Apple quietly patched iPhone vulnerability allowing unauthorized collection of sensor data...

Posted:
in iPhone edited April 2017
Apple in 2016 issued a fix for a website-based iOS exploit that could've allowed hackers to collect sensor data from iPhones, and potentially learn many things about their targets -- even their passcodes, researchers revealed this week. [Updated with Apple clarification]




Findings shared by the researchers, based at Newcastle University in the U.K., noted that Web browsers don't need to ask permission for most sensor data, and that motion data in particular can be used to gauge what someone is doing on their phone. Through analysis, it was possible to crack a four-digit PIN with 70 percent accuracy on the first guess, and reach 100 percent accuracy by the fifth.

A JavaScript exploit was used to run the malware needed to gather data.

Companies like Apple and Google were alerted to the problem, and at least Apple Safari and Mozilla Firefox have been "partially" fixed, according to Newcastle. The university cautioned however that it's "still working with industry" on a comprehensive solution, and that people worried about their privacy should do things like change PINs and passwords regularly, keep their devices up-to-date, and close background apps they don't need.

Google is said to be aware of the trouble, but without any fix so far.

Apple's software fix came with iOS 9.3, released in March last year. That update also introduced Night Shift and secure Notes, while solving a security gap in iMessage. It proved problematic in its own right though, creating issues with Activation Lock and Web links that Apple had to fix in short order.

Update: Apple contacted AppleInsider to mention that the researchers in question are cited in iOS 9.3's security notes.

Comments

  • Reply 1 of 14
    Good that they plugged this, but how would anyone ever use this? So they can get your passcode. What next? Are they going to track you down and steal your iPhone just so they can unlock it?
    SpamSandwichlolliver
  • Reply 2 of 14
    chiachia Posts: 713member
    Good that they plugged this, but how would anyone ever use this? So they can get your passcode. What next? Are they going to track you down and steal your iPhone just so they can unlock it?
    Consider an airport, hotel or coffee shop wifi access point with a compromised landing page.  Maybe you pop the toilet and leave your phone briefly with the concierge for safe keeping or with airport security for a security check. You get your phone back five or ten minutes later, none the wiser to all the info they've looked at whilst you've been away.
  • Reply 3 of 14
    Good that they plugged this, but how would anyone ever use this? So they can get your passcode. What next? Are they going to track you down and steal your iPhone just so they can unlock it?
    Saves asking for it when you arrive in the USA. IF they know it then they can access your phone and not breach your constitutional rights.
    How it was obtained would be Top Secret - Eyes Only.

    I am joking but you asked the question...
    watto_cobra
  • Reply 4 of 14
    SoliSoli Posts: 10,035member
    Good that they plugged this, but how would anyone ever use this? So they can get your passcode. What next? Are they going to track you down and steal your iPhone just so they can unlock it?
    Unfortunately, people still use the same passcodes and PINs when possible.
    watto_cobra
  • Reply 5 of 14
    Given Apple's response shouldn't you fix the mistake in the headline? Since it wasn't quiet at all.
    lolliverwatto_cobraStrangeDays
  • Reply 6 of 14
    mike1mike1 Posts: 3,275member
    Good that they plugged this, but how would anyone ever use this? So they can get your passcode. What next? Are they going to track you down and steal your iPhone just so they can unlock it?
    No, but if they ascertained the pass code for your bank or Amazon, for example, they could potentially log in from any device or computer.
    watto_cobra
  • Reply 7 of 14
    mike1 said:
    Good that they plugged this, but how would anyone ever use this? So they can get your passcode. What next? Are they going to track you down and steal your iPhone just so they can unlock it?
    No, but if they ascertained the pass code for your bank or Amazon, for example, they could potentially log in from any device or computer.

    They only claimed accuracy using a 4 digit PIN and they only demoed it using the larger "number pad" that pops up for entry of a PIN. Had they demoed it with a full keyboard and showed them being able to discern between an "a" and "s" then I might be worried about them getting an actual password.
    watto_cobra
  • Reply 8 of 14
    sflocalsflocal Posts: 6,092member
    Given Apple's response shouldn't you fix the mistake in the headline? Since it wasn't quiet at all.
    Agree.  What's up with the click-bait headline AI?? You're making it sound like Apple was trying to keep this vulnerability hush-hush when clearly they were not.  A security team finds a flaw, it gets patched.  Are you somehow expecting Apple to print a full-page ad and announce to the world in a sound of trumpets that there was a flaw?  

    Oh right...  anything that can be even remotely put Apple in a bad light generates more traffic than even the worse security flaw that Android has.  My bad.

    lkruppai46StrangeDaysindiekiduklolliverwatto_cobrapropod
  • Reply 9 of 14
    lkrupplkrupp Posts: 10,557member
    Good that they plugged this, but how would anyone ever use this? So they can get your passcode. What next? Are they going to track you down and steal your iPhone just so they can unlock it?
    The paranoids among us can  always come up with scenarios. It must a hard life looking over your shoulder constantly. For normal people these exploits are about as feasible as being struck a by a meteorite while in your shower. Just once I’d like to see a verified, confirmed report from a tech blog of someone getting nailed by one these weird security ‘holes’. 

    Speaking of paranoids, has anyone seen those Youtube videos of wack jobs putting giant padlocks on their power meter boxes so the power company can’t install a so-called smart-meter, which allegedly is then used to spy on you and/or scramble your brains? I’m guessing a few AI commenters may be in that cadre. 
    edited April 2017 gatorguy2old4funwatto_cobra
  • Reply 10 of 14
    evilutionevilution Posts: 1,399member

    Google is said to be aware of the trouble, but without any fix so far.
    I think this should repeated for clarity.
    watto_cobraMacsplosion
  • Reply 11 of 14
    Hold on there Apple Fake News Insider

    [1] http://www.ncl.ac.uk/press/news/2017/04/sensors/
    The link in the article (dated 11 April 2017) says "The team has alerted all the major browser providers - including Google and Apple - of the risks but for the moment, says Dr Mehrnezhad, no-one has been able to come up with an answer."

    So was it fixed or not by Apple?

    [2] The CVE ID on the Apple page 
    https://support.apple.com/en-us/HT206166 is CVE-2016-1780. That points to a WebKit (i.e. browser) exploit being patched.
    That points to a Mozilla FireFox allowing access to the data, same as the WebKit patch that Apple did. There is no mention that this is Android only.

    So is this a browser exploit only since the browser gives access without prompt? The browser is the interface between the web and the phone operating system. You cannot just have a web page randomly get pin numbers without going through a browser, and that seems where the issue is. Not with the OS itself.
  • Reply 12 of 14
    netmagenetmage Posts: 314member
    The browser is part of the mobile OS these days, especially on iOS. 
  • Reply 13 of 14
    I tend to use the fingerprint sensor on the phone and the iPad instead of a passcode. But iOS forces the use of the passcode when rebooting the device or if I haven't logged in for 48 hours which happens frequently on the iPad. It would be nice if the passcode had to be followed by use of the fingerprint scanner. It would seem that such a case would defeat these types of attempts at breaking security and accessing my device or the services I use on it. 
    anton zuykov
  • Reply 14 of 14
    anton zuykovanton zuykov Posts: 1,056member
    I tend to use the fingerprint sensor on the phone and the iPad instead of a passcode. But iOS forces the use of the passcode when rebooting the device or if I haven't logged in for 48 hours which happens frequently on the iPad. It would be nice if the passcode had to be followed by use of the fingerprint scanner. It would seem that such a case would defeat these types of attempts at breaking security and accessing my device or the services I use on it. 
    Write Apple about that and suggest that change. I am not joking. It makes sense and it would defeat those types of attack that you mentioned, by at least creating a time buffer between attempts.
Sign In or Register to comment.