Google Project Zero researcher Ian Beer has demonstrated an exploit that compromises iPhones and other iOS devices remotely, with no user interaction.
The underlying critical vulnerability, CVE-2020-3843, discovered by Beer, made it possible to steal sensitive data from any vulnerable device within Wi-Fi radio range, without any action by the user.
The exploit, which Beer worked on alone for six months, allows an attacker "to view all photos, read all e-mail, copy all private messages and track everything that happens [on the device] in real time."
Apple engineers fixed the problem earlier this year (in iOS 13.3.1, macOS Catalina 10.15.3 and watchOS 5.3.7), and the researcher has now disclosed the details of the bug and demonstrated the attack in action.
The video below shows how, using an iPhone 11 Pro, a Raspberry Pi and two Wi-Fi adapters, the researcher was able to remotely read and write arbitrary kernel memory. Beer used that primitive to inject shellcode into kernel memory, exploit the victim process, escape the sandbox and retrieve user data.
Essentially, an attacker first targets the AirDrop BLE (Bluetooth Low Energy) advertising mechanism in order to force the AWDL interface on. Because users normally leave AirDrop in "Contacts Only" mode, the device only enables AWDL when it sees an advertisement that appears to come from a contact; the attacker therefore brute-forces the truncated contact hashes carried in those advertisements. Once AWDL is up, the attacker triggers a buffer overflow in AWDL itself.
As a result, the attacker could gain access to the device and run malware with root privileges, giving complete control over the user's personal data: email, photos, messages, iCloud data, passwords and cryptographic keys from the Keychain, and much more.
Worse still, such an exploit could be made wormable: it could spread from one device to another over the air, again without any user intervention.
Beer notes that he has no evidence the vulnerability was exploited in the wild, but adds that the hacking community and "exploit vendors seem to be interested in the released fixes."
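To make the first stage concrete, here is an added illustration (written for this article, not Beer's code or Apple's) of why the contact-hash step is a brute force rather than a lookup. Public AirDrop protocol analyses describe the hashes in the BLE advertisement as the first two bytes of a SHA-256 over each contact identifier, which leaves only 65,536 possible values per slot; the identifier normalisation, the "Contacts Only" receiver model and the four-hashes-per-advertisement packing are assumptions made for this example, and the contact list is constructed data.

```python
import hashlib


def airdrop_short_hash(identifier: str) -> bytes:
    """Truncated contact hash as carried in an AirDrop BLE advertisement.

    Assumed here: SHA-256 of the identifier, truncated to two bytes.  The
    lower-case/trim normalisation is a simplification for this example.
    """
    normalised = identifier.strip().lower().encode()
    return hashlib.sha256(normalised).digest()[:2]


class ContactsOnlyReceiver:
    """Constructed model of a device with AirDrop set to 'Contacts Only'.

    It turns AWDL on only when an advertisement carries a hash matching one
    of its own contacts; it has no way to tell a real contact from a guess.
    """

    def __init__(self, contacts):
        self.known = {airdrop_short_hash(c) for c in contacts}
        self.awdl_enabled = False
        self.advertisements_seen = 0

    def on_ble_advertisement(self, short_hashes) -> bool:
        self.advertisements_seen += 1
        if any(h in self.known for h in short_hashes):
            self.awdl_enabled = True
        return self.awdl_enabled


def brute_force_enable_awdl(receiver: ContactsOnlyReceiver,
                            hashes_per_advert: int = 4):
    """Attacker model: walk the whole 16-bit hash space, packing several
    candidate hashes into each advertisement, until the target enables AWDL.

    Returns the number of advertisements it took, or None if the target
    never reacted (e.g. it has no contacts at all).
    """
    space = [i.to_bytes(2, "big") for i in range(1 << 16)]
    for start in range(0, len(space), hashes_per_advert):
        batch = space[start:start + hashes_per_advert]
        if receiver.on_ble_advertisement(batch):
            return receiver.advertisements_seen
    return None


if __name__ == "__main__":
    # Constructed victim contact list; the attacker knows none of it.
    victim = ContactsOnlyReceiver(["alice@example.com", "+15550100"])
    sent = brute_force_enable_awdl(victim)
    print(f"AWDL enabled after {sent} advertisements "
          f"(worst case {(1 << 16) // 4} with 4 hashes per advert)")
```

The point the model makes is that the receiver cannot distinguish a forged advertisement from a genuine one, so the only cost to the attacker is airtime: at most 65,536 candidate values per slot, and far fewer advertisements when several candidates are packed into each one. Whatever rate the radio allows, the search finishes in bounded time and the victim has done nothing.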
I also wrote about a researcher who remotely hacked an iPhone using only one vulnerability.
And always remember that US authorities can hack the iPhone but may have difficulties with Android.