New iOS Bug Lets Attackers Monitor All Your Tapping And Keystrokes

Apple lets Touch ID be used to unlock the iPhone and make purchases through the iTunes Store, but jailbreakers have other ideas.

Apple just finished patching the nasty goto fail bug in iOS 7 and OS X, but a report shows another vulnerability in iOS has been discovered that gives attackers access to every single touch you make, including your keystrokes.

The new vulnerability discovered by FireEye works on non-jailbroken iPhones and iPads running iOS 7.0.4, 7.0.5, and 7.0.6, as well as those running 6.1.x.

FireEye says they’ve been collaborating with Apple on the bug and they’ve created a proof-of-concept monitoring app that records a user's touch events in the background. The flaw uses resources iOS provides for apps to run in the background to register presses on the screen, home button, volume buttons and Touch ID without being detected by the user.

The monitoring app can’t tell exactly which key you’re pressing. Instead, it logs the X and Y coordinates of each touch, and that information could easily be used to decipher keystrokes.

Attackers could use the exploit by luring victims to phishing sites to install a malicious app, or by exploiting a remote vulnerability in another app and then monitoring in the background.

A fix for the bug is pending, but to avoid the security flaw in the meantime, the only course of action iOS users have is to kill apps running in the background to prevent unwanted monitoring.

About the author

Buster Hein is Cult of Mac's Senior News Editor and lives in Phoenix, Arizona. Twitter: @bst3r.
