iOS vulnerability endangers half a billion Apple users

Through a vulnerability in Apple's iOS, attackers can crash iPhones and iPads using commercially available hardware. Physical access is not required for this. That's what researchers at the Darmstadt Technical University have found out. More than half a billion devices are affected by this problem.
By eeNews Europe

Scientists at the Secure Mobile Networking Lab at the TU Darmstadt have found a vulnerability in the iPhone operating system iOS 12 that could allow an attacker to crash mobile Apple devices such as iPhones and iPads with a standard WLAN card and a simple single-board computer for less than 20 euros. In keeping with the principle of “responsible disclosure”, the vulnerability was reported to Apple and has just been closed by an iOS update. The scientists therefore strongly recommend that users of Apple mobile devices install the current iOS update 12.1.

Apple has traditionally promoted user-friendly features such as AirPlay, which allows users to send music or movies to compatible speakers and TVs wirelessly and with a single click from a variety of Apple devices. The underlying protocols use manufacturer extensions such as Apple Wireless Direct Link (AWDL), which enables direct WLAN communication between Apple devices. But the convenient functions also entail risks, explains Professor Matthias Hollick, head of the Secure Mobile Networking Lab at Darmstadt Technical University: “AWDL uses various wireless technologies. Put simply, the AWDL function is activated in the target device via a Bluetooth LE signal. In a second step, we take advantage of the fact that Apple does not cleanly check the input we send to the target device; this makes it possible to launch a denial of service attack. The result is a crash of the target device or all nearby devices at the same time. We don’t need any user interaction.”


According to the research team, the attack can be carried out using simple commercially available hardware – the researchers used the WLAN card of a laptop and a Bluetooth-capable single-board computer similar to a Raspberry Pi or Arduino, which was originally developed as a programming learning platform for schoolchildren. Potential attackers would therefore have an easy time of it.

The vulnerability – published under the identifier CVE-2018-4368 – only affects Apple devices. But users of Android mobile phones should not be lulled into a false sense of security, the scientists warn: “The vulnerability also has implications for the non-Apple world. The Wi-Fi Alliance’s new standard, Neighbor Awareness Networking (NAN), builds on AWDL and is already supported by Google’s Android (https://www.wi-fi.org/discover-wi-fi/wi-fi-aware).” The researchers expect similar vulnerabilities to be found in NAN implementations, as AWDL and NAN are of similar complexity.

In a YouTube video, the researchers documented their attack. See https://www.youtube.com/watch?v=M5D9NeKapUo

Original publication:  https://owlink.org 
