Last May, Apple quietly patched a flaw in the Apple Wireless Direct Link (AWDL) protocol in Apple’s iPhone and Apple Watch. AWDL is an Apple proprietary protocol to allow devices to share data via an impromptu mesh network. This enables Airdrop, for example. Today we finally found out what the impact of this flaw could have been, and you can see the video here.
With minimal equipment, security researcher Ian Beer from Google’s Project Zero was able to remotely cause every single iPhone in radio range of his Mac to reboot. This makes for a fantastic demonstration of the impact of this flaw, but the potential damage that an attacker could have done could have been much more severe.
This is once again a clarion call to keep your devices updated to the latest OS release. Even the most benign update may include fixes to a series of critical security flaws that an attacker could leverage against the device. Once an OS release is available, it is common for malicious attackers to analyze the updates to identify any patched vulnerabilities and then immediately create attacks against those. Attackers are well aware that not everyone updates their devices immediately; be that due to time, distractions, or the need for organizations to first ensure that the latest update works well with the rest of their software stack. This gives them a time window in which to leverage these now disclosed vulnerabilities until the updates are distributed.
As one commenter at ArsTechnica so eloquently put it:
Note that according to https://support.apple.com/en-us/HT210919, an issue addressing the same CVE was fixed in macOS 10.14.6, 10.13.6 and 10.15.2 in January 2020. The philosophy of patch early, patch often affects every OS.
Patrick Wardle, Jamf's Principal Security Researcher, added: "One positive takeaway is the fact that Ian chose to report this bug to Apple (who promptly patched it, as CVE-2020-3843). Without Ian's discovery, this bug may still be lurking within iOS/macOS ...perhaps waiting to be discovered and exploited by malicious adversaries. In recent years, Apple has made great strides in creating a modern bug-bounty program that financially incentivizes (and thus encouraged) researcher to report such bugs to Cupertino. At this time, it is unclear if Apple has paid out a bounty for this bug (though it seems clear that such a bug would qualify). Ian has promised to donate any such bounty to charity (which also means a match from Apple), stating, ‘Let’s make this a great celebration of our work together towards a better future.'"
"Possible end result?" continued Wardle. "Half a million to charity. Making macOS/iOS safer for all, while raising money for charity? Talk about a win-win!"
Of course, Jamf is here to help you effectively manage OS updates and OS security patch rollouts while protecting your endpoints. We have a history of building tools to align with Apple so that when OS updates are available, your management and security tools are compatible with them on the day they are released. You should never need to delay critical security updates because a vendor isn’t ready to support the updates yet. And with Jamf’s same-day support for macOS, iOS, iPadOS and tvOS, you never will.
Let Jamf Pro help you roll out the latest OS patches to your devices as quickly as possible.