Serious Warning Issued For Millions Of Apple iPhone Users


    The latest iPhone 13 leaks have set tongues wagging, but now there is a more immediate concern after a new warning was issued to iPhone owners worldwide. 

    MORE FROM FORBESTop Apple Tipster Reveals First iPhone 14 Details

    Following revelations last month that all iPhones are vulnerable to a simple WiFi hack, new research from Amichai Shulman, CTO of wireless security specialist AirEye, has revealed the threat is potentially more dangerous than was first reported and may also spread to macOS. 

    “Our response research on the format string flaw revealed that the vulnerability is not only restricted to the iOS operating system,” states Shulman. “It also has the potential to affect the macOS operating system used by many corporations for employee stations.”

    “The nature of format string vulnerabilities is that when carefully crafted they can be used to write arbitrary code into random, or chosen, parts of a machine’s memory – and even eventually inject and execute code,” Shulman explains. “Since it is possible for the vulnerable iOS and macOS devices to be connected to the larger corporate network, this code can eventually be used for lateral movement even if it only stemmed from an employee accidentally joining an unknown SSID. Once the malicious code has infiltrated a device on the network, it can exploit corporate data without the need to ‘access the network first’ in the typical ways.”

    And this has significant consequences: 

    “Since the attack traffic is not part of the corporate network, Firewalls, NACs and Secure WLANs do not protect against this type of attack and most traditional network security solutions remain completely oblivious to it,” he adds. “Attack traffic can be sent over channels that are not used for corporate network traffic. Consequently, the attack goes undetected by network security solutions and does not leave any trace in the forensics and networking logs.”

    Shulman is also critical of industry reporting of the flaw, which focused on the current exploit needing an unusual WiFI SSID: “Consider the case where there would be a way to hide the last part of a network name upon connection (e.g. cases where very long URLs or hostnames that are used for phishing are displayed only partially in the address bar).” Shulman also points out that iPhone support for “multi line” SSIDs mean “an attacker could potentially create a network name whose first line is ‘legit’ and the next line contains the specially crafted format string.”

    Moreover, Shulman notes that this is a problem which is set to grow both in terms of threat and targets:

    “Though it has not yet been used beyond the realm of pranks, the new Apple format string vulnerability shows that even the most fundamental message exchange over the wireless medium (i.e. network recognition) may still be vulnerable. Now that researchers are starting to dig into Wi-Fi protocols, we should expect more such vulnerabilities, across all operating systems, to surface.”

    Apple has yet to fix the current flaw and Sulman believes Apple and other tech giants are poised to enter a new game of Whack-a-mole as hackers eye up a rich seam of airborne attacks. 

    “Airborne attacks are new and an as-yet unaddressed threat vector. Given their stealthy nature we’re bound to see more such attacks… Recent months have seen a slew of published digital airborne attacks – the AWDL attack, FragAttacks and this one. These three incidents are drawing a clear trend line of this new attack surface.”

    Apple iOS 14.7 is currently in beta testing though I would be surprised if a fix for the current airborne attack (potentially iOS 14.6.1) is not released sooner. In the meantime, I have contacted Apple and will update this article when/if I receive a response. 

    ___

    Follow Gordon on Facebook

    More On Forbes

    Apple Extends Magnet Health Warning To AirPods, iPads, iPhones And MacBooks

    All iPhone 13 Models Miss Out On Touch ID, Claims Apple Analyst



    Source link

    Previous articleBitcoin Mining Difficulty Records Largest Drop in History
    Next articleJustice Clarence Thomas, Mexico’s Decriminalization, Apple’s Policy Changes, Tilray And More