According to an article by Ars Technica, Apple patched one of the most dangerous vulnerabilities in the iPhone’s history earlier this year after it was discovered by a Google employee. The fault in question was a memory corruption bug in the iOS kernel that allowed an attacker to take full control of the phone over Wi-Fi. What’s more, unlike many attacks, which require some sort of user action – clicking on a link, disabling some security feature, etc. – this one required no user interaction at all.
The ingenious attack was designed by Ian Beer, a researcher on Google’s vulnerability research team, Project Zero. Beer detailed the Wi-Fi packet attack in a blog post published on Tuesday. He explained how he spent six months developing the exploit and described the vulnerability in detail.
The attack works by taking advantage of a buffer overflow bug in the driver for AWDL (Apple Wireless Direct Link), Apple’s proprietary peer-to-peer Wi-Fi protocol used for features such as AirDrop. The AWDL driver runs inside the iOS kernel, which has access to almost every part of the system, so an attack that exploits this driver inherits the kernel’s unrestricted access and can compromise the whole device. Moreover, the AWDL driver parses incoming Wi-Fi frames, which lets an attacker trigger the bug over the air without ever touching the phone. To make matters even worse, the exploit developed by Beer is wormable, meaning a compromised device could in turn attack other devices within Wi-Fi range, again without any user interaction.
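As an added illustration of the bug class described above (this is not from the Ars article, not Apple’s AWDL code and not Beer’s exploit), the following C sketch shows a packet parser of the kind a wireless driver contains: it reads TLVs (type, length, value) from an incoming frame, bounds-checks the read from the frame, but trusts the frame’s own length byte when copying the value into a fixed-size kernel record. A hardened version of the same parser with the missing check sits beside it. The TLV format, the 72-byte peer record, the “handler” field and all names are invented for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of a length-driven copy into a fixed-size kernel
 * object. Layout, names and sizes are invented; this is neither Apple's AWDL
 * driver nor Ian Beer's exploit. */

enum {
    TLV_NAME    = 0x01,   /* hypothetical "peer name" TLV type */
    NAME_OFF    = 0,      /* name occupies bytes 0..63 of the record */
    NAME_MAX    = 64,
    HANDLER_OFF = 64,     /* a pointer-sized field sits right after the name */
    PEER_SIZE   = 72
};

/* Hypothetical per-peer record, modelled as one flat byte array so the demo
 * stays inside a single C object. In a real kernel the overflow would run off
 * the end of the heap object into whatever is allocated next to it. */
struct peer {
    uint8_t raw[PEER_SIZE];
};

static const uint64_t INITIAL_HANDLER = 0xfffffff00deadbeeULL; /* constructed value */

static void peer_init(struct peer *p)
{
    memset(p->raw, 0, sizeof p->raw);
    memcpy(p->raw + HANDLER_OFF, &INITIAL_HANDLER, sizeof INITIAL_HANDLER);
}

uint64_t peer_handler(const struct peer *p)
{
    uint64_t v;
    memcpy(&v, p->raw + HANDLER_OFF, sizeof v);
    return v;
}

/* Vulnerable parser: checks that the value lies inside the received frame,
 * but never compares the packet-supplied length with the 64-byte name field.
 * The demo only feeds it lengths up to PEER_SIZE; a real frame can say 255. */
int parse_tlvs_vulnerable(struct peer *p, const uint8_t *pkt, size_t pkt_len)
{
    size_t off = 0;
    while (off + 2 <= pkt_len) {
        uint8_t type = pkt[off], len = pkt[off + 1];
        const uint8_t *val = pkt + off + 2;
        if (off + 2 + len > pkt_len)
            return -1;                            /* source bound checked ... */
        if (type == TLV_NAME)
            memcpy(p->raw + NAME_OFF, val, len);  /* ... destination bound is not */
        off += 2 + len;
    }
    return 0;
}

/* Hardened parser: same loop plus the missing check. Oversized values are
 * rejected rather than truncated so the caller knows the frame was malformed. */
int parse_tlvs_hardened(struct peer *p, const uint8_t *pkt, size_t pkt_len)
{
    size_t off = 0;
    while (off + 2 <= pkt_len) {
        uint8_t type = pkt[off], len = pkt[off + 1];
        const uint8_t *val = pkt + off + 2;
        if (off + 2 + len > pkt_len)
            return -1;
        if (type == TLV_NAME) {
            if (len > NAME_MAX)
                return -1;                        /* attacker-chosen length vs. fixed buffer */
            memcpy(p->raw + NAME_OFF, val, len);
        }
        off += 2 + len;
    }
    return 0;
}

/* Builds a constructed one-TLV frame whose NAME value is name_len bytes of 'A'.
 * Returns the frame length, or 0 if it would not fit in the caller's buffer. */
size_t build_name_frame(uint8_t *out, size_t cap, uint8_t name_len)
{
    if (cap < (size_t)name_len + 2)
        return 0;
    out[0] = TLV_NAME;
    out[1] = name_len;
    memset(out + 2, 'A', name_len);
    return (size_t)name_len + 2;
}

/* Runs one frame through the chosen parser. Returns the parser's status
 * (-2 if the demo guard refused to build a frame larger than the record)
 * and leaves the resulting handler field in *handler_out. */
int demo_parse(int hardened, uint8_t name_len, uint64_t *handler_out)
{
    struct peer p;
    uint8_t frame[2 + PEER_SIZE];
    size_t n = build_name_frame(frame, sizeof frame, name_len);
    int rc;

    peer_init(&p);
    if (n == 0) {
        *handler_out = peer_handler(&p);
        return -2;
    }
    rc = hardened ? parse_tlvs_hardened(&p, frame, n)
                  : parse_tlvs_vulnerable(&p, frame, n);
    *handler_out = peer_handler(&p);
    return rc;
}

int demo_status(int hardened, uint8_t name_len)
{
    uint64_t h;
    return demo_parse(hardened, name_len, &h);
}

uint64_t demo_handler_after(int hardened, uint8_t name_len)
{
    uint64_t h;
    demo_parse(hardened, name_len, &h);
    return h;
}

int main(void)
{
    printf("vulnerable, len 72: rc=%d handler=0x%016llx\n", demo_status(0, 72),
           (unsigned long long)demo_handler_after(0, 72));
    printf("hardened,   len 72: rc=%d handler=0x%016llx\n", demo_status(1, 72),
           (unsigned long long)demo_handler_after(1, 72));
    return 0;
}
```

With a 72-byte name the vulnerable parser overwrites the adjacent handler field with 0x4141414141414141 while still reporting success; the hardened parser refuses the frame and leaves the record untouched. In a real driver the clobbered bytes would belong to a neighbouring kernel allocation, which is what turns a mismatch between a packet’s length byte and a fixed buffer into control over the kernel.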
Other researchers have taken notice of Beer’s extraordinary work to find the vulnerability. “This is a fantastic piece of work,” Chris Evans, a semi-retired security researcher and executive and the founder of Project Zero, said in an interview. “It really is pretty serious. The fact you don’t have to really interact with your phone for this to be set off on you is really quite scary. This attack is just you’re walking along, the phone is in your pocket, and over Wi-Fi someone just worms in with some dodgy Wi-Fi packets.”