Google Uncovers iPhone Exploit That Can Steal Data Over Wi-Fi
Apple liked to talk a large game when it comes to security on the iPhone, but it’s as vulnerable as any other company to unforeseen bugs. Sometimes, these bugs are minor and easy to repair with public disclosure. In other cases, the bugs are a threat to user data and need to be patched in secret. That’s the case for any recent update that fixed a significant Wi-Fi exploit. According to Ian Beer of Google’s Project Zero security team, the flaw allowed him to steal photos from the iPhone just by pointing a Wi-Fi antenna at it.
According to Beer, he discovered the flaw earlier this year and spent 6 months developing an exploit around it. The attack uses a buffer overflow bug in AWDL, that is Apple’s custom mesh networking protocol that enables iPhones, iPads, Apple Watches, and Macs to form ad-hoc wireless connections. This is a core area of the iOS and macOS software stack, so exploiting it gave Beer access to all the phone’s data.
Beer posted a complete rundown of the hack around the Project Zero blog, that they can perform because the flaw was reported to Apple early in 2021, allowing the iPhone maker to unveil patches in May to bar the attack. The article is exhaustively detailed, clocking in at 30,000 words. There’s additionally a video demo below, which won’t take quite as long to digest.
The attack relies on a Raspberry Pi and off-the-shelf Wi-Fi adapters. It took serious amounts of find the right mixture of hardware. Beer notes we wanted to send poisoned AWDL packets over common 5GHz Wi-Fi channels, and not all antennas allows him to do that. Also, he needed to produce a network stack driver that could interface with Apple’s software, and then learn how to turn the core buffer overflow bug right into a “controllable heap corruption.” That’s what gave him control of the unit.
As you can observe in the video, the whole thing happens remotely with no interaction from the user. It takes a few minutes to break into the phone, but he’s able to successfully retrieve a photo in the device. Depending on the strength of the Wi-Fi antenna, Beer says this same attack could work from the great distance.
It might be tempting to say any attack that takes six months to develop and 30,000 words to fully explain isn't a real threat, but Beer highlights he did this alone. If your single engineer can create an exploit in 6 months that compromises sensitive data on the billion phones, that is a problem. Thankfully, this bug is bound. It’s the next we must worry about.