New iOS bug could lead to data exfiltration and full device control

by Julie Splinters - - 2020-12-02

Google Project Zero white-hat hacker reveals that anyone with the right capabilities could have spied on iPhone users

White-hacker revealed new iOS bug Data exfiltration, full control of the device, remote access possible to achieve by anyone.

Ian Beer, from Google Zero Day Project,^[1] discovered a bug that can lead to an exploit. Wi-fi flaw leading to iPhone hacking was discovered in Apple AirDrop services that are pre-installed on all iPhones. With the help of his computer and a wifi transmitter, the white-hacker was able to restart any iPhone and take over its control without the knowledge of the cell phone owners.

Apple Inc. was informed about this security issue and thus has created patches in May to fix this vulnerability. This vulnerability shouldn't go unnoticed since emails, private messages, photos can be accessible to anyone. The discoverer of this iOS exploit said:

The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I'm fine.

Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they'd come into close contact with.

Due to the vulnerability, all personal data within hand's reach

The exploit was found in Apple Wireless Direct Link (AWDL) protocol that enables such Apple features as AirDrop and Sidecar.^[2] The vulnerability even let Beer turn on the AWDL function even when it was turned off on the cell phones. Although the targeted iPhones must have been in the reach of the wifi transmitter if beam antennas^[3] would have been used it could've increased the range considerably.

Exploiting the vulnerability can provide full control of the devices. During the experiment, it was possible to spy on people in real-time. One could have eavesdropped or watched whatever the unsuspecting Apple users were doing at the time. And what's worse, the iPhone users wouldn't even have known about any of this happening.

Furthermore, until this AWDL exploit wasn't patched up by Apple Inc., wrong people with the right equipment and extensive knowledge might have had access to all photos, schedule info, contacts, messages, emails, and everything else that's stored on the iPhones.

Security vulnerabilities keep on coming up in iOS devices

The AWDL exploit isn't an isolated incident with the security issues of iPhones. According to The Sun,^[4] Apple Inc. had to fix three bugs (CVE-2020-27930, CVE-2020-27932, and CVE-2020-27950) that let hackers attack these cell phones from anywhere in the world.

No details about the hacker attacks were disclosed but it's clear that all three vulnerabilities had to be used at once. One would let the attackers run malicious code on the device remotely the other one enabled access to phone content and allowed stealing it.

As reported,^[5] these zero-days can affect iPhone 6 and later, iPad Air 2 and later, iPad Mini 4 and later, iPod Touch 7th generation. All of the software of these devices must be updated to iOS 14.2 (or iPadOS 14.2 for iPad) immediately to evade being attacked.

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions

References

^ Ian Beer. An iOS zero-click radio proximity exploit odyssey. Googleprojectzero. News and updates from the Project Zero team at Google.
^ Sean Hollister. This incredible exploit could have let hackers remotely own iPhones without even touching them. Theverge. American technology news website.
^ Directional antenna. Wikipedia. The free encyclopedia.
^ Charlotte Edwards. Update your iPhone NOW – Apple has fixed three bugs that let hackers hijack your phone from anywhere. Thesun. News, sports, celebrities and gossip.
^ Amer Owaida. Apple patches three actively exploited zero‑day flaws in iOS. Welivesecurity. IT security news, cyberthreats and research.