This time I really need to update the iOS system, unless...

2020/12/05 23:52:08 technology
Since Apple redefined the mobile phone in 2007, every new iPhone it releases has been met by enthusiastic followers. Some are enamored with its smooth system; some are won over by its beautiful UI and design; others are eager to take the device apart and study its security mysteries...

This time I really need to update the iOS system, unless... - DayDayNews

One representative of the latter group is the well-known Google Project Zero security researcher Ian Beer. A few days ago he published a major iPhone vulnerability that took him six months to turn into a working attack. With it, an attacker within Wi-Fi range can take over a phone over the air without touching it and extract the user's private data. Put simply: your iPhone is lying on the table, nobody touches it, and as long as you are within range of the attacker your emails, messages, photos and so on can be stolen; the phone's microphone and camera can even be turned into tools for listening to and watching you.

AWDL broadcast denial-of-service (DoS) attack demonstration

The attack relies on a kernel memory corruption vulnerability in Apple Wireless Direct Link (AWDL), the proprietary wireless direct-connection protocol used by iPhone, iPad, Mac, Apple Watch, Apple TV and HomePod. Apple features such as AirDrop and Sidecar depend on AWDL to work quickly and reliably. This also means that every Apple device implementing AWDL may be affected. Who would have thought that, two years on, AirDrop has not settled down but has instead dragged its companions into something bigger~


Looking at the results of Ian's six months of research, it is clear that pulling off the attack is far from easy. AWDL is not a custom radio protocol but an Apple extension layered on the IEEE 802.11 (Wi-Fi) standard that works together with Bluetooth Low Energy (BLE). Because the AWDL interface is brought up in response to Bluetooth activity, in theory whenever a nearby user is using Bluetooth, the AWDL interfaces of Apple devices within the surrounding Wi-Fi range are activated, and at that moment the attacker can use the vulnerability to take control of them. But not everyone keeps Bluetooth turned on all the time, so to make the attack practical a way had to be found to force AWDL on.

Building on this property of AWDL, and after several attempts, Ian Beer forced the AWDL interface on by continuously sending BLE advertisements, then used a buffer overflow in the Wi-Fi driver code that handles AWDL to attack the device and implant a program running as root. Within a few seconds of starting, the program obtains read and write access to kernel memory, and from there the user's personal data can be extracted.
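The bug class behind this step, a parser that copies a variable-length element from an over-the-air frame into a fixed-size kernel buffer without checking the length against the destination, is easy to see in miniature. The C below is an added, constructed example for this article; it is not Apple's driver code and not Ian Beer's exploit. The TLV type code, the `awdl_peer` layout, the field names and the 60-byte size are all hypothetical, and the frame it parses is built inline. It puts the vulnerable parser beside the fixed one and drives both with the same constructed frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration only: the TLV type code, struct layout, field
 * names and sizes are hypothetical and are not Apple's AWDL driver code. */
#define TLV_SYNC_TREE  0x14
#define MAC_LEN        6
#define MAX_TREE_MACS  10                          /* 60-byte fixed buffer */
#define FLAGS_SENTINEL 0xCAFEF00Du

struct awdl_peer {
    uint8_t  sync_tree[MAX_TREE_MACS * MAC_LEN];   /* fixed-size destination */
    uint32_t tree_depth;                          /* first field past the buffer */
    uint32_t flags;                               /* clobbered by an overflow */
    uint8_t  spare[16];                           /* keeps the demo inside *p */
};

struct tlv { uint8_t type; uint16_t len; const uint8_t *val; };

/* Read one TLV (1-byte type, 2-byte little-endian length, value) from a
 * received frame. Returns bytes consumed, or 0 if the frame is truncated. */
size_t tlv_read(const uint8_t *buf, size_t buflen, struct tlv *out)
{
    if (buflen < 3) return 0;
    out->type = buf[0];
    out->len  = (uint16_t)(buf[1] | (buf[2] << 8));
    if ((size_t)out->len > buflen - 3) return 0;  /* value runs past the frame */
    out->val = buf + 3;
    return 3 + (size_t)out->len;
}

/* Vulnerable: validates the shape of the value (a whole number of MAC
 * addresses) but never its size against the 60-byte destination. A peer
 * advertising 12 MACs writes 12 bytes past sync_tree. The copy goes through
 * the enclosing struct byte by byte so the demonstration stays inside *p
 * rather than relying on undefined behaviour; a real driver would memcpy(). */
int sync_tree_parse_vulnerable(struct awdl_peer *p, const struct tlv *t)
{
    if (t->type != TLV_SYNC_TREE || t->len % MAC_LEN != 0) return -1;
    uint8_t *dst = (uint8_t *)p + offsetof(struct awdl_peer, sync_tree);
    for (size_t i = 0; i < t->len; i++)
        dst[i] = t->val[i];                       /* no upper bound on i */
    return 0;
}

/* Fixed: the same parser with the missing bound. The length is checked
 * against the destination before anything is copied. */
int sync_tree_parse_fixed(struct awdl_peer *p, const struct tlv *t)
{
    if (t->type != TLV_SYNC_TREE || t->len % MAC_LEN != 0) return -1;
    if (t->len > sizeof p->sync_tree) return -1;  /* reject an oversized tree */
    memcpy(p->sync_tree, t->val, t->len);
    p->tree_depth = t->len / MAC_LEN;
    return 0;
}

/* Build a constructed frame carrying one sync-tree TLV with nmacs addresses. */
size_t build_sync_tree_frame(uint8_t *out, size_t cap, size_t nmacs)
{
    size_t len = nmacs * MAC_LEN;
    if (len > 0xFFFF || len + 3 > cap) return 0;
    out[0] = TLV_SYNC_TREE;
    out[1] = (uint8_t)(len & 0xFF);
    out[2] = (uint8_t)(len >> 8);
    for (size_t i = 0; i < nmacs; i++) {
        out[3 + i * MAC_LEN] = 0x02;              /* locally administered MAC */
        for (size_t j = 1; j < MAC_LEN; j++)
            out[3 + i * MAC_LEN + j] = (uint8_t)i;
    }
    return 3 + len;
}

/* Feed a frame with nmacs addresses to one parser. Returns -1 if the TLV was
 * rejected, 0 if accepted with the fields after sync_tree intact, 1 if
 * accepted and those fields were overwritten (the overflow). */
int run_parser(size_t nmacs, int use_fix)
{
    uint8_t frame[256];
    struct tlv t;
    struct awdl_peer p;
    size_t n = build_sync_tree_frame(frame, sizeof frame, nmacs);
    if (n == 0 || tlv_read(frame, n, &t) == 0) return -1;
    memset(&p, 0, sizeof p);
    p.flags = FLAGS_SENTINEL;
    int rc = use_fix ? sync_tree_parse_fixed(&p, &t)
                     : sync_tree_parse_vulnerable(&p, &t);
    if (rc != 0) return -1;
    return p.flags == FLAGS_SENTINEL ? 0 : 1;
}

int main(void)
{
    printf("10 MACs, vulnerable parser: %d\n", run_parser(10, 0));
    printf("12 MACs, vulnerable parser: %d (1 = fields after the buffer clobbered)\n",
           run_parser(12, 0));
    printf("12 MACs, fixed parser:      %d (-1 = rejected)\n", run_parser(12, 1));
    return 0;
}
```

The point of the side-by-side is that the vulnerable parser does validate its input, just the wrong property: a length that is a multiple of six says nothing about whether it fits. In a kernel driver the fields overwritten would be whatever the allocator placed after the peer object, which is what turns a parsing slip into the kernel read/write primitive the article describes.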

Fortunately, Ian says no cases of this being exploited in the wild have been found so far, and the bug had already been quietly fixed before Apple shipped iOS 13.5 in May this year.

No user interaction; the AWDL interface is forced on with BLE advertisements; the AWDL exploit obtains kernel memory read and write within a few seconds of launching; the whole end-to-end exploit takes only about one minute.

Throughout the whole process, AWDL is the critical piece. Apple has never published the technical details of AWDL, so when studying Bluetooth and Wi-Fi security, researchers often overlook the design and implementation flaws of this wireless direct-link protocol. Once examined, AWDL turns out to have weaknesses from design through implementation that can be used in attacks and leave users exposed: a man-in-the-middle (MitM) attacker can intercept and modify files sent over AirDrop and plant malicious files on the device; devices can be tracked over long periods; denial-of-service (DoS) attacks can block communication; and so on. In short, either your information is stolen or your device crashes...

The complete attack process

Apple has long been known for the high security of its systems. Yet security researchers who habitually "face difficulty head-on" keep finding vulnerabilities through solid technique, open minds and attention to detail, bringing ordinary users one step closer to security. On the stage of GeekPwn 2017 there were also contestants who used vulnerabilities to remotely gain root and take control of the iPhone 8, newly released that year. Behind that lay years of accumulated skill and months of research.


Spending months researching a single bug may seem very costly. But lengthening the attack chain and raising the attacker's cost, until attackers give up, is exactly what many defenses aim to achieve. That is no reason to take it lightly. As Ian put it in his blog, there are two attitudes toward a vulnerability that has not yet shown up in real attacks:

A: Nobody is going to spend six months attacking my phone; don't worry.

B: A researcher tinkering alone at home can find a way to attack nearby phones and extract their data. You still need to be careful~

I don't know whether you choose A or B. In any case, I have already opened my phone's settings and am thinking about which apps to delete to leave enough room for the system update...


Watching my software version gradually fossilize

Or maybe you want a third option: study the technical details of the attack. The original write-up is at:

https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html
