When the IPhone turns black

31/10/2018

CRISP Researchers discover massive Vulnerability in Apple Operating Systems - More than Half a Billion Devices are affected

Collaborators of the Secure Mobile Networking Lab at TU Darmstadt, led by CRISP scientist Prof. Matthias Hollick, have found a vulnerability in Apple's iOS that affects more than half a billion devices. They strongly recommend that users install the newly released Update 12.1. The vulnerability allows attackers to crash iPhones and iPads with common hardware and without physical access.

[Translate to Englisch:] Schwachstelle im Apple-Betriebssystem iOS kann iPads und iPhones zum Abstürzen bringen. © Ann-Kathrin Braun

The researchers have found a vulnerability in the iPhone OS iOS 12, through which an attacker can bring down mobile Apple devices such as iPhones and iPads with a standard wireless card and a programmable board available for less than 20€. According to the principle of "responsible disclosure", the vulnerability was reported to Apple and now closed in all Apple operating systems through appropriate updates. In addition to iOS, the vulnerability also affects macOS, tvOS, and watchOS. The researchers strongly recommend that users of Apple mobile devices install the latest updates (iOS 12.1, macOS 10.14.1, tvOS 5.1 and watchOS 5.1) to protect their devices.

Apple is known for its user-friendly features, such as AirPlay, which allows you to wirelessly send music or movies to compatible speakers and TVs from a variety of Apple devices. The underlying protocols to make use of vendor extensions such as Apple Wireless Direct Link (AWDL), which allows direct wireless communication between Apple devices. But the convenient features also pose risks, explains TU Professor Matthias Hollick, head of the Secure Mobile Networking Lab: "AWDL uses various wireless technologies. Simply put, we ring the bell with the Bluetooth LE storm and the target device activates AWDL. In a second step, we take advantage of the fact that Apple does not fully verify the input we send to the target device; this allows us to flood the device with nonsensical inputs. As a result, we can thereby crash the target device or even all nearby Apple devices at the same time. We do not need any user interaction."

Milan Stute, a member of the Secure Mobile Networking Lab, adds: "In order to carry out the Bluetooth brute force attack and the following steps, there is no need for special hardware: it works with a WLAN card of a standard laptop and a BBC micro: bit, a low-cost Bluetooth-enabled single-board computer similar to a Raspberry Pi or Arduino, originally developed as a programming learning platform for schoolchildren. "Potential attackers would therefore have an easy time. This is impressively demonstrated by the researchers in a video of the attack that they have published on YouTube - which they have no longer been able to successfully install. The devices crash sequentially without even having to be touched by the researchers once.

In order to discover the vulnerability – published as CVE-2018-4368 – the researchers had to first understand the proprietary AWDL protocol and build it in their own prototype. With this it was made possible to identify the gap.

Even if the vulnerability found only affects Apple devices, users should not celebrate their Android phone too soon: The vulnerability found has implications for the "non-Apple world" as well. The new standard of the Wi-Fi Alliance, Neighbor Awareness Networking (NAN), builds on AWDL and is already supported by Google's Android. Researchers expect similar vulnerabilities to be found in NAN implementations since AWDL and NAN are of similar complexity.

How to install updates on iPhone and iPad
1) Access iPhone / iPad settings
2) Click on "General", then "Software Update"
3) Select "Load and install".
Now the update will be downloaded and installed via WLAN on the mobile phone or tablet.

Background:
Scientific publication on the topic M. Stute, D. Kreitschmann, and M. Hollick, “One Billion Apples’ Secret Sauce: Recipe for the Apple Wireless Direct Link Ad hoc Protocol”
In: The 24th Annual International Conference on Mobile Computing and Networking (MobiCom ’18), 2018.
Link to the Publication: https://owlink.org

To the Press Release of the TU Darmstadt

show all news