About a year ago, Android users were fighting something called the Stagefright bug. Buried deep in the bowels of the operating system was a series of bugs that would allow an attacker to send you a specially crafted text message and take over your Android phone. Stagefright affected close to a billion phones in the worst case scenario, but more likely about half that number – still a HUUUGE problem.
This week it is Apple’s turn. Cisco’s security research arm, Talos, discovered what is really a similar problem to Stagefright. All an attacker needs is your phone number – likely not hard to get. Then they send a specially crafted iMessage or MMS message.
The attack could be exploited via Safari by getting the user to visit an infected web site.
In any case, no user interaction is required.
So what can the attack do for the hacker?
Nothing important. Just leak your authentication credentials stored in memory to the hacker. Forbes says this includes any credentials the target is using in the browser such as website credentials or email logins.
Due to other security mechanisms in the iPhone, the attacker can’t completely take over the phone, but this is sufficiently bad. Apparently, on a Mac, the problem is worse because the Mac sandbox works differently.
And, this even affects WatchOS.
In addition to this bug, the researchers at Talos also found a memory corruption bug.
And a security engineer at Salesforce found a flaw in FaceTime that would allow hackers who were located on the same network as the user (i.e., they came from outside but already compromised some other PC on your network) to spy on your FaceTime conversations. Apple says “an attacker in a privileged network position (which they don’t define) may be able to cause a call to continue transmitting audio while appearing as if the call was hung up.
In total, 43 bugs were fixed in the new version of iOS.
If you are not running iOS 9.3.3 which was released on July 18th or MAC OS El Capitan 10.11.6, released on the same day, you should update now.
Given the complexity of computers and phones these days, it is not completely surprising that serious bugs are found. This means we need to make sure that researchers are not hampered by Washington’s lack of understanding of technology – but that is a whole ‘nother post.
Like Stagefright, this bugs affect all versions of iOS before the one that was released 4 days ago.
According to Apple, 14% of iPhones run iOS 8 or earlier. Likely these are older phones that might not be able to run iOS 9 for some reason. Those phones will never be patched unless the upgrade to iOS 9. Talk about a ‘target rich environment’. That represents close to a hundred million phones that may never be patched – like older Android phones.
How many of the more than 1 billion iPhones are running a version of iOS older than 4 days ago? Likely a large number. Probably several hundred million.
This just reinforces the fact that we really need to figure out, with the billions of phones and tablets out there, how to get people to upgrade to the MOST CURRENT version of the OS. That means that old phones need to crushed and melted. I know people don’t want to spend the money to replace phones that still function, but the alternative is to use a phone with bugs that allow attackers to, in this case, steal your passwords. I guess you could sell your old unsupported phone on eBay and make it someone else’s problem 🙂