CVE-2021-1863 in iOS
Summary
by MITRE • 09/08/2021
An issue existed with authenticating the action triggered by an NFC tag. The issue was addressed with improved action authentication. This issue is fixed in iOS 14.5 and iPadOS 14.5. A person with physical access to an iOS device may be able to place phone calls to any phone number.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 09/11/2021
The vulnerability identified as CVE-2021-1863 represents a significant authentication flaw within the iOS operating system's handling of near field communication tag actions. This weakness specifically affected the authentication mechanisms that govern how NFC tags trigger automated actions on iOS devices. The issue stemmed from insufficient validation of the actions initiated by NFC tags, creating a pathway for unauthorized execution of functions that should require proper authentication. The vulnerability was particularly concerning because it leveraged physical access to exploit the system, making it accessible to anyone with direct contact with the target device. This type of flaw falls under the category of insufficient authentication as defined by CWE-287, where the system fails to properly verify the identity of the entity attempting to execute privileged operations.
The technical implementation of this vulnerability allowed for the bypass of normal authentication procedures that should typically be required before executing sensitive actions such as placing phone calls. When an NFC tag was presented to an iOS device, the system failed to properly verify that the action being triggered was authorized by the legitimate user. This authentication bypass enabled malicious actors to create NFC tags that could automatically initiate phone calls to arbitrary phone numbers without requiring user consent or authentication. The flaw existed in the NFC tag processing subsystem of iOS, where the system trusted the actions encoded in NFC tags without sufficient verification of their legitimacy. This issue was particularly dangerous because it could be exploited without requiring any network connectivity or sophisticated attack vectors, relying purely on physical proximity and device access.
The operational impact of this vulnerability extends beyond simple unauthorized calling, as it demonstrates a fundamental weakness in how iOS handles trusted input from physical devices. An attacker with physical access to an iOS device could create malicious NFC tags that would automatically execute phone calls to predetermined numbers, potentially enabling social engineering attacks, spamming campaigns, or even coordinated denial of service attacks. The vulnerability's exploitation requires only physical access to the target device and the ability to present an NFC tag, making it particularly concerning for mobile device security. The attack vector aligns with ATT&CK technique T1550.001 for legitimate credentials, where adversaries leverage physical access to bypass authentication mechanisms. This vulnerability could be exploited by attackers to perform unauthorized communications, potentially for reconnaissance purposes or to disrupt normal device usage patterns.
The fix for CVE-2021-1863 was implemented through enhanced authentication mechanisms that require proper user verification before executing actions triggered by NFC tags. Apple addressed this issue by strengthening the validation process for NFC tag actions, ensuring that any automated execution requires explicit user consent or authentication. The update specifically targeted the NFC tag processing components in iOS 14.5 and iPadOS 14.5, where the system now requires additional verification before executing phone call actions initiated by NFC tags. This mitigation approach aligns with the principle of least privilege, ensuring that automated actions cannot bypass normal authentication procedures. The solution effectively prevents the automatic execution of phone calls through NFC tags while maintaining legitimate functionality for authorized users. Users should immediately update to iOS 14.5 or later versions to protect against this vulnerability, as the fix resolves the authentication gap that allowed unauthorized action execution. The remediation demonstrates Apple's approach to addressing physical access attacks through improved input validation and authentication requirements for trusted device interactions.