A hack that let an attacker take full remote control of iPhones without user interaction is bad enough. One that can also then spread automatically from one iPhone to the next is practically unheard of. But a report published this week by Ian Beer of Google's Project Zero bug-hunting team lays out a sinister yet elegant roadmap for how an attacker could have done just that before Apple released fixes in May.
Beer's entire attack stems from a simple, well-known type of vulnerability—a memory corruption bug—in the iOS kernel, the privileged core of an operating system that can access and control pretty much everything. The genius of the attack, though, is that the bug was exploitable through an iPhone's Wi-Fi features, meaning that an attacker just needed some antennas and adapters to launch the assault whenever they chose, compromising any nearby iOS device.
"It’s very interesting research and super unique as well," says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. "Close access network attacks like this aren’t something you hear about every day."
The vulnerability, which Apple patched back in May, involved a flaw in one of the kernel drivers for Apple Wireless Direct Link, the proprietary mesh networking protocol Apple uses to offer slick over-the-air features like AirDrop and Sidecar. AWDL is built on industry Wi-Fi standards, but allows multiple devices to exchange data directly rather than sending it back and forth over a typical Wi-Fi network with a router, modem, and internet service provider as intermediaries.
Beer showed that a specially crafted Wi-Fi frame could trigger the memory corruption bug in the AWDL driver and let an attacker run their own code on an iPhone, not merely crash it. From there, the attacker would have full access to the device's data, the ability to monitor its activity in real time, and even potentially access to extra-sensitive components like the microphone and camera, or the passwords and encryption keys in Apple's Keychain. The attack is also "wormable," which means that a victim device could spread the infection to other vulnerable iPhones or iPads. Apple's watchOS was also vulnerable and received a patch.
An Apple spokesperson emphasized in a statement to WIRED that such exploits would be limited by the need for physical proximity. With cheap, general-purpose equipment, though, Beer was still able to launch his attacks from an adjacent room through a closed door. The hacker and victim devices do not need to be on the same Wi-Fi network for the attack to work. And with directional antennas and other more powerful gear, Beer estimates that the range could potentially increase to hundreds of meters.
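The class of bug the article describes, a length field taken from an over-the-air frame and used in a copy without checking it against the destination buffer, in an added C example. This is not Beer's exploit and not Apple's driver code: the TLV layout, the `peer_t` object, the canary field after the name buffer and the constructed test frame are all hypothetical, chosen only to make the missing check and its fix visible side by side.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical over-the-air frame format for this example: a sequence of
 * TLVs, each "type (1 byte) | length (1 byte) | value (length bytes)".
 * Nothing here is AWDL's real wire format or Apple's code. */
#define TLV_PEER_NAME 0x10
#define NAME_MAX      16
#define CANARY        0xA5A5A5A5u

/* Simulated kernel object: a 16-byte name buffer followed by a field that an
 * overflow would clobber (stand-in for whatever follows the buffer in a real
 * heap object). It is one 256-byte arena so that even the vulnerable parser's
 * out-of-bounds copy (length <= 255) stays inside a single allocation and the
 * demo itself is well-defined. */
typedef struct {
    uint8_t raw[256];
} peer_t;

static void peer_init(peer_t *p) {
    uint32_t c = CANARY;
    memset(p->raw, 0, sizeof p->raw);
    memcpy(p->raw + NAME_MAX, &c, sizeof c);
}

/* Value of the field right after the name buffer; CANARY means untouched. */
static uint32_t peer_canary(const peer_t *p) {
    uint32_t c;
    memcpy(&c, p->raw + NAME_MAX, sizeof c);
    return c;
}

/* VULNERABLE: the length byte is checked against the frame, so the read is in
 * bounds, but it is never checked against the 16-byte destination. Any length
 * from 17 to 255 writes past the name into whatever follows it. */
static int parse_frame_vulnerable(peer_t *p, const uint8_t *frame, size_t n) {
    size_t off = 0;
    while (off + 2 <= n) {
        uint8_t type = frame[off], len = frame[off + 1];
        if (off + 2 + len > n)
            return -1;                               /* truncated TLV */
        if (type == TLV_PEER_NAME)
            memcpy(p->raw, frame + off + 2, len);    /* no destination bound */
        off += 2 + len;
    }
    return 0;
}

/* HARDENED: reject any TLV whose value would not fit its destination before
 * copying. Unknown types are skipped; a truncated or oversized TLV drops the
 * whole frame rather than a partial copy. */
static int parse_frame_hardened(peer_t *p, const uint8_t *frame, size_t n) {
    size_t off = 0;
    while (off + 2 <= n) {
        uint8_t type = frame[off], len = frame[off + 1];
        if (off + 2 + len > n)
            return -1;                               /* truncated TLV */
        if (type == TLV_PEER_NAME) {
            if (len > NAME_MAX)
                return -2;                           /* would overflow */
            memcpy(p->raw, frame + off + 2, len);
        }
        off += 2 + len;
    }
    return 0;
}

/* Build a constructed test frame holding one PEER_NAME TLV of the given
 * length, filled with 'A'. Returns the number of frame bytes written. */
static size_t build_name_frame(uint8_t *out, size_t cap, uint8_t len) {
    if (cap < (size_t)len + 2)
        return 0;
    out[0] = TLV_PEER_NAME;
    out[1] = len;
    memset(out + 2, 'A', len);
    return (size_t)len + 2;
}

int main(void) {
    uint8_t frame[260];
    peer_t p;
    size_t n = build_name_frame(frame, sizeof frame, 24);   /* 24 > NAME_MAX */

    peer_init(&p);
    printf("vulnerable: rc=%d canary=0x%08x\n",
           parse_frame_vulnerable(&p, frame, n), (unsigned)peer_canary(&p));
    peer_init(&p);
    printf("hardened:   rc=%d canary=0x%08x\n",
           parse_frame_hardened(&p, frame, n), (unsigned)peer_canary(&p));
    return 0;
}
```

The frame-level bound in the vulnerable parser is the kind of check that makes code look safe in review: the read never runs off the end of the packet, so fuzzing that only watches for out-of-bounds reads stays quiet while every write of length 17 or more corrupts the object. The hardened version checks the same attacker-controlled length against the destination size, which is the check the article's "specially crafted Wi-Fi packet" relies on being absent.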
In his write-up of the attack, Beer says there is no indication that the vulnerabilities he found were ever exploited in the wild, but he did note that at least one exploit broker seemed to have been aware of the flaw before Apple released the patch in May.
Though the vulnerability was patched months ago and the fix has likely reached the majority of iOS devices around the world, the finding raises important questions about the security of AWDL, which is on all the time, whether users realize it or not, unless a device is in Airplane Mode. In a series of tweets on Tuesday, Beer pointed out that AWDL has been used as an anti-censorship tool, for example during the 2019 Hong Kong protests when people used AirDrop to share banned content with each other. But he emphasized that because the protocol is proprietary, the vetting and oversight are entirely up to Apple.
"Having such a large and privileged attack surface reachable by anyone means the security of that code is paramount, and unfortunately the quality of the AWDL code was at times fairly poor and seemingly untested," Beer wrote.
As Beer points out, researchers from TU Darmstadt's Secure Mobile Networking Lab in Germany have done significant work reverse engineering and evaluating AWDL in the last couple of years. Lab member Alexander Heinrich says he understands why companies like Apple want to keep their intellectual property from competitors. But he adds that there is a particular security tradeoff when it comes to protocols like AWDL that are accessible virtually all the time.
"It takes us weeks if not months until we can start looking at security issues," Heinrich told WIRED. "Before that we need to reverse all the details to understand those protocols. And the problem here is that the user does not really have an option to deactivate it to ensure his device security. As a user you can never know when AWDL is used."
Even similar protocols that are public, like the Bluetooth standard, still have weaknesses because of their complexity.
"We've tested other wireless protocols, including Bluetooth on iOS, and found some vulnerabilities, so Ian's findings are definitely something we imagined would be possible," says Jiska Classen, another TU Darmstadt researcher. "But testing wireless protocols is really not that easy."
In general, researchers looking at Beer's findings were simply impressed by how powerful, and sinister, the attack is—all without the need for a hacker to trick their victim into clicking a link, downloading a malicious attachment, or doing anything else. The work is yet another reminder of how valuable "interaction-less" or "zero click" attacks are for malicious hackers, and how important it is to have extra scrutiny on any device feature that is built to accept external inputs at any moment, like messaging services, the phone, Bluetooth pairing, or Wi-Fi.
"What a magical bug," says Patrick Wardle, principal security researcher at the Mac management firm Jamf. One that hopefully doesn't portend other issues in Apple's closely held AWDL code.