iPhones and other Apple devices were open to a hack that would allow somebody to take control of them from a distance, a researcher has found.
The issue has now been fixed and there is no evidence that it was ever used, but until March of this year it would have been theoretically possible to gain almost complete access to a device using the hack, according to Google researcher Ian Beer.
He found that an attacker would potentially be able to read private messages, look through photos and even spy on the phone's owner through its camera and microphone.
The hack relied on a technology called Apple Wireless Direct Link, which allows the company's devices to speak to each other and powers features like AirDrop, which lets files be exchanged easily between users and their devices.
Mr Beer said that he had found a way not only to exploit that protocol, but also to turn it on if it had been switched off, meaning that even devices that were nominally protected against the exploit could have been affected by it.
That meant that someone using the attack would be able to break into the phone without ever actually getting near it. The attack was also “wormable”, meaning that it could spread from one phone to another.
In a long blog post outlining the problem, Mr Beer noted that the attack had taken him six months of work, through early 2020. But he said that he had done so on his own, and hoped that the discovery of the exploit would serve as a warning that various bad actors are constantly trying to find ways into devices.
Apple has not officially acknowledged Mr Beer’s exploit, but it did mention his work in a system update that arrived in May and appeared to fix the problem. That update noted that “a remote attacker may be able to cause unexpected system termination or corrupt kernel memory” and that it had been fixed by iOS 14.2.7 and simultaneous updates for its other operating systems.
Most active Apple users have likely updated to those newer versions of the operating system, meaning that many devices should be protected against the hack.