Researcher finds new, wirelessly exploitable vulnerability in iOS and OS X

Pre-iOS 9 iOS users will be vulnerable to the exploit, as will users of OS X

An Australian security researcher has uncovered a considerable vulnerability in the current version of iOS and OS X.

The vulnerability is realised when AirDrop, a technology included in iOS and OS X, is enabled. However, the vulnerability in the wireless file sharing technology does not require users to accept a file sent to them. It affects all versions of iOS that support AirDrop as well as OS X Yosemite and later versions.

Mark Dowd, a director and founder of Azimuth Security and the researcher who discovered the flaw, published a video of how to fully exploit it several days ago, setting the video to sly, Pink Panther-like music.

If AirDrop is enabled, an attacker can send an AirDrop request, loaded with malware. But even if you don't accept the request, the damage is already done. Once the user reboots the iPhone, the malware is immediately installed.

Dowd spoke to SCMagazineUK.com, talking about why he started to look at AirDrop's vulnerabilities: “I wanted to examine AirDrop because it sounded like a potentially interesting attack surface, and I hadn't really seen any analysis or scrutiny on it from a security perspective before. So, I started looking at how it worked and that's when I came upon the flaw.”

Apple provides this for companies and bypasses official App Store security checks, potentially allowing attackers to monitor users' communications, steal data and perhaps provide access to attackers. Ars Technica has reported that “Dowd's attack works in part by exploiting a directory traversal flaw that allows attackers to write and overwrite files of their choice to just about any file location they want”.

Because AirDrop works wirelessly, attackers could hack into these devices from public spaces or anywhere the device in question is within range of an attacker. Dowd spoke to The Inquirer, a technology news outlet, saying “the phone does not need to be jailbroken or otherwise altered from its default state.” Dowd added that “it is useful in two attack scenarios. If they have AirDrop enabled and discoverable by everyone, you can attack them wirelessly within close proximity. If you have temporary physical access to a locked iPhone, you can also perform the attack because you can enable AirDrop from the lock screen by default.”

Despite the possibilities for exploiting this vulnerability, talking to SC, Dowd said “to my knowledge, no one has been compromised in the wild with it”.

This new vulnerability is partially fixed by the upcoming release of iOS 9, but OS X will not be fixed until version 10.11, due for release near the end of September.