20 Jul 2016

If you are an iPhone owner who felt smug last summer after learning that Stagefright bugs were found to be silently spying on almost a billion Android devices, you may want to consider hiding that smile of yours before your Android brethren read this article.

Tyler Bohan, a senior security researcher at Cisco Talos, released a warning today that he found a critical vulnerability in ImageIO which, if exploited, would not only be virtually undetectable by the smartphone user but would also allow hackers to silently siphon passwords off the infected iPhone. Fortunately, Apple has patched this flaw in its latest update, iOS 9.3.3.

***APPLE USERS ARE ADVISED TO UPDATE TO iOS 9.3.3 AS SOON AS POSSIBLE***

How Hackers Get Inside Your iPhone

As mentioned, the flaw was found in ImageIO, the iPhone mechanism used to handle image data. All a hacker would need to do is develop a program that takes advantage of the ImageIO flaw by embedding an exploit inside a Tagged Image File Format (TIFF) image. Once the bundled exploit has been created, there are three potential means by which cyber criminals could infiltrate the target’s iPhone:

  1. Send the bundled exploit to an iPhone user via a Multimedia Message (MMS). Because MMS messages are delivered and processed automatically, the user doesn’t even need to open the message for the phone to be compromised; it only needs to be delivered.
  2. Send the bundled exploit to an iPhone via email. All the user would need to do is click on the email; no downloads necessary.
  3. Embed the malicious image in a website and wait for a user to visit the page in Safari. No interaction by the user is required; all the browser needs to do is parse the malicious image.
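The three delivery routes above all end the same way: an image decoder parses bytes it did not ask for. As an added illustration, not code from the article, from Talos or from Apple, the following minimal TIFF directory walker shows the validation discipline such a decoder needs, checking every count and offset the file declares against the real buffer length in arithmetic that cannot wrap before any byte is touched. The two sample files are constructed here, and the specific ImageIO defect is not described on this page, so the unchecked-size pattern shown is the general class, not Apple's bug.

```c
#include <stdint.h>
#include <string.h>

/* Byte width of each TIFF field type; index 0 is invalid (width 0 => reject). */
static const uint8_t TYPE_SIZE[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Little-endian reads that refuse to touch bytes outside [b, b+n). */
static int rd16(const uint8_t *b, size_t n, size_t off, uint16_t *v) {
    if (off > n || n - off < 2) return 0;
    *v = (uint16_t)(b[off] | (b[off + 1] << 8));
    return 1;
}
static int rd32(const uint8_t *b, size_t n, size_t off, uint32_t *v) {
    if (off > n || n - off < 4) return 0;
    *v = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
         ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 1;
}

/* Walk the first IFD of a little-endian ("II") TIFF. Returns the entry count, or -1
   if the header, an entry type, a count or a data offset would reach outside the
   buffer. Every size the file declares is checked against len before it is used. */
int tiff_validate(const uint8_t *buf, size_t len) {
    uint16_t magic, nent, type;
    uint32_t ifd, count, val;
    if (len < 8 || memcmp(buf, "II", 2) != 0) return -1;    /* "MM" files not handled here */
    if (!rd16(buf, len, 2, &magic) || magic != 42) return -1;
    if (!rd32(buf, len, 4, &ifd) || !rd16(buf, len, ifd, &nent)) return -1;
    if (len - ifd < 2u + (size_t)nent * 12u) return -1;     /* whole entry table must fit */
    for (uint16_t i = 0; i < nent; i++) {
        size_t e = (size_t)ifd + 2 + (size_t)i * 12;        /* in range: table was checked */
        rd16(buf, len, e + 2, &type); rd32(buf, len, e + 4, &count); rd32(buf, len, e + 8, &val);
        if (type == 0 || type > 12) return -1;
        uint64_t bytes = (uint64_t)count * TYPE_SIZE[type]; /* 64-bit: count*width cannot wrap */
        if (bytes > 4 && (val > len || bytes > len - val)) return -1; /* out-of-line data must fit */
    }
    return nent;
}

/* Constructed sample: valid header plus one inline entry (ImageWidth = 4). */
static const uint8_t TIFF_GOOD[] = {             /* "II", magic 42, IFD at byte 8; */
    'I','I', 42,0, 8,0,0,0, 1,0,                 /* one entry: */
    0x00,0x01, 3,0, 1,0,0,0, 4,0,0,0, 0,0,0,0 }; /* tag 256, SHORT, count 1, value 4; no next IFD */
/* Constructed sample: same layout, but the entry claims 0x40000000 LONGs (4 GiB) at
   offset 8; count*4 wraps to 0 in 32-bit arithmetic, the classic route to an OOB copy. */
static const uint8_t TIFF_BAD[] = {
    'I','I', 42,0, 8,0,0,0, 1,0,
    0x11,0x01, 4,0, 0,0,0,0x40, 8,0,0,0, 0,0,0,0 };
```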

Potential Damage

Once the exploit has run on the victim’s phone, it would allow the hacker access to authentication credentials such as website and email logins (stored in the browser), Wi-Fi passwords, and pretty much anything else the victim stores in the iPhone’s memory.

There is, however, some very good news for Apple smartphone customers. All iOS systems come standard with sandbox protection, which means that raiding authentication credentials is about as far as the cybercriminal can go without a further jailbreak or root exploit of the iOS system. Apple created the sandbox for exactly this reason: it protects iPhones from hackers who try to take full control of a device.

That good news aside, these bugs are not limited to iOS on the iPhone; they are also found across most Apple operating systems, including tvOS, watchOS and, of course, Mac OS X, the last of which is NOT protected by sandboxing, putting Apple PC owners at a massive disadvantage. A person would merely need to OPEN a malicious email or VISIT an infected site, and a hacker could fully take over the computer.

Solution

PATCH NOW!

Do not procrastinate. The moment you get your next iOS update alert, run it. It is almost inevitable that criminals have already begun working out a way to take full advantage of the newly reported vulnerability. The turnaround for such an exploit is estimated at about two weeks, between the time the vulnerabilities are announced and the time it takes hackers to figure out a way to exploit the flaws.

Additional Patches

This was not the only flaw uncovered on iOS. Other issues include:

  1. iOS’ CoreGraphics. This is the mechanism that renders 2D graphics across Apple’s operating systems; Bohan found that it contains memory corruption issues.
  2. FaceTime. Martin Vigo, a Salesforce security engineer, found this problem. Apparently FaceTime contains a bug that allows a privileged network user (one on the same network as the person using FaceTime) to spy on the conversation: audio continues to be transmitted even though the call appears to have ended.

In addition to the three more critical vulnerabilities discussed in this blog post, 40 more minor flaws have been discovered. You can view additional details in Apple’s advisory. All 43 bugs are addressed, if not fully patched, in iOS version 9.3.3. Apple also put out advisories for Safari, tvOS, watchOS and OS X El Capitan.
