iOS Wi-Fi exploit enables zero-click remote iPhone access without user knowledge

A newly discovered — and already patched — iOS vulnerability allowed hackers to access and gain control over nearby iPhones using a proprietary Apple wireless mesh networking protocol called AWDL.

Discovered by security researcher Ian Beer, a member of Google's Project Zero team, the AWDL scheme enabled remote access to photos, emails, messages, real-time device monitoring, and more.

As detailed in an exhaustive technical breakdown posted to the Project Zero blog on Tuesday, Beer uncovered the mechanism behind the exploit in a 2018 iOS beta that accidentally shipped with intact function name symbols tied to the kernel cache. After poking around in Apple's code, he uncovered AWDL, a cornerstone technology that powers AirDrop, Sidecar, and other tentpole connectivity features.

From there, the researcher engineered an exploit and crafted an attack platform consisting of a Raspberry Pi 4B and two Wi-Fi adapters.

"AWDL is enabled by default, exposing a large and complex attack surface to everyone in radio proximity. With specialist equipment the radio range can be hundreds of meters or more," Beer explained in a tweet. Part of the exploit involves forcing AWDL to activate if it was switched off.

Beer says AWDL is a "neat" technology that makes way for "revolutionary" peer-to-peer connectivity solutions, but notes that "having such a large and privileged attack surface reachable by anyone means the security of that code is paramount, and unfortunately the quality of the AWDL code was at times fairly poor and seemingly untested." He offers the example of a drone flying over a protest to collect information from unsuspecting iPhone users.

The process took six months to develop, but when Beer was done, he could hack any iPhone in radio proximity.

"The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I'm fine.

Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they'd come into close contact with."

Apple patched the vulnerability in May with iOS 13.5 and a spokesperson for the company said a majority of its users are using updated software. Beer has found no evidence that the technique was used in the wild.

It is unclear if Beer's work is eligible for Apple's Bug Bounty program, but if it is, the developer said he would donate the proceeds to charity.



28 Comments

netrox 1510 comments · 12 Years

Lame crackers having nothing else to do.

But thanks. 

lkrupp 10521 comments · 19 Years

Hopefully he was paid a crap-ton of money.

jrc 766 comments · 23 Years

This is why I would like a physical on/off button that cuts all power from battery to any/everything. If I choose to use it, and let the implications of cutting off all services... so be it. 

Nov 98 - earliest AI Forum registration.

MplsP 4047 comments · 8 Years

Kind of a scary exploit. Thankfully it's patched so unless you have an old phone that can't run iOS 13 or you haven't bothered to update your phone in the last 6 months you should be fine.

netrox said:
Lame crackers having nothing else to do.

But thanks. 

Not sure how finding a security hole that allows virtually complete access to a device is lame. We need more people like this. Every hole that is found makes security better for everyone, both on iOS and Android, and that's a good thing.

jrc said:
This is why I would like a physical on/off button that cuts all power from battery to any/everything. If I choose to use it, and let the implications of cutting off all services... so be it. 

Nov 98 - earliest AI Forum registration.

How would that help? You would need to have your phone turned on at some point and then it would be vulnerable. Not to mention you would need to go through the hassle of powering it up and down every time you took it out. If you're that paranoid, a better approach is to put it in a Faraday cage when you're not using it.

bestkeptsecret 4289 comments · 13 Years

netrox said:
Lame crackers having nothing else to do.

But thanks. 

I don't think it is lame. It is amazing he was able to do something like this.

It was patched by Apple, but what he did will ensure that Apple is more careful with this stuff in the future. Apple probably appreciated his efforts.