Wednesday, February 26, 2014

New iOS vulnerability discovered, allows keylogging on iDevices

Right on the heels of the iOS 6.1.6 and 7.0.6 releases, which fixed a huge "Goto" FUBAR in Apple's iOS SSL code, FireEye said on Monday night that they have discovered yet another iOS security vulnerability. This one could allow the installation and use of a keylogger which could monitor all key presses and screen touches.

According to the firm, they created such an app, and used it successfully on non-jailbroken iPhones and iPads. The vulnerability affects devices running iOS versions 7.0.4, 7.0.5, and 7.0.6, as well as those on 6.1.x. That means even the latest 7.0.x release still has the issue.

The big question, of course, is how would a hacker get the app on a device? A non-jailbroken iPhone can only install from the App Store, so a hacker would have to somehow disguise an app and get it past the App Store review process.

In terms of the proof-of-concept app, there are ways to install experimental apps on iDevices. Interestingly, though, prior to the posting of their blog entry, FireEye published a separate brief -- one that was quickly removed. However, what goes on the Internet stays on the Internet. According to an RSS reader cache that captured the earlier post,
FireEye successfully delivered a proof-of-concept monitoring app through the App Store that records user activity and sends it to a remote server. We have been collaborating with Apple on this issue.
The portion of that sentence that says that the app was delivered through the App Store has to be surprising.

The issue arises because of the way background apps run on an iPhone or iPad. While "background app refresh" can be disabled in iOS by going into Settings, General, Background App Refresh, some apps, like a music player, can run in the background without on its "background app refresh" switch being turned on.

Users can also kill background apps by using the iOS task manager. Pressing the home button twice in iOS will bring it up, and than an app can be swiped up and off the screen to disable it.

It is unclear if this vulnerability will be fixed in a new 7.0.x release or if Apple will simply wait for iOS 7.1 to release, and fix it there. It's also possible that 7.1 might ship with the vulnerability "intact," as most believe the new iOS version will ship in mid-March.

No comments: