Thursday, 03 December 2020 09:51

Researcher details iOS flaw that enabled click-free info stealing


A researcher from Google's Project Zero security team has written a detailed account of how he discovered a memory corruption bug in the kernel of Apple's iOS operating system and then worked out numerous ways of using this flaw to attack other iPhones.

Ian Beer's detailed blog post said he was unsure whether anyone else had been able to exploit this flaw - which was notified to Apple and patched some time ago - but pointed out that he had noticed a tweet from Australian security ace Mark Dowd about Apple having patched the flaw.

Dowd is the founder of Sydney-based Azimuth Security, a company that was acquired by US-based defence contractor L3 Intelligence in September 2018.

In February 2018, Dowd's firm was reported to be involved in playing a crucial role in helping spies and law enforcement break into smartphones and also supplying them with zero-day exploits.

Beer said he had spent six months finding the flaw and perfecting his remote exploit. Despite the difficulty and labour involved, he said the takeaway was not that nobody else would do something similar because of the time and effort required.

"The takeaway from this project should not be: no-one will spend six months of their life just to hack my phone, I'm fine," he wrote. "Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they'd come into close contact with."

A demo video in Beer's post shows the attacker successfully exploiting a victim iPhone 11 Pro located in a different room, through a closed door.

Beer said he had found the vulnerabilities after Apple shipped a beta build of iOS in which function name symbols were not stripped from the kernelcache.

He said he had been looking at the cross-references that IDA showed to the function memmove.

Having function names made it possible to search even a binary blob that was more than 30MB to see how everything fitted together, Beer pointed out.

"What bits of code are exposed to attackers? What sanity checking is happening and where? What execution context are different parts of the code running in?" Beer asked.

"In this case, this particular driver is also available on MacOS, where function name symbols are not stripped."

The function name that attracted his attention was IO80211AWDLPeer::parseAwdlSyncTreeTLV. He had no idea what AWDL was at that point in time. "But I did know that TLVs (Type, Length, Value) are often used to give structure to data, and parsing a TLV might mean it's coming from somewhere untrusted," Beer said. "And the 80211 is a giveaway that this probably has something to do with Wi-Fi. Worth a closer look."

The second thing that stood out to him was the error message string: "Peer %02X:%02X:%02X:%02X:%02X:%02X: PATH LENGTH error hc %u calc %u\n"

Beer also examined the control flow graph. "Reading the code a bit more closely it appears that although the log message contains the word 'error' there's nothing which is being treated as an error condition here. IO80211Peer::logDebug isn't a fatal logging API, it just logs the message string," he said.

"Tracing back the length value which is passed to memmove, regardless of which path is taken we still end up with what looks like an arbitrary u16 value from the input buffer (rounded down to the nearest multiple of 6) passed as the length argument to memmove.

"Can it really be this easy? Typically, in my experience, bugs this shallow in real attack surfaces tend to not work out. There's usually a length check somewhere far away; you'll spend a few days trying to work out why you can't seem to reach the code with a bad size until you find it and realise this was a CVE from a decade ago. Still, worth a try."
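To make the pattern Beer describes concrete, here is an added illustration that is not drawn from his write-up or from Apple's code: the length arithmetic he traced (a u16 from the input, rounded down to a multiple of 6, handed to memmove) beside a parser that checks the declared length against both the packet and the destination buffer before copying. The TLV layout, the type code 0x41 and the 10-entry path buffer are constructed assumptions, not the real AWDL wire format.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical TLV layout (not the real AWDL wire format): 1-byte type,
 * little-endian u16 length, then a list of 6-byte MAC addresses. */
#define MAC_LEN 6
#define MAX_PATH_ENTRIES 10          /* constructed capacity of the peer's path buffer */
#define TLV_TYPE_SYNC_TREE 0x41      /* placeholder type code, not taken from the page */

struct peer {
    uint8_t path[MAX_PATH_ENTRIES * MAC_LEN];
    size_t path_len;
};

/* The flawed logic as the page describes it: an attacker-controlled u16 is rounded
 * down to a multiple of 6 and handed straight to memmove. Only the size arithmetic is
 * reproduced here; nothing is copied. 0xFFFF yields 65532, far beyond a 60-byte buffer. */
static size_t unchecked_copy_len(uint16_t tlv_len) {
    return (size_t)tlv_len - (tlv_len % MAC_LEN);
}

/* Hardened parser: the declared length must fit the remaining packet AND the
 * destination buffer before any bytes move. */
static bool parse_sync_tree_tlv(struct peer *p, const uint8_t *buf, size_t buf_len) {
    if (buf_len < 3 || buf[0] != TLV_TYPE_SYNC_TREE) return false;
    uint16_t tlv_len = (uint16_t)(buf[1] | (buf[2] << 8));
    if (tlv_len > buf_len - 3) return false;        /* length exceeds packet payload */
    size_t copy_len = tlv_len - (tlv_len % MAC_LEN);
    if (copy_len > sizeof p->path) return false;    /* would overflow p->path */
    memmove(p->path, buf + 3, copy_len);
    p->path_len = copy_len;
    return true;
}

/* Constructed sample: two well-formed 6-byte entries are accepted. */
static bool demo_accepts_valid(void) {
    uint8_t pkt[3 + 2 * MAC_LEN] = { TLV_TYPE_SYNC_TREE, 2 * MAC_LEN, 0x00 };
    struct peer p = {0};
    return parse_sync_tree_tlv(&p, pkt, sizeof pkt) && p.path_len == 2 * MAC_LEN;
}

/* Constructed sample: 11 entries fit the packet but not the 10-entry buffer; rejected. */
static bool demo_rejects_oversized(void) {
    uint8_t pkt[3 + 11 * MAC_LEN] = { TLV_TYPE_SYNC_TREE, 11 * MAC_LEN, 0x00 };
    struct peer p = {0};
    return !parse_sync_tree_tlv(&p, pkt, sizeof pkt);
}
```

The second check is the one the page says was missing: the packet-level length check alone would let a payload that is well-formed on the wire still overrun the fixed-size destination.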

He described AWDL as being "an Apple-proprietary mesh networking protocol designed to allow Apple devices like iPhones, iPads, Macs and Apple Watches to form ad-hoc peer-to-peer mesh networks".

He then located a defect in the TLV data handling code, built an AWDL driver stack to create malicious packets, found out how to get these packets past safety checks elsewhere, learnt how to turn the buffer overflow into controllable heap corruption, and tested his findings with 13 different Wi-Fi adaptors to find a way to carry out a successful attack.

Beer wanted to convert his findings into a way of staging a zero-click attack where the victim merely had to be using their phone in order to be a target.

To do this, he also had to find a way for an attacker to pretend to be offering files to share via AirDrop, and to make it possible to steal arbitrary files from the victim's device.

He has put up a video showing how the attack works, though summarising these complex findings in a short video is well nigh impossible.

Thanks to Sophos security guru Paul Ducklin whose breakdown of the massive write-up made my job of writing this up a lot easier.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
