After the release of Apple’s latest operating system, iOS 9, a cyber security company has uncovered a bug in earlier versions of the software that can be exploited silently over AirDrop to install malware on iPhones and iPads.
The vulnerability affects any iOS versions supporting AirDrop from iOS 7 onwards, as well as Mac OS X versions from Yosemite onwards.The latest iOS 9 and Mac OS X El Capitan, version 10.11 includes a security update for this nasty AirDrop vulnerability that could be exploited to take full control of your iPhone or Macs, forcing most of the Apple users to download the latest update.
Australian security researcher Mark Dowd has disclosed the serious vulnerability in AirDrop, that the bug allows anyone within range of an AirDrop user to hack into their device and install malware on their operating system.Apple’s Airdrop is very similar to WiFi Direct – both technologies enable files and data to be shared between devices with minimal input from the user. The feature is available on both iPhones and Apple Macs, although it is switched off by default.This means it could be performed in public areas, such as coffee shops, stores, public transit or any other area where the phone is within wireless reach of the attacker.
To initiate the attack, all a hacker has to do is to send a file via AirPlay to an iOS or OS X user running iOS 7 or later, and Yosemite, respectively. It doesn’t even matter if the recipient accepts the incoming transfer, as the malware attack is initiated.The hacker would then have to wait patiently for the user to reset the iPhone or Mac for any reason so that the malware app can be installed. How can a non-App Store app be installed that easily you ask? Well, the hacker would use an Apple certificate to sign it, fooling the OS into believing it’s a genuine piece of software – the kind that enterprises would release to their fleet of Apple devices.
“The [malware] app is restricted by its sandbox.However since you sign the app, you can grant some entitlements that allow it to do things like read contacts, get location information, use the camera or whatever other entitlements legitimate apps can be allowed to have.” — Dowd told Forbes.
Dowd also provided a video demonstration showing the real time attack on his iPhone running iOS 8.4.1.
iOS 9 and OS X 10.11 fixes the problem, so get them as soon as possible. Also, you can just turn off AirDrop when you’re not using it, to avoid such potential issues in the near future, especially if you don’t plan to, or can’t, update to the latest iPhone and Mac software versions.
Earlier today it was reported that a security researcher has discovered a vulnerability in version 5 of Android (Lollipop) that allows an attacker to crash the lockscreen and gain access to a locked device, even if encryption is enabled.