A newly revealed — and, importantly, already patched — iOS exploit allowed hackers to access and gain control over nearby iPhones using a proprietary Apple wireless mesh networking protocol called AWDL (Apple Wireless Direct Link).
Mikey Campbell for AppleInsider:
Discovered by security researcher Ian Beer, a member of Google’s Project Zero team, the AWDL scheme enabled remote access to photos, emails, messages, real-time device monitoring, and more.
As detailed in an exhaustive technical breakdown posted to the Project Zero blog on Tuesday, Beer uncovered the mechanism behind the exploit in a 2018 iOS beta that accidentally shipped with intact function name symbols tied to the kernel cache. After poking around in Apple’s code, he uncovered AWDL, a cornerstone technology that powers AirDrop, Sidecar, and other tentpole connectivity features…
The process took six months to develop, but when Beer was done, he could hack any iPhone in radio proximity… Apple patched the vulnerability in May with iOS 13.5 and a spokesperson for the company said a majority of its users are using updated software. Beer has found no evidence that the technique was used in the wild.
MacDailyNews Take: So, if you’re running iOS 13.5 or higher, as most of us are (92% of all devices introduced in the last four years; 81% of all devices), you’re all set.
Here’s the exploit explained in video form:
Since its been remediated, and the chances of anyone actually encountering someone that would do this is astronomical, why do we care..
Show that without Project Zero iOS would have had this massive security hole in their ‘cornerstone’ tech for years more to come?
Because most news outlets are going to put the exploit in the headline, and “This was patched six months ago, and no actual data was ever stolen” will be deep in the text that no one reads.
How does Apple’s management deal (admonishment, wage deduction, training) with engineers who introduce exploits?
Probably the same way they deal with management that championed failed Apple tech and products. Neither group is guilty unless proven that they intentionally created a ‘failure’.
Why should we care? Because of the extreme sloppiness on Apple’s part. Bad engineering, coding, and testing. What else is out there that no one has found … YET?