Close Proximity iPhone Hack

Posted on by
awdl apple threat

Google’s Project Zero cybersecurity researcher (and white-hat hacker) Ian Beer published an article in December of 2020, outlining how hackers can break into nearby iPhones to steal personal data. The vulnerability exploits a weakness in Apple’s wireless connectivity protocol Apple Wireless Direct Link (AWDL), doesn’t require any victim interaction, and results in complete control of an unpatched iPhone.  In fairness to Apple, they have patched this vulnerability in iOS 13.1.1x and Mac OS 10.15.3x.

What is AWDL?

AWDL is ‘Apple Wireless Direct Link’ and is used as a networking protocol allowing Apple devices – iPhones, iPads, Macs, and Apple Watches – to form peer-to-peer data sharing. Chances are that if you own an Apple device you’re creating or connecting to these peer-to-peer networks many times a day without realizing it. AWDL is used in Airdrop file sharing, Airplay music sharing, ‘Sidecar‘ video display sharing, or even when answering a phone call on your Apple watch. Even if you haven’t been using those features, but people nearby have, your device could’ve joined an AWDL network they were using without your knowledge.  This Google researcher left nothing to chance by searching for and discovering another flaw in the AWDL protocol that allowed him to guarantee he could enable AWDL within any iPhone in less than 2 minutes and subsequently fully exploit the device.

The Evidence

Beer’s article concludes with a short video (below) showing him stealing a photo from his phone using a hacking kit set up in the next room:

  • He takes a photo of a “secret document” using the iPhone in one room.
  • He leaves the “user” of the phone (a giant pink teddy bear) sitting watching a YouTube video.
  • He goes next door and kicks off an automated ‘over-the-air’ attack that exploits a kernel bug on the phone.
  • The exploit uploads malware code onto the phone grants itself access to the Photo app’s data directory, reads the “secret” photo file, and uploads it to his laptop next door.
  • The phone continues working throughout this hack, with no warnings, pop-ups, or anything that might alert users to the compromise of their device.

The Difference between AWDL and Wi-Fi

Wi-Fi involves connecting to a network. At home, you plug a Wi-Fi access point (router) into your modem which creates your Wi-Fi network. The router broadcasts a network name and accepts clients on a particular channel. These password-protected Wi-Fi networks have encryption and other security measures in place to support user security. Apple’s AWDL doesn’t require users to be on the same password-protected network to establish a peer-to-peer connection. AWDL has no built-in encryption, and lacks other basic security features, that results in this exploit being possible. 

Exploit Caveats, or Room for Improvement

Beer noted that with proper engineering and hardware, once AWDL is enabled an entire exploit could run in a handful of seconds. Beer believes there are likely better techniques for getting AWDL enabled without using his brute force attack. Importantly, this vulnerability is wormable; a device that has been exploited could then itself be used to exploit other devices it comes into contact with. 

What Should You Do to Protect Yourself?

Beer reported this vulnerability months ago to Apple and it has already been patched. If you updated your iPhone in 2020, you’re safe from this hack. The following steps should always be taken by smartphone users to reduce chances of becoming a victim: 

  1. Keep Devices Up To Date
    • The bugs at the heart of Beer’s attack chain were found, disclosed, and patched by Apple.  Similar bugs could be identified Android or other smartphones. Always patch your devices within a month of release but perhaps not the day or week or release (even vendors break things with patches).
  2. Turn Off Networking Protocols by default
    • The vulnerability is a good reminder that “less is more” because the researcher needed AWDL enabled to turn this into a true zero-click attack. Turn off your AWDL when you aren’t using it.  You should also turn off other networking protocols such as Bluetooth when not using them.
  3. If You’re a programmer – Be Strict With Data
    • It’s never a bad idea to do extra error and bug checking.
  4. Don’t Assume Apple Devices and Software are free from Bugs
    • Oftentimes users are under the false-pretense that Apple products are super secure, virus-free, and are never exploited. This is just not true.  No code ever written was free from exploit or bugs.  Read CyberHoot’s ‘Malware in Macs‘ article to learn more about Mac’s vulnerabilities. 

Watch Google Researcher Ian Beer's AWDL Exploit Demo:

Sources:

NakedSecurity – Sophos

Google – Project Zero

Additional Readings:

An iOS Zero-Click Proximity Exploit Odyssey

Malware in Macs

Share this on your social networks. Help Friends, Family, and Colleagues become more aware and secure.