Written by Joe Warminsky
If there’s one thing to read this week about Apple security, it’s researcher Ian Beer’s massive, spirited and highly detailed account of how he developed a powerful tool for breaking into nearby iPhones.
The piece, “An iOS zero-click radio proximity exploit odyssey,” earned Beer high praise for his persistence in working out the attack, as well as thorough reporting of how he did it. He posted the magnum opus Tuesday on the blog for Google Project Zero, the tech giant’s team of zero-day hunters.
Beer — known as one of the most skilled iOS hackers around — makes some things clear up top: The vulnerability was reported to Apple before the company launched coronavirus contact-tracing technology on iPhones in May. And no one should ever be lulled into a false sense of security, he says, when it comes to mobile devices.
“The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine,” he wrote, including the emphasis. “Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.”
The result was a “wormable radio-proximity exploit which allows me to gain complete control over any iPhone in my vicinity,” Beer writes. “View all the photos, read all the email, copy all the private messages and monitor everything which happens on there in real-time.”
The bug affects Apple Wireless Direct Link (AWDL), a protocol used in iPhone features such as AirDrop, where one device is close to another. Beer posted a 15-second clip on YouTube showing the exploit in action, as well as a longer video demonstrating an attack on a device in a different room through a closed door.
“So what went so wrong that it was possible? Unfortunately, it’s the same old story. A fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers,” Beer writes. “In fact, this entire exploit uses just a single memory corruption vulnerability to compromise the flagship iPhone 11 Pro device.”
Beer then proceeds to lucidly and deeply describe his work, while also explaining how an iPhone might end up with such a bug to begin with. And he points to steps Apple could take to improve device security, including modernizing “the enormous amount of critical legacy code that forms the core of iOS.” (Here’s a Twitter thread where he summarizes much of the Project Zero post.)
The research quickly caught the attention of cybersecurity researchers and government officials. Rob Joyce, a senior adviser at the National Security Agency, tweeted high praise for Beer’s project.
Wow. An iOS exploit that doesn’t involve chaining multiple vulnerabilities together is quite an accomplishment. https://t.co/ZccMcVTIch
— Rob Joyce (@RGB_Lights) December 2, 2020
Cybersecurity researcher Mike Murray compared the report to an epic moment in mathematics.
This paper reads like the story of when Andrew Wiles solved Fermat’s Last Theorem. Great story of how it was worked out. https://t.co/Qk84QWdgJp
— Mike Murray (@mmurray) December 2, 2020
And another researcher who often focuses on iPhones, Patrick Wardle, called it “a work of art.”
Ian’s “lockdown project” is a work of art 🤩
…while his insights are spot on:
“As things stand now in November 2020, I believe it’s still quite possible for a motivated attacker with just one vulnerability to …completely, remotely compromise top-of-the-range iPhones” 🥲 https://t.co/KgxYjlDfnw
— patrick wardle (@patrickwardle) December 2, 2020