Hack Brief: Upgrade to iOS 9 to Avoid a Bluetooth iPhone Attack

A just-patched wireless attack represents a rare risk to Apple's carefully restricted mobile operating system.

If improved battery life and a smarter Siri aren't enough to convince you to upgrade to iOS 9, there's now another incentive to trade up sooner rather than later: To avoid having your iPhone wirelessly hijacked by any miscreant within Bluetooth range.

The Hack

On Wednesday, Australian security researcher and consultant Mark Dowd revealed that iOS 9 includes a patch for a security vulnerability he warned Apple about just over a month ago. The attack, which he demonstrates in the video below, would allow someone to install malicious apps on iPhones and Macs via their Bluetooth-enabled Airdrop filesharing feature. Anyone in range of a target device with the feature enabled could plant malware on the phone or PC, even if the victim didn't tap "accept" for the offered file. "It doesn’t matter if they reject it or accept it, the vulnerability is already triggered by the time they can react to it," says Dowd.

Dowd's attack, which was first reported Wednesday morning by Forbes, takes advantage of not only the Airdrop bug in iOS but also a vulnerability that allows corporations to install their own custom apps on Apple's otherwise tightly restricted operating system. Making use of that second bug, Dowd's attack can install an unapproved application on an iPhone that hasn't been jailbroken and even disable the pop-up prompt that asks you if you want to trust the program's author. After gaining access, the attacker would then wait until your phone next rebooted and begin implanting malware.

That chain of security flaws adds up to a rarely seen risk for Apple's nearly malware-free mobile operating system. But with Dowd's attack alone, any malicious app an attacker implanted would still be limited in functionality. The iPhone is architected so that individual apps have limited access to the user's data, though they can track location, for instance, or in some cases make in-app payments from the user's iTunes account. A full compromise of an iPhone would also require exploiting a vulnerability in iOS's kernel, though Dowd points out that those deeper operating system bugs are frequently released by the jailbreaking community that seeks to help iPhone owners install unauthorized apps.

Who's Affected

Apple has released a security update for both the Macbook and iPhone attacks, and anyone with the most recent OSX Yosemite or iPhone 8.4.1 should upgrade to avoid the attack. Stubborn Macbook owners who don't want to upgrade could alternatively disable Airdrop or their computer's Bluetooth feature altogether. But iPhone owners who don't install iOS 9 have no such easy fix. Since both Bluetooth and Airdrop can be toggled from an iPhone's lockscreen, an attacker who gains physical access to a phone could still turn those features on and use them to plant malicious software even if the phone is locked. Instead, they'll need to disable both Airdrop and the ability to access Control Center from the phone's lockscreen.

How Serious is This?

Dowd outlines two types of threats that could result from his Bluetooth attack. First, a hacker could silently scout for users with Airdrop enabled within Bluetooth range—say, in a crowded place like a train or mall—and start planting malicious programs on their phones or Macbooks. An attacker who got hands-on time with the victim's iPhone could alternatively use the attack as a lockscreen bypass. But the ability to attack phones wirelessly puts it well beyond the lockscreen bypass vulnerabilities that have plagued Apple in the past. Its threat still falls short, however, of the critical Stagefright exploit for Android, for instance, which allowed phones to be compromised by text message.

Apple didn't immediately respond to WIRED's request for comment on Dowd's work, and Dowd says that the company has asked him to avoid revealing the full details of his attack until it has a more permanent fix in place. For now, Dowd says iOS 9 and the latest version of OSX merely implement a "sandbox" around the Airdrop feature to limit its access rather than address the underlying vulnerabilities.

Even so, Apple users should upgrade without delay. That Bluetooth band-aid is far better than walking around with a device left open to an invisibly Airdropped infection.