Three AirDrop vulnerabilities have been discovered by security researchers, affecting both iPhone and Mac, with similar ones found in Android’s Quick Share.
An attacker could easily exploit the vulnerabilities to cause AirDrop, AirPlay, Handoff, Universal Clipboard, and Continuity Camera to crash and remain unavailable for as long as the attack continues …
HelpNetSecurity reports that it is a simple attack to initiate.
A proximity attacker needs a laptop with Wi-Fi and a spot within range, often 10 to 30 meters. No pairing, contact exchange, or shared network is required. On Apple devices set to receive from “Everyone,” the early protocol phases respond before any user prompt appears.
The good news is that no data can be obtained. The bad news is that a number of related Apple services on both iPhone and Mac can be remotely disabled.
The three AirDrop findings all end in a crash. The simplest comes from a Swift fatalError call in the code that routes incoming web requests by path. A request to an unrecognized path hits that call and aborts the whole process. One short request takes down AirDrop, AirPlay, Handoff, Universal Clipboard, and Continuity Camera at once. Sent in a loop every couple of seconds, it holds the service down. During one test, the legitimate connection attempts all failed under the attack and all succeeded again once it stopped.
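The failure pattern described above, next to a hardened form, as an added example that is not Apple's code or code from the researchers. The paths, type names, and function names are hypothetical and the sample input is constructed.

```swift
// Constructed stand-ins for a pre-authentication request router.
// Paths and type names are hypothetical, not Apple's.
struct Response {
    let status: Int
    let body: String
}

enum Route: String {
    case discover = "/example/discover"
    case transfer = "/example/transfer"
}

func handle(_ route: Route) -> Response {
    switch route {
    case .discover: return Response(status: 200, body: "discover ok")
    case .transfer: return Response(status: 200, body: "transfer ok")
    }
}

// Pattern described in the article: an unrecognized path reaches
// fatalError, which aborts the whole process and every service in it.
func routeAborting(path: String) -> Response {
    guard let route = Route(rawValue: path) else {
        fatalError("unhandled path \(path)")
    }
    return handle(route)
}

// Hardened form: a path that fails to parse is an expected case for
// untrusted input, so it gets an error response and the process keeps serving.
func routeHardened(path: String) -> Response {
    guard let route = Route(rawValue: path) else {
        return Response(status: 404, body: "not found")
    }
    return handle(route)
}

// Constructed sample input: two known paths and one unknown path.
for path in ["/example/discover", "/nope", "/example/transfer"] {
    let r = routeHardened(path: path)
    print("\(path) -> \(r.status) \(r.body)")
}
```

In review, any `fatalError`, force unwrap, or `preconditionFailure` reachable from network input before authentication deserves the same treatment as the `guard` above.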
Security researcher Arash Ebrahim said that it’s hard to completely avoid such vulnerabilities, pointing to the fact that they exist on more than one platform despite very little shared code.
“I don’t think the overlap is unique to Apple or Google,” he said. “Instead, it reflects common engineering challenges in proximity-based protocols. These services are designed to provide a seamless user experience, which means privileged daemons have to process complex, attacker-controlled inputs before authentication or user approval has taken place. That inevitably creates a large pre-authentication attack surface.”
Ebrahim followed standard responsible disclosure practice in withholding specific details until both Apple and Google have had the chance to fix the issues. He says Apple has fixed one of the vulnerabilities and is still working on the other two.
One AirDrop bug now has a fix and an identifier, according to Ale Ebrahim. “Apple informed us that one of the reported AirDrop vulnerabilities has been fixed in a software update and has been assigned a CVE identifier,” he said. The advisory stays private for now. “The corresponding security advisory and CVE have not yet been published publicly, so I cannot share additional details at this stage,” Ale Ebrahim said, adding that “the remaining Apple reports are still under coordinated disclosure and have not yet received public CVE assignments.”