Slashdot Mirror

← Back to Stories (view on slashdot.org)

New iOS Keylogging Vulnerability Discovered

Posted by timothy on from the it's-called-eye-phone-duh dept.

exomondo writes "Following hot on the heels of the iOS (and OS X) SSL security bug comes the latest vulnerability in Apple's mobile operating system. It is a security bug that can be used as a vector for malware to capture touch screen, volume rocker, home button and (on supported devices) TouchID sensor presses, information that could be sent to a remote server to re-create the user's actions. The vulnerability exists in even the most recent versions of iOS and the authors claim that they delivered a proof-of-concept monitoring app through the App Store."

47 of 72 comments (clear)

  1. Linux and windows have vulnerabilities by bazmail · · Score: 5, Insightful

    apple software has "bugs".

    1. Re:Linux and windows have vulnerabilities by StripedCow · · Score: 2

      At least Microsoft is conducting research to reduce bugs.
      See for example: http://research.microsoft.com/...

      Not sure where Apple stands.

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
    2. Re:Linux and windows have vulnerabilities by alen · · Score: 1, Interesting

      this one relies on apps that run in the background and "listen" to touch inputs

      since android is multitasking as well i assume it has the same issues

    3. Re:Linux and windows have vulnerabilities by kthreadd · · Score: 1

      We don't know because Apple never comments on things. It's a black box.

    4. Re:Linux and windows have vulnerabilities by Anonymous Coward · · Score: 5, Funny

      Not sure where Apple stands.

      On a mahogany patio, looking at a gold-plated Olympic-size swimming pool full of cash, smiling before wading in.

    5. Re:Linux and windows have vulnerabilities by Anonymous Coward · · Score: 2, Interesting

      Background tasks don't receive touch input. That's why they are in the background.

      Unless you are iOS and have this vulnerability.

    6. Re:Linux and windows have vulnerabilities by jddeluxe · · Score: 1

      Not sure where Apple stands.

      On a mahogany patio, looking at a gold-plated Olympic-size swimming pool full of cash, smiling before wading in.

      ...On the yacht...

    7. Re:Linux and windows have vulnerabilities by tero · · Score: 1

      You didn't even read the summary? That's very /. of you

      " iOS (and OS X) SSL security bug comes the latest vulnerability in Apple's mobile operating system"

    8. Re:Linux and windows have vulnerabilities by rehtonAesoohC · · Score: 5, Insightful

      You can't assume that because android also has multi-tasking that it also has a security vulnerability... It's a completely different system with completely different designs. That's like saying that because an apple has skin that you should also eat people too.

    9. Re:Linux and windows have vulnerabilities by FlopEJoe · · Score: 2

      apple software has "bugs".

      It's a glitch.

    10. Re:Linux and windows have vulnerabilities by bazmail · · Score: 1

      I tried to be all-inclusive and use the lowest form of wit as the basis for a joke, but it seems to have passed clear over your head.
      I will try to include pie-in-the-face gags and poop in my next humor-based post.

      NO SLASHDOTTER LEFT BEHIND!!!!

    11. Re:Linux and windows have vulnerabilities by idontgno · · Score: 1

      It's a "You're doing it wrong!".

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    12. Re:Linux and windows have vulnerabilities by 0xdeadbeef · · Score: 1

      And if they allow privilege escalation they're called "jailbreaks".

    13. Re:Linux and windows have vulnerabilities by Anubis+IV · · Score: 1

      I shouldn't need to be explaining this on Slashdot, but the two are not necessarily the same, and one is not a polite euphemism for the other. A bug may lead to a vulnerability, or it may not, since it could be as benign as unexpected output for the provided input or as dangerous as the stuff we hear about here each day.

      In contrast, vulnerabilities are always dangerous, though to varying extents, and they may not always be caused by software bugs (though I suppose there is an argument to be made that you cannot have a vulnerability in the absence of bugs, such as bugs in the design spec that lead to vulnerabilities, even when implemented "correctly").

      Anyway, even if we set aside all of that, the summary refers to this issue as both a "vulnerability" and a "bug" in the span of the first two sentences (both of which appear to be applicable in this case), so I don't know why you're getting wound up.

    14. Re:Linux and windows have vulnerabilities by Slashcrunch · · Score: 1

      Hehe you missed a fairly thick joke there :)

      No one is denying that another vulnerability was found. Vulnerabilities will be found in any software.

    15. Re:Linux and windows have vulnerabilities by PNutts · · Score: 1

      apple software has "bugs".

      It's a glitch.

      And the Bobs fixed it.

  2. Goes to show... by jones_supa · · Score: 5, Insightful

    As Apple products keep gaining larger market share, also the number of discovered vulnerabilities increases day after day. Having a UNIX base does not mean that you are automatically invincible.

    1. Re:Goes to show... by Anonymous Coward · · Score: 1

      gaining a larger market share?

      they are going backwards.....

      the only place that buys apple products in a large quantity is the US....

      9% market share..... yep everyone is buy them

    2. Re:Goes to show... by Anonymous Coward · · Score: 1

      Actually, they haven't. They've never dominated the marketplace.

      Their phones only passed Blackberry's highest marketshare only in 2012 / 2013.

  3. Re:Can we just go back to the gotofail bug for a s by Cinder6 · · Score: 4, Informative

    They just released the patch for OS X, actually.

    http://appleinsider.com/articl...

    --
    If you can't convince them, convict them.
  4. Is this a real vulnerability or hype? by Ronin+Developer · · Score: 2, Insightful

    The method of how the app was installed on a non-jail broken device was not discussed. While I would say that being able to capture touches and such by an background app is a potential threat, getting the software on a device is easier said than done.

    Mobile Management Systems (MMS) have access to APIs that can also do these sorts of things.

    I would venture that this was one using either developer mode or as an enterprise app and not through the the AppStore. Jailbroken devices are, clearly, more at risk.

    Now...a bigger question. Can the same be done on Android devices? I am betting "Yes"????

     

    1. Re:Is this a real vulnerability or hype? by R3d+M3rcury · · Score: 1

      Now...a bigger question. Can the same be done on Android devices? I am betting "Yes"????

      I'd be willing to bet that it can as well.

      So what does that mean? iOS is just as vulnerable as Android?

    2. Re:Is this a real vulnerability or hype? by fsck-beta · · Score: 2

      iOS is just as vulnerable as Android?

      Not quite. It just means that iOS isn't as invulnerable as many claim.

  5. Re:virus too by Anonymous Coward · · Score: 1

    Quite a number of applications use Adobe AIR as their framework, which is effectively Flash.

    Flash in a Browser is, of course, a different story.

  6. stfu and learn noob by fluffythdestroy · · Score: 2

    http://news.cnet.com/8301-2707...

    --
    PC Gaming enthousiast that gives comments, opinions and reviews on Games. I'm just having fun with games while doing let
    1. Re:stfu and learn noob by Slashcrunch · · Score: 3, Informative

      Yeah, that one piece of malware is a real pain.

      Yes, malware for OSX and iOS does exist. It is very possible. But the problem seems to be about the same size as malware for Linux at this stage. By that I mean there is very little of anecdotal evidence of widespread, active malware in the wild targeting OSX, iOS and Linux. The same can't be said for Windows.

      So far I've never been hit on OSX, iOS or Linux. I've had plenty of Windows machines go down in flames though. I still have friends of family for which this is a fairly regular occurrence. Even myself, I had a fully patched Windows VM just for testing websites in IE. No antivirus installed. Visited some legitimate news and html/css sites... Boom. Malware installed.

    2. Re:stfu and learn noob by Gunboat_Diplomat · · Score: 1

      Yeah, that one piece of malware is a real pain.

      Yes, malware for OSX and iOS does exist. It is very possible. But the problem seems to be about the same size as malware for Linux at this stage. By that I mean there is very little of anecdotal evidence of widespread, active malware in the wild targeting OSX, iOS and Linux. The same can't be said for Windows.

      So far I've never been hit on OSX, iOS or Linux. I've had plenty of Windows machines go down in flames though. I still have friends of family for which this is a fairly regular occurrence. Even myself, I had a fully patched Windows VM just for testing websites in IE. No antivirus installed. Visited some legitimate news and html/css sites... Boom. Malware installed.

      Mac Malware Outbreak Is Bigger than 'Conficker'

    3. Re:stfu and learn noob by AmiMoJo · · Score: 1

      By that I mean there is very little of anecdotal evidence of widespread, active malware in the wild targeting OSX, iOS and Linux.

      Actually iOS seems to be a very popular target for NSA malware. Check out their malware catalogue, they have a lot of stuff targeting iOS.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:stfu and learn noob by TheGrimmReaper · · Score: 1

      The biggest? Really? I'm hope your using humor.

  7. Get out of your tower of Illusion by fluffythdestroy · · Score: 1

    Its incredible how a mac user (I presume you are but I could be wrong with your antivirus answer) but to think that mac don't need an anti-virus is simple stupid and arrogant at the same time. It's not because you got a mac that your invulnurable on viruses. Phishing works with a browser and every OS as one. my recent link in my post was about the flashback bot which works in browsers. Guess what ? Mac has browsers too and since people know mac don't have an anti-virus guess what will hackers or people with bad intention do ? They' ll probably attack mac users especially since Apple got more popularity in recent years. So mac users should get out of their tower of illusion and embrace reality before its too late. Cause right now WIndows users or most of them made their research, work and studies on viruses and antiviruses and most are ready. How much mac users are ready against the upcoming threats ?

    --
    PC Gaming enthousiast that gives comments, opinions and reviews on Games. I'm just having fun with games while doing let
    1. Re:Get out of your tower of Illusion by BasilBrush · · Score: 2

      You seem confused as to the topic. I repeat. OSX is not iOS. iOS doesn't have flash, nor flashback, nor any need for anti-virus. Anti-virus could only check for know malware, and known malware is removed by Apple anyway.

    2. Re:Get out of your tower of Illusion by AmiMoJo · · Score: 1

      So iOS does have anti-virus, in the form of Apple's ability to remotely delete malware based on signatures.

      If (app_id == KNOWN_MALWARE_72) uninstall();

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Get out of your tower of Illusion by BasilBrush · · Score: 1

      Well probably not based on signatures, no. There's no need when each app has a unique App ID.

      Now as anyone interested in security knows, security is not a single defensive wall. It's a series of walls, such that whilst an attacker might break through one, they are then met with another wall. As a final wall in the iOS security, Apple does have the ability to kill malware remotely. There's not been the need to use it as yet.

  8. So far /. is at 3% reading comprehension rate by JohnnyComeLately · · Score: 2
    35 messages on this thread as I read it, and only ONE says in any detail anything that shows the issue and what the vulnerability has as an underlying assumption. Here it is for those who did read the article (RTFA), you have to install a rogue app. So, someone who's breaking the ToS (not being rogue) has to put an app out, then you have to install it, and then it's scraping inputs. This isn't a security vulnerability as most responses on here opine about. My car has a gas pedal. Does the ECM for engine management have a "security vulnerability," because I can press hard on the right pedal and do 180mph (illegal by federal law)?? No. It's functioning as designed. Press hard on gas, go faster. App installed and running in background, can accept device inputs. For example, have a GPS app? It is allowing inputs from other applications (e.g. you can listen to music on the GPS app I have without kicking out to Music app) and inputs (buttons).

    Nothing significant to see here. Yeah, more restrictions from Apple development guidelines coming due to asshats being asshats. *sigh*

    1. Re:So far /. is at 3% reading comprehension rate by Anonymous Coward · · Score: 2, Interesting

      So, someone who's breaking the ToS (not being rogue) has to put an app out, then you have to install it, and then it's scraping inputs.

      Oh so it's not a security vulnerability if it's against the Terms of Service, wow Microsoft should implement a ToS and then most of their Windows security issues will cease to exist.

      This isn't a security vulnerability as most responses on here opine about.

      Of course it is, how do you figure that a process running in the background being able to break out of the sandbox restrictions and capture all inputs is not a security vulnerability? You would have to be a complete Apple shill to be in such denial about a bug like this.

      My car has a gas pedal. Does the ECM for engine management have a "security vulnerability," because I can press hard on the right pedal and do 180mph (illegal by federal law)?? No. It's functioning as designed.

      Yet the application sandboxing in iOS is clearly not working as designed as it is allowing background processes to capture all inputs. Since you clearly don't understand the concept of sandboxing it is obvious why you would not see the security problem here.

    2. Re:So far /. is at 3% reading comprehension rate by Anonymous Coward · · Score: 1

      you have to install a rogue app.

      That is how most malware works, unless you have a privilege escalation bug. And iOS has had at least one such web-based drive-by bug (jailbreakme.com) so there are probably more undiscovered ones.

      So, someone who's breaking the ToS

      I can't imagine people looking to infect devices with keylogging malware are living in fear of the terms of service.

      This isn't a security vulnerability as most responses on here opine about.

      Of course it is. Background processes capturing touch input most certainly is a bug in the iOS application sandbox.

      My car has a gas pedal. Does the ECM for engine management have a "security vulnerability," because I can press hard on the right pedal and do 180mph (illegal by federal law)??

      No. Just because it does not prevent you from doing something illegal does not make it defective. Your analogy certainly is defective though, the application sandbox defines what an application can and cannot do, in this case an application can subvert those restrictions hence the sandbox is defective.

      For example, have a GPS app? It is allowing inputs from other applications (e.g. you can listen to music on the GPS app I have without kicking out to Music app) and inputs (buttons).

      Wrong! The GPS app isn't accepting music input at all and the music application is playing in the background but is not accepting inputs. The volume is a system level process, the button presses are handled by the system to control the volume, not by the app in the background.

    3. Re:So far /. is at 3% reading comprehension rate by AmiMoJo · · Score: 1

      You entirely missed the point. There is no "log all keyboard input" permission for apps to request. I don't think the TOS are very likely to prevent a black hat deploying the exploit. Since Apple doesn't examine every line of code in apps they approve they now need to either close the hole or develop a tool to detect when compiled code tries to make use of it.

      I expect a few apps will be getting updates to remove this exploit now, before Apple closes it off and notices them crashing.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  9. How to get compromised .. by DTentilhao · · Score: 1

    01. Download malware .. 02. Install malware ... 03. Get infected ....

    1. Re:How to get compromised .. by DougOtto · · Score: 2

      04. Wipe hands on pants.

      --
      Solving Unix problems since 1989...
    2. Re:How to get compromised .. by Anubis+IV · · Score: 1

      The real danger here is the ability for the system to automatically update apps to the latest version, which has been a feature since the release of iOS 7. The threat comes from when a developer of an existing app sells it to another company intent on updating that app to include this piece of malware. Suddenly, that little-known game you play every day is a trojan just waiting to infect you the next time you play it. So while the steps that you outlined are still the same, the change here is that steps 1 and 2 are transparent to the user in situations like these, making it all the easier to get infected.

      We've seen this form of attack more recently in the last few months, notably with Chrome extensions that were being purchased by third-parties and then updated to include adware or malware. I'd expect that we'll be seeing similar reports coming from Android and other platforms that allow auto-updating.

    3. Re:How to get compromised .. by Smerta · · Score: 1

      Yes, but isn't that under the user's control? The iOS user decides if apps auto-update or not, correct?

    4. Re:How to get compromised .. by Sancho · · Score: 1

      You can opt-out, certainly. How many will? How many will not just hit the "update all" button if they do opt out?

  10. But how are users treated? by jbn-o · · Score: 1

    Any complex software has bugs and perfection is never available. The important question remains: how are the users treated? If the software respects a user's freedoms to run, inspect, share, and modify the software, users are treated well. If these freedoms are not respected, the user is subjugated. This is an ethical issue with technical ramifications.

    Non-free programs (such as Microsoft Windows and Apple's OSes) are designed and licensed to prohibit anyone but the proprietor from understanding how the software works. Nobody but the proprietor can fix bugs or improve the program (I use the word "improve" purposefully subjectively here). And the proprietor could have included a variety of other problems (from the user's perspective) because proprietary software is often malware. A free software system (such as a GNU/Linux system on which nothing but free software is installed) can be fully inspected, shared, and modified by the users. Free software lets users treat each other ethically, non-free software leaves even the most expert users who are willing to do technical inspection/bugfixing work in the dark and prevents them from sharing with others, thus preventing them from helping others.

    Software freedom is a far better arrangement for the user. Where non-free software users have to wait for a proprietary binary to patch a problem (possibly introducing new problems and leaving other known problems unfixed such as Apple did for over 3 years with an exploitable iTunes bug during which time governments used the hole to invade people's computers), a free software user has additional options. One can choose to learn to program and fix bugs themselves, one can get someone else to fix software for them (even commercially, by hiring someone trustworthy and appropriate just as one would do to fix other things). No one person can understand all the software they need, there's way too much software to do that. But together we can (and do!) maintain free software systems very well.

    --
    Digital Citizen
  11. Re:Can we just go back to the gotofail bug for a s by jo_ham · · Score: 2

    How do we know that this "patch" don't open up a new "NSA backdoor" somewhere else?

    Because the piece that was patched is open source.

    Go have a look through the code if you like.

  12. Not a new thing by rabtech · · Score: 1

    There have always been holes in the App Store and sometimes you can sneak things through.

    The difference is if you try such things and you app becomes even remotely popular, Apple can pull your app and even your developer account so the actual window where your fraud or evil tricks can result in some kind of gain is very small.

    I'm not sure why people constantly fail to recognize this.

    Similarly with the SSL flaw... Apple pushes iOS updates in a way Android users can only dream of; within a month more than 90% of all iOS devices still in use will have the patch applied. Compare that with the web view remotely exploitable hole just revealed for Android... at least half of all Android devices will still have that hole a year from now!

    So in theory yes, Apple is just the same as everyone else. In reality, the actual user experience will be quite different.

    --
    Natural != (nontoxic || beneficial)
  13. Yep. I concur. by Wild_dog! · · Score: 1

    No virus' or trojans on any of my OSX or Linux boxes over the past 8 or so years. Lots on the windows boxes in the past.
    But times are changing as they will.
    The higher OSX gets or iOS gets the more likely folks will be seriously targeting these platforms.
    Just simple economics really.

  14. Re:So far /. is at 2.5% reading comprehension rate by Dr.+Evil · · Score: 1

    FTFY