Apple last May patched a vulnerability in the Apple Wireless Direct Link (AWDL) protocol that can be remotely exploited to steal data from an iPhone and access its camera or microphone, without any user interaction.
In a highly technical blog post, researcher Ian Beer of Google Project Zero said that after discovering the flaw, he spent the next six months creating a "wormable radio-proximity exploit" that "allows me to gain complete control over any iPhone in my vicinity," provided that he's within the device's Wi-Fi range.
AWDL is a mesh networking protocol that helps enable features like AirDrop, which allows device owners to send files to each other over the air. Beer noted that when Apple applied its fix to the protocol, it did not go unnoticed by at least one major exploit vendor who tweeted about the development.
"You don't notice a fix like that without having a deep interest in this particular code," said Beer, though he found no evidence that the vulnerability was ever exploited in the wild.
Still, "This looks like a good indication that the vulnerabilities were known and potentially sold on the market," said Eugene Kolodenker, staff security intelligence engineer at mobile security company Lookout.
Even if he was the first to exploit the bug, Beer said there's still an important lesson to be learned: Don't assume that there aren't hackers out there patient and deliberate enough to figure out how to bypass your mobile device's defenses, however robust they may be. "One person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they'd come into close contact with," Beer wrote, referring to himself.
Beer categorized the vulnerability as a "fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers." And last May, an Apple security advisory referred to the bug, designated CVE-2020-3843, as a memory corruption issue that can be remotely exploited to "cause unexpected stem termination or corrupt kernel memory."
For his exploit, Beer used a Raspberry Pi and off-the-shelf Wi-Fi adapters, to, within roughly two minutes, remotely install an implant capable of stealing emails, photos, messages and keychain details from an iPhone 11 Pro he placed in a separate room. Once exploited, a device could then be used to similarly attack other nearby devices.
"With just this one issue I was able to defeat all the mitigations in order to remotely gain native code execution and kernel memory read and write," wrote Beer, noting that with stronger engineering and hardware, he could have accomplished the same exploit in seconds. With directional antennas, higher transmission powers and sensitive receivers, he could have pulled off an attack from a larger distance.
It's rare to find a single vulnerability that doesn't need to be chained with other bugs in order to take over a device. But Beer is confident it won't be the last to be discovered. "As things stand now in November 2020, I believe it's still quite possible for a motivated attacker with just one vulnerability to build a sufficiently powerful weird machine to completely, remotely compromise top-of-the-range iPhones," he wrote.
And there may be more vulnerabilities to find in AWDL as well. "AWDL is a proprietary and undocumented protocol by Apple. Without documentation it is difficult for security researchers to audit the protocol," said Kolodenker. "As with most code, further bugs may exist in the implementation."
In the case of Beer's discovery, AWDL doesn't even have to be on for the exploit to work, as the attacker can force the AWDL to activate. Moreover, "AWDL can be remotely enabled on a locked device using the same attack, as long as it's been unlocked at least once after the phone is powered on," Beer noted.
To further strengthen defenses and mitigations against future device exploits, Beer suggested "a long-term strategy and plan for how to modernize the enormous amount of critical legacy code that forms the core of iOS." He also pointed to the need for "a short-term strategy for how to improve the quality of new code" that includes "broad, automated testing; code review for critical, security sensitive code; and high-quality internal documentation so developers can understand where their code fits in the overall security model."
Beer also recommended "a renewed focus on vulnerability discovery using more than just fuzzing. This means not just more variant analysis, but a large, dedicated effort to understand how attackers really work and beat them at their own game by doing what they do better."
