error” in a Wi-Fi driver associated with Apple Wireless Direct Link (AWDL), a proprietary mesh networking protocol developed by Apple for use in AirDrop, AirPlay and other features that ease communication between Apple devices.
“This is a fantastic piece of work,” Chris Evans, a semi-retired security researcher and executive who founded Project Zero, said in an interview. “It really is pretty serious. The fact you don’t have to really interact with your phone for this to be set off on you is really quite scary. This attack is just you’re walking along, the phone is in your pocket, and over Wi-Fi, someone just worms in with some dodgy Wi-Fi packets.”
“Imagine the sense of power an attacker with such a capability must feel,” Beer wrote. “As we all pour more and more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target.”
As part of his Project Zero work, Beer developed several different exploits. The most advanced one installs an implant with full access to the user’s personal data, including emails, photos, messages, passwords and the cryptographic keys stored in the keychain.
The attack used laptops, a Raspberry Pi, and some commercially available Wi-Fi adapters. It takes about two minutes to install a prototype implant, but Beer said that with more work, better-written exploits could get it done in “a few seconds.” Exploitation only works on devices within the attacker’s Wi-Fi range.
Although there’s no evidence that the vulnerability was exploited in the wild, the researcher noted that “exploit vendors seemed to take notice of these fixes.”