AirDrop Bug Could Let Hackers Silently Plant Malware on Your iPhone or Mac

Posted on September 16th, 2015 by

Do you have AirDrop enabled on your iPhone or Mac?

Maybe you'll think again after watching a video made by Australian security researcher Mark Dowd.

Dowd has uncovered a major vulnerability in the current versions of iOS and OS X that could allow a hacker to install a malicious app on your phone wirelessly, from close proximity, with no obvious warning to you that anything suspicious has occurred.

The vulnerability depends upon AirDrop, the over-the-air file-sharing technology used by OS X and iOS, being enabled — but does not require the intended victim to accept a file being sent to them.

To demonstrate the attack in action, Dowd published a YouTube video with an amusingly stealthy soundtrack, showing just how easy it was to infect an iPhone with AirDrop enabled.

After your device has received a boobytrapped AirDrop request (which you don't have to accept), nothing happens... until you reboot your iPhone.

The rebooting process wakes up the dormant infection, installing an app using the enterprise provisioning feature that Apple provides for companies who wish to roll out their own apps to staff.

In short — the app hasn't had to sneak into the official Apple App Store, and it hasn't been subject to the normal security checks.

In the video, Dowd gives a taste of just how dangerous such an attack could be by replacing the standard iPhone app with a program that says, "Hello world." Just imagine if the app spied on your conversations, stole data, or provided remote access to malicious hackers.

The vulnerability is said to affect all versions of iOS that support AirDrop from iOS 7 onwards, and OS X Yosemite and later.

iOS 9, scheduled to be released today, mitigates the flaw, although it does not contain a full patch. OS X users will presumably have to wait until the release of OS X 10.11 El Capitan, due for official release at the end of this month.

For now there is no news from Apple as to when a proper full patch will be released.

In the meantime, maybe it would be sensible to disable AirDrop, or at least limit it to only allowing file sharing requests from your contacts.

Note, by the way, that by default it's possible to enable AirDrop from the lock screen — so even locked phones could be at risk if an attacker has physical access to them. So maybe you should also consider blocking Control Center access from the lock screen, if you really want to secure your iPhone or iPad.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.

  • Gen. Chang

    Hi Graham,

    You forgot to mention that Apple fixed over ONE HUNDRED bugs/vulns in their next update. That’s over THREE HUNDRED FIXES for the year so far.

  • Steve Smith

    Thank you for the heads-up and video. The video notes that the payload being dropped is Enterprise Signed. May I assume that being signed is a requirement for the attack, and further, that a jailbroken iPhone wouldn’t have that protection?