Close Proximity iPhone Hack — CyberHoot

Google’s Project Zero cybersecurity researcher (and white-hat hacker) Ian Beer published an article in December of 2020, outlining how hackers can break into nearby iPhones to steal personal data. The vulnerability exploits a weakness in Apple’s wireless connectivity protocol Apple Wireless Direct Link (AWDL), doesn’t require any victim interaction, and results in complete control of an unpatched iPhone. In fairness to Apple, they have patched this vulnerability in iOS 13.1.1x and Mac OS 10.15.3x.

What is AWDL?

AWDL is ‘Apple Wireless Direct Link’, a networking protocol that lets Apple devices — iPhones, iPads, Macs, and Apple Watches — form peer-to-peer networks for sharing data. Chances are that if you own an Apple device you’re creating or connecting to these peer-to-peer networks many times a day without realizing it. AWDL is used in AirDrop file sharing, AirPlay music sharing, video display sharing, and even when answering a phone call on your Apple Watch. Even if you haven’t used those features, your device could have joined an AWDL network that people nearby were using, without your knowledge. This Google researcher left nothing to chance: he searched for and discovered another flaw in the AWDL protocol that allowed him to guarantee he could enable AWDL on any iPhone in less than 2 minutes and subsequently fully exploit the device.

The Evidence

Beer’s article concludes with a short video (below) showing him stealing a photo from his phone using a hacking kit set up in the next room:

  • He takes a photo of a “secret document” using the iPhone in one room.
  • He leaves the “user” of the phone (a giant pink teddy bear) sitting watching a YouTube video.
  • He goes next door and kicks off an automated ‘over-the-air’ attack that exploits a kernel bug on the phone.
  • The exploit uploads malware code onto the phone, grants itself access to the Photos app’s data directory, reads the “secret” photo file, and uploads it to his laptop next door.
  • The phone continues working throughout this hack, with no warnings, pop-ups, or anything that might alert users to the compromise of their device.

The Difference between AWDL and Wi-Fi

Wi-Fi involves connecting to a network. At home, you plug a Wi-Fi access point (router) into your modem, which creates your Wi-Fi network. The router broadcasts a network name and accepts clients on a particular channel. These password-protected Wi-Fi networks have encryption and other security measures in place to protect users. Apple’s AWDL doesn’t require users to be on the same password-protected network to establish a peer-to-peer connection. AWDL has no built-in encryption and lacks other basic security features, which is what makes this exploit possible.

Exploit Caveats, or Room for Improvement

Beer noted that with proper engineering and hardware, once AWDL is enabled an entire exploit could run in a handful of seconds. Beer believes there are likely better techniques for getting AWDL enabled without using his brute force attack. Importantly, this vulnerability is wormable; a device that has been exploited could then itself be used to exploit other devices it comes into contact with.

What Should You Do to Protect Yourself?

Beer reported this vulnerability months ago to Apple and it has already been patched. If you updated your iPhone in 2020, you’re safe from this hack. The following steps should always be taken by smartphone users to reduce chances of becoming a victim:

  1. Keep devices up to date.
  2. Turn off networking protocols by default.
  3. If you’re a programmer, be strict with data.
  4. Don’t assume Apple devices and software are free from bugs.

Originally published at https://cyberhoot.com on December 8, 2020.

A writer for CyberHoot, a cybersecurity company that helps society become more aware and more secure.