20 Jul 2016
If you are an iPhone owner who felt smug last summer after learning that Stagefright bugs were found to be silently spying on almost a billion Android devices, you may want to consider hiding that smile of yours before your Android brethren read this article…
Tyler Bohan, a senior security researcher at Cisco Talos, released a warning today that he found a critical vulnerability in ImageIO which, if exploited, would not only be virtually undetectable by the smartphone user, but would also allow hackers to silently syphon passwords off the infected iPhone. Fortunately, Apple has patched this flaw with its latest update, iOS 9.3.3.
***APPLE USERS ARE ADVISED TO UPDATE TO iOS 9.3.3 AS SOON AS POSSIBLE***
How Hackers Get Inside Your iPhone
As mentioned, the flaw was found in ImageIO, the iPhone mechanism that is used to handle image data. All a hacker would need to do is develop a program that takes advantage of the ImageIO flaws by creating an exploit inside a Tagged Image File Format (TIFF) file. Once the bundled exploit has been created, there are three potential means by which cyber criminals could infiltrate the target’s iPhone:
- Send the bundled exploit to an iPhone user via a Multimedia Message (MMS). Because MMS stores and delivers messages, the user doesn’t even need to open the message to compromise the phone; it only needs to be delivered.
- Send the bundled exploit to an iPhone via email. All the user would need to do is click on the email; no downloads necessary.
- Embed the malicious code in a website and wait for a user to visit the page in Safari. No interaction by the user is required; all the browser needs to do is analyze the exploit.
Once the exploit has contaminated the victim’s phone, it would then allow the hacker to access authentication credentials such as website and email logins (that are stored in the browser), Wi-Fi passwords, and pretty much anything else that is being stored by the victim in the iPhone’s memory.
There is, however, some very good news for Apple smartphone customers. All iOS systems come standard with sandbox protection. Sandbox protection makes it so that raiding authentication credentials is about as far as the cybercriminal can go without a further jailbreak or root exploit of the iOS system. Sandbox protection was created by Apple for just this reason; it has the ability to protect iPhones from hackers who try to take full control of a device.
That good news aside, these bugs are not limited to iOS on iPhones; they are also found across most Apple operating systems, including tvOS, watchOS, and, of course, Mac OS X, the latter of which is NOT protected by sandboxing, putting Apple PC owners at a massive disadvantage. A person would merely need to OPEN a malicious email or VISIT an infected site, and a hacker could fully take over the computer.
Do not procrastinate. The moment you get your next iOS update alert, run it. It is almost inevitable that criminals have already begun working out a way to take full advantage of the newly-reported vulnerability. It is estimated that there will be about a two-week turnaround for this exploit, between the time that the vulnerabilities are announced and the time it takes hackers to work out ways to exploit the flaws.
This was not the only flaw uncovered on iOS. Other issues include:
- iOS’ CoreGraphics. This is a mechanism that helps to render 2D graphics across operating systems; Bohan found that it contains memory corruption issues.
- FaceTime. Martin Vigo, a Salesforce security engineer, found this problem. Apparently, FaceTime contains a bug that allows any privileged network user (that is on the same network as the person using FaceTime) to spy on the conversation by continuing to transmit audio, even though the call appears to have ended.
In addition to the three more critical vulnerabilities discussed in this blog post, there are 40 (more minor) flaws that have been discovered. You can view additional details on Apple’s advisory. All 43 bugs are addressed, if not fully patched, in iOS version 9.3.3. Apple also put out advisories for Safari, tvOS, watchOS, and OS X El Capitan.