A researcher claimed to have found a remote code execution exploit that could allow an attacker to wipe an iPhone or iPad running any version of iOS up to and including iOS 15, but Apple says the claim is false.
Twitter user @RobertCFO posted Wednesday that they had found a bug allowing a high-level, proximity-based Bluetooth LE exploit to remotely wipe iPhones and iPads without physical access to the devices. The user also said that he will provide a proof of concept at a later date.
POC? RCE up to 15.0.X ~ high level proximity based bluetooth LE exploit to delete iDevices remotely based on proximity alone! No physical device access.
In short, you can put a laptop in a backpack and ride a bike in a city to wipe iPhones
The tweet includes a screenshot of an email exchange he allegedly had with a member of Apple’s product safety team. The team member acknowledges the issue and states that it will be fixed in iOS 15.1, which the Apple rep says will be rolled out the week of Monday, October 25th, the week following Apple’s “Unleashed” event.
Apple also reportedly asked Robert to keep the email and details of the exploit confidential until the patches are released to users.
Apple today seeded the fourth developer betas of iOS 15.1 and iPadOS 15.1.
The upcoming iOS 15.1 release will introduce features that did not arrive in time for the first version of iOS 15, such as SharePlay. An important new feature has also emerged that will allow users to add verifiable COVID vaccination cards to Wallet.
Update: Apple clarified that there is no record of any interaction between the alleged researcher and a member of the Apple Security Bounty team, leading Apple to believe that this interaction was spoofed. The company also advises that Apple is not giving any specific dates for upcoming software releases.