Most serious iPhone hack ever exposed


Don't panic, but until a few months ago, your iPhone or iPad could have been hacked by any stranger passing by — and not just by AirDropping a nasty picture on your screen.

A flaw in the Apple Wireless Direct Link (AWDL) protocol, upon which AirDrop runs, allowed someone with the right (cheap) equipment to get into your phone, steal private data and install malware, all in under two minutes. (This flaw didn't seem to affect Macs.)

Even worse, once your iPhone had been infected, it could spread the infection to other nearby iPhones or iPads, meaning that pretty soon your friends and family would be infected as well.

Turning off AirDrop, Bluetooth or Wi-Fi on your iPhone wouldn't have helped — the attack could get your iPhone to turn AWDL back on, even if the phone was locked.

This is "a wormable radio-proximity exploit which allows me to gain complete control over any iPhone in my vicinity," wrote Ian Beer, a fairly well-known researcher with Google's Project Zero bug-hunting team, in a blog post yesterday (Dec. 1).

Beer said he could "view all the photos, read all the email, copy all the private messages and monitor everything which happens on there [on an iPhone] in real-time."

You don't need to worry about this as long as your iPhone is patched up to at least iOS 13.5 or iOS 12.4.7, both of which were released in May 2020. An Apple spokesperson confirmed that to Tom's Guide.

Possibly the most serious iPhone flaw ever

We haven't had the time to read through Beer's 30,000-word blog post detailing his research, but suffice it to say that this is perhaps the most severe security flaw to ever affect Apple's mobile OS — even bigger than a longstanding state-sponsored iPhone hacking campaign that Beer revealed in 2019.

"If you've ever used AirDrop, streamed music to your Homepod or Apple TV via Airplay or used your iPad as a secondary display with Sidecar then you've been using AWDL," Beer wrote. "And even if you haven't been using those features, if people nearby have been then it's quite possible your device joined the AWDL mesh network they were using anyway."

This isn't the first time AirDrop and AWDL have been shown to be unsafe. In mid-2019, German researchers found that AirDrop and AWDL opened up Macs and iPhones to all sorts of over-the-air attacks. In fact, warnings about AirDrop vulnerabilities date back several years.

But none of the previous research went as far as Beer has. In a five-minute demo video, he shows how a laptop rigged up to a Raspberry Pi mini-computer with a couple of Wi-Fi dongles attached can hack into an iPhone in another room (in what appears to be Beer's apartment).

"This entire exploit uses just a single memory corruption vulnerability to compromise the flagship iPhone 11 Pro device," Beer wrote. "With just this one issue I was able to defeat all the mitigations in order to remotely gain native code execution and kernel memory read and write."

Beer spent six months working on this, but he warned that the time it took should not be a reason to downplay this hack.

"The takeaway from this project should not be: No one will spend six months of their life just to hack my phone, I'm fine," Beer wrote. "Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they'd come into close contact with."

Imagine how quickly a team of well-funded professionals working for a nation-state intelligence agency could have developed the same exploit. Your best bet may be to assume that they did.

Paul Wagenseil
