Apple patches vulnerability where iPhone & MacBook cameras could be hijacked
An ethical "white-hat" hacker exploited Apple's own apps in December to show how a malicious website could gain unrestricted access to a user's camera and microphone without consent using flaws that have since been patched.
Former Amazon Web Services security engineer, Ryan Pickren, discovered seven zero-day vulnerabilities in Apple's Safari that could be used to hijack users' cameras. The vulnerabilities exploited the way Safari parsed Uniform Resource Identifiers, managed web origins, and initialized secure contexts.
The only requirement was that the user's camera would have had to trust a video conferencing site, like Zoom. If that criteria was met, a user could visit a site that utilized the attack chain, and a hacker could gain access to a users camera -- both on iOS and macOS.
Pickren had submitted his research to the Apple Bug Bounty program and was paid $75,000 for his contribution. Apple fixed three of the security flaws -- the ones that allowed for camera hijacking -- in the January 28 Safari 13.0.5 update. The four remaining flaws were not fixed until the Safari 13.1 release on March 24.
"A bug like this shows why users should never feel totally confident that their camera is secure," Pickren told Forbes, "regardless of operating system or manufacturer."
Pickren had discovered the bug by "finding assumptions in software and violating those assumptions to see what happens." He noted that the camera security model was difficult to crack, as Apple requires nearly every app to be granted explicit permission to the microphone and camera. This makes it far less likely that a malicious third-party app could gain access without a users express permission.
The exception to the rule, however, is Apple's own apps, such as Safari. Pickren was able to exploit this exception to uncover the bugs. He managed to "hammer the browser with obscure corner cases" until he gained access to the camera.
Former Amazon Web Services security engineer, Ryan Pickren, discovered seven zero-day vulnerabilities in Apple's Safari that could be used to hijack users' cameras. The vulnerabilities exploited the way Safari parsed Uniform Resource Identifiers, managed web origins, and initialized secure contexts.
The only requirement was that the user's camera would have had to trust a video conferencing site, like Zoom. If that criteria was met, a user could visit a site that utilized the attack chain, and a hacker could gain access to a users camera -- both on iOS and macOS.
Pickren had submitted his research to the Apple Bug Bounty program and was paid $75,000 for his contribution. Apple fixed three of the security flaws -- the ones that allowed for camera hijacking -- in the January 28 Safari 13.0.5 update. The four remaining flaws were not fixed until the Safari 13.1 release on March 24.
"A bug like this shows why users should never feel totally confident that their camera is secure," Pickren told Forbes, "regardless of operating system or manufacturer."
Pickren had discovered the bug by "finding assumptions in software and violating those assumptions to see what happens." He noted that the camera security model was difficult to crack, as Apple requires nearly every app to be granted explicit permission to the microphone and camera. This makes it far less likely that a malicious third-party app could gain access without a users express permission.
The exception to the rule, however, is Apple's own apps, such as Safari. Pickren was able to exploit this exception to uncover the bugs. He managed to "hammer the browser with obscure corner cases" until he gained access to the camera.
Comments
bwahahaha
Does anyone know if this vulnerability was able to activate without turning on the LED on newer Macs?
https://daringfireball.net/2019/02/on_covering_webcams
But he also notes that a quick frame grab might be so fast that you might not notice the camera light has been lit.
And, it's a better webcam too!
AppleInsider said:
He noted that the camera security model was difficult to crack, as Apple requires nearly every app to be granted explicit permission to the microphone and camera. This makes it far less likely that a malicious third-party app could gain access without a users express permission.
The exception to the rule, however, is Apple's own apps, such as Safari. Hmm, but doesn't Safari pass out those permissions on a site-by-site basis? I was just trying to get some video-conferencing software working for an upcoming dr appointment, and it just wouldn't work with Safari, because it kept claiming it couldn't access the camera (it asked for mic access, but must be buggy about asking for camera). I finally had to give up and use Chrome... which scares me a bit, because then who knows what Chrome gives out that access to. (Of course, I hardly ever use Chrome except for such instances, so that should be OK.)
https://support.apple.com/en-gb/guide/security/secbbd20b00b/web
https://apps.apple.com/us/app/micro-snitch/id972028355?mt=12
Superb, free (donation-ware).