
An iOS zero-click radio proximity exploit odyssey

647 points, by tbodt, over 4 years ago

21 comments

dvt, over 4 years ago
I read the entire thing, and honestly the heap grooming is very interesting, but really that's the boring part -- lots of trial and error, padding memory, etc. Also interesting that linked-lists aren't used by Apple† (and Ian Beer's suggestion that they _ought_ to use them), but that's neither here nor there. Getting kernel memory read/write is also very interesting, albeit (again) a bit tedious. At the end of the day, it all started with this:

> Using two MacOS laptops and enabling AirDrop on both of them I used a kernel debugger to edit the SyncTree TLV sent by one of the laptops, which caused the other one to kernel panic due to an out-of-bounds memmove.

How did this even pass the _smell_ test? How did it get through code reviews and auditing? You're _allocating_ from an _untrusted source_. It's like memory management 101. I mean, my goodness, it's from a _wireless_ source, at that.

† In this specific scenario, namely the list of `IO80211AWDLPeer`s.
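The pattern dvt is describing, a length field that arrives over the air and then drives a memmove with no bounds check, is illustrated below with an added example. It is constructed for this thread and is not code from Apple, from Ian Beer's write-up or from any commenter; the TLV layout (1-byte type, 2-byte little-endian length) and the function names are assumptions, not AWDL's real SyncTree encoding. The unchecked function is there only for contrast with the checked one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed TLV layout used for this illustration (an assumption, not
 * AWDL's real SyncTree encoding): 1-byte type, 2-byte little-endian length,
 * then `length` bytes of value. */
#define TLV_HDR 3

/* The unsafe pattern: the length field arrived from an untrusted peer, yet
 * it alone decides how many bytes memmove copies. Nothing compares it with
 * the size of the received frame or of the destination. For contrast only;
 * never call it on untrusted input. */
void copy_tlv_value_unchecked(const uint8_t *frame, uint8_t *out) {
    size_t len = (size_t)frame[1] | ((size_t)frame[2] << 8);
    memmove(out, frame + TLV_HDR, len);   /* out-of-bounds read and write */
}

/* Hardened form: both bounds are checked before any byte moves. Returns
 * false and copies nothing when the frame is too short for its header, when
 * the declared length exceeds what the frame actually carries, or when it
 * exceeds the caller's buffer. */
bool copy_tlv_value_checked(const uint8_t *frame, size_t frame_len,
                            uint8_t *out, size_t out_cap, size_t *out_len) {
    if (frame_len < TLV_HDR) return false;        /* header itself truncated */
    size_t len = (size_t)frame[1] | ((size_t)frame[2] << 8);
    if (len > frame_len - TLV_HDR) return false;  /* claims more than received */
    if (len > out_cap) return false;              /* would overrun destination */
    memmove(out, frame + TLV_HDR, len);
    *out_len = len;
    return true;
}

/* Constructed sample frames: a well-formed TLV carrying four value bytes, and
 * one whose header claims 0xFFFF bytes but carries the same four. */
static const uint8_t good_frame[] = {0x01, 0x04, 0x00, 'a', 'b', 'c', 'd'};
static const uint8_t lying_frame[] = {0x01, 0xFF, 0xFF, 'a', 'b', 'c', 'd'};

/* Parse into a fixed 16-byte buffer; returns the value length, or -1 when
 * the checked parser rejected the frame. */
int parse_into_small_buffer(const uint8_t *frame, size_t frame_len) {
    uint8_t buf[16];
    size_t n = 0;
    return copy_tlv_value_checked(frame, frame_len, buf, sizeof buf, &n)
               ? (int)n : -1;
}
```

The lying frame is exactly the kind of input a fuzzer or a debugger-edited peer produces; the checked parser rejects it before memmove ever runs.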
SulfurHexaFluri, over 4 years ago
The scary thing is that even though this sounds like a monstrous effort to pull off this hack, it's not out of reach for large governments. It's basically known as a fact they have loads of these exploits sitting in their toolbox ready to use when they have an enticing enough target.

Short of rewriting the whole of iOS in a memory safe language I'm not sure how they could even solve this problem. Assigning a researcher to search for 6 months only to find one bug is financially prohibitive.
Animats, over 4 years ago
> Unfortunately, it's the same old story. A fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers. In fact, this entire exploit uses just a single memory corruption vulnerability to compromise the flagship iPhone 11 Pro device. With just this one issue I was able to defeat all the mitigations in order to remotely gain native code execution and kernel memory read and write.

Yes, same old buffer C/C++ overflow problem. We have mainstream alternatives now. C#. Go. Rust. It's time to move on.
brandmeyer, over 4 years ago
> What's more, with directional antennas, higher transmission powers and sensitive receivers the range of such attacks can be considerable.

I'm reminded of ye olde Gumstix BlueSniper rifle. Back in the early 2000s there were a series of exploits against bluetooth stacks. The standard response by the industry was that the attacks weren't practically exploitable due to the low power of typical bluetooth devices.

The BlueSniper was a cantenna + gumstix SBC specifically constructed for the purpose of demonstrating the low cost of the threat.
insta_anon, over 4 years ago
What I don't understand is:

Apple sits on this giant stack of unused money [1]. Why don't they get the best security researchers in the world, pay each of them north of $1M / year in salary and create the ultimate red team where their only task is to try to hack Apple devices.

If they get a team of 1000(!) people, each with $1M(!) in salary that would be less than 0.5%(!) of their revenue in 2019 [2].

Wouldn't that be worth it?

[1] https://fortune.com/2018/01/18/apple-overseas-cash-repatriation-gop-tax-plan/

[2] https://www.statista.com/statistics/265125/total-net-sales-of-apple-since-2004/
pjmlp, over 4 years ago
> A fairly trivial buffer overflow programming error in C++ code in the kernel parsing untrusted data, exposed to remote attackers.

Apparently Apple failed in their hiring process to get those mythical developers that never write such kind of errors in production C or C++ code. /s
hnburnsy, over 4 years ago
'AWDL is an Apple-proprietary mesh networking protocol designed to allow Apple devices like iPhones, iPads, Macs and Apple Watches to form ad-hoc peer-to-peer mesh networks. ... And even if you haven't been using those features, if people nearby have been then it's quite possible your device joined the AWDL mesh network they were using anyway.'

Wow, so Apple was ahead of Amazon's Sidewalk with AWDL. Can you disable this?
0x70run, over 4 years ago
A bit OT - how do I work on developing the skill set necessary to find vulnerabilities like these? Should I take some particular courses, or some other "track" of sorts? At the moment, I have an undergraduate in Computer Sciences, and I'd say I'm a fairly OK programmer.
mensetmanusman, over 4 years ago
It would be amazing to plot the 2.4 GHz amplitude vs. time series plot of this exploit.

Think about it, an ocean of electrons in the copper WiFi antenna bump along with a certain guiding EM wave and in so doing, they inadvertently cause the information moving electrons in the silicon crystal to disconnect from the electrons being pushed out of the Li-ion battery.

This amplitude fluctuation in principle could have been broadcast by motions of stars in the universe, as astronomy does peer into the deep with these frequencies [0].

In the future, one could imagine a bad actor with control over a global network of low orbit satellites spewing out this code for decades preventing such devices from being turned on long enough to receive updates, deactivating billions of dollars of human capital.

[0]: http://www.astrosurf.com/luxorion/radioastro-frequencieslist.htm
rvr_, over 4 years ago
How many people on earth can find and exploit something like this? Less than 100, maybe less than 1000?
wyldfire, over 4 years ago
The link to the clang pointer auth doc is broken, Apple changed their default branch name to 'main' instead of 'master'. A (more?) permanent link is [1].

[1] https://github.com/apple/llvm-project/blob/73ea7cb9eba3196ae0a4ff882ba5aff3a928aecb/clang/docs/PointerAuthentication.rst
martin-adams, over 4 years ago
I'd be really curious to know whether the phone can be exploited while on flight mode.
the_only_law, over 4 years ago
Despite the rather explicit explanation I still have absolutely no idea how people go about deciding how and where to start on such insane exploits.
blkhp19, over 4 years ago
Perhaps a dumb question, but why don't things like signed pointers prevent this? Are they just not that good of a security measure?
dshep, over 4 years ago
Excellent video and nice write-up!
randyrand, over 4 years ago
Can someone summarize the exploit?
exabrial, over 4 years ago
Wow. No helium required either
rmac, over 4 years ago
masterwork.
free2OSS, over 4 years ago
Are Androids without crapware as insecure as iPhones?

I wonder if the daily HN article about Apple failing to be secure is a result of 1 OS, 1 phone. Whereas no one is going to put the effort to find an exploit on a phone with 1% market share.

Similar question for desktops.
alexnewman, over 4 years ago
This is a disaster
q3k, over 4 years ago
> After a day or so of analysis and reversing I realize that yes, this is in fact another exploitable zero-day in AWDL. This is the third, also reachable in the default configuration of iOS.

Holy shit.