Illustrating the battle between convenience and security, Google Project Zero has just revealed a major gap left by AirDrop in securing the iPhone, by demonstrating an exploit which allows full control over a random iPhone without any user interaction.
The exploit uses Apple Wireless Direct Link (AWDL) and can be exploited without AirDrop being enabled on a device, merely by being in WIFI range. In fact, the exploit can force iPhones to activate AirDrop and can be used to remotely reboot and take complete control of their devices from a distance — including reading emails and other messages, downloading photos, and even potentially watching and listening to you through the iPhone’s microphone and camera.
The exploit was revealed to Apple, with the company releasing a patch in May which has filtered out to most iPhones by now.
Apple acknowledged the hack, but noted in mitigation that the hack will only work when you are in WIFI range (though you do not need to be on the same WIFI network).
All the details, explained in 30,000 words, can be read on Google’s Project Zero blog here.
via the verge