Well-known Google Project Zero researcher Ian Beer has published a blog post that has received a lot of media attention.
The article itself has a completely accurate, if understated, title: An iOS zero-click radio proximity exploit odyssey.
However, it is the headlines used above that capture the practical essence of Beer's attack.
The exploit sequence he describes lets an attacker break into a nearby iPhone and steal personal data, using nothing but a wireless connection and requiring no click, and no warning, on the part of the innocent user of the device.
Indeed, Beer's article ends with a short video showing him automatically stealing photos from a phone using a hacking kit set up in the next room:
- He uses his iPhone to take a picture of a "secret document" in one room.
- He leaves the phone's "user" (which happens to be a giant pink teddy bear) sitting down watching a YouTube video.
- He goes next door and launches an automated radio attack that exploits a kernel bug in the phone.
- The exploit secretly uploads malware code to the phone, gains access to the Photos app's data directory, reads the "secret" photo file, and invisibly uploads it to his laptop in the next room.
- The phone carries on operating normally throughout, with no warnings, pop-ups, or anything else that might alert the user to the hack.
That’s bad news.
Fortunately, the main vulnerability Beer relied on was discovered months ago by Beer himself, reported to Apple, and has already been patched.
So if you have updated your iPhone in the last few months, you should be safe from this particular attack.
Another kind of good news is that, by Beer's own admission, it took him six months of detailed and dedicated work to figure out how to exploit his own bug.
To give you an idea of how much effort went into the five-minute "teddy bear data theft" video above, and as fair warning if you're thinking of studying Beer's excellent article in detail, remember that his blog post runs to over 30,000 words, longer than George Orwell's Animal Farm or Charles Dickens's A Christmas Carol.
Of course, you might be wondering why Beer went to so much trouble to turn a bug he had already found and reported into a working attack, a process known in the paramilitary jargon that is common in cybersecurity as weaponization.
Well, Beer gives the answer himself in his article:
The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I'm fine.
Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they'd get in close contact with.
To be clear: Beer reported the original bug promptly via Google, and as far as we know no one else found it before he did, so there is no suggestion that it was ever abused by anyone in real life.
The point, however, is that when a kernel-level buffer overflow is discovered, it is reasonable to assume that a determined attacker can build a dangerous exploit from it, even in the face of the latest and greatest exploit mitigations.
Security controls such as address space layout randomization (ASLR) and pointer authentication codes (PAC) greatly improve cybersecurity, but they are not silver bullets in themselves.
Mozilla puts it pretty bluntly when it fixes memory-management flaws in Firefox that showed up only as apparently mild or mysterious errors the team didn't, or couldn't, figure out how to exploit themselves: "We presume that with enough effort some of these could have been exploited to run arbitrary code."
In short: finding bugs is vital. Patching them is vital. Learning from our mistakes is vital. And cybersecurity defenses need to keep evolving regardless.
Beer's road to a working attack
It's hard to do justice to Beer's masterpiece in a brief summary, but here's a (possibly recklessly simplified) rundown of the hacking skills he used:
- Find kernel function names that sound dangerous. The funky name that started it all was IO80211AWDLPeer::parseAwdlSyncTreeTLV, where TLV stands for type-length-value, a method of packaging complex data at one end so it can be unpacked (parsed) at the other, and AWDL stands for Apple Wireless Direct Link, a proprietary wireless mesh network used for Apple features such as AirDrop. A function name like this signals complex kernel-level code that is exposed directly to untrusted data sent from other devices, which is exactly the sort of code that often harbours dangerous programming failures.
- Find a bug in the TLV processing code. Beer noticed that the length of a TLV data object destined for a memory buffer of only 60 bytes (room for 10 MAC addresses) was mistakenly checked against 1024 bytes, a general safety limit, rather than against the actual size of the available buffer.
- Build an AWDL network driver stack to craft dangerous packets. Ironically, Beer started with an existing open source project aimed at compatibility with Apple's own code, but couldn't get it to work as he needed, so he ended up writing his own.
- Find a way to get the buffer-busting packets past the safety checks that existed elsewhere. Even though the core kernel code was flawed and the final error check was not done correctly, some partial precursor checks made the attack much more difficult. As Beer points out, in low-level code, especially where performance matters, it is tempting to assume that untrusted data has already been sanitised and to omit error checking at the critical point. Don't, especially if the code in question lives in the kernel.
- Learn how to turn the buffer overflow into controllable heap corruption. This gave him a predictable and exploitable way to use AWDL packets to force unauthorised reads from, and writes to, kernel memory.
- Try a total of 13 Wi-Fi adapters to find one that could launch the attack. Beer wanted to send the poisoned AWDL packets over the 5GHz Wi-Fi channels that are widely used today, so he needed a network adapter that could be reconfigured to suit his needs.
At this point Beer already had a proof-of-concept result, and most of us would have called it a win.
The kernel read/write capability let him remotely force the Calculator app to pop up on the phone as long as AWDL networking was active, for example while the user was sharing a file via AirDrop using the Share icon in the Photos app.
Nevertheless, he decided to convert this into a so-called zero-click attack, one in which the victim does not need to do anything more specific than simply "use the phone" at the time.
As you can imagine, zero-click attacks are much more dangerous, because even well-informed users get no obvious advance sign that trouble is imminent.
So Beer also came up with the following techniques:
- Impersonate a nearby device offering files to share via AirDrop. If the phone decides, based on the Bluetooth data being sent, that a nearby device may belong to one of your contacts, it temporarily activates AWDL to find out who it is. If it turns out not to be one of your contacts you won't see any pop-up or other warning, but the exploitable AWDL bug has nevertheless been exposed via the automatically activated AWDL subsystem.
- Extend the attack beyond merely popping up an existing app such as Calculator. Beer figured out how to use the initial exploit as the first link in a detailed attack chain that can access and steal arbitrary files on the device.
In the video above, the attack hijacked an app that was already running (remember, the teddy bear was watching YouTube). By "unsandboxing" the app from within the kernel, it was no longer restricted to viewing its own data; the hijacked app was then used to access the DCIM (camera) directory belonging to the Photos app, steal the latest image file, and exfiltrate it over a seemingly harmless TCP connection.
What to do?
Tip 1. Make sure your security fixes are up to date. The bug at the heart of Beer's attack chain was first discovered and disclosed by him, so it has already been patched. Go to Settings > General > Software Update.
Tip 2. Turn off Bluetooth if you don't need it. Bluetooth was needed to turn this into a true zero-click attack, a handy reminder that "less is more".
Tip 3. Don't assume that a bug which sounds "difficult" will never be abused. Beer admits that exploiting it was hard, very hard, but ultimately not impossible.
Tip 4. If you are a programmer, be strict with your data. Proper error checking is never a bad idea.
For all the coders out there: expect the best, that is, hope that everyone who calls your code checks for errors at least once; but prepare for the worst, that is, assume that they don't.
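The length-check mistake described in the attack-chain section above (a TLV length compared against a generic 1024-byte limit rather than the 60-byte destination buffer) and Tip 4's advice about strict error checking, shown side by side as an added C example. This is neither Apple's code nor Beer's: the TLV layout (1-byte type, 2-byte big-endian length, value), the constant names and the MAC-list sizes are assumptions for illustration, and the wrong check is shown only as a predicate that is never used to copy data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Assumed sizes: one record holds at most 10 six-byte MAC addresses (60 bytes),
 * while the protocol-wide TLV maximum is 1024 bytes. The article's bug is that
 * the length was compared against the latter instead of the former. */
#define MAC_LEN         6
#define MAX_MACS        10
#define MAC_BUF_LEN     (MAC_LEN * MAX_MACS)   /* 60 bytes: the real destination */
#define GENERIC_TLV_MAX 1024                   /* the wrong yardstick */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

struct mac_list {
    uint8_t macs[MAC_BUF_LEN];
    size_t count;
};

/* The check as the article describes the bug: bounded only by the protocol-wide
 * maximum, so any length between 61 and 1024 passes even though the destination
 * holds 60 bytes. Shown as a predicate only; nothing copies data based on it. */
bool length_ok_generic(size_t len) {
    return len <= GENERIC_TLV_MAX;
}

/* The correct check: bounded by the actual destination size, and additionally
 * required to be a whole number of MAC addresses. */
bool length_ok_for_buffer(size_t len, size_t buf_len) {
    return len <= buf_len && len % MAC_LEN == 0;
}

/* Parse one MAC-list TLV from pkt into out. Every untrusted field is validated
 * before it is used: the header must be present, the declared value must fit
 * inside the packet, and the value must fit inside the destination buffer. */
enum parse_status parse_mac_tlv(const uint8_t *pkt, size_t pkt_len,
                                struct mac_list *out) {
    if (pkt_len < 3) return PARSE_TRUNCATED;            /* no complete header */
    size_t len = ((size_t)pkt[1] << 8) | pkt[2];
    if (pkt_len - 3 < len) return PARSE_TRUNCATED;      /* value not all present */
    if (!length_ok_for_buffer(len, sizeof out->macs)) return PARSE_TOO_LONG;
    memcpy(out->macs, pkt + 3, len);                    /* safe: len <= 60 */
    out->count = len / MAC_LEN;
    return PARSE_OK;
}

/* Build a constructed test TLV carrying n_macs dummy addresses into buf.
 * Returns the total encoded length, or 0 if buf is too small. */
size_t build_mac_tlv(uint8_t *buf, size_t buf_len, size_t n_macs) {
    size_t len = n_macs * MAC_LEN;
    if (buf_len < 3 + len) return 0;
    buf[0] = 0x01;                        /* constructed type value */
    buf[1] = (uint8_t)(len >> 8);
    buf[2] = (uint8_t)(len & 0xff);
    for (size_t i = 0; i < len; i++) buf[3 + i] = (uint8_t)(0xa0 + (i % MAC_LEN));
    return 3 + len;
}

int main(void) {
    uint8_t pkt[1200];
    struct mac_list list;

    /* An over-long record: 20 addresses = 120 bytes of value. */
    size_t n = build_mac_tlv(pkt, sizeof pkt, 20);
    size_t declared = ((size_t)pkt[1] << 8) | pkt[2];
    printf("declared length %zu: generic check says %s, buffer check says %s\n",
           declared, length_ok_generic(declared) ? "ok" : "reject",
           length_ok_for_buffer(declared, MAC_BUF_LEN) ? "ok" : "reject");
    printf("parser result for over-long record: %d (2 = too long)\n",
           parse_mac_tlv(pkt, n, &list));

    /* A record that exactly fills the buffer. */
    n = build_mac_tlv(pkt, sizeof pkt, 10);
    printf("parser result for full record: %d, %zu addresses\n",
           parse_mac_tlv(pkt, n, &list), list.count);
    return 0;
}
```

The generic check accepts the 120-byte record because 120 is well under 1024; the buffer-aware check rejects it because the destination is 60 bytes. Note also that the parser validates the declared length against the packet that actually arrived before trusting it, so a truncated packet cannot make the parser read past its end.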