
Critical iPhone Update Stops Silent Spyware Attacks

Posted: July 20, 2016 to Technology.

Tags: Data Breach, Malware, Cloud Security

If you are an iPhone owner who felt smug last summer after learning that Stagefright bugs were found to be silently spying on almost a billion Android devices, you may want to consider hiding that smile of yours before your Android brethren read this article…

Tyler Bohan, a senior security researcher at Cisco Talos, warned today that he had found a critical vulnerability in ImageIO that, if exploited, would not only be virtually undetectable by the smartphone user but would also allow hackers to silently siphon passwords off the infected iPhone. Fortunately, Apple has patched this flaw with its latest update, iOS 9.3.3.

***APPLE USERS ARE ADVISED TO UPDATE TO iOS 9.3.3 AS SOON AS POSSIBLE***

How Hackers Get Inside Your iPhone

As mentioned, the flaw was found in ImageIO, the iPhone mechanism that is used to handle image data. All a hacker would need to do is develop a program that takes advantage of the ImageIO flaws by creating an exploit inside a Tagged Image File Format (TIFF) file. Once the bundled exploit has been created, there are three potential means by which cyber criminals could infiltrate the target’s iPhone:
  1. Send the bundled exploit to an iPhone user via a Multimedia Message (MMS). Because MMS stores and delivers, the user doesn’t even need to open the message to compromise the phone; it only needs to be delivered.
  2. Send the bundled exploit to an iPhone via Email. All the user would need to do is click on the email; no downloads necessary.
  3. Embed the malicious code onto a website and wait for a user to visit the page on Safari. No interaction by the user is required; all the browser needs to do is analyze the exploit.

Potential Damage

Once the exploit has contaminated the victim’s phone, it would allow the hacker to access authentication credentials such as website and email logins (that are stored in the browser), Wi-Fi passwords, and pretty much anything else that is being stored by the victim in the iPhone’s memory.

There is, however, some very good news for Apple smartphone customers. All iOS systems come standard with sandbox protection. Sandbox protection makes it so that raiding authentication credentials is about as far as the cybercriminal can go without a further jailbreak or root exploit against the iOS system. Sandbox protection was created by Apple for exactly this reason; it has the ability to protect iPhones from hackers who try to take full control of a device.

That good news aside, these bugs are not limited to iPhones; they are also found across most Apple operating systems, including tvOS, watchOS, and, of course, Mac OS X, the latter of which is NOT protected by sandboxing, putting Apple computer owners at a massive disadvantage. A person would merely need to OPEN a malicious email or VISIT an infected site, and a hacker could fully take over the computer.

Solution

PATCH NOW! Do not procrastinate. The moment you get your next iOS update alert, run it. It is almost inevitable that criminals have already begun working out a way to take full advantage of the newly reported vulnerability. It is estimated that there will be about a two-week turnaround for this exploit, between the time that the vulnerabilities are announced and the time it takes hackers to figure out a way to exploit the flaws.

Additional Patches

This was not the only flaw uncovered on iOS. Other issues include:
  1. iOS’ CoreGraphics. This is a mechanism that helps to render 2D graphics across operating systems; Bohan found that it contains memory corruption issues.
  2. FaceTime. Martin Vigo, a Salesforce security engineer, found this problem. Apparently FaceTime contains a bug that allows any privileged network user (who is on the same network as the person using FaceTime) to spy on the conversation by continuing to transmit audio, even though the call appears to have ended.

In addition to the three more critical vulnerabilities discussed in this blog post, 40 more minor flaws have been discovered. You can view additional details in Apple’s advisory. All 43 bugs are addressed, if not fully patched, in iOS version 9.3.3. Apple also put out advisories for Safari, tvOS, watchOS, and OS X El Capitan.

About the Author

Craig Petronella, CEO and Founder of Petronella Technology Group
CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent more than 30 years working at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential (RP-1372) issued by the Cyber AB, is an NC Licensed Digital Forensics Examiner (License #604180-DFE), and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. Craig also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served 2,500+ clients, maintained a zero-breach record among compliant clients, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
