Thursday, 03 December 2020 09:51

Researcher details iOS flaw that enabled click-free info stealing Featured

0
Shares
By
Image by mohamed Hassan from Pixabay

A researcher from Google's Project Zero security team has written a detailed account of how he discovered a a memory corruption bug in the kernel of Apple's iOS operating system and then figured out numerous ways of using this flaw to attack other iPhones.

Ian Beer's detailed blog post said he was unsure whether anyone else had been able to exploit this flaw - which was notified to Apple and patched some time ago - but pointed out that he had noticed a tweet from Australian security ace Mark Dowd about Apple having patched the flaw.

Dowd is the founder of Sydney-based Azimuth Security, a company that was acquired by US-based defence contractor L3 Intelligence in September 2018.

In February 2018, Dowd's firm was reported to be involved in playing a crucial role in helping spies and law enforcement break into smartphones and also supplying them with zero-day exploits.

Beer said he had spent six months to find the flaw and perfect his remote exploit. Despite the amount of difficulty and labour involved, he said the takeaway was not that someone could not do something similar because of the time and effort involved.

"The takeaway from this project should not be: no-one will spend six months of their life just to hack my phone, I'm fine," he wrote. "Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they'd come into close contact with."

This demo shows the attacker successfully exploiting a victim iPhone 11 Pro device located in a different room through a closed door.

Beer said he had found the vulnerabilities after Apple shipped a beta build of iOS in which function name symbols were not stripped from the kernelcache.

He said he had been looking the cross-refeernces made by the debugger IDA to the function memmove.

Having function names made it possible to search even a binary blob that was more than 30MB to see how everything fitted together, Beer pointed out.

"What bits of code are exposed to attackers? What sanity checking is happening and where? What execution context are different parts of the code running in?" Beer asked.

"In this case, this particular driver is also available on MacOS, where function name symbols are not stripped."

The function name that attracted his attention was IO80211AWDLPeer::parseAwdlSyncTreeTLV. He had no idea what AWDL was at that point in time. "But I did know that TLVs (Type, Length, Value) are often used to give structure to data, and parsing a TLV might mean it's coming from somewhere untrusted," Beer said. "And the 80211 is a giveaway that this probably has something to do with Wi-Fi. Worth a closer look."

The second thing that stood out to him was the error message string: ""Peer %02X:%02X:%02X:%02X:%02X:%02X: PATH LENGTH error hc %u calc %u\n"

Beer also examined the control flow graph. "Reading the code a bit more closely it appears that although the log message contains the word 'error' there's nothing which is being treated as an error condition here. IO80211Peer::logDebug isn't a fatal logging API, it just logs the message string," he said.

"Tracing back the length value which is passed to memmove, regardless of which path is taken we still end up with what looks like an arbitrary u16 value from the input buffer (rounded down to the nearest multiple of 6) passed as the length argument to memmove.

"Can it really be this easy? Typically, in my experience, bugs this shallow in real attack surfaces tend to not work out. There's usually a length check somewhere far away; you'll spend a few days trying to work out why you can't seem to reach the code with a bad size until you find it and realise this was a CVE from a decade ago. Still, worth a try."

He described AWDL as being "an Apple-proprietary mesh networking protocol designed to allow Apple devices like iPhones, iPads, Macs and Apple Watches to form ad-hoc peer-to-peer mesh networks".

He then located a defect in the TLV data handling code, built an AWDL driver stack to create malicious packets, found out how to get these packets past safety checks in other locations, learnt how to turn the buffer overflow into heap corruption that was controllable, and testing his findings with 13 different Wi-Fi adaptors to discover a way to carry out a successful attack.

Beer wanted to convert his findings into a way of staging a zero-click attack where the victim merely had to be using their phone in order to be a target.

To do this, he had also to find a way whereby an attacker could pretend to be offering files to share via AirDrop and to make it possible to steal arbitrary files from the victim's device.

He has put up a video showing how the attack works, though summarising these complext findings into a short video is well nigh impossible.

Thanks to Sophos security guru Paul Ducklin whose breakdown of the massive write-up made my job of writing this up a lot easier.


Subscribe to ITWIRE UPDATE Newsletter here

Now’s the Time for 400G Migration

The optical fibre community is anxiously awaiting the benefits that 400G capacity per wavelength will bring to existing and future fibre optic networks.

Nearly every business wants to leverage the latest in digital offerings to remain competitive in their respective markets and to provide support for fast and ever-increasing demands for data capacity. 400G is the answer.

Initial challenges are associated with supporting such project and upgrades to fulfil the promise of higher-capacity transport.

The foundation of optical networking infrastructure includes coherent optical transceivers and digital signal processing (DSP), mux/demux, ROADM, and optical amplifiers, all of which must be able to support 400G capacity.

With today’s proprietary power-hungry and high cost transceivers and DSP, how is migration to 400G networks going to be a viable option?

PacketLight's next-generation standardised solutions may be the answer. Click below to read the full article.

CLICK HERE!

WEBINAR PROMOTION ON ITWIRE: It's all about webinars

These days our customers Advertising & Marketing campaigns are mainly focussed on webinars.

If you wish to promote a Webinar we recommend at least a 2 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://www.itwire.com/itwire-update.html and Promotional News & Editorial.

This coupled with the new capabilities 5G brings opens up huge opportunities for both network operators and enterprise organisations.

We have a Webinar Business Booster Pack and other supportive programs.

We look forward to discussing your campaign goals with you.

MORE INFO HERE!

BACK TO HOME PAGE
Published in Security
Tagged under
Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Latest from Sam Varghese

Related items

More in this category: « Windows ransomware attackers teaming up with those selling access: claim Okta gains Comcare as customer after meeting security standard »
Share News tips for the iTWire Journalists? Your tip will be anonymous
back to top