5 Billion Devices at Risk! AIRFUZZ Exposes 6 Vulnerabilities in AirDrop and Quick Share
What Happened? Overview of the News
- Analysis of Major Protocols: Reverse-engineered Apple’s AirDrop and Google/Samsung’s Quick Share, uncovering previously undisclosed communication specifications.
- Discovery of Vulnerabilities “V1-V6”: Identified a total of 6 “zero-click” vulnerabilities that can be exploited without authentication. These include DoS, memory corruption, and encryption bypass.
- Development of AIRFUZZ: Created a protocol-aware fuzzing tool called “AIRFUZZ” that manipulates data before compression, achieving efficient bug detection.
Why Does This Matter? Key Points to Note
- Massive Impact Scope: Affecting over 5 billion devices, these vulnerabilities can be exploited without any user action, making them “zero-click targets.”
- Dissection of Proprietary Protocols: Completely reconstructed and analyzed AirDrop’s proprietary “7-layer state machine” and “DVZip adaptive compression,” which were previously undisclosed.
- Practical Findings: Google awarded a bounty for vulnerability V6 (Heap use-after-free), indicating that companies are aware of and working to fix these issues.
🦈 Shark’s Eye (Curator’s Perspective)
This is a brilliant study that has sunk its teeth into the depths of proprietary protocols! The implementation of “AIRFUZZ” stands out, especially its clever approach of altering data at an early stage of the DVZip adaptive compression process. This allows for analysis deep within processing flows that regular fuzzers cannot reach! The critical and interesting part is how it targets core OS components, like the infinite recursion in XML plist within Apple’s Foundation framework (V2). It turns out that those invisible privileged daemons are the biggest hideouts and vulnerabilities!
What’s Next?
- Transparency in Protocols: Companies will likely reassess their proprietary protocol designs, accelerating the transition to more standardized and secure handshakes (like UKEY2).
- Evolution of Fuzzing Techniques: Attack methods that understand protocol structures like “AIRFUZZ” will likely be applied to other proprietary wireless communications (such as Bluetooth-related services).
A Word from Haru Shark
No matter how well you hide, you can’t escape the shark’s keen sense of smell! The more “invisible” the communication, the more satisfying it is to bite into! Sharky shark! 🦈🔥
Terminology Explained
-
Fuzzing: An automated testing technique that feeds unpredictable input data into software to uncover bugs and vulnerabilities.
-
Zero-Click Attack: An attack where a device can be compromised simply by receiving communication, without the user needing to click links or open files.
-
State Machine: A blueprint defining states and transition rules. In this study, it modeled the complex communication protocols of AirDrop across 7 layers.
-
Source: Protocol Prying: Vulnerability Research in AirDrop and Quick Share