AN AUSTRALIAN RESEARCHER HAS described a problem with Apple's AirDrop that has been fixed by iOS 9. It also applies to Mac computers, and could have put even non-jailbroken devices into the reach of hacking swine.
The bug is mostly fixed, according to security researcher Mark Dowd, but he is keeping some of it under wraps until Apple releases a complete solution.
What he has said publicly so far is limited to a couple of reports and some short bursts of detail on the Twitter social network.
AirDrop bug can be used to target people wirelessly in close proximity. Also useful for lock-screen bypass — mdowd (@mdowd) September 16, 2015
Earlier tweets from the researcher explained that the fix was applied, along with a range of other interesting updates. "Bug I disclosed to Apple is mitigated in iOS 9 - allows software installation via AirDrop on (locked) iPhone," he wrote.
Dowd did provide more detail in an email to The INQUIRER, explaining that anyone with AirDrop enabled and open to all-comers is at risk from the attack. "The phone does not need to be jailbroken or otherwise altered from its default state," he explained.
"It is useful in two attack scenarios. If they have AirDrop enabled and discoverable by everyone, you can attack them wirelessly within close proximity. If you have temporary physical access to a locked iPhone, you can also perform the attack because you can enable AirDrop from the lock screen by default."
@DaveNeal33 they've mitigated the flaw in 9 (using sandboxing) but not fully patched. So I'm waiting for that — mdowd (@mdowd) September 17, 2015
The researcher, who represents Azimuth Security, repeated his promise to release more information when the bug is fixed properly, and will present this and more at the RuxCon security expo in October.
Apple does not pay a bounty for bug disclosures, but does put the discoverer's details on a hall of fame website. The iOS 9 update information includes a number of credits, but Dowd does not get a name check. µ