Google Project Zero’s researchers showed just how easy it can be to access an iPhone or iPad without the owner’s knowledge. Security researcher Samuel Groß was able to remotely compromise an iPhone within minutes, stealing passwords, text messages and emails, while knowing nothing more than the target’s Apple ID (the phone number or email address the device uses for iMessage).
Leveraging a single vulnerability, CVE-2019-8641, Groß was also able to remotely activate the iPhone’s microphone and camera without any interaction from the user. In plain terms, this is a zero-click attack: the victim does not have to tap a malicious link or open anything for the attacker to gain control of the phone.
Apple has since fixed the vulnerability, so it no longer poses a danger to devices running an up-to-date version of iOS; devices that have not been updated remain exposed.
Google Project Zero
The Google Project Zero blog gives more detail on Groß’s research, which was first presented at the 36C3 hacking conference (Chaos Communication Congress) in December 2019.
In the blog, Groß shows how ASLR (address space layout randomisation), a defence that randomises where code and data sit in memory so that an exploit cannot rely on fixed addresses, can be defeated remotely.
Groß demonstrated how an attacker could set up a side channel to interact with the user’s device: the delivery receipts that tell a sender their iMessage has arrived can be used to learn whether a crafted message was processed by the target, and that feedback, combined with the memory corruption bug, made remote code execution possible.
Groß has recommended new security measures to Apple, some of which the iPhone maker has already implemented.
Extent of vulnerability and how it can be fixed
The biggest concern about the iPhone vulnerability reported by Google is that it requires no interaction from the user to exploit. Most attacks need the victim to do something, such as tapping a malicious link or installing a malicious application; this one needs only the victim’s phone number (or the email address registered with iMessage), since the malicious iMessage does the work on its own.
The issue has been fixed, and it was responsibly reported to Apple by Google’s Project Zero. Because a complete fix took some time to reach iPhone users, the technical details were withheld until well after the patch shipped. Holding back details in this way stops attackers from trivially reproducing the exploit and gives people time to update their operating systems once a fix is available.