Apple quietly patched iPhone vulnerability allowing unauthorized collection of sensor data...
Apple in 2016 issued a fix for a website-based iOS exploit that could've allowed hackers to collect sensor data from iPhones, and potentially learn many things about their targets -- even their passcodes, researchers revealed this week. [Updated with Apple clarification]
Findings shared by the researchers, based at Newcastle University in the U.K., noted that Web browsers don't need to ask permission for most sensor data, and that motion data in particular can be used to gauge what someone is doing on their phone. Through analysis, it was possible to crack a four-digit PIN with 70 percent accuracy on the first guess, and reach 100 percent accuracy by the fifth.
A JavaScript exploit was used to run the malware needed to gather data.
Companies like Apple and Google were alerted to the problem, and at least Apple Safari and Mozilla Firefox have been "partially" fixed, according to Newcastle. The university cautioned however that it's "still working with industry" on a comprehensive solution, and that people worried about their privacy should do things like change PINs and passwords regularly, keep their devices up-to-date, and close background apps they don't need.
Google is said to be aware of the trouble, but without any fix so far.
Apple's software fix came with iOS 9.3, released in March last year. That update also introduced Night Shift and secure Notes, while solving a security gap in iMessage. It proved problematic in its own right though, creating issues with Activation Lock and Web links that Apple had to fix in short order.
Update: Apple contacted AppleInsider to mention that the researchers in question are cited in iOS 9.3's security notes.
Findings shared by the researchers, based at Newcastle University in the U.K., noted that Web browsers don't need to ask permission for most sensor data, and that motion data in particular can be used to gauge what someone is doing on their phone. Through analysis, it was possible to crack a four-digit PIN with 70 percent accuracy on the first guess, and reach 100 percent accuracy by the fifth.
A JavaScript exploit was used to run the malware needed to gather data.
Companies like Apple and Google were alerted to the problem, and at least Apple Safari and Mozilla Firefox have been "partially" fixed, according to Newcastle. The university cautioned however that it's "still working with industry" on a comprehensive solution, and that people worried about their privacy should do things like change PINs and passwords regularly, keep their devices up-to-date, and close background apps they don't need.
Google is said to be aware of the trouble, but without any fix so far.
Apple's software fix came with iOS 9.3, released in March last year. That update also introduced Night Shift and secure Notes, while solving a security gap in iMessage. It proved problematic in its own right though, creating issues with Activation Lock and Web links that Apple had to fix in short order.
Update: Apple contacted AppleInsider to mention that the researchers in question are cited in iOS 9.3's security notes.
Comments
How it was obtained would be Top Secret - Eyes Only.
I am joking but you asked the question...
They only claimed accuracy using a 4 digit PIN and they only demoed it using the larger "number pad" that pops up for entry of a PIN. Had they demoed it with a full keyboard and showed them being able to discern between an "a" and "s" then I might be worried about them getting an actual password.
Oh right... anything that can be even remotely put Apple in a bad light generates more traffic than even the worse security flaw that Android has. My bad.
Speaking of paranoids, has anyone seen those Youtube videos of wack jobs putting giant padlocks on their power meter boxes so the power company can’t install a so-called smart-meter, which allegedly is then used to spy on you and/or scramble your brains? I’m guessing a few AI commenters may be in that cadre.
[1] http://www.ncl.ac.uk/press/news/2017/04/sensors/
The link in the article (dated 11 April 2017) says "The team has alerted all the major browser providers - including Google and Apple - of the risks but for the moment, says Dr Mehrnezhad, no-one has been able to come up with an answer."
So was it fixed or not by Apple?
[2] The CVE ID on the Apple page https://support.apple.com/en-us/HT206166 is CVE-2016-1780. That points to a WebKit (i.e. browser) exploit being patched.
That points to a Mozilla FireFox allowing access to the data, same as the WebKit patch that Apple did. There is no mention that this is Android only.
So is this a browser exploit only since the browser gives access without prompt? The browser is the interface between the web and the phone operating system. You cannot just have a web page randomly get pin numbers without going through a browser, and that seems where the issue is. Not with the OS itself.