Proof-of-concept exploit installs malicious app on nearby iPhones.
Apple has mitigated a critical iOS vulnerability that allows attackers within Bluetooth range of an iPhone to install malicious apps using the AirDrop file-sharing feature.
Mark Dowd, the security researcher who discovered the bug and privately reported it to Apple, told Ars that the vulnerability has been mitigated in iOS 9, which Apple released Wednesday. But he went on to say that the underlying bug still hasn’t been fixed. As he demonstrated in the following video, the bug allows attackers who briefly have physical access to a vulnerable iPhone, or who are within Bluetooth range of it, to install an app that the device will trust without prompting the user with a warning dialog.
Dowd used an enterprise certificate that Apple makes available to developers so large organizations can install custom apps on large fleets of iPhones. As a result, the apps his technique installs don’t generate the dialog that warns the end user that the app is signed by a third party and asks for approval to proceed. He said another method for bypassing iOS code-signing restrictions would be to combine his AirDrop hack with a jailbreak exploit, such as the TaiG jailbreak that Apple recently patched with version 8.4 of iOS.
Dowd’s attack works in part by exploiting a directory traversal flaw that allows attackers to write and overwrite files of their choice to just about any file location they want. Although Dowd said Apple hasn’t fully fixed the flaw, the mitigations available in Wednesday’s release of iOS 9 are one more benefit that security-conscious iPhone users should consider when deciding whether to install the update. Word of the mitigated vulnerability came a day after separate researchers demonstrated a new lockscreen hack in Google’s competing Android mobile operating system that gives attackers full access to locked phones.
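The directory traversal class described above arises when a file-receiving feature lets the sender's chosen file name influence where the file is written. The following is an added, constructed example of how a receiver can vet that name (hypothetical helper names; not Apple's or AirDrop's code, and it assumes nothing about how iOS implements the feature):

```python
import tempfile
from pathlib import Path

# Constructed example: the receiver owns the inbox directory and must never let
# a sender-supplied name steer the write outside it. Hypothetical helper names.

def make_inbox() -> str:
    """Create a fresh, empty inbox directory and return its path."""
    return tempfile.mkdtemp(prefix="inbox-")

def safe_destination(inbox: str, sender_name: str) -> Path:
    """Return the path inside `inbox` where a received file may be written.

    Raises ValueError when the sender-supplied name could land outside the
    inbox, which is the directory-traversal pattern the article describes.
    """
    inbox_dir = Path(inbox).resolve()
    # A received file gets exactly one path component: no separators of either
    # style, no parent/current references, no embedded NUL.
    if (not sender_name or "/" in sender_name or "\\" in sender_name
            or "\0" in sender_name or sender_name in (".", "..")):
        raise ValueError(f"refusing unsafe file name: {sender_name!r}")
    candidate = (inbox_dir / sender_name).resolve()
    # Defense in depth: confirm the resolved path is still beneath the inbox
    # (catches a component that a symlink inside the inbox would redirect).
    if inbox_dir not in candidate.parents:
        raise ValueError(f"path escapes inbox: {sender_name!r}")
    return candidate

def receive_file(inbox: str, sender_name: str, payload: bytes) -> Path:
    """Write `payload` to the vetted location and return where it landed."""
    dest = safe_destination(inbox, sender_name)
    dest.write_bytes(payload)
    return dest

def traversal_rejected(inbox: str, sender_name: str) -> bool:
    """True when the receiver refuses `sender_name` outright."""
    try:
        safe_destination(inbox, sender_name)
    except ValueError:
        return True
    return False
```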