Apple iPhones are considered secure devices, but that doesn’t mean they aren’t open to hacking. And yesterday, Google Project Zero’s ethical hackers showed just how easy it can be to access your iPhone or iPad without your knowledge.
Armed only with a user’s Apple ID, security researcher Samuel Groß was able to remotely hack an iPhone within minutes, stealing passwords, text messages and emails.
Leveraging just one vulnerability labeled CVE-2019-8641, Groß was also able to remotely activate an Apple iPhone’s microphone and camera without any interaction from the user. In simple terms, this means an attacker could gain access to your iPhone without you clicking a malicious URL.
First things first: This vulnerability was fixed by Apple, so it’s not a danger to you any longer–unless of course you have avoided applying iOS updates on your phone.
CVE-2019-8641 is the name given to the remote memory corruption vulnerability Google’s Groß used to take over an iPhone with just an Apple ID. The issue was originally discovered and reported to Apple as part of Groß’s joint project with Natalie Silvanovich back in July, with a proof of concept exploit published in August.
The vulnerability was first dealt with in iOS 12.4.1 on August 26 when Apple made the vulnerable code unreachable over iMessage. It was fully fixed on October 28 last year when iOS 13.2 dropped.
Multiple other Apple vulnerabilities have been found by Google’s Project Zero over the last year. For example, in July it was revealed that a vulnerability in Apple’s iMessage could render an iPhone useless and force a factory reset.
Also in July, a vulnerability was discovered that could enable an attacker to read the files on an iPhone without having physical access to it.
What does Google’s blog tell us about the iPhone hack?
The Google Project Zero blog reveals more details about Groß’s research, which was first unveiled at a hacking conference in December. It’s part of a three part series, which the more technical among you might enjoy delving into. The video of Groß’s talk is available for those of you who like a visual accompaniment.
In the blog, Groß showed how a data randomising security feature called ASLR, which is meant to protect against exploits, is “not as strong in practice.”
He demonstrated how an attacker could set up a side communications channel to interact with a user’s device. Remote code execution could be achieved through abuse of the “Receipts” feature that lets people know their iMessages have been delivered.
As a result of the research, Groß has recommended new security measures to Apple, some of which the iPhone maker has already implemented. This should make similar exploits “significantly harder,” from now on, he said.
How bad is the vulnerability and how can I protect my iPhone?
One of the biggest concerns about the Apple iPhone vulnerability reported by Google is that it doesn’t require any interaction from the user to exploit. “This makes the vulnerability different from a lot of other mobile issues,” says security researcher Sean Wright. “Typically, they require some user interaction, such as installing a malicious application. It appears that this vulnerability only requires the attacker to know the user’s phone number to be able to exploit it.”
Thankfully, the issue has been fixed, and it was reported responsibly by Google’s Project Zero. Because the full fix wasn’t available to iPhone users for some time, the details were not revealed until much later. This stops attackers from being able to easily exploit the vulnerability and ensures people can update their operating systems when a fix is available.
What should I do?
The issue shouldn’t be a problem if you keep your iPhone up to date, so there’s nothing you need to do. But I’m still going to get a bit preachy: Please ensure you update your Apple iOS to the latest version as soon as it becomes available. Yes, some people like to wait until bugs are ironed out, but it can be dangerous to delay your updates when serious vulnerabilities such as this one are out there and detailed.
In addition, it’s a good idea to make sure you are taking steps to secure your iPhone, perhaps by using a security key which is now available in Safari following the launch of iOS 13.3.
Apple is also making it easier to improve your iPhone and iPad privacy by locking down the apps that collect your data.
It’s true that iPhones can, in theory, be more secure due to the closed nature of the Apple ecosystem–compared to the more fragmented Google Android. However, that doesn’t mean iPhones are immune from attack, as Google’s Project Zero has clearly shown here.