Critical iOS Bug Allowed Easy iPhone Hacking via Wi-Fi

Details have emerged about a highly exploitable vulnerability in iOS that allowed attackers to take control of nearby devices over Wi-Fi. If successful, a hacker could freely browse the victim’s photo album, read private messages, and monitor real-time activity on the device.

The issue, identified as CVE-2020-9844, was discovered by Ian Beer, a member of Google’s Project Zero. After receiving the report, Apple updated its code and released patches for iOS (13.5) and macOS Catalina (10.15.5) in May. A proof-of-concept exploit for CVE-2020-9844 was published on Tuesday, December 1.

According to Apple’s security bulletins, the vulnerability is classified as a double free memory error, which can cause system crashes and compromise kernel memory integrity. In his blog post, Beer explained that the root cause is a buffer overflow bug in the Wi-Fi driver associated with the Apple Wireless Direct Link (AWDL) protocol. Apple developed AWDL specifically to simplify communication between its devices.

To demonstrate the exploit, the researcher used an iPhone 11 Pro, a Raspberry Pi computer, and two different Wi-Fi adapters. He was able to remotely gain read and write access to the target device’s kernel memory, inject root-level shellcode, escape the sandbox, and access user data.

There are currently no reports of CVE-2020-9844 being used in real-world attacks, but Beer believes exploit vendors have already taken note of the vulnerability.

Previous AWDL Protocol Vulnerabilities

Bugs in the proprietary AWDL protocol have been reported before. In July, researchers from the Technical University of Darmstadt disclosed vulnerabilities that allowed attackers to track iOS device users, cause system crashes, and intercept files transferred between devices using man-in-the-middle (MitM) attacks.
