A cybersecurity expert finds an unprecedented vulnerability on iOS operating system devices. Until May 2020 the ‘hackers’ may have accessed iPhones, iPads and iWatch remotely and gain full control of them: steal photos, read emails and even more.
Programmer Ian Beer is part of Google’s so-called Project Zero. The initiative was launched in 2014 to find software bugs and vulnerabilities that cybercriminals can exploit.
Thus, on December 1, Beer published an article describing in detail an exploit —system vulnerability— that allowed hackers to do whatever they wanted with an iPhone without coming into physical contact with it, simply using data exchange networks like Bluetooth or wifi.
This bug gives cybercriminals a tool to restart the smartphone and seize all the information on it without the user nodding. It is even possible to monitor the victim with the camera and microphone of the device.
Such a breach in defenses is based on Apple products using a certain data transmission protocol, Apple Wireless Direct Link (AWDL). It allows you to create a mesh network for services like AirDrop (allows you to share photos and files between devices) and Sidecar (which allows you to use an iPad as the second screen).
Beer not only found this vulnerability in AWDL, but also a way to activate it remotely in case it had been previously disabled.
In a video that accompanies the article, Beer demonstrates his discovery: on his computer modified with Wi-Fi adapters and a Raspberry Pi board, he hacks an iPhone 11 with iOS 13.3 installed. In less than five minutes he manages to download the photo from the device by implementing a malicious code.
The same programmer admits that it took him about half a year to find this vulnerability and he does not know if it was used by someone before. Anyway, with the iOS update in May 2020 Apple, which according to him was aware of the problem, made the necessary fixes to deal with it and now its consumers are safe.
However, Beer insists that there may be other exploits of this type and they should not be taken lightly since “one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.”