iOS 9 Fixes A Vulnerability In iOS 8 That Lets Malware In Through AirDrop [Video]
All security fixes are good security fixes, but when one plugs a hole that previously allowed anyone within AirDrop range to install an app on your iPhone, iPad or Mac, then things start to get very serious indeed. Thankfully, the arrival of iOS 9 means iPhone and iPad users are safe, while Mac owners will be good to go once OS X El Capitan arrives on September 30th.
The security hole itself meant that anyone could send a payload to another device via AirDrop and, even if that payload wasn’t accepted by the unfortunate recipient, their device would be infected. From that point on, it would be a ticking time bomb, with a simple device restart all that would be required to kick the malware into gear.
Using an Apple certificate to sign the app that it installs, this malware would go completely undetected by the user, as demonstrated by a video created by the security flaw’s discoverer, Azimuth Security’s researcher Mark Dowd. In said video, which you’ll find embedded at the end of this post, Dowd replaces the stock Phone app with one of his own creations, showing just how easy it could theoretically be for someone to install an app and then harvest information collected by it. A piece of malware that looked like your banking app could have you giving your credentials to the wrong people, for example. According to the researcher, the malware could take control of whatever facets of the system any regular iOS app can access, such as contacts, location information, and yes, even the camera.
With the arrival of iOS 9, this is less of a concern unless you are using a Mac, in which case you might want to either turn AirDrop off or make sure you upgrade to El Capitan as soon as possible.
We’re not convinced too many people actually use AirDrop anyway, so if you’re in the firing line for potentially being affected by this, update to iOS 9 now and also update to El Capitan when it’s released at the end of the month.