Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
IOS OS X Security Apple

Bug In iOS, OS X Allows AirDrop To Write Files Anywhere On File System 94

Trailrunner7 writes: There is a major vulnerability in a library in iOS and OS X that allows an attacker to overwrite arbitrary files on a target device and, when used in conjunction with other techniques, install a signed app that the device will trust without prompting the user with a warning dialog. Mark Dowd, the security researcher who discovered it, said he's been able to exploit the flaw over AirDrop, the feature in OS X and iOS that enables users to send files directly to other devices. If a user has AirDrop set to allow connections from anyone—not just her contacts—an attacker could exploit the vulnerability on a default locked iOS device. In fact, an attacker can exploit the vulnerability even if the victim doesn't agree to accept the file sent over AirDrop.
This discussion has been archived. No new comments can be posted.

Bug In iOS, OS X Allows AirDrop To Write Files Anywhere On File System

Comments Filter:
  • This bug has been known for a year or so [consumeraffairs.com]. Possibly more.

  • by Osiris Ani ( 230116 ) on Wednesday September 16, 2015 @09:01AM (#50531847)
    Of course the bug is worrisome, but then, I consider the setting that allows it—leaving AirDrop open to everyone—to be a pretty ridiculous personal security flaw. Making one’s phone readily available to connections from random sources for the sole purpose of file drops doesn’t sound like something that should make the least bit of sense to even the average user.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Except that's the only time it's useful.

      Anyone you actually know you can just email the file to and they can get at their leisure. The only time you'd ever use AirDrop is when sending or receiving stuff to or from people you don't have contact information for and who you don't want to share that info with.

      • Maybe Apple should change the behavior of "accept from everybody." Make it so it only stays active for 15 minutes, and then goes back to contacts only. It'd be closer to Bluetooth discovery then.

        • Maybe Apple should change the behavior of "accept from everybody." Make it so it only stays active for 15 minutes, and then goes back to contacts only. It'd be closer to Bluetooth discovery then.

          I agree that that would be a quick and dirty solution; but probably effective.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        The only time you'd ever use AirDrop is when sending or receiving stuff to or from people you don't have contact information for and who you don't want to share that info with.

        So basically, “I don’t know you, or I don’t trust you enough to give you my contact information, but here-- put something onto my phone.”

        You’re lucky someone else beat you to it, because at least that makes your statement only the second-stupidest thing I’ve read today.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          You know why Linux isn't the amazing success that Slashdotters think it should be? Because it's clear no one has ever interacted with real people, ever. Here, let me paint you a picture, I call it "literally the only time I've ever seen AirDrop used, ever."

          You're at a convention. There are people cosplaying. Two cosplayers who don't know each other but are cosplaying characters from the same show meet and do a pose and someone else takes a picture. The picture looks cool and one of the cosplayers says "ooo,

          • Pika! [gamingnow.info] (as SFW as a cheerleader photo)
          • by flink ( 18449 )

            AirDrop is only useful when, for whatever reason, you want to share some document of some form with someone you don't know and don't feel like setting up a "proper" channel to. Otherwise there's no reason to use it over email.

            It's also useful when you want to share a largish video without down sampling it or going through the rigmarole of syncing the phone and copying the file between PCs. This is literally the only time I've used it: to exchange a video of our daughter with my wife.

        • by Anonymous Coward

          and this is why the rest of the world (Android, Windows Phone) is much better.

          You set up the connection by NFC, which requires you to put your phones in physical contact with one-another first -- then it sets up the network for file transfer.

          *Much* more private and secure. I remember when everyone was worried about NFC / Android Beam dropping files everywhere... for some reason (cough), this never was a security concern for the much more promiscuous I thingies.

      • by Doug Otto ( 2821601 ) on Wednesday September 16, 2015 @09:30AM (#50532163)
        Um no. If you put your device in "fuck me mode" because you're worried about your privacy, your doing it wrong. I don't blame you for posting AC, I wouldn't want admit that asshattery either.
    • by Galaga88 ( 148206 ) on Wednesday September 16, 2015 @09:14AM (#50531975)

      I think AirDrop defaults to contacts only, so that should mitigate most of the severity of this - thankfully.

      I've actually enabled AirDrop receiving requests from anybody on my iPhone (which I'm about to change) and have never gotten anything via it, unsolicited or otherwise. In fact, I'm the only person I've ever seen use AirDrop, and I had to tell the other person how to turn it on in each case.

    • by BitZtream ( 692029 ) on Wednesday September 16, 2015 @09:29AM (#50532139)

      Considering that were talking about signed apps that don't have the security warning, it also means the app can be traced to a specific individual or organization ... And that certificate can be blacklisted effectively stopping the attack vector on a global scale, instantly. While directly identifying who to prosecute and seize funds from. Apple gives out the signed certs, you don't just generate a very and poof it's no longer warning anyone, it has to be signed by Apple (the cert, not the app on OSX).

      So while this is a concern ... It requires that you disable MULTIPLE security features and do several stupid things to intentionally give everyone access to your devices.

      Hope they fix it quickly in case this can be exploited in other actually scary ways, but this scares me less than Trojans on a jail broken phone ... And my phone isn't jail broken!

      • It wouldn't be difficult to steal a signing key.

        Ok, it might be difficult, but it's certainly not impossible or unheard of. They've been found in GitHub repos, for example.

        If an malware app was installed without an icon, it could spread prolifically before anybody detected it and the signature could be revoked. Depending on the purpose, it might not need to survive very long anyway.

        If anyone actually used AirDrop, that is. I don't know anybody who does, or has it enabled. Most people just send photos vi

    • by Qzukk ( 229616 )

      I consider the setting that allows it

      Is it the setting that allows it? Or does it work in the other settings too, but limited to just your "friends"? Now I'm tempted to see what kind of joke app I can throw together and get on my coworker's phone before Apple fixes this (of course, if I get my dev cert revoked by Apple that'd be bad, so I won't... but the temptation is there)

    • Re: (Score:3, Insightful)

      Of course the bug is worrisome, but then, I consider the setting that allows it—leaving AirDrop open to everyone—to be a pretty ridiculous personal security flaw. Making one’s phone readily available to connections from random sources for the sole purpose of file drops doesn’t sound like something that should make the least bit of sense to even the average user.

      The thing is, the iOS device is supposed to have a secure filesystem so that applications can't even share data via the local filesystem. And you can't just plug an iPhone into a USB port and drop whatever files you want on it, as if it were a USB thumbdrive. So iDevice users have been lulled into this sense of security that they can open up some space on their phone/tablet/iwhatever and that can't be abused, because Apple is so amazingly good at security. Except they aren't so oops.

      • because Apple is so amazingly good at security. Except they aren't so oops.

        Mighty haughty words, considering Android's "security" record.

    • Of course the bug is worrisome, but then, I consider the setting that allows it—leaving AirDrop open to everyone—to be a pretty ridiculous personal security flaw. Making one’s phone readily available to connections from random sources for the sole purpose of file drops doesn’t sound like something that should make the least bit of sense to even the average user.

      Exactly.

      If this was a flaw in Android, all the Fandroids would be blaming the User. Bet they won't feel the same about Apple, though.

    • Use it or lose it.

      I should mention I don't have an Apple phone, but would be trying to root it.

    • The only difference between a jailbreak and a hostile exploit is the person using it.

      • Which means that if it were a gun, every American would be allowed to jailbreak/root their phone by birthright and protected by the constitution.

        Instead, it's mere control of your personal property, and therefore owned by the corporations. Individuals should never be allowed to wield such power - they simply can't be trusted not to infringe on the profits of the corporate elite.

        • Instead, it's mere control of your personal property, and therefore owned by the corporations. Individuals should never be allowed to wield such power - they simply can't be trusted not to infringe on the profits of the corporate elite.

          Apple certainly doesn't notify law enforcement if it discovers your phone/tablet has been jailbroken; and many, many Android-Device OEMs take measures in an attempt to thwart casual "rooting" of their Devices, too.

          So, I'm not exactly sure why you are hating on Apple; because it seems like they are in line with the rest of the industry.

          Name any Android Device OEM that has a corporate policy of "C'mon and Root Us! We'll show you how! Right there on Page 86 of the User Manual.". Maybe Nexus phones; but tha

          • Instead, it's mere control of your personal property, and therefore owned by the corporations. Individuals should never be allowed to wield such power - they simply can't be trusted not to infringe on the profits of the corporate elite.

            Name any Android Device OEM that has a corporate policy of "C'mon and Root Us! We'll show you how! Right there on Page 86 of the User Manual.". Maybe Nexus phones; but that is about it, I would guess. And I wouldn't be at all surprised if they don't explicitly endorse "Rooting", either.

            That would of been Google; till their recent privacy policy that "prohibits" such activity now, they actively sought out "hackers" (sent them the phone) to root the phone so ROMs would be available for it when released.

            No cite I've looked before and can't find it now. Had a Xoom tablet (Motorola, Google) and came across that fact in my searches. It would of been a Moto though.

            • That would of been Google; till their recent privacy policy that "prohibits" such activity now, they actively sought out "hackers" (sent them the phone) to root the phone so ROMs would be available for it when released.

              The only requirement was that Google Apps be included wiki.rootzwiki.com/Google_Apps

            • Instead, it's mere control of your personal property, and therefore owned by the corporations. Individuals should never be allowed to wield such power - they simply can't be trusted not to infringe on the profits of the corporate elite.

              Name any Android Device OEM that has a corporate policy of "C'mon and Root Us! We'll show you how! Right there on Page 86 of the User Manual.". Maybe Nexus phones; but that is about it, I would guess. And I wouldn't be at all surprised if they don't explicitly endorse "Rooting", either.

              That would of been Google; till their recent privacy policy that "prohibits" such activity now, they actively sought out "hackers" (sent them the phone) to root the phone so ROMs would be available for it when released.

              No cite I've looked before and can't find it now. Had a Xoom tablet (Motorola, Google) and came across that fact in my searches. It would of been a Moto though.

              So, in other words, every single mobile OEM now has EXACTLY the same policy regarding rooting. So I NEVER want to see Apple singled-out on this topic, EVER AGAIN.

              The unfounded Apple hate around here is absolutely asinine.

              • Instead, it's mere control of your personal property, and therefore owned by the corporations. Individuals should never be allowed to wield such power - they simply can't be trusted not to infringe on the profits of the corporate elite.

                Name any Android Device OEM that has a corporate policy of "C'mon and Root Us! We'll show you how! Right there on Page 86 of the User Manual.". Maybe Nexus phones; but that is about it, I would guess. And I wouldn't be at all surprised if they don't explicitly endorse "Rooting", either.

                That would of been Google; till their recent privacy policy that "prohibits" such activity now, they actively sought out "hackers" (sent them the phone) to root the phone so ROMs would be available for it when released.

                No cite I've looked before and can't find it now. Had a Xoom tablet (Motorola, Google) and came across that fact in my searches. It would of been a Moto though.

                So, in other words, every single mobile OEM now has EXACTLY the same policy regarding rooting. So I NEVER want to see Apple singled-out on this topic, EVER AGAIN.

                The unfounded Apple hate around here is absolutely asinine.

                The question was name any.

                • The question was name any.

                  And by their own words, they could not. What is past, is past. But the truth is, at the present, there is nor a single mobile OEM that embraces nor encourages rooting a mobile device of their manufacture. And you know why? Because it almost universally results in a gaping security hole. Regardless of brand or platform.

                  People just need to get it through their addled brains that, although smartphones are in some ways (a lot of ways) "little computers", the use case and the amount of personal information th

  • If a user has AirDrop set to allow connections from anyone—not just her contacts—an attacker could exploit the vulnerability on a default locked iOS device.

    What the fuck is wrong with using the word "their"?

    Although...

    Mark Dowd, the security researcher who discovered it, said he's been able to exploit the flaw over AirDrop, the feature in OS X and iOS that enables users to send files directly to other devices.

    Perhaps Mark Dowd is female. If so then... Hmm. Then... I dunno.

    Either way, there are a whole group of words that are not gender specific. Use them(!), and stop with this retarded "her" crap.

    Thanks.

    • by Anonymous Coward

      Maybe because "their" is a plural and "a user" is a singular noun?

      Unlike some languages, English does not have a gender neutral singular possessive determiner applicable to humans. "Its" is still considered rude to use when referring to homo sapiens.

      • Since when is the word "their" plural?

        his, her, its — used with an indefinite third person singular antecedent

        (used after an indefinite singular antecedent in place of the definite masculine form his or the definite feminine form her)

        used to refer to one person in order to avoid saying "his or her": One of the students has left their book behind.

        • Since when is the word "their" plural?

          When the antecedent refers to a group, e.g. "The crowd showed their approval by setting themselves on fire."

          Yes, you can use "its" there, too; but English has many de facto synonyms and has a quite flexible syntax. That's why it is a wonderful language for poetry and lyrics.

          As a contrast, try and do a pun in German. I don't think it can be done; because it is "one word, one definition". Great for scientific texts; horrible for plays-on-words.

      • Oh, by the way, it's not a noun.

      • Even if we assume you are correct, an unknown person may be either male or female. Let's call them a quantum person, as they've yet to be observed; they're simultaneously male and female. In this instance, neither "he" nor "she" ("his", "hers", "him", "her", etc, you get the point) are appropriate. However, given the dual nature of the unknown individual, "they" (or "their") is correct.

        I'm just gonna let the fact that "'they' is correct" is also grammatically correct burn into your brain for a bit. Have a
        • Even if we assume you are correct, an unknown person may be either male or female. Let's call them a quantum person, as they've yet to be observed; they're simultaneously male and female. In this instance, neither "he" nor "she" ("his", "hers", "him", "her", etc, you get the point) are appropriate. However, given the dual nature of the unknown individual, "they" (or "their") is correct.

          There are a lot of words being spent here for the purpose of ignoring the standard rule in English where using a male pronoun is the correct way to refer to a person of unknown or undetermined gender.

      • Maybe because "their" is a plural and "a user" is a singular noun?

        Unlike some languages, English does not have a gender neutral singular possessive determiner applicable to humans. "Its" is still considered rude to use when referring to homo sapiens.

        Maybe because "their" is a plural and "a user" is a singular noun?

        Unlike some languages, English does not have a gender neutral singular possessive determiner applicable to humans. "Its" is still considered rude to use when referring to homo sapiens.

        I have to disagree with the grammar experts on this one. "Their", while not technically a singular possessive, is most assuredly less cumbersome than using "she or he" repeatedly (OMG, yuck!!!) or even worse, the non-word "S/he" or "Hir" (retch!!!).

        So, kind of like the word "sheep" or "deer", which can mean either singular or plural depending on context, or "Aloha" (yes, another language, but...) which can mean "Hello" or "Goodbye", again depending on context; I firmly believe that "their" SHOULD be accep

        • Whenever I encounter someone who gets truly offended at the use of a gender-specific term, I start using a word I coined for just that scenario around them: hesheit. I usually get to say it once or twice before being asked what it is that I'm saying; shortly thereafter, "he" and "she" suddenly become acceptable again. Once, I had someone inquire as to why "he" came first in my coined term, insinuating that it was still sexist, so I pronounced the four possible permutations of the term not starting with "he"
    • by Anonymous Coward

      "Their" is plural. English has no neuter - using "their" as neuter is incorrect. Using "her" is trying to be politically correct. Using "his" would have been grammatically correct.

      • No, it's not plural. See above. Look up a dictionary. Read some books. Listen to some people speak.

      • Let's look at this another way.

        Given the statement "That rock is owned by Roger", we can determine that the singular rock is owned by a singular person (Roger). Thus, if someone asked "Is that Roger's rock?" then the response "Yes it is theirs" is grammatically correct (and always has been).

        Similarly, given the statement "That rock is owned by the three women sitting on top of it", we can determine that the rock is owned by three women. Therefore, if someone asks the question "Who owns that rock?" we can sa

        • Let's look at this another way.

          Given the statement "That rock is owned by Roger", we can determine that the singular rock is owned by a singular person (Roger). Thus, if someone asked "Is that Roger's rock?" then the response "Yes it is theirs" is grammatically correct (and always has been).

          Historically, their and theirs means third person plural owners. In this politically correct age, these words are used when the gender and / or sex of the owner is not known. Since Roger is (most likely) male, the most correct answer would be Yes, it is his.

          Similarly, given the statement "That rock is owned by the three women sitting on top of it", we can determine that the rock is owned by three women. Therefore, if someone asks the question "Who owns that rock?" we can say "It is theirs."

          Third person plural owners has always been their or theirs; this has not changed due to political correctness.

          Why am I adding an s to "their"? Because that's the plural of their. "Their" vs. "Theirs".

          WRONG! You use theirs when you don't want to repeat the object. It is their rock (the rock belongs to them) vs It is theirs (It belongs to them

      • Maybe this explains it better than I can: http://dictionary.cambridge.or... [cambridge.org]

  • To disable AirDrop (Score:5, Informative)

    by MAXOMENOS ( 9802 ) <<mike> <at> <mikesmithfororegon.com>> on Wednesday September 16, 2015 @09:40AM (#50532267) Homepage

    Check to see whether it's disabled already, open a command prompt and run:

    defaults read com.apple.NetworkBrowser | grep DisableAirDrop

    If it returns DisableAirDrop = 1, then you should be fine. If it comes up blank, or if it shows DisableAirDrop = 0, then AirDrop is not disabled by default. In this case, run:

    defaults write com.apple.NetworkBrowser DisableAirDrop -bool YES

    You'll need to log out and log back in for the change to take effect.

    references: this Apple Forums thread [apple.com]

    • by Anonymous Coward

      So, do you need to be jailbroken to do this, and is it okay to use this exploit to jailbreak prior to closing the loophole?

  • by Anonymous Coward

    It does not matter if you have switched off airdrop or restricted its access to known contacts.
    At a border crossing an officer can take your locked device and push some nasty payload to it.
    Even a confirmation would be useless as it would be another guy pressing okay.

  • ...a kernel issue, rather than an issue w/ iOS or OS-X? Wouldn't they have to look at XNU and debug that?
  • "If a user has AirDrop set to allow connections from anyone..."

    Ok, so you have a setup where people can push files at you, and if you allow anybody to do it, someone might drop a malicious file in your system? What about the fact that Apple allows you to leave your laptop unattended and unlocked, say, on the subway? A malicious person could take over your whole computer! That's a serious vulnerability, and proves that Macs are no safer than Windows machines.

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.

Working...