Endpoint Protection

A new vulnerability in Apple’s AirDrop wireless file transfer protocol could allow an attacker to install malware on vulnerable iOS and Mac OS X devices simply by sending them a file. The vulnerability presents a danger to users of devices running AirDrop, as they do not have to accept a file sent by an attacker for the exploit to trigger.

The vulnerability was discovered by Australian researcher Mark Dowd, who found that attackers could send a malicious file to any AirDrop-enabled device within range. Once the malicious file had been sent to the targeted device, Dowd found it was possible to then install unauthorized software on the device by taking advantage of a vulnerability in the Apple system which allows enterprises to install software that isn’t hosted on the Apple App Store. This vulnerability allowed Dowd to trick the targeted device into thinking that the certificate for the malware being installed had already been marked as trusted by the victim.

The result was that malicious software could be installed on the device with no warnings or notifications to the victim. In Dowd’s proof-of-concept attack, he replaced an iPhone’s phone app with another, non-functioning app.

Although Mac OS X and iOS both feature internal security measures which “sandbox” installed apps from the operating system and other software, the fact that the attack involves a signed app means the app could be granted extensive permissions, such as the ability to read contacts, use the camera, or capture location information. 

Affected devices
AirDrop is a feature on all computers running Mac OS X Lion and later. It also appears on all iPhone models from the iPhone 5 onward. In addition to this, AirDrop is available on the fourth generation iPad, the iPad Air, iPad Air 2, all versions of the iPad mini, and the fifth generation iPod Touch.

Dowd informed Apple of the vulnerability and the company has incorporated security updates into the new versions of Mac OS X and iOS, which offer additional protections against exploit by adding a sandbox to the AirDrop application, limiting the access it has to other parts of the operating system. Dowd told Forbes that the updates do not fully patch the vulnerability and said he would not publish further details on it until it is fully patched.

Mitigation

• Users of AirDrop-enabled devices are advised to upgrade to the latest versions of iOS and Mac OS X as soon as possible. Mac OS X El Capitan is due to be released on September 30, 2015 and iOS 9 was released on September 16.
• Those who are concerned about the vulnerability being exploited before it can be patched are advised to restrict AirDrop settings to “Contacts Only” or disable AirDrop entirely on iOS and Mac devices.
• Be aware that AirDrop can be activated on an iOS device from the lockscreen. Be cautious about who has physical access to your device. If you wish to prevent any unauthorized activation of AirDrop, you should use the Settings app to disable access to Control Center from the phone’s lockscreen.