A serious security flaw in iOS allowed an attacker within WiFi range to take complete remote control of an iPhone. The attacker could download all the data on the phone, and even activate the iPhone's cameras and microphones for real-time spying.

The vulnerability was not just a theoretical risk: a noted Google security researcher was able to demonstrate the capabilities by taking full remote control of an iPhone in another room …

The jaw-dropping exploit was demonstrated by Google Project Zero security researcher Ian Beer. The team's job is to find vulnerabilities and report them to vendors before attackers can discover and exploit them. Project Zero founder Chris Evans told Ars Technica that the scary thing about this one is that it works without any user interaction at all, and leaves the victim no clue that their privacy was violated.

There is some good news in the mix. Beer said he has found no evidence that the bug was ever exploited in the wild, and, as usual, he gave Apple time to patch it before sharing the details. It is still remarkable that such a large hole ever existed.

This attack is just you’re walking along, the phone is in your pocket, and over Wi-Fi someone just worms in with some dodgy Wi-Fi packets.

How could a vulnerability allow such far-reaching control of an iPhone without physical access to it, and without any user interaction? Because the flaw was a buffer overflow in the iOS kernel code that parses Apple Wireless Direct Link (AWDL) frames. AWDL frames arrive over the air from any device nearby and are parsed in the kernel with no authentication and no prompt, so a malformed frame can corrupt kernel memory before the user is involved at all. And the same interface carries features like AirDrop, which can move any photo or file stored on an iPhone.

Beer’s blog post explaining how the vulnerability arose, and how he was able to discover and exploit it, is a lengthy and technical one. The story began in 2018.

AWDL is an Apple-proprietary mesh networking protocol designed to allow Apple devices like iPhones, iPads, Macs and Apple Watches to form ad-hoc peer-to-peer mesh networks. Chances are that if you own an Apple device you’re creating or connecting to these transient mesh networks multiple times a day without even realizing it.

If you’ve ever used Airdrop, streamed music to your Homepod or Apple TV via Airplay or used your iPad as a secondary display with Sidecar then you’ve been using AWDL. And even if you haven’t been using those features, if people nearby have been then it’s quite possible your device joined the AWDL mesh network they were using anyway.

Apple normally strips function-name symbols from the iOS kernel before shipping it, so a reverse engineer has no names to hint at what each function does. But in 2018, Apple shipped an iOS beta build without doing so. Having the names provides all kinds of clues, and Beer said that one function in particular caught his eye.

Once he had looked up what AWDL was, he knew where to focus. He was eventually able to craft AWDL frames that any iPhone within WiFi range would accept and process, and that would trigger the bug.

The function name:

IO80211AWDLPeer::parseAwdlSyncTreeTLV

At this point, I had no idea what AWDL was. But I did know that TLVs (Type, Length, Value) are often used to give structure to data, and parsing a TLV might mean it’s coming from somewhere untrusted. And the 80211 is a giveaway that this probably has something to do with WiFi.

The work this required was itself staggering. In all, it took him six months to overcome each of the barriers he hit along the way. By the end of it, though, he was able to demonstrate the attack by taking over an iPhone 11 Pro in the room next door. Beer's video demo (below) uses a Raspberry Pi and a couple of ordinary WiFi adapters, controlled from a MacBook Air.

This demo shows the attacker successfully exploiting a victim iPhone 11 Pro device located in a different room through a closed door. The victim is using the Youtube app. The attacker forces the AWDL interface to activate then successfully exploits the AWDL buffer overflow to gain access to the device and run an implant as root. The implant has full access to the user’s personal data, including emails, photos, messages, keychain and so on. The attacker demonstrates this by stealing the most recently taken photo. Delivery of the implant takes around two minutes, but with more engineering investment there’s no reason this prototype couldn’t be optimized to deliver the implant in a handful of seconds.
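The bug class behind the demo, a length field in an unauthenticated TLV that the parser trusts when copying into a fixed-size destination (the point Beer makes about TLVs above, and the "AWDL buffer overflow" the demo exploits), is easiest to see in a toy parser. The block below is an added example and is not code from Beer's post or from Apple; the TLV layout (1-byte type, 1-byte length, value), the type numbers, the 6-byte node size and the 8-node capacity are assumptions chosen for illustration, not the real AWDL frame format. The vulnerable parser and the hardened one walk the same constructed frame, and a guard area placed right after the tree buffer shows which of them wrote past the end.

```c
/* Added example, not code from Beer's post or from Apple. Shows a TLV parser
 * that trusts an attacker-controlled length field (vulnerable) beside one
 * that bounds the copy by the destination (hardened). TLV layout, type
 * numbers and buffer sizes are assumptions for illustration only. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define TLV_TYPE_SYNC_TREE 0x14              /* hypothetical type number */
#define TLV_TYPE_OTHER     0x01              /* hypothetical, skipped by the parser */
#define NODE_LEN           6                 /* one 6-byte entry per tree node */
#define MAX_TREE_NODES     8
#define TREE_LEN           (MAX_TREE_NODES * NODE_LEN)
#define GUARD_LEN          8                 /* sentinel bytes after the tree */

/* Per-peer state. Tree and guard share one allocation so the demo can
 * observe an overflow without writing outside mapped memory. */
struct peer_state {
    uint8_t *region;      /* TREE_LEN + GUARD_LEN bytes, zeroed */
    uint8_t *tree;        /* region[0 .. TREE_LEN) */
    uint8_t *guard;       /* region[TREE_LEN .. TREE_LEN + GUARD_LEN) */
};

int peer_state_init(struct peer_state *ps) {
    ps->region = calloc(1, TREE_LEN + GUARD_LEN);
    if (!ps->region) return -1;
    ps->tree = ps->region;
    ps->guard = ps->region + TREE_LEN;
    return 0;
}

void peer_state_free(struct peer_state *ps) { free(ps->region); ps->region = NULL; }

/* Vulnerable form: checks that each TLV fits inside the received frame, but
 * trusts the attacker-controlled length when copying into ps->tree.
 * Returns the node count it believes it stored, -1 on a truncated frame. */
int parse_sync_tree_vuln(struct peer_state *ps, const uint8_t *buf, size_t len) {
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t type = buf[off], tl = buf[off + 1];
        if (off + 2 + tl > len) return -1;            /* TLV runs past the frame */
        if (type == TLV_TYPE_SYNC_TREE) {
            memcpy(ps->tree, buf + off + 2, tl);      /* BUG: tl may exceed TREE_LEN */
            return (int)(tl / NODE_LEN);
        }
        off += 2 + tl;                                /* skip TLVs we do not handle */
    }
    return 0;                                         /* no sync-tree TLV present */
}

/* Hardened form: same walk, but the value must be a whole number of nodes
 * and must fit the destination, otherwise the frame is rejected (-2). */
int parse_sync_tree_safe(struct peer_state *ps, const uint8_t *buf, size_t len) {
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t type = buf[off], tl = buf[off + 1];
        if (off + 2 + tl > len) return -1;
        if (type == TLV_TYPE_SYNC_TREE) {
            if (tl % NODE_LEN != 0 || tl > TREE_LEN) return -2;
            memcpy(ps->tree, buf + off + 2, tl);
            return (int)(tl / NODE_LEN);
        }
        off += 2 + tl;
    }
    return 0;
}

/* Constructed test frame: one unrelated TLV, then a sync-tree TLV carrying
 * `nodes` entries of 0xAA bytes. Returns the frame length, 0 if it won't fit. */
size_t build_frame(uint8_t *out, size_t cap, size_t nodes) {
    size_t vlen = nodes * NODE_LEN;
    if (vlen > 255 || cap < 6 + vlen) return 0;
    out[0] = TLV_TYPE_OTHER; out[1] = 2; out[2] = 0; out[3] = 0;
    out[4] = TLV_TYPE_SYNC_TREE; out[5] = (uint8_t)vlen;
    memset(out + 6, 0xAA, vlen);
    return 6 + vlen;
}

/* 1 if a parser wrote past the tree into the guard bytes, else 0. */
int guard_clobbered(const struct peer_state *ps) {
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (ps->guard[i] != 0) return 1;
    return 0;
}

int main(void) {
    uint8_t frame[300];
    struct peer_state a, b;
    size_t n = build_frame(frame, sizeof frame, 9);   /* 54-byte value: 6 past the tree */
    if (peer_state_init(&a) || peer_state_init(&b)) return 1;
    printf("vuln: ret=%d guard_clobbered=%d\n", parse_sync_tree_vuln(&a, frame, n), guard_clobbered(&a));
    printf("safe: ret=%d guard_clobbered=%d\n", parse_sync_tree_safe(&b, frame, n), guard_clobbered(&b));
    peer_state_free(&a); peer_state_free(&b);
    return 0;
}
```

The vulnerable parser's only check is the one most parsers do have, that the TLV does not run past the end of the frame; the missing check is against the destination. With a 9-node frame it reports success and has already written six bytes into the guard area; in real code, where the next thing in memory is another kernel object rather than a sentinel, that is the foothold an exploit builds on. The hardened version rejects the frame outright, which is the correct response to a malformed frame from an unauthenticated peer.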

Beer was the same researcher who previously detailed 'one of the largest attacks against iPhone users ever', in the form of hacked websites distributing iOS malware. Back in 2018, he accused Apple of doing a poor job of fixing the many vulnerabilities he had reported to the company. The iPhone maker did fix this one, as you'd expect, sometime prior to iOS 13.5.

Apple responded that most people keep their devices updated, so most users would already have been protected by the time the details were published, and that the exploit could only be used within WiFi range.