AirDrop bug gifts hackers full iOS and OS X privileges
Wed 16 Sep 2015
A vulnerability has been discovered in Apple’s AirDrop file-sharing service that leaves iOS and OS X devices open to attack and at risk of surrendering full administrative control.
Revealed by Australian security researcher Mark Dowd, the exploit allows anyone with malicious intent to install malware on a target device within AirDrop range and take full control of it, regardless of whether the recipient rejects the incoming file.
In a YouTube demonstration Dowd carries out what is known as a ‘directory traversal attack’, in which a transferred file is written outside the location it was meant to land in, to reach the operating system and alter configuration settings so that iOS will accept any software signed with an Apple enterprise certificate. These certificates are used by businesses to install software not hosted in the App Store, but are also commonly abused to skirt security protections.
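As an added illustration (not code from the article or from Apple), the following shows how a receiving service should confine a sender-supplied file name to its inbox directory, rejecting traversal names and also a symlink planted in the inbox earlier; the directory, names and payload are constructed for the demo.

```python
import os
from pathlib import Path

def safe_destination(inbox_dir: str, sender_name: str) -> Path:
    """Return the path an incoming file may be written to, or raise ValueError.

    The sender chooses a bare file name and nothing more. A syntactic check on
    the name is followed by a semantic check on the resolved path, so a symlink
    already sitting in the inbox cannot redirect the write outside it either.
    """
    if not sender_name or "\0" in sender_name:
        raise ValueError("empty name or embedded NUL")
    # Any separator or dot-only component means the sender is trying to pick a
    # directory, which a file-drop receiver must never allow.
    if "/" in sender_name or "\\" in sender_name or sender_name in (".", ".."):
        raise ValueError(f"path component not allowed: {sender_name!r}")
    inbox = Path(inbox_dir).resolve(strict=True)
    candidate = (inbox / sender_name).resolve()
    # Containment is checked on the *resolved* path, catching a planted
    # symlink such as inbox/photo.jpg -> somewhere outside the inbox.
    if candidate.parent != inbox:
        raise ValueError(f"destination escapes inbox: {candidate}")
    return candidate

def receive_file(inbox_dir: str, sender_name: str, payload: bytes) -> Path:
    """Write payload only after the destination has passed safe_destination."""
    dest = safe_destination(inbox_dir, sender_name)
    # O_EXCL refuses to clobber anything that already exists at the path,
    # including a file or link the sender could have caused to exist earlier.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return dest

def demo() -> dict:
    """Constructed scenario: fresh inbox with one planted symlink (hypothetical names)."""
    import tempfile
    inbox = Path(tempfile.mkdtemp())
    outside = inbox.parent / (inbox.name + "-outside.txt")
    (inbox / "planted.jpg").symlink_to(outside)  # attacker-planted, points outside
    results = {}
    for name in ["report.pdf", "../../Library/Preferences/x.plist", "..", "planted.jpg"]:
        try:
            receive_file(str(inbox), name, b"constructed payload")
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results
```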
Once the phone has been rebooted, the malware can use SpringBoard, Apple’s home screen management tool, to make the device treat the malicious app as trusted. The disguised malware is then placed among the other third-party apps.
“The app is restricted by its sandbox. However, since you sign the app, you can grant some entitlements that allow it to do things like read contacts, get location information, use the camera or whatever other entitlements legitimate apps can be allowed to have,” explained Dowd. He added that hackers looking to inflict further damage could “find a kernel vulnerability […] to gain full privileges to the phone in the same way jailbreaks do.”
Apple has now added a sandbox for AirDrop in iOS 9, which stops attackers from copying files across the service. Users have been advised to update to iOS 9 and Mac OS X El Capitan, version 10.11, due for release on 16 and 30 September respectively, to prevent further malware attacks of this kind. Alternatively, the AirDrop service can be turned off; it is disabled by default, although it can be activated from the lock screen.