Most hacks require some kind of user intervention. Either the user needs to allow malware access that it shouldn’t have, or the user must install an infected app, or perhaps even visit a malicious website. These are all things users wouldn’t do if they were fully aware, unfortunately, users are usually unaware they’re doing these things. Usually, users are tricked in to doing these things.
Unfortunately, there have been two recent Apple exploits that didn’t require the user to do anything. In fact, the user probably wouldn’t even know that they had fallen victim to these exploits.
The Hacker News reports a critical exploit (CVE-2016-4631) that has to do with the API which allows Apple products to handle image data. This exploit allows for an attack to occur through a simple TIFF image file sent through something as basic as an SMS message. Of course, this is not a file which would require a user to accept, allow, or take any action whatsoever. Simply receiving the file would be enough for the attack. Yet it doesn’t have to come through an SMS message, it can also be delivered via a website should a user stumble across it. This bug doesn’t only affect iOS, the API is also used across Mac OS X, tvOS, and watchOS.
There was also another vulnerability in FaceTime (CVE-2016-4635) which allowed anyone who was on the same WiFi network to eavesdrop on the audio of a FaceTime call. Even worse, it allowed them to continue eavesdropping after the FaceTime call was terminated. This vulnerability affects iOS and OS X
Apple claims to have addressed these vulnerabilities in the latest iOS updates. It is unknown whether these flaws were addressed within the other OS’s.
As iPhone users continue to brag of their security, claiming that their iDevices have the best security in the land, we need to recognize a few facts;
First, iPhone user’s believe they have the best security because of the encryption debate. While Apple was fighting the FBI over cracking the phone used by a terrorist in San Bernardino, it was repeated over and over that the iPhone’s security was so grand, that not even Apple could break it. Apple claimed themselves it would take weeks of a team of Apple engineers to do it. This amounted to an inordinate amount of publicity stating Apple’s security was the best available. In the end, a team of Apple engineers did not crack the phone. A third party did it within a couple of days.
Second, iOS had the most security vulnerabilities of any mobile OS last year. Not only the most, but more than Android, Windows Phone, and BlackBerry combined. Exploits like these mentioned here.
How’s that for security?