Well-known Google Project Zero researcher Ian Beer has just published a blog post that is attracting a lot of media attention.

The article itself has a perfectly accurate and interesting title, namely: An iOS zero-click radio proximity exploit odyssey. But it’s headlines like the one we’ve used above that capture the practical essence of Beer’s attack.

The exploit sequence he figured out really does allow an attacker to break into a nearby iPhone and steal personal data – using wireless connections only, and with no clicks needed by, or warnings shown to, the innocently occupied user of the device.

Indeed, Beer’s article concludes with a short video showing him automatically stealing a photo from his own phone using hacking kit set up in the next room:

He takes a photo of a “secret document” using the iPhone in one room.
He leaves the “user” of the phone (a giant pink teddy bear, as it happens) sitting happily watching a YouTube video.
He goes next door and kicks off an automated over-the-air attack that exploits a kernel bug on the phone.
The exploit sneakily uploads malware code onto the phone, grants itself access to the Photo app’s data directory, reads the “secret” photo file and invisibly uploads it to his laptop next door.
The phone continues working normally throughout, with no warnings, pop-ups or anything that might alert the user to the hack.

The good news is that the core vulnerability that Beer relied upon is one that he himself found many months ago, reported to Apple, and that has already been patched. (According to Beer’s report: “This specific issue was fixed before the launch of Privacy-Preserving Contact Tracing in iOS 13.5 in May 2020.”) So if you have updated your iPhone in the past few months, you should be safe from this particular attack.

The other sort-of-good news is that it took Beer, by his own admission, six months of detailed and dedicated work to figure out how to exploit his own bug.

To give you an idea of just how much effort went into the 5-minute “teddy bear’s data theft picnic” video above, and as a fair warning if you are thinking of studying Beer’s excellent article in detail, bear in mind that his blog post runs to more than 30,000 words – longer than the novel Animal Farm by George Orwell, or A Christmas Carol by Charles Dickens.

You may, of course, be wondering why Beer bothered to take a bug he’d found and already reported, yet went to so much effort to weaponise it, to use the paramilitary jargon common in cybersecurity.

Well, Beer gives the answer himself, right at the start of his article:

The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine. Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.

To be clear: Beer, via Google, did report the original bug promptly, and as far as we know no one else had figured it out before he did, so there is no suggestion that this bug was exploited by anyone in real life.

But the point is that it is reasonable to assume that once a kernel-level buffer overflow has been discovered, even in the face of the latest and greatest exploit mitigations, a determined attacker could produce a dangerous exploit from it.

Even though security controls such as address space layout randomisation and pointer authentication codes increase our cybersecurity enormously, they’re not silver bullets on their own.

As Mozilla rather drily puts it when fixing any memory mismanagement flaws in Firefox, even apparently mild or arcane errors that the team couldn’t or didn’t figure out how to exploit themselves: “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.”

In short: finding bugs is vital; patching them is critical; learning from our mistakes is important; but we must nevertheless continue to evolve our cybersecurity defences at all times.

It’s hard to do justice to Beer’s magnum opus in a brief summary like this, but here is a (perhaps recklessly oversimplified) description of just some of the hacking skills he used:

Spotting a kernel variable name that sounded risky. The funky name that started it all was IO80211AWDLPeer::parseAwdlSyncTreeTLV, where TLV refers to type-length-value, a way of packaging complex data at one end for deconstructing (parsing) at the other, and AWDL is short for Apple Wireless Direct Link, the proprietary wireless mesh networking used for Apple features such as AirDrop. This function name implies the presence of complex kernel-level code that is directly exposed to untrusted data sent from other devices.

Finding a bug in the TLV data handling code. This sort of code is often a source of dangerous programming blunders.
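The kind of length validation that TLV parsing code exposed to untrusted packets has to perform before copying anything, as an added example (not Beer’s code and not Apple’s AWDL parser): the TLV layout, the type id TLV_SYNC_TREE, the capacity SYNC_TREE_MAX and the three packets are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed TLV layout for illustration (1-byte type, 2-byte little-endian
 * length, then value); NOT AWDL's real format. Type id and capacity are hypothetical. */
#define TLV_HDR_LEN   3
#define TLV_SYNC_TREE 0x14
#define SYNC_TREE_MAX 64
struct sync_tree { uint8_t data[SYNC_TREE_MAX]; size_t len; };
/* Walks every TLV in buf; returns records parsed, or -1 on malformed input.
 * Each length is checked against the bytes left in the packet AND against the
 * fixed-size destination before any copy; dropping either check is the class
 * of kernel blunder the article describes. */
int parse_tlvs(const uint8_t *buf, size_t buflen, struct sync_tree *out) {
    size_t off = 0;
    int count = 0;
    out->len = 0;
    while (off < buflen) {
        if (buflen - off < TLV_HDR_LEN) return -1;  /* truncated header */
        uint8_t type = buf[off];
        uint16_t len = (uint16_t)(buf[off + 1] | (buf[off + 2] << 8));
        off += TLV_HDR_LEN;
        if (len > buflen - off) return -1;          /* length runs past the packet */
        if (type == TLV_SYNC_TREE) {
            if (len > SYNC_TREE_MAX) return -1;     /* would overflow out->data */
            memcpy(out->data, buf + off, len);
            out->len = len;
        }
        off += len;                                 /* unknown types are skipped */
        count++;
    }
    return count;
}
/* Constructed packets exercising the three paths; each returns parse_tlvs's result. */
int demo_well_formed(void) {
    struct sync_tree t;
    const uint8_t pkt[] = { 0x01, 2, 0, 0xAA, 0xBB, TLV_SYNC_TREE, 3, 0, 1, 2, 3 };
    int n = parse_tlvs(pkt, sizeof pkt, &t);
    return (n == 2 && t.len == 3 && t.data[2] == 3) ? n : -99;
}
int demo_length_past_packet(void) {           /* header claims 65535 bytes, 2 present */
    struct sync_tree t;
    const uint8_t pkt[] = { TLV_SYNC_TREE, 0xFF, 0xFF, 1, 2 };
    return parse_tlvs(pkt, sizeof pkt, &t);
}
int demo_oversized_record(void) {             /* 100-byte record vs 64-byte destination */
    struct sync_tree t;
    uint8_t pkt[TLV_HDR_LEN + 100] = { TLV_SYNC_TREE, 100, 0 };
    return parse_tlvs(pkt, sizeof pkt, &t);
}
```

The second and third packets are the shapes a fuzzer or a hostile peer would send; a parser that trusts the length field on either one reads or writes outside its buffers.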