Apple iPhone had major security vulnerability that could have allowed hackers to run arbitrary code on any nearby iOS device and steal all the user data. All that the hacker needed to do was stay near your iPhone and exploit a vulnerability that affected AirDrop.
Thankfully, there are no reported cases of someone exploiting this vulnerability and the zero-day exploit has been patched. Apple released the patch in iOS 13.5 update and if you are using an iOS version that is above 13.5, you are safe.
This vulnerability went unnoticed and it was Google’s Project Zero team that alerted Apple about the security issue. Hackers could gain access to your data by simply being within the Wi-Fi radius of your iOS device. The user is not required to click on any link or perform any task that would help the hackers.
“With some proper engineering and better hardware, once AWDL (Apple Wireless Direct Link) is enabled the entire exploit could run in a handful of seconds. There are likely also better techniques for getting AWDL enabled in the first place rather than the hash bruteforce. My goal was to build a compelling demo of what can be achieved by one person, with no special resources, and I hope I’ve achieved that,” explained Ian Beer of Project Zero in a blog post.
He demoed the entire concept of the attack showing how an attacker could successfully exploit a victim’s iPhone 11 Pro located in a different room through a closed door. “The victim is using the Youtube app. The attacker forces the AWDL interface to activate then successfully exploits the AWDL buffer overflow to gain access to the device and run an implant as root. The implant has full access to the user’s personal data, including emails, photos, messages, keychain and so on. The attacker demonstrates this by stealing the most recently taken photo. Delivery of the implant takes around two minutes, but with more engineering investment there’s no reason this prototype couldn’t be optimized to deliver the implant in a handful of seconds,” he said.