While some of us were locked away binge-watching our favorite TV shows on Netflix, one security researcher was figuring out how to hack an iPhone without user interaction. He came up with a way to “inject” malicious code into an iOS kernel object using peer-to-peer WiFi. It requires no action on the user’s part and is virtually undetectable.
Using about $100 worth of equipment that included a Raspberry Pi and some off-the-shelf WiFi adapters, Project Zero researcher Ian Beer developed an exploit that can highjack an iPhone over WiFi without the phone even being connected to a network. The attack requires no interaction on the part of the victim.
By broadcasting malicious WiFi packets, Beers could cause a buffer overflow in the AWDL driver. This fault, in turn, allowed him root access. The attack can work on one or even multiple iPhones simultaneously if they are within radio proximity. Even more astonishing, the exploit is “wormable,” meaning that malware can be programmed to use the same attack vector to propagate from one nearby device to another.
“For 6 months of 2020, while locked down in the corner of my bedroom surrounded by my lovely, screaming children, I’ve been working on a magic spell of my own. No, sadly not an incantation to convince the kids to sleep in until 9am every morning, but instead a wormable radio-proximity exploit which allows me to gain complete control over any iPhone in my vicinity. View all the photos, read all the email, copy all the private messages and monitor everything which happens on there in real-time.”
“This is a fantastic piece of work,” Project Zero founder Chris Evans told Ars Technica. “It really is pretty serious. The fact you don’t have to really interact with your phone for this to be set off on you is really quite scary. This attack is just you’re walking along, the phone is in your pocket, and over WiFi someone just worms in with some dodgy WiFi packets.”
Beers posted a couple of demos to YouTube showing the exploit in action. The first (above) is a detailed and technical look at how the attack works against a single phone. The second (below) shows him shutting down 26 iPhones of various models all at once.
“There’s something hauntingly beautiful watching all these iPhones die at slightly different times, as they get a WiFi broadcast packet of death,” Evans tweeted.
What makes the exploit particularly frightening is that once the iPhone is compromised, the attacker has full access to it without the victim’s knowledge. As long as the hacker does not do something that would alert the user, the phone will continue to operate normally.
Fortunately, there is little need to worry about encountering this exploit in the wild unless you have an older iPhone that cannot be updated to the latest versions of iOS. Beers informed Apple of the vulnerability, and developers pushed a patch way back in iOS 13.5.
If you are interested in the full technical details, Beers has a 30,000-word writeup on it posted to the Project Zero blog. It’s a long but interesting read.