Security researchers discovered that an iPhone could be turned into a surveillance tool that can expose the victim’s sensitive information, including contacts, Live Location, chat history, emails, photos, and passwords.
According to Ian Beer, Google’s Project Zero researcher, a number of flaws in iPhones could enable attackers to set Monitoring Implants in the devices. The researcher said that they’ve found Fourteen security flaws that existed in iPhones from the past two years.
“Visiting hacked sites was all that is needed for a server to gather users’ images and contacts. A user only had to visit a website to potentially give hackers access to messages, photos, contacts, and location information,” Ian Beer said in a statement.
Apple stated that it fixed all the flaws in a software update released in February 2019, after confirming Google findings.
“We discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes. Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery (CVE-2019-7287 & CVE-2019-7286). We reported these issues to Apple with a 7-day deadline on 1 Feb 2019, which resulted in the out-of-band release of iOS 12.1.4 on 7 Feb 2019,” Beer added.
Recently, digital forensic experts at Google discovered six flaws in Apple’s iMessage software that could impact the iOS operating system and make the devices vulnerable to attacks. The bugs were discovered by Natalie Silvanovich and Samuel Grob.
However, Apple has released fixes for the vulnerabilities recently and urged users to update. But the researchers said the patch for the sixth discovered bug is not yet provided in the update to its mobile operating system.
According to researchers, four of the six security bugs, CVE-2019-8641, CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662 can execute malicious code on a remote iOS device, without a user’s knowledge. The bug can be exploited when an attacker sends a malicious message to the victim’s phone, which will be executed when a user opens and views the received message.