A cyber security researcher has uncovered a significant vulnerability present within a library in iOS. When exploited, an attacker has the means to overwrite arbitrary files and insert a signed applications on a targeted device.
Security researcher Mark Dowd discovered a vulnerability that is present in both iOS and OS X and confirmed that he was able to exploit the flaw via AirDrop, reports ThreatPost.
The feature is built-in to the both operating systems and enables the means for users to send files directly to other devices, wirelessly. The exploit can be triggered if, for instance, a user’s AirDrop setting is set to openly allow connections from anyone including those not present as a contact, an attacker can exploit the vulnerability.
Related article: Two Zero-Day Vulnerabilities Discovered in Apple’s OS X
It gets worse. An attacker can exploit the vulnerability even if the targeted victim explicitly refuses to accept the file transferred via AirDrop.
Mark Dowd, an Australian security researcher who heads Azimuth Security recommends Apple users to update to iOS9 and Mac OS X El Capitan (Version 10.11) immediately in order to restrict any possibility of malware infecting their phones and computers.
The Experimental Exploit
The proof of concept video of the exploit can be seen here:
Dowd’s AirDrop exploit first forced an installation of a provisioning profile for his app, when exploring ways to get the iPhone to accept his certificate. He then proceeded to change Springboard, the tool offered by Apple for managing the phone’s home screen.
In changing the setup, he tricked the phone into accepting his profile was already accepted and trusted by the user before copying his malware files into the same directory where third-party apps are installed.
To drive home the point, Dowd tweaked Springboard to ensure that his malicious app entirely replaced the iPhone’s ‘Phone’ software – routinely used to make phone calls. A reboot later, the attack was complete.
Related article: JailBroken Apple Devices Targeted by New Malware
Despite the sandbox environment of iOS and Mac where apps are kept in their own contained, Dowd explains that malware can still gain access to data from an infected device.
“The app is restricted by its sandbox. However since you sign the app, you can grant some entitlements that allow it to do things like read contacts, get location information, use the camera or whatever other entitlements legitimate apps can be allowed to have,” he notes, speaking to Forbes.
He added that hackers exploiting such a flaw could also go deeper into the phone, down to its kernel, the heart of the operating system.
“The best thing to do though would be to find a kernel vulnerability that you launch from your app to gain full privileges to the phone in the same way Jailbreaks do,” warned Dowd.
Dowd went on to say that further details of the exploit and bug will be released after it is fully patched.
