iOS 9, OS X El Capitan close serious AirDrop vulnerability allowing malware infections

The technique bypasses Apple's security using a spoofed enterprise certificate, and can potentially be used against anyone within AirDrop range, Azimuth Security's Mark Dowd told Forbes. The attack forces the installation of a provisioning profile, and can alter iOS' Springboard to convince a device that the fake certificate is already trusted. This allows malware files to be copied to a directory for third-party apps — a demonstration by Dowd further replaced Apple's native Phone app.

A hacker could use the technique even if the victim chooses to reject the AirDrop transfer. There's also no immediate evidence of harm, since a device has to be rebooted before an attack is complete.

Sandboxing should generally restrict the amount of damage any malware can do, but if coded with the right entitlements it could do things like fetch contacts and location information, or make use of a device's camera. More clever hackers could code an app able to exploit an unknown kernel vulnerability and assume full system control.

Neither iOS 9 nor El Capitan completely solve the vulnerability, Dowd said, but iOS 9 imposes an extra sandbox on AirDrop, preventing files from writing to arbitrary folders. Dowd cautioned that the flaw may also be exploitable in apps outside of AirDrop, though he is not offering details until a patch is ready.

iOS 9 was released on Wednesday, but OS X will remain exposed until El Capitan ships on Sept. 30. In the meantime, the best defense is reportedly to disable AirDrop entirely.