New iOS Bug Lets Attackers Monitor All Your Tapping And Keystrokes

Apple lets Touch ID be used to unlock the iPhone and make purchases through the iTunes Store, but jailbreakers have other ideas.

Apple just finished patching the nasty goto fail bug in iOS 7 and OS X, but a report shows another vulnerability in iOS has been discovered that gives attackers access to every single touch you make, including your keystrokes.

The new vulnerability discovered by FireEye works on non-jailbroken iPhones and iPads running iOS 7.0.4, 7.0.5, and 7.0.6, as well as those running 6.1.x.

FireEye says they’ve been collaborating with Apple on the bug and they’ve created a proof-of-concept monitoring app that records a user's touch events in the background. The flaw uses resources iOS provides for apps to run in the background to register presses on the screen, home button, volume buttons and Touch ID without being detected by the user.

The monitoring app can’t tell exactly which key you’re pressing; it logs the X and Y coordinates of each touch instead, but that information could easily be used to decipher keystrokes.


Attackers could use the exploit by luring victims to phishing sites to install a malicious app, or by exploiting a remote vulnerability in another app and then monitoring in the background.

A fix for the bug is pending. In the meantime, the only course of action iOS users have is to kill apps running in the background to prevent unwanted monitoring.


  • digitaldumdum

    Oh jeez, will this never stop? If you scrutinized every operating system on every device from every manufacturer—and if you believed all the paranoid hype—you’d be quaking in your shoes. I’ll bet no one… not ONE person has made an “attack” on an iPhone and hijacked taps.

    Slow news days are showing at Cult.

  • lucascott

    A bug they haven’t actually fully proven. They don’t show the code in iOS that makes it possible, they don’t show the code that would need to be in an app. They don’t show anything useful in terms of mapping the data to actual letters etc. And they don’t show a single app, even theirs that has gotten into the store past the monitors. They don’t even show it working in the background and sending any info anywhere.

    Their proof of concept could be something they whipped up to show what they wanted it to show to ride on the coattails of the whole GoTo issue and get some press.

About the author

Buster Hein is Cult of Mac's Senior News Editor and lives in Phoenix, Arizona. Twitter: @bst3r.
