Apple will release the final version of iOS 9 later today, and the software update will bring several new features and performance improvements. On top of that, the new release will fix a massive iOS vulnerability that would allow a third-party to gain control of a user’s iPhone. The bug also affects Macs, and will be squashed in the upcoming El Capitan release (set to launch on September 30th).
According to Azimuth Security’s researcher Mark Dowd, anyone within range of an AirDrop user would be able to install malware on a target device and then use the program for various malicious purposes. AirDrop is a feature that lets users quickly transfer files between iOS and Mac devices.
All the while, the user would not suspect anything, even if he or she rejects an incoming AirDrop transfer from an unknown contact.
To initiate the attack, all a hacker has to do is to send a file via AirPlay to an iOS or OS X user running iOS 7 or later, and Yosemite, respectively. It doesn’t even matter if the recipient accepts the incoming transfer, as the malware attack is initiated.
The hacker would then have to wait patiently for the user to reset the iPhone or Mac for any reason so that the malware app can be installed. How can a non-App Store app be installed that easily you ask? Well, the hacker would use an Apple certificate to sign it, fooling the OS into believing it’s a genuine piece of software – the kind that enterprises would release to their fleet of Apple devices.
“The [malware] app is restricted by its sandbox,” Dowd told Forbes. “However since you sign the app, you can grant some entitlements that allow it to do things like read contacts, get location information, use the camera or whatever other entitlements legitimate apps can be allowed to have.”
The video below shows the attack in action, with Down replacing the Phone app on the iPhone with an app of his choosing.
iOS 9 and OS X 10.11 fixes the problem, so get them as soon as possible. Also, you can just turn off AirDrop when you’re not using it, to avoid such potential issues in the near future, especially if you don’t plan to, or can’t, update to the latest iPhone and Mac software versions.