The latest iOS 9 includes a security update for a nasty bug that could be exploited to take full control of your iPhone or Macs, forcing most of the Apple users to download the latest update.
Australian security researcher Mark Dowd has disclosed a serious vulnerability in AirDrop, Apple's over-the-air file sharing service built into iOS and Mac OS X.
How the Attack Works?
The vulnerability allows anyone within the range of an AirDrop user to silently install a malicious app on a target Apple device by sending an AirDrop file which involves rebooting of the target device.
An attacker can exploit this critical bug even if the victim rejects the incoming file sent over AirDrop.
After rebooting takes place, the malicious app gains access to Springboard, Apple's software to manage iOS home screen, allowing the app to fool the victim's iPhone into believing the malicious app has the same rights as a normal app.
These rights include access to:
- Contacts
- Camera
- Location
- Messages
- and many more…
…that could allow a more illustrious hacker to break into other sensitive areas of the Apple's operating system, causing severe damage to the victim's device.
"AirDrop bug can be used to target people wirelessly in close proximity. Also useful for lock-screen bypass," Dowd, founder and director of Azimuth Security, tweeted.
Video Demonstration
Dowd also provided a video demonstration (you can watch below) showing the real time attack on his iPhone running iOS 8.4.1.
The vulnerability affects any iOS versions supporting AirDrop from iOS 7 onwards, as well as Mac OS X versions from Yosemite onwards.
Update to iOS 9 and Mac OS X EI Capitan
Apple has responded to the vulnerability by adding a sandbox to AirDrop in iOS 9 that would prevent anyone from writing files to arbitrary locations on the device via AirDrop service.
However, it isn't clear when Apple will provide a complete patch to fix the issue.
So the only way to prevent this attack, for now, is by upgrading your devices to iOS 9 and OS X 10.11 El Capitan, which won't roll out before September 16 and 30 respectively.
