Google researcher demonstrates iPhone exploit with Wi-Fi takeover

The vulnerability, patched in May, let potential hackers get complete access to nearby iOS devices.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
Apple iPhone 8 drop test shattered back

To take advantage of the vulnerability, a hacker would only have needed to be within Wi-Fi range of a person's iPhone.

James Martin/CNET

Apple had a security vulnerability that could have allowed potential hackers to get complete access to a person's iPhone -- everything from viewing photos to monitoring activities in real time -- without the victim ever needing to click on any suspicious links or download malware

While most malware requires hackers to trick people in some way, like through a disguised email or an app pretending to be beneficial, this iOS exploit only needed the victim to be within Wi-Fi range, Ian Beer, a security researcher with Google's Project Zero, explained in a blog post on Tuesday.  

These types of vulnerabilities are considered the biggest threats to companies like Apple. At the Black Hat cybersecurity conference in 2019, Apple started offering $1 million bug bounties for researchers who could present a flaw that didn't require victims to click on anything and gave full access. 

In a video, Beer showed how a Raspberry Pi setup with store-bought Wi-Fi adapters could steal photos from an untouched iPhone in a different room within five minutes. In another clip, Beer demonstrated how the same vulnerability could let him repeatedly reboot 26 iPhones at the same time. 

"Imagine the sense of power an attacker with such a capability must feel," Beer said in his post. "As we all pour more and more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target."

The security flaw was fixed in May, in the same patch through which Apple introduced its notification exposure tools on iOS devices

A snapshot of user adoption of the latest Apple software from around that time showed that the majority of users were already on current versions of iOS and thus protected against the issue, Apple said in a statement. "Also, it's good to note that this does require relatively close proximity as it needs to be within WiFi range to work."

See also: iPhone 12 vs. iPhone 11: All the big differences and whether you should upgrade

Apple vulnerabilities are rare because of the company's investments in security and its closed-off App Store. In 2019, Beer's team discovered another iOS vulnerability that allowed hacked websites to send malware to visitors. The hack was used by the Chinese government to track and spy on Uighur Muslims

Beer said he had spent about six months looking into the security vulnerability. He explained that the weak links came from Apple's proprietary mesh network AWDL, which allows iOS devices to easily connect to each other, like your Apple Watch linking to your iPhone, for example. 

The network didn't have built-in encryption, and Beer was able to exploit a single memory corruption to take over devices as new as the iPhone 11 Pro . He explained that the flaw came from a "fairly trivial buffer overflow programming error in C++ code" that allowed for untrusted data to pass through over Wi-Fi signals. 

Typically, vulnerabilities work off each other like pieces of a puzzle -- finding one flaw leads to another until you're able to get the big picture. Getting complete access through a single exploit is part of what makes Beer's discovery so impressive. 

Beer said that he hasn't seen any evidence that the flaw was exploited by others before it had been patched, but about 13% of all iPhone users are still vulnerable to this issue. While the flaw has been fixed, Beer noted that it likely won't be the last time an issue like this comes up for Apple -- pointing out that he was able to find this exploit on his own. 

"As things stand now in November 2020, I believe it's still quite possible for a motivated attacker with just one vulnerability to build a sufficiently powerful weird machine to completely, remotely compromise top-of-the-range iPhones," Beer said.

Watch this: iPhone 12 Mini review: There's a lot to like for a phone so small