Bug In iOS, OS X Allows AirDrop To Write Files Anywhere On File System

Trailrunner7 writes: There is a major vulnerability in a library in iOS and OS X that allows an attacker to overwrite arbitrary files on a target device and, when used in conjunction with other techniques, install a signed app that the device will trust without prompting the user with a warning dialog. Mark Dowd, the security researcher who discovered it, said he's been able to exploit the flaw over AirDrop, the feature in OS X and iOS that enables users to send files directly to other devices. If a user has AirDrop set to allow connections from anyone—not just her contacts—an attacker could exploit the vulnerability on a default locked iOS device. In fact, an attacker can exploit the vulnerability even if the victim doesn't agree to accept the file sent over AirDrop.

The enabling technology, itself, is ridiculous.

[Osiris+Ani]

Of course the bug is worrisome, but then, I consider the setting that allows it—leaving AirDrop open to everyone—to be a pretty ridiculous personal security flaw. Making one’s phone readily available to connections from random sources for the sole purpose of file drops doesn’t sound like something that should make the least bit of sense to even the average user.

Re:The enabling technology, itself, is ridiculous.

Except that's the only time it's useful.

Anyone you actually know you can just email the file to and they can get at their leisure. The only time you'd ever use AirDrop is when sending or receiving stuff to or from people you don't have contact information for and who you don't want to share that info with.

Re:The enabling technology, itself, is ridiculous.

[Galaga88]

I think AirDrop defaults to contacts only, so that should mitigate most of the severity of this - thankfully.

I've actually enabled AirDrop receiving requests from anybody on my iPhone (which I'm about to change) and have never gotten anything via it, unsolicited or otherwise. In fact, I'm the only person I've ever seen use AirDrop, and I had to tell the other person how to turn it on in each case.

Re:The enabling technology, itself, is ridiculous.

The only time you'd ever use AirDrop is when sending or receiving stuff to or from people you don't have contact information for and who you don't want to share that info with.

So basically, “I don’t know you, or I don’t trust you enough to give you my contact information, but here-- put something onto my phone.”

You’re lucky someone else beat you to it, because at least that makes your statement only the second-stupidest thing I’ve read today.

Re:The enabling technology, itself, is ridiculous.

[BitZtream]

Considering that were talking about signed apps that don't have the security warning, it also means the app can be traced to a specific individual or organization ... And that certificate can be blacklisted effectively stopping the attack vector on a global scale, instantly. While directly identifying who to prosecute and seize funds from. Apple gives out the signed certs, you don't just generate a very and poof it's no longer warning anyone, it has to be signed by Apple (the cert, not the app on OSX).

So while this is a concern ... It requires that you disable MULTIPLE security features and do several stupid things to intentionally give everyone access to your devices.

Hope they fix it quickly in case this can be exploited in other actually scary ways, but this scares me less than Trojans on a jail broken phone ... And my phone isn't jail broken!

Re:The enabling technology, itself, is ridiculous.

[DougOtto]

Um no. If you put your device in "fuck me mode" because you're worried about your privacy, your doing it wrong. I don't blame you for posting AC, I wouldn't want admit that asshattery either.

Re:The enabling technology, itself, is ridiculous.

[StikyPad]

I think AirDrop defaults to contacts only

It prompts me each time I enable it from the swipe-up menu, at least on iOS 8.1.

Re:The enabling technology, itself, is ridiculous.

You know why Linux isn't the amazing success that Slashdotters think it should be? Because it's clear no one has ever interacted with real people, ever. Here, let me paint you a picture, I call it "literally the only time I've ever seen AirDrop used, ever."

You're at a convention. There are people cosplaying. Two cosplayers who don't know each other but are cosplaying characters from the same show meet and do a pose and someone else takes a picture. The picture looks cool and one of the cosplayers says "ooo, send me that picture." Rather than exchange contact information, the picture taker AirDrops the picture onto the cosplayer's phone.

And there you go, literally the only time I've ever seen anyone use AirDrop - to share a picture they just took with someone they didn't know and didn't want to share contact information with.

AirDrop is only useful when, for whatever reason, you want to share some document of some form with someone you don't know and don't feel like setting up a "proper" channel to. Otherwise there's no reason to use it over email.

Re:The enabling technology, itself, is ridiculous.

[myowntrueself]

Of course the bug is worrisome, but then, I consider the setting that allows it—leaving AirDrop open to everyone—to be a pretty ridiculous personal security flaw. Making one’s phone readily available to connections from random sources for the sole purpose of file drops doesn’t sound like something that should make the least bit of sense to even the average user.

The thing is, the iOS device is supposed to have a secure filesystem so that applications can't even share data via the local filesystem. And you can't just plug an iPhone into a USB port and drop whatever files you want on it, as if it were a USB thumbdrive. So iDevice users have been lulled into this sense of security that they can open up some space on their phone/tablet/iwhatever and that can't be abused, because Apple is so amazingly good at security. Except they aren't so oops.

Re:The enabling technology, itself, is ridiculous.

[Galaga88]

Because I would have seen a prompt asking me to accept or decline a file. And I think it's safe to say that given the place I work and community in which I live, I have a better chance of having been killed in a traffic accident than somebody coming within AirDrop range and targeting me with an unpublished iOS vulnerability.

Plus I just updated to iOS 9 which in all likelihood would have wiped out any nefarious stuff that had been installed by this mystery attacker-ninja.

Re:The enabling technology, itself, is ridiculous.

[gmack]

Years of using slashdot would keep me from enabling such a function even without the security implications. I can imagine some troll sending tubgirl or goat.cx pics to anyone they can.

Re:The enabling technology, itself, is ridiculous.

[93+Escort+Wagon]

Given this bug, how can you know that?

If you'd read the article, you'd have seen that the way to bypass the authorization prompt was by "nstalling an enterprise provisioning profile on the device and marking it as trusted."

Sounds to me like AirDrop is superfluous in this case. If my device has an enterprise provisioning profile, I believe that enterprise can already put whatever it wants on it.

So, if anything, this sounds like a sandboxing issue (you can put files in arbitrary locations on the device) rather than an AirDrop issue.

Re:The enabling technology, itself, is ridiculous.

[macs4all]

Of course the bug is worrisome, but then, I consider the setting that allows it—leaving AirDrop open to everyone—to be a pretty ridiculous personal security flaw. Making one’s phone readily available to connections from random sources for the sole purpose of file drops doesn’t sound like something that should make the least bit of sense to even the average user.

Exactly.

If this was a flaw in Android, all the Fandroids would be blaming the User. Bet they won't feel the same about Apple, though.

Re:Apple defending shit

[U2xhc2hkb3QgU3Vja3M]

That's because Windows has complex security holes that require a lot of hacking. With this flaw, Apple clearly shows that hacking "just works" on their devices.

To disable AirDrop

[MAXOMENOS]

Check to see whether it's disabled already, open a command prompt and run:

defaults read com.apple.NetworkBrowser | grep DisableAirDrop

If it returns DisableAirDrop = 1, then you should be fine. If it comes up blank, or if it shows DisableAirDrop = 0, then AirDrop is not disabled by default. In this case, run:

defaults write com.apple.NetworkBrowser DisableAirDrop -bool YES

You'll need to log out and log back in for the change to take effect.

references: this Apple Forums thread

Re:To disable AirDrop

[MAXOMENOS]

Good point; I presume you're running OSX. If you're running iOS this won't work.

Re:Users are now known as "her"?

Maybe because "their" is a plural and "a user" is a singular noun?

Unlike some languages, English does not have a gender neutral singular possessive determiner applicable to humans. "Its" is still considered rude to use when referring to homo sapiens.

Re:Not bug, a jailbreaker (root ones phone)

[Overzeetop]

Which means that if it were a gun, every American would be allowed to jailbreak/root their phone by birthright and protected by the constitution.

Instead, it's mere control of your personal property, and therefore owned by the corporations. Individuals should never be allowed to wield such power - they simply can't be trusted not to infringe on the profits of the corporate elite.