A serious vulnerability has been discovered in iOS and OS X that allows Apple's AirDrop user-to-user file delivery system to be used to write files to arbitrary locations on the receiving device, bypassing its security controls.
Discovered by well-known security researcher Mark Dowd, founder of Azimuth Security, the bug can be exploited if AirDrop has been set to allow connections from anyone, a common choice for a feature designed for sharing files with a variety of people. In that mode AirDrop can receive files even when the iOS device is locked.
A user is normally required to respond to a notification to accept or reject the file transfer.
However, a specially crafted package sent over AirDrop exploits a flaw in a library shared by iOS and OS X, and the file is written before the notification process ever takes place.
“It does NOT matter whether they accept it or not to trigger this bug – the exploit has already happened by the time the notification is sent to the user,” Dowd told Threatpost.com.
With that write primitive, an attacker can alter configuration files so the device will accept any app signed with an Apple enterprise certificate, which can be obtained by illegitimate means without much difficulty.
Settings for SpringBoard, the iOS component that manages the home screen, can then be changed so the device treats the malware as a trusted enterprise app. Once delivered, the malware lies dormant until the device is rebooted, whereupon it activates and the attacker's own actions can begin.
The underlying vulnerability is what makes all of this possible: it lets the malicious transfer write files to any location on the device, rather than only to the location AirDrop is meant to use.
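The article describes the primitive (a crafted transfer lands files outside the place AirDrop is meant to write to, before the user is ever prompted) but not the code behind it. The following is an added illustration, not Apple's or Dowd's code, of the receive-side check any file-transfer inbox needs: the vulnerable join of a sender-chosen name onto the inbox directory, beside a hardened version that normalises the path and requires it to stay inside the inbox. It assumes the classic case of a sender-controlled name escaping the directory; the inbox path `/var/mobile/Downloads` and the sample names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical inbox directory (assumption; not Apple's real path). */
#define INBOX "/var/mobile/Downloads"

/*
 * Vulnerable form: the sender-chosen name is joined straight onto the
 * inbox directory, so "../../../etc/passwd" resolves outside it.
 * Returns 0 on success (buffer filled), -1 on truncation.
 */
int unsafe_inbox_path(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", INBOX, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/*
 * Hardened form: join, lexically normalise "." and ".." components, then
 * require the result to lie strictly inside INBOX. Returns 0 and fills
 * out with the normalised path, or -1 if the name must be rejected.
 */
int safe_inbox_path(const char *name, char *out, size_t outlen)
{
    char joined[1024];
    char norm[1024] = "";
    size_t nlen = 0;

    /* No empty names and no absolute paths: the sender may not pick the root. */
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return -1;
    int n = snprintf(joined, sizeof joined, "%s/%s", INBOX, name);
    if (n < 0 || (size_t)n >= sizeof joined)
        return -1;

    /* Walk the components, keeping a stack of retained segments in norm. */
    for (const char *p = joined; *p != '\0'; ) {
        while (*p == '/')
            p++;
        if (*p == '\0')
            break;
        const char *seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t seglen = (size_t)(p - seg);

        if (seglen == 1 && seg[0] == '.')
            continue;                           /* "." is a no-op */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            char *slash = strrchr(norm, '/');   /* ".." pops one segment */
            if (slash != NULL)
                *slash = '\0';
            nlen = strlen(norm);
            continue;
        }
        int w = snprintf(norm + nlen, sizeof norm - nlen, "/%.*s", (int)seglen, seg);
        if (w < 0 || (size_t)w >= sizeof norm - nlen)
            return -1;
        nlen += (size_t)w;
    }

    /* The normalised path must begin with INBOX followed by a separator,
       so ".." sequences that climbed out of the inbox are rejected here. */
    size_t plen = strlen(INBOX);
    if (strncmp(norm, INBOX, plen) != 0 || norm[plen] != '/')
        return -1;
    if (nlen + 1 > outlen)
        return -1;
    memcpy(out, norm, nlen + 1);
    return 0;
}

int main(void)
{
    char buf[1024];
    /* Constructed sender-supplied names: two benign, two traversal attempts. */
    const char *names[] = { "photo.jpg", "sub/../photo.jpg",
                            "../../../etc/passwd", "/etc/passwd" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int ok = safe_inbox_path(names[i], buf, sizeof buf);
        printf("%-22s -> %s\n", names[i], ok == 0 ? buf : "REJECTED");
    }
    return 0;
}
```

Two caveats a practitioner would add. The check has to run before any byte is written to disk, which is precisely the ordering the article says was missing: by the time the accept/reject prompt appeared, the file had already landed. And lexical normalisation says nothing about symlinks that already exist inside the inbox; real code should open the destination relative to a directory descriptor for the inbox with `openat` and `O_NOFOLLOW`, or resolve the parent directory with `realpath` and repeat the prefix check on the result.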
Dowd published a YouTube video showing how simple launching such an attack is, and how quickly it can be carried out.
Dowd acknowledged that, like any iOS or OS X app, malware delivered this way is still confined to its own sandbox. However, because the attacker signs the app and so chooses its own permissions, features such as the contacts list, location information or the camera can be accessed with little difficulty.
There is a suggestion that iOS 9, Apple's newest mobile OS, which launched yesterday, may not be vulnerable to this particular AirDrop exploit.
OS X 10.11 El Capitan may also sidestep the exploit, but official word from Apple is still being sought. Dowd seems to believe that because AirDrop on iOS 9 runs in its own sandbox, the immediate risk of writing files to arbitrary locations has been removed.