It’s been called the ‘scariest iPhone hack ever.’ According to a recent Ars Technica article, “Earlier this year, Apple patched one of the most breathtaking iPhone vulnerabilities ever: a memory corruption bug in the iOS kernel that gave attackers remote access to the entire device – over Wi-Fi, with no user interaction required at all. Oh, and exploits were wormable – meaning radio-proximity exploits could spread from one nearby device to another, once again, with no user interaction needed.”
“This Wi-Fi packet of death exploit was devised by Ian Beer, a researcher at Project Zero, Google’s vulnerability research arm. In a 30,000-word post published on Tuesday afternoon, Beer described the vulnerability and the proof-of-concept exploit he spent six months developing single-handedly. Almost immediately, fellow security researchers took notice.”
You can see the demonstration here:
The BBC reports the hack was possible because Apple’s devices use a technology called Apple Wireless Direct Link.
Ian exploited this network to show how hackers could gain access to a device from a distance. He explains in his blog post how he was able to complete the hack, which – again – he spent six months investigating.
According to Ian, Apple patched this specific vulnerability “before the launch of Privacy-Preserving Contact Tracing in iOS 13.5 in May 2020”.
Mobile threats are scary, real, and here to stay
Ian writes, “The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine. Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.”
The reality is, paid professionals with time and resources are taking advantage of vulnerabilities, developing malicious apps, creating phishing campaigns and more, all in the name of stealing data, passwords, information and intelligence all found on mobile devices.
As of September, we had already recorded more mobile app breaches, failures, and data leaks than all of 2019. We detected a 6x increase in phishing sites from 1Q to 2Q/2020 alone and scammers – masquerading as more than 25 different companies, brands and government agencies – used 265 Google Forms in an effort to steal user passwords and credentials.
Why are we seeing these increases in mobile cybercrime? Unfortunately, the bad guys know that many mobile devices – unlike laptops and desktops – are unprotected endpoints. These unprotected endpoints contain the same content as their protected brethren and are now the de facto platform for productivity in business.
How Zimperium Helps Customers Today
Ian’s POC shows how attackers are getting more and more creative in expanding their entry points to a device, to ultimately achieve persistence (the objective of any attack like this).
Based on available information, Zimperium zIPS, powered by Zimperium’s machine learning-based engine, z9, helps protect customers by identifying at-risk devices and active threats trying to leverage vulnerabilities like the one used in this example. Specifically:
- At-risk Devices: Administrators can use Zimperium zConsole to find all devices that are on vulnerable OS versions (pre-13.5), or search by a specific CVE, and trigger customer-definable response actions.
- Active Threats: If an exploit like Ian’s alters the system to gain persistence (e.g., elevate privileges or further compromise the device), z9 would detect the attack.
To learn more about Zimperium and why we are the global leader in mobile security, please contact us.
Author: Kern Smith
Blog post: https://blog.zimperium.com/
Local Zimperium State Government Account Executive