
There’s a massive iPhone vulnerability that can only be stopped by downloading

iOS 9 releases to the public today, and for those who weren’t sure whether they want to upgrade, here’s a little incentive: a new Bluetooth vulnerability was revealed Wednesday that allows anyone within range of your Bluetooth signal to hack your iPhone.


“The flaw is exploitable over AirDrop, which means the target has to have AirDrop enabled and reachable by everyone,” Dowd tells Vulture South. Find out why security researchers are recommending that users update to iOS 9 today. Worst of all, even if a victim tries to reject the incoming AirDrop file, the bug lets attackers tweak the iOS settings so the exploit still works.

Australian researcher Mark Dowd, founder and director of Azimuth Security, discovered the vulnerability and reported it to Apple last month. How can a non-App Store app be installed so easily, you ask?

The attack allows a potential hacker to install malicious apps on iPhones and Macs via the Bluetooth-enabled AirDrop file-sharing feature.

While each app is “sandboxed” – meaning that apps run in their own “container”, limiting access to other parts of the phone – Dowd argues that a more skilled attacker could break out into other areas of the operating system, causing untold damage to the phone. The attack required victims to approve the install process before already-installed apps could be replaced or destroyed. If a user has AirDrop set to allow connections from anyone, not just her contacts, an attacker could exploit the vulnerability on a default locked iOS device.

To protect your device, turn off AirDrop until you have updated your iPhone’s software. The ability to attack phones wirelessly puts this well beyond the lock-screen bypass vulnerabilities that have plagued Apple in the past. As well as installing apps without permission, the same technique can be used to overwrite files in both iOS and OS X.

Specifically, the flaw lies in the CPIO package decompression code and is triggered by a failure to ensure that a destination path is correctly NULL-terminated.
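As an added illustration (not the article’s or Apple’s code), the constructed C model below shows the class of defect described here: a destination path copied out of an archive entry with its length capped but no guarantee of a terminator, beside a hardened version that validates the length field and always terminates. The buffer size, the entry structure and the sample names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Illustrative size of the destination-path buffer; the real limit in the
 * affected code is not given in the article. */
#define DEST_MAX 32

/* Constructed model of a CPIO entry: the name is length-prefixed by
 * namesize, which in a well-formed archive counts the trailing NUL. */
struct cpio_entry { size_t namesize; const char *name; };

/* Vulnerable pattern (illustration, not Apple's code): capping the copy at
 * the buffer size prevents an overflow, but nothing guarantees a NUL lands
 * inside dest, so a later strlen()/open() on dest can read past its end. */
void build_dest_vulnerable(char dest[DEST_MAX], const struct cpio_entry *e)
{
    size_t n = e->namesize < DEST_MAX ? e->namesize : DEST_MAX;
    memcpy(dest, e->name, n);
}

/* Hardened version: bound namesize by the buffer, insist the archive's own
 * NUL sits where namesize says, reject embedded NULs, and leave dest
 * terminated even on the failure path. */
bool build_dest_safe(char dest[DEST_MAX], const struct cpio_entry *e)
{
    dest[0] = '\0';
    if (e->namesize == 0 || e->namesize > DEST_MAX) return false;
    if (e->name[e->namesize - 1] != '\0') return false;
    if (memchr(e->name, '\0', e->namesize - 1) != NULL) return false;
    memcpy(dest, e->name, e->namesize);   /* copies the terminator too */
    return true;
}

/* Runs both versions on constructed entries; dest is inspected with memchr
 * because, unlike strlen, it never reads past the buffer. */
bool demo(void)
{
    char name[40], dest[DEST_MAX];
    memset(name, 'a', 39); name[39] = '\0';
    struct cpio_entry crafted = { sizeof name, name };   /* 39 chars + NUL */
    struct cpio_entry lying   = { DEST_MAX, name };      /* claims NUL at [31] */
    struct cpio_entry benign  = { 10, "etc/hosts" };     /* 9 chars + NUL */
    build_dest_vulnerable(dest, &crafted);
    bool unterminated = memchr(dest, '\0', DEST_MAX) == NULL;
    bool rejected = !build_dest_safe(dest, &crafted) && dest[0] == '\0'
                 && !build_dest_safe(dest, &lying);
    bool accepted = build_dest_safe(dest, &benign) && strcmp(dest, "etc/hosts") == 0;
    return unterminated && rejected && accepted;
}
```

`demo()` returns true only when the vulnerable copy leaves the buffer unterminated while the hardened copy rejects both crafted entries and accepts the benign one.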


Compromised phones must first be rebooted so that the new app and provisioning profile are detected by the services that scan the device during boot.
