VYPR
Medium severity 4.6 · NVD Advisory · Published Apr 2, 2017 · Updated May 13, 2026

CVE-2017-2399

Description

Physically proximate attackers can read the iOS pasteboard because its encryption key is derived only from the hardware UID, not the user passcode.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The pasteboard in iOS versions prior to 10.3 on iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later encrypts its data using a key derived solely from the hardware UID (unique identifier) rather than from a combination of the hardware UID and the user’s passcode. This design flaw means the pasteboard contents are accessible without authentication when an attacker has physical proximity to the device [1].

Exploitation

To exploit this vulnerability, an attacker must be physically proximate to the target device—typically within arm’s reach—and gain unauthorized physical access to the unlocked device or bypass the lock screen through another method. The attacker does not need to know the user’s passcode because the encryption key does not incorporate the passcode. By extracting the hardware UID (which is accessible from the device’s firmware), the attacker can derive the encryption key and decrypt the pasteboard data [1].

Impact

A successful attacker can read all current and potentially previously copied content stored on the pasteboard, which may include sensitive information such as passwords, credit card numbers, personal messages, or authentication tokens. This represents a breach of confidentiality, with the attacker operating at the user’s privilege level but without requiring the user’s passcode [1].

Mitigation

Apple released iOS 10.3 on March 27, 2017, which addresses the issue by modifying the pasteboard encryption to incorporate the user’s passcode into the key derivation. Users should update to iOS 10.3 or later to mitigate the vulnerability. There is no known workaround for unpatched devices [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

3
