A new vulnerability in Apple’s AirDrop wireless file transfer protocol could allow an attacker to install malware on vulnerable iOS and Mac OS X devices simply by sending them a file. The vulnerability presents a danger to users of devices running AirDrop, as they do not have to accept a file sent by an attacker for the exploit to trigger.
The vulnerability was discovered by Australian researcher Mark Dowd, who found that attackers could send a malicious file to any AirDrop-enabled device within range. Once the malicious file had been sent to the targeted device, Dowd found it was possible to then install unauthorized software on the device by taking advantage of a vulnerability in the Apple system which allows enterprises to install software that isn’t hosted on the Apple App Store. This vulnerability allowed Dowd to trick the targeted device into thinking that the certificate for the malware being installed had already been marked as trusted by the victim.
The result was that malicious software could be installed on the device with no warnings or notifications to the victim. In Dowd’s proof-of-concept attack, he replaced an iPhone’s phone app with another, non-functioning app.
Although Mac OS X and iOS both feature internal security measures which “sandbox” installed apps from the operating system and other software, the fact that the attack involves a signed app means the app could be granted extensive permissions, such as the ability to read contacts, use the camera, or capture location information.
AirDrop is a feature on all computers running Mac OS X Lion and later. It also appears on all iPhone models from the iPhone 5 onward. In addition to this, AirDrop is available on the fourth generation iPad, the iPad Air, iPad Air 2, all versions of the iPad mini, and the fifth generation iPod Touch.
Dowd informed Apple of the vulnerability and the company has incorporated security updates into the new versions of Mac OS X and iOS, which offer additional protections against exploit by adding a sandbox to the AirDrop application, limiting the access it has to other parts of the operating system. Dowd told Forbes that the updates do not fully patch the vulnerability and said he would not publish further details on it until it is fully patched.