Latest in Gear

Image credit: Chris Velazco/Engadget

iPhone exploit gave hackers control over WiFi without your input

Apple has since patched the flaw.
Jon Fingas, @jonfingas
December 2, 2020
408 Shares
Share
Tweet
Share

Sponsored Links

Apple iPhone SE and iPhone 11
Chris Velazco/Engadget

Many security exploits require at least some kind of interaction on your part, but that wasn’t true for an iPhone exploit earlier this year. As Ars Technica reports, Google Project Zero researcher Ian Beer has detailed an iOS 13 exploit that let someone remotely control a device over WiFi using a “zero-click” attack — that is, with no input required from the target.

The exploit took advantage of a buffer overflow bug in a driver for the in-house mesh networking protocol used for features like AirDrop. As that driver sits in the operating system’s kernel, which has extensive privileges, a successful hack could have dealt extensive damage. An intruder could have installed an “implant” that accessed sensitive info like cryptographic keys and photos, for instance.

It wouldn’t have been trivial to stage an attack, but it wouldn’t have been difficult, either. Beer used a laptop, a Raspberry Pi 4 and a readily available Netgear WiFi adapter, and he was working from home during a pandemic lockdown. The stealthiness was the greater concern. A perpetrator could have swiped personal data while leaving you completely oblivious, at least as long as there was a reasonably close hiding place.

Notice the use of the past tense, however. Apple fixed the flaw in iOS 13.3.1, before iOS 13.5 arrived with COVID-19 contact tracing. It’s also unclear if anyone made use of the flaw in the wild, which might have been difficult with many people working from home. Still, this could easily have been a serious problem in apartments and other places where it’s difficult to stay out of WiFi distance from others.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
408 Shares
Share
Tweet
Share

Popular on Engadget

Presenting the Best of CES 2021 winners!

Presenting the Best of CES 2021 winners!

View
Donald Trump pardons ex-Waymo, Uber engineer Anthony Levandowski

Donald Trump pardons ex-Waymo, Uber engineer Anthony Levandowski

View
LG considers leaving the mobile business

LG considers leaving the mobile business

View
Mercedes-Benz' EQA crossover is its first sub-$50,000 EV

Mercedes-Benz' EQA crossover is its first sub-$50,000 EV

View
Korg teases Drumlogue, a hybrid analog / digital groovebox

Korg teases Drumlogue, a hybrid analog / digital groovebox

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr