New iOS Bug Lets Attackers Monitor All Your Tapping And Keystrokes

Apple lets Touch ID be used to unlock the iPhone and make purchases through the iTunes Store, but jailbreakers have other ideas.

Apple just finished patching the nasty goto fail bug in iOS 7 and OS X, but a report shows another vulnerability in iOS has been discovered that gives attackers access to every single touch you make, including your keystrokes.

The new vulnerability discovered by FireEye works on non-jailbroken iPhones and iPads running iOS versions 7.0.4, 7.0.5, and 7.0.6, as well as those running 6.1.x.

FireEye says they’ve been collaborating with Apple on the bug and they’ve created a proof-of-concept monitoring app that records a user's touch events in the background. The flaw uses the resources iOS provides for apps to run in the background to register presses on the screen, home button, volume buttons and Touch ID without being detected by the user.

The monitoring app can’t tell exactly which key you’re pressing. Instead, it logs the X and Y coordinates of each touch, and that information could easily be used to decipher keystrokes.

Attackers could use the exploit by luring victims to phishing sites to install a malicious app, or by exploiting another remote vulnerability in some app and then monitoring in the background.

A fix for the bug is pending, but in the meantime the only course of action iOS users have to avoid the security flaw is to kill apps running in the background to prevent unwanted monitoring.

Source: FireEye

Via: ArsTechnica
