
Exploiting the Wi-Fi Stack on Apple Devices - runesoerensen
https://googleprojectzero.blogspot.com/2017/09/over-air-vol-2-pt-1-exploiting-wi-fi.html
======
Terretta
> _More concretely, the Wi-Fi vulnerabilities presented in this research
> affect many devices in the Android ecosystem. For example, two of the
> vulnerabilities (#1, #2) affect most of Samsung’s flagship devices,
> including the Galaxy S8, Galaxy S7 Edge and Galaxy S7. Of the two, one
> vulnerability is also known to affect Google devices such as the Nexus 6P,
> and some models of Chromebooks. As for Apple’s ecosystem, while this
> research deals primarily with iPhones, other devices including Apple TV and
> iWatch are similarly affected ..._

> _We’d also like to note that until hardware host isolation mechanisms are
> implemented across the Android ecosystem, every exploitable Wi-Fi firmware
> vulnerability directly results in complete host takeover. In our previous
> research we identified the lack of host isolation mechanisms on two of the
> most prominent SoC platforms; Qualcomm’s Snapdragon 810 and Samsung’s Exynos
> 8890. We are not aware of any advances in this regard, as of yet._

~~~
ksec
>iWatch

1. It should be Apple Watch. 2. I thought the newest Apple Watch uses
Apple's own W2 chip instead of Broadcom.

------
azinman2
So this is off topic, but does anyone else hate that swiping left/right in
Blogger navigates to other blog articles? I don’t know how often people use
that for real; I’m almost always directly linked to just one article in
particular. But what’s worse is that it’s so sensitive without enough visual
confirmation and ability to stop it. I find it naturally happens while
scrolling on my iPhone without any intention, and then I lose my place and
have no idea where I ended up. Just feels like a gigantic amount of UX flaws
for a purpose that’s likely rarely used.

~~~
hdhzy
Yes, it's the most annoying thing I've seen on the web since <marquee>.
Scrolling long fragments of code always takes me to another page when I'm
reading. Who thought it was a good idea?!

------
burntrelish1273
iOS 11 leaving the Wi-Fi on but unassociated creates a privacy
vulnerability because the chipset will broadcast all of its known SSIDs.
Plus, whatever vulnerabilities remain in the chipset. This is terrible. When
Wi-Fi is "off" it should be off.

~~~
jonnytran
Ugh!!! For those who aren't aware, see "Wi-Fi told me everything about you"
[1].

So what's the workaround? I have to go into Settings and turn it off there?
Will that actually turn it off? We've already established that turning off
wifi on Android may or may not actually turn it off [2].

1: [http://confiance-numerique.clermont-universite.fr/Slides/M-Cunche-2014.pdf](http://confiance-numerique.clermont-universite.fr/Slides/M-Cunche-2014.pdf)

2: [https://hal.inria.fr/hal-01575519/document](https://hal.inria.fr/hal-01575519/document)

~~~
jonnytran
Looks like iOS does MAC address randomization during Wi-Fi probing since iOS
8.

------
amatecha
Before anyone freaks out that their iPhone is about to get pwnd:

> The vulnerabilities affecting Apple devices have been addressed in iOS 11.

~~~
joewee
11.0.1. It’s a separate update, not included in the main update. Very
confusing.

~~~
djrogers
No, not confusing as your statement isn’t accurate. The iOS 11.0.0 security
release notes from 9/19 specifically identify these CVEs as fixed.

[1] [https://support.apple.com/en-us/HT208112](https://support.apple.com/en-us/HT208112)

------
new299
> In the next blog post, we’ll use our firmware debugger in order to continue
> our exploration of the Wi-Fi chip present on the iPhone 7. We’ll perform a
> deep dive into the firmware, discover multiple vulnerabilities and develop
> an over-the-air exploit for one of them, allowing us to gain full control
> over the Wi-Fi SoC.

ahhh cliffhanger! Looking forward to the next post!

------
feelin_googley
"Lastly, we require complete control over all aspects of our Wi-Fi router."

Perhaps this is something users of Apple's WiFi-only/Ethernet-deficient
devices might want.

He provides a useful hint on how to construct a router that allows complete
control, utilizing a general purpose computer and two AR9271-driven USB WiFi
adapters.

AFAIK this driver is available for both Linux and BSD.

"In my own lab setup, the role of the Wi-Fi router is fulfilled by my ThinkPad
laptop, running Ubuntu 16.04. I've connected two SoftMAC TL-WN722N dongles,
one for each interface (internal and external). The internal network's access-
point is broadcast using hostapd, and the external interface connects to the
internet using wpa_supplicant."

"Note that it's imperative that the dongle used to broadcast the internal
network's access-point is a SoftMAC device (and not FullMAC) -- this will
ensure that the MLME and MAC layers are processed by the host's software
(i.e., by the Linux Kernel and hostapd), _allowing us to easily control the
data transmitted over those layers._ "
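A lab-router setup along the lines of the quoted description, added here as an example (it is not code from the Project Zero post or from the commenter). It assumes Linux with sysfs, where a mac80211-based (SoftMAC) driver module such as ath9k_htc shows up under /sys/module/mac80211/holders/, and uses placeholder interface names (wlan0 for the internal AP, wlan1 for the uplink), a placeholder SSID and passphrase, and a placeholder internal subnet; DHCP for the internal side is left out. The SYSFS variable exists only so the SoftMAC check can be exercised against a fake sysfs tree without real hardware.

```shell
#!/bin/sh
# Added example (not from the Project Zero post or the commenter above):
# helpers for the two-dongle lab router described in the quoted text.
# Assumes Linux sysfs; wlan0 (internal AP) and wlan1 (uplink) are placeholders.

SYSFS="${SYSFS:-/sys}"   # overridable so the check can run against a fake tree

# Succeeds (exit 0) when the interface is driven by a mac80211 "SoftMAC"
# driver, which the quoted setup requires for the internal AP so that MLME
# and MAC processing happen on the host. A mac80211-based module (e.g.
# ath9k_htc for an AR9271 dongle) is listed as a holder of the mac80211
# module in sysfs; a FullMAC driver such as brcmfmac is not.
# Returns 2 if the interface or its driver module cannot be found.
is_softmac() {
    iface="$1"
    drv_link="$SYSFS/class/net/$iface/device/driver/module"
    [ -e "$drv_link" ] || return 2
    module="$(basename "$(readlink -f "$drv_link")")"
    [ -e "$SYSFS/module/mac80211/holders/$module" ]
}

# Minimal hostapd configuration for the internal access point
# (WPA2-PSK with CCMP on a 2.4 GHz channel; all values are placeholders).
gen_hostapd_conf() {
    iface="$1"; ssid="$2"; psk="$3"
    printf 'interface=%s\n' "$iface"
    printf 'driver=nl80211\n'
    printf 'ssid=%s\n' "$ssid"
    printf 'hw_mode=g\nchannel=6\n'
    printf 'wpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n'
    printf 'wpa_passphrase=%s\n' "$psk"
}

# Minimal wpa_supplicant configuration for the uplink (external) interface.
gen_wpa_supplicant_conf() {
    ssid="$1"; psk="$2"
    printf 'ctrl_interface=/run/wpa_supplicant\n'
    printf 'network={\n\tssid="%s"\n\tpsk="%s"\n}\n' "$ssid" "$psk"
}

# Bring the router up (needs root). Refuses to start the AP on a FullMAC
# dongle, which is the mistake the quoted text warns about.
router_up() {
    ap_if="$1"; up_if="$2"; ap_ssid="$3"; ap_psk="$4"; up_ssid="$5"; up_psk="$6"
    if ! is_softmac "$ap_if"; then
        echo "refusing: $ap_if is not driven by a mac80211 (SoftMAC) driver" >&2
        return 1
    fi
    gen_hostapd_conf "$ap_if" "$ap_ssid" "$ap_psk" > /tmp/lab-hostapd.conf
    gen_wpa_supplicant_conf "$up_ssid" "$up_psk" > /tmp/lab-wpa.conf
    ip addr add 192.168.50.1/24 dev "$ap_if"      # placeholder internal subnet
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -o "$up_if" -j MASQUERADE
    hostapd -B /tmp/lab-hostapd.conf
    wpa_supplicant -B -i "$up_if" -c /tmp/lab-wpa.conf
    dhclient "$up_if"
}

# Usage (as root): ./lab-router.sh up wlan0 wlan1 lab-net labpassphrase \
#                      upstream-ssid upstream-pass
if [ "${1:-}" = "up" ]; then
    shift
    router_up "$@"
fi
```

The SoftMAC check is the part worth keeping around: the lab only works as described if the AP-side dongle is mac80211-driven, and `ethtool -i` alone does not tell you that, whereas the holders directory does.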

------
saagarjha
> As for Apple’s ecosystem, while this research deals primarily with iPhones,
> other devices including Apple TV and iWatch are similarly affected by our
> findings.

The "correct" name for it is Apple Watch, just FYI.

~~~
sebleon
Meh, iWatch and iMessage are surefire ways to get people to think of the right
product. Technically incorrect terms, but they'll get the message right.

~~~
saagarjha
iMessage is a real thing–I'm not sure what you're getting at here.

~~~
derefr
The service is iMessage, but the client is "Messages" on both iOS and macOS.
The client was _previously_ called "iMessage", leading people to assume that
the marque "iMessage" is no longer part of Apple's branding. But no;
extensions you install inside Messages are still called "iMessage extensions",
and so forth.

~~~
comex
Actually, both clients have been named “Messages” as long as they’ve supported
iMessage.

The iOS client has been “Messages” since iPhone OS 3.0; before that it was
called “Text” and had “SMS” written inside the chat bubble in the icon.
iMessage wasn’t introduced until iOS 5.0.

The macOS client was originally “iChat”, then “iChat AV”, then “iChat” again;
in this era it supported multiple protocols including AIM and Jabber. In OS X
10.8, the client was renamed to “Messages” and gained iMessage support in
addition to the older protocols. Support for the older protocols was removed
in the just-released macOS 10.13.

~~~
saagarjha
Actually, Jabber support still exists. It's all the other things based on
IMServicePlugIn that were removed.

~~~
comex
Oh… you're right. During the betas, sending messages through Google Talk gave
me an error [1], and I removed the account. But I guess it's still supposed to
work, at least in the release version.

[1] With a delightful/odd error message: "The targeted service Potato has been
discontinued".

------
willitpamp573
Is Apple mad about this?

~~~
egwynn
I can’t imagine why they would be. If I were them I’d be happy to have such a
comprehensive pentesting resource to test against.

~~~
wyldfire
I suppose he means the disclosure and not the testing itself.

> The vulnerabilities presented in this research are present in iOS up to (and
> including) version 10.3.3 (apart from #1, which was fixed in 10.3.3).

This seems like it's old enough that Apple probably doesn't mind anymore.

~~~
reducesuffering
Project Zero discloses the vulnerabilities to the affected vendor 90 days before
releasing to the public. It's probable that Apple was notified and patched
this because of Project Zero. Once it's been patched or 90 days are up, then
Project Zero discloses to the public.

~~~
MBCook
They mentioned it’s fixed in iOS 11 so all Apple has to do is tell people to
update their devices (which they always push anyway).

It’s not like there is no fix for it.

~~~
eisa01
A lot of corporate customers have still not approved iOS for upgrades, so it's
actually a big issue.

~~~
chatmasta
Sounds like the corporation's problem, willingly ignoring security updates.

~~~
alsetmusic
> Sounds like the corporation's problem, willingly ignoring security updates.

A properly vetted update requires both compatibility testing and security
testing. It would be irresponsible to push an OS update without verifying that
it will not damage productivity or bring down defenses.

~~~
glhaynes
Businesses that provide or allow iOS devices need to be ready when new OSes
are released to the public, which can easily be done since Apple offers
regularly-updated betas for months in advance. This is particularly important
because even managed devices cannot be prevented from upgrading to new OSes
unless all traffic is routed through controlled networks that block access to
Apple update servers.

------
coleca
At least Apple has a simple way to disable Wifi right from the control center.
Oh wait, they removed that in iOS 11. Now clicking the Wifi icon doesn't
actually turn off Wifi. I guess no one will ever find similar issues w/that
release </sarcasm>

~~~
runjake
You should probably get the facts[1] from Apple, before parroting Internet
knee-jerk hysteria.

1. [https://support.apple.com/en-us/HT208086](https://support.apple.com/en-us/HT208086)

~~~
jordan314
That article says exactly what coleca was saying?

~~~
Spooky23
Not really. This controversy is similar to people complaining about the loss
of PC power buttons in 1997.

The previous behavior was turning off the radio, which is often not the intent
of the user. They replaced it with turning off joining networks, which is more
often user intent.

With the proliferation of personal connected devices like smart watches and
cars, and point-to-point WiFi services like AirDrop, users often want or need
to have the radio on to utilize those services. At the same time, users may
not want to join WiFi networks due to poor performance (i.e. one-bar WiFi),
ineligibility for use (I’m at a Hilton for a conference, but am not eligible
for free WiFi because I’m not staying there), or some other reason.

The previous behavior also duplicated the behavior of the “airplane mode”
button in some scenarios.

IMO the iOS 11 behavior adds value in most cases and has two easy workarounds
(airplane mode or system preferences) for people who want the radio off.

~~~
donohoe
Gonna have to disagree.

I want them off. That has always been my intent and those I’ve informally
asked.

~~~
Spooky23
Do you have an Apple Watch?

~~~
stevehawk
I don't. Why does that matter? Do the watch and phone not communicate over
Bluetooth?

~~~
Spooky23
It uses both to improve reliability.

Additionally, increasingly important services like Airdrop and HomeKit use it.

------
wcdolphin
Google is using their security research as a marketing weapon against Apple.
From the article itself, Android is arguably more vulnerable as measured by
percent of users running a device whose OEM has not distributed an update.

~~~
gh02t
Android was the target of the original post, this is more of a followup
demonstrating that a similar attack works on Apple hardware too.

[https://googleprojectzero.blogspot.co.uk/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html](https://googleprojectzero.blogspot.co.uk/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html)

~~~
pjmlp
The irony is that all Apple devices will get the updates, whereas the Android
ones....

~~~
steevdave
Anything iPhone 5 or lower will not - 10.3.3 fixed one of the issues, but 2
more exist.

I do wish they would at least put out a 10.3.4 to fix the security issues, but
I understand not putting the resources into a phone from 2012; I'm happy to at
least have gotten 10.3.3 considering my Nexus 5 stopped getting updates last
year and it was released in 2013.

~~~
Fnoord
> but I understand not putting the resources into a phone from 2012

I don't, but I have more sympathy for a company who quit supporting a phone
from 2012 than a hypothetical [1] company who quit supporting a phone from 2015.

[1] Though certainly a plethora of examples would fit here.

