Posted: 2020. 12. 6 12:58:10 PM
A Google researcher found flaws in Apple's AWDL protocol that would have allowed for a complete device takeover.
A hack that let an attacker take full remote control of iPhones without user interaction is bad enough. One that can also then spread automatically from one iPhone to the next is practically unheard of. But a report published this week by Ian Beer of Google's Project Zero bug-hunting team lays out a sinister yet elegant roadmap for how an attacker could have done just that before Apple released fixes in May.
Beer's entire attack stems from a simple, well-known type of vulnerability—a memory corruption bug—in the iOS kernel, the privileged core of an operating system that can access and control pretty much everything. The genius of the attack, though, is that the bug was exploitable through an iPhone's Wi-Fi features, meaning that an attacker just needed some antennas and adapters to launch the assault whenever they chose, compromising any nearby iOS device.
"It’s very interesting research and super unique as well," says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. "Close access network attacks like this aren’t something you hear about every day."
The vulnerability, which Apple patched back in May, involved a flaw in one of the kernel drivers for Apple Wireless Direct Link, the proprietary mesh networking protocol Apple uses to offer slick over-the-air features like AirDrop and Sidecar. AWDL is built on industry Wi-Fi standards, but allows multiple devices to exchange data directly rather than sending it back and forth over a typical Wi-Fi network with a router, modem, and internet service provider as intermediaries.
But Beer discovered vulnerabilities in AWDL that would let a hacker send specially crafted Wi-Fi packets that trigger the memory corruption bug in that driver, giving the attacker control of the kernel and a way to install malware on the iPhone. From there, the attacker would have full access to the device's data, the ability to monitor its activity in real time, and even potentially access to extra-sensitive components like the microphone and camera, or the passwords and encryption keys in Apple's Keychain. The attack is also "wormable," which means that a victim device could spread the infection to other vulnerable iPhones or iPads. Apple's watchOS was also vulnerable and received a patch.
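The bug class the article describes, as an added example that is neither Apple's code nor the specific bug Beer found: a driver parses attacker-controlled radio frames as type-length-value records and trusts the length field when copying into a fixed-size buffer, shown beside the bounded version. The TLV layout, the peer record layout, the byte offsets and the sample frames are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed TLV layout for this example: [type:1][len:2 LE][value:len], repeated.
 * It is not AWDL's real frame format. */
#define TLV_PEER_NAME 0x01
#define NAME_MAX      16

/* A peer record as it might sit in a kernel heap: a fixed name buffer followed
 * by a "trusted" flag the driver consults later. It is modelled as one byte
 * array so the overwrite below stays inside the record and the demo has no
 * undefined behaviour; in a real driver the bytes after the buffer belong to
 * whatever object the allocator placed next. */
#define NAME_OFF 0
#define FLAG_OFF NAME_MAX
struct peer { uint8_t mem[64]; };

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

static void    peer_init(struct peer *p)            { memset(p->mem, 0, sizeof p->mem); }
static uint8_t peer_trusted(const struct peer *p)   { return p->mem[FLAG_OFF]; }
static uint16_t tlv_len(const uint8_t *tlv)         { return (uint16_t)(tlv[1] | (tlv[2] << 8)); }

/* Vulnerable parser: it checks that each TLV fits inside the frame (so it never
 * reads past the packet) but uses the attacker-supplied len as the copy size. */
static int parse_frame_unsafe(struct peer *p, const uint8_t *frame, size_t frame_len)
{
    size_t off = 0;
    while (off + 3 <= frame_len) {
        uint8_t  type = frame[off];
        uint16_t len  = tlv_len(frame + off);
        if (off + 3 + len > frame_len)
            return PARSE_TRUNCATED;
        if (type == TLV_PEER_NAME)
            memcpy(p->mem + NAME_OFF, frame + off + 3, len); /* BUG: len never compared with NAME_MAX */
        off += 3 + len;
    }
    return PARSE_OK;
}

/* Hardened parser: same walk, but the length is compared with the destination
 * size before a single byte is written. */
static int parse_frame_safe(struct peer *p, const uint8_t *frame, size_t frame_len)
{
    size_t off = 0;
    while (off + 3 <= frame_len) {
        uint8_t  type = frame[off];
        uint16_t len  = tlv_len(frame + off);
        if (off + 3 + len > frame_len)
            return PARSE_TRUNCATED;
        if (type == TLV_PEER_NAME) {
            if (len > NAME_MAX)
                return PARSE_TOO_LONG;
            memset(p->mem + NAME_OFF, 0, NAME_MAX);
            memcpy(p->mem + NAME_OFF, frame + off + 3, len);
        }
        off += 3 + len;
    }
    return PARSE_OK;
}

/* Constructed sample frames. The hostile one carries a 17-byte "name": NAME_MAX
 * filler bytes and then 0x01, which lands exactly on the trusted flag. */
static size_t build_frame(uint8_t *out, int hostile)
{
    uint8_t payload[NAME_MAX + 1];
    uint16_t len;
    if (hostile) {
        memset(payload, 'A', NAME_MAX);
        payload[NAME_MAX] = 0x01;
        len = sizeof payload;
    } else {
        len = 6;
        memcpy(payload, "iphone", len);
    }
    out[0] = TLV_PEER_NAME;
    out[1] = (uint8_t)(len & 0xff);
    out[2] = (uint8_t)(len >> 8);
    memcpy(out + 3, payload, len);
    return 3 + len;
}

/* Trusted flag after the vulnerable parser handles a frame: 0 for benign
 * input, 1 once the hostile frame has overwritten it. */
uint8_t flag_after_unsafe(int hostile)
{
    struct peer p;
    uint8_t frame[64];
    size_t n = build_frame(frame, hostile);
    peer_init(&p);
    parse_frame_unsafe(&p, frame, n);
    return peer_trusted(&p);
}

/* Return code of the hardened parser; *flag receives the trusted flag afterwards. */
int safe_result(int hostile, uint8_t *flag)
{
    struct peer p;
    uint8_t frame[64];
    size_t n = build_frame(frame, hostile);
    peer_init(&p);
    int rc = parse_frame_safe(&p, frame, n);
    *flag = peer_trusted(&p);
    return rc;
}

int main(void)
{
    uint8_t flag;
    printf("unsafe parser, hostile frame: trusted=%u\n", flag_after_unsafe(1));
    int rc = safe_result(1, &flag);
    printf("safe parser,   hostile frame: rc=%d trusted=%u\n", rc, flag);
    return 0;
}
```

The point the vulnerable version makes is that bounds checking against the packet is not the same as bounds checking against the destination: the unsafe parser never reads outside the frame, yet one oversized length field flips a flag it was never meant to touch. In a kernel driver the equivalent overwrite lands on a neighbouring heap object, which is the kind of primitive a zero-click exploit builds on; the fix is to validate every attacker-controlled length against the buffer it feeds before copying.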
An Apple spokesperson emphasized in a statement to WIRED that such exploits would be limited by the need for physical proximity. With cheap, general purpose equipment, though, Beer was still able to launch his attacks from an adjacent room through a closed door. The hacker and victim devices do not need to be on the same Wi-Fi network for the attack to work. And with directional antennas and other more powerful gear, Beer estimates that the range could potentially increase to hundreds of meters.
In his write-up of the attack, Beer says there is no indication that the vulnerabilities he found were ever exploited in the wild, but he did note that at least one exploit broker seemed to have been aware of the flaw before Apple released the patch in May.
Though the vulnerability has been patched for months now and the fix has likely reached the majority of iOS devices around the world, the finding raises important questions about the security of AWDL, which is enabled by default and can be active whether users realize it or not, unless a device is in Airplane Mode. In a series of tweets on Tuesday, Beer pointed out that AWDL has been used as an anti-censorship tool, for example during the 2019 Hong Kong protests when people used AirDrop to share banned content with each other. But he emphasized that because the protocol is proprietary, the vetting and oversight are entirely up to Apple.
In general, researchers looking at Beer's findings were simply impressed by how powerful, and sinister, the attack is—all without the need for a hacker to trick their victim into clicking a link, downloading a malicious attachment, or doing anything else. The work is yet another reminder of how valuable "interaction-less" or "zero click" attacks are for malicious hackers, and how important it is to have extra scrutiny on any device feature that is built to accept external inputs at any moment, like messaging services, the phone, Bluetooth pairing, or Wi-Fi.
Summary
1. AWDL (Apple Wireless Direct Link) lets multiple devices exchange data directly instead of sending it over a typical Wi-Fi network through a router, modem and so on. + Because the protocol is proprietary, its vetting rests entirely with Apple.
2. An exploitable bug that triggers memory corruption over this unusual Wi-Fi communication was found. (Fortunately, it was patched before any known malicious use.)
3. It is very critical because it requires no mistake by the victim (the targeted device), such as visiting an unsafe link or downloading a malicious program; the attacker's attempt alone is enough to exploit it.
==> AWDL's security needs review
WIRED, LILY HAY NEWMAN, 12.03.2020 05:27
===============================================================
This incident is a concrete example of a device being hacked purely through a flaw in the system.
Cases like this are probably the greatest aspiration of anyone studying pwnables.
Coming across such cases regularly should fuel even more enthusiasm for learning.