Google’s Project Zero has demonstrated how an Apple iPhone could be hacked remotely.
Apple has been promoting a secure profile, and iPhones are generally considered secure devices. However, it seems that they can be hacked.
Security researcher Samuel Groß used an Apple ID and managed to remotely hack an iPhone within minutes, stealing passwords, text messages and emails. He took advantage of the CVE-2019-8641 vulnerability and managed to remotely activate an Apple iPhone’s microphone and camera without any interaction from the user.
Hopefully, the specific vulnerability was fixed by Apple, so it’s not a danger to you any longer–unless of course you have avoided applying iOS updates on your phone.
The issue was originally discovered and reported to Apple as part of Groß’s joint project with Natalie Silvanovich back in July, with a proof of concept exploit published in August.
The vulnerability was first dealt with in iOS 12.4.1 on August 26 when Apple made the vulnerable code unreachable over iMessage. It was fully fixed on October 28 last year when iOS 13.2 dropped.
The Google Project Zero blog reveals some technical details about Groß’s research.
Groß has recommended new security measures to Apple, some of which the iPhone maker has already implemented.
Groß proved that despite numerous exploit mitigations being deployed, it is still possible to exploit memory corruption vulnerabilities in a non-interactive setting such as mobile messaging services and without an additional remote infoleak vulnerability as is commonly deemed necessary.
"My hope is that this research will ultimately help all vendors by highlighting how small design decisions can have significant security consequences and to hopefully better protect their users from these kinds of attacks," Groß said.
The issue shouldn’t be a problem if you keep your iPhone up to date.