It has been reported that Google Project Zero security researcher Ian Beer has revealed that, until May, a variety of Apple iPhones and other iOS devices were vulnerable to an incredible exploit that could let attackers remotely reboot and take complete control of their devices from a distance — including reading emails and other messages, downloading photos, and even potentially watching and listening to you through the iPhone’s microphone and camera.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
The recent iOS zero-click exploit published by Google\’s Project Zero is an attack that can be used by malicious groups to gain access to any iPhone device running an unpatched version of iOS. The attack requires close proximity to the target iPhone device as it leverages an exploit in the iPhone’s WiFi system. The exploit does not require any interaction from the target, and can be used to steal sensitive data such as photos, text messages, and install Trojans. The attack leverages a flaw in Apple\’s proprietary radio protocol used to connect iPhones directly to other iPhones, or Apple products for services such as AirDrop. Even if AirDrop is not enabled, this attack is able to bypass this restriction, and force AirDrop to be enabled momentarily to deliver the exploit. A proof of concept with limited capability has been released, and more dangerous variants might be developed from it. Fortunately, this vulnerability is patched since May 2020, and in the latest version of iOS. It’s recommended for users to keep their iPhones updated to the latest version.
Buffer overflows have haunted software developers for about as long as software existed. The good news is, buffer overflows can be systematically identified and eradicated early in the dev process using automated static analysis tools. But even incredibly mature organisations fall victim seemingly small mistakes that can have major repercussions. This vulnerability underscores how important it is for developers and AppSec teams to proactively and thoroughly test their code bugs. It’s also important to remediate issues identified during testing — even if it\’s not a problem today, any given vulnerability could become a substantial issue down the road.