10 Nov 2020

Google Details iPhone Zero-Click Exploit Allowing Theft of User Data, Including Photos, Emails

Google Project Zero has disclosed the details of an iOS exploit that allows an attacker to hack iPhones remotely over Wi-Fi and steal sensitive data, without any user interaction.

The exploit was uncovered by Google Project Zero researcher Ian Beer — who over the past year has found numerous critical vulnerabilities in Apple products — as a result of a six-month analysis conducted earlier this year. The expert described his findings and the process that led to the discovery in a lengthy blog post published on Tuesday.

According to Beer, the exploit leverages a single memory corruption vulnerability that can be used against an iPhone 11 Pro device to bypass mitigations and achieve native code execution and kernel memory reading and writing.

The exploit abuses Apple Wireless Direct Link (AWDL), a Wi-Fi based mesh networking protocol designed for connecting Apple devices in ad-hoc peer-to-peer networks.

Since the exploit requires AWDL to be enabled, the researcher used a technique involving Bluetooth Low Energy (BLE) advertisements to force the targeted device to enable AWDL without any user interaction and without the attacker needing much information about the targeted device. AWDL can also be remotely enabled, for example, by sending a voicemail, but that requires knowledge of the target’s phone number.

Beer’s exploit leveraged a buffer overflow vulnerability in AWDL to remotely gain access to a device and execute an implant as root. He has published videos showing how an attacker who is within Wi-Fi range can launch the calculator on a phone, and how they can use the deployed implant to steal user data. The expert pointed out that the implant has full access to the targeted user’s information, including photos, emails, messages, and keychain data.

While his exploit in its current form takes a couple of minutes to execute, he believes that with more resources it could be reduced to just a few seconds. Moreover, while an attacker needs to be in Wi-Fi range to launch an attack, the researcher noted that “with directional antennas, higher transmission powers and sensitive receivers the range of such attacks can be considerable.”

Beer said Apple patched the vulnerability before the launch of its COVID-19 contact tracing system in iOS 13.5 in May. Apple pointed out that a vast majority of iOS users keep their devices up to date so they should no longer be vulnerable to attacks.

The researcher said he was not aware of any attacks exploiting the vulnerability, but pointed out that the patch implemented by Apple was quickly noticed by Mark Dowd, co-founder of Azimuth Security, a small Australian company that provides hacking tools to law enforcement and intelligence agencies.

“This has been the longest solo exploitation project I've ever worked on, taking around half a year,” Beer explained. “But it's important to emphasize up front that the teams and companies supplying the global trade in cyberweapons like this one aren't typically just individuals working alone. They're well-resourced and focused teams of collaborating experts, each with their own specialization. They aren't starting with absolutely no clue how bluetooth or wifi work. They also potentially have access to information and hardware I simply don't have, like development devices, special cables, leaked source code, symbols files and so on.”

*Updated to clarify that the attacker needs to be in Wi-Fi range to launch an attack, and to add information from Apple on users keeping their devices updated.