Posted on December 3, 2020 at 5:51 PM
Project Zero, Google’s team of security analysts, revealed that a vulnerability in the kernel of Apple’s iOS operating system would have allowed hackers to breach iPhones.
The team said the security bug was quickly mended after it was discovered earlier this year.
The bug, if left unpatched, would have given threat actors extensive control over any iPhone without direct contact or interaction with its user. Apple says its security team has repaired the bug and it no longer poses a risk.
Vulnerability grants complete access to iPhone devices
Project Zero initially reported the flaw, which is described as a kernel memory corruption bug. Ian Beer, a security analyst at Project Zero, published a blog post detailing the bug. Alongside the post, he released the proof-of-concept exploit he developed to demonstrate the vulnerability.
Ian Beer has found numerous security flaws in Apple products over the past years. He carried out a six-month investigation earlier in the year and described the path that led to the discovery in a long blog post shared on Tuesday. “This has been the longest solo exploitation project I’ve ever worked on, taking around half a year,” he pointed out.
According to the blog post, the exploit uses a single memory corruption bug to compromise an iPhone 11 Pro. It allowed him to bypass mitigations and achieve kernel memory reads as well as native code execution.
Exploit utilizes Wi-Fi-based protocol
The exploit also abuses a Wi-Fi-based mesh networking protocol known as Apple Wireless Direct Link (AWDL), which is designed for connecting Apple devices in ad-hoc peer-to-peer networks.
The security researcher said he used Bluetooth Low Energy (BLE) because the exploit requires AWDL to be enabled on the target.
BLE was used to force the targeted device to enable AWDL without any user interaction and without the threat actor needing any prior information about the device being targeted.
Beer published videos showing how a threat actor could have gained access to the device remotely without any prior interaction with it. He said a threat actor within Wi-Fi range could open the phone’s calculator app and, using an implant deployed to the device, steal data.
According to the report, the researcher’s implant has complete access to the targeted user’s information, including Keychain data, messages, emails, and photos.
Although the current form of his exploit takes some time to execute, the researcher says anyone with more sophisticated tooling could gain access to devices much faster. He said that with the right tools, a threat actor could exploit the vulnerability and gain access within a few seconds.
Beer also noted that a threat actor needs to be within Wi-Fi range to launch the attack. But with directional antennas, sensitive receivers, and higher transmission power, an attacker could launch such attacks from a considerable distance.
Beer said Apple had already shipped an update for the bug before it launched the COVID-19 contact tracing system in iOS.
Apple has also reiterated that most iOS users keep their devices regularly updated, so the vast majority of them will not be exposed to these attacks.
A sophisticated hacker could have exploited the flaw in seconds
Beer also said no threat actor is known to have exploited the bug, but noted that Mark Dowd, co-founder of Azimuth Security, quickly spotted the patch when Apple shipped it.
Azimuth is a security firm, based in Australia, which provides hacking tools to intelligence agencies and law enforcement.
He said that although it took him six months to research and discover the vulnerabilities, it does not mean another research team would have needed that long. Beer further pointed out that some teams of collaborating experts have far more resources than he has.
Some research teams have access to resources like symbol files, leaked source code, special cables, and development devices. He explained that they are not individuals working alone, but collaborating experts, each with their own specialization.
Although the Project Zero researcher developed multiple attacks to understand the bug, the most advanced is the wormable radio-proximity exploit, which gave him full control of the iPhone 11 Pro.