Slashdot Mirror

← Back to Stories (view on slashdot.org)

New iOS Keylogging Vulnerability Discovered

Posted by timothy on from the it's-called-eye-phone-duh dept.

exomondo writes "Following hot on the heels of the iOS (and OS X) SSL security bug comes the latest vulnerability in Apple's mobile operating system. It is a security bug that can be used as a vector for malware to capture touch screen, volume rocker, home button and (on supported devices) TouchID sensor presses, information that could be sent to a remote server to re-create the user's actions. The vulnerability exists in even the most recent versions of iOS and the authors claim that they delivered a proof-of-concept monitoring app through the App Store."

17 of 72 comments (clear)

  1. Linux and windows have vulnerabilities by bazmail · · Score: 5, Insightful

    apple software has "bugs".

    1. Re:Linux and windows have vulnerabilities by StripedCow · · Score: 2

      At least Microsoft is conducting research to reduce bugs.
      See for example: http://research.microsoft.com/...

      Not sure where Apple stands.

      --
      If Pandora's box is destined to be opened, *I* want to be the one to open it.
    2. Re:Linux and windows have vulnerabilities by Anonymous Coward · · Score: 5, Funny

      Not sure where Apple stands.

      On a mahogany patio, looking at a gold-plated Olympic-size swimming pool full of cash, smiling before wading in.

    3. Re:Linux and windows have vulnerabilities by Anonymous Coward · · Score: 2, Interesting

      Background tasks don't receive touch input. That's why they are in the background.

      Unless you are iOS and have this vulnerability.

    4. Re:Linux and windows have vulnerabilities by rehtonAesoohC · · Score: 5, Insightful

      You can't assume that because android also has multi-tasking that it also has a security vulnerability... It's a completely different system with completely different designs. That's like saying that because an apple has skin that you should also eat people too.

    5. Re:Linux and windows have vulnerabilities by FlopEJoe · · Score: 2

      apple software has "bugs".

      It's a glitch.

  2. Goes to show... by jones_supa · · Score: 5, Insightful

    As Apple products keep gaining larger market share, also the number of discovered vulnerabilities increases day after day. Having a UNIX base does not mean that you are automatically invincible.

  3. Re:Can we just go back to the gotofail bug for a s by Cinder6 · · Score: 4, Informative

    They just released the patch for OS X, actually.

    http://appleinsider.com/articl...

    --
    If you can't convince them, convict them.
  4. Is this a real vulnerability or hype? by Ronin+Developer · · Score: 2, Insightful

    The method of how the app was installed on a non-jail broken device was not discussed. While I would say that being able to capture touches and such by an background app is a potential threat, getting the software on a device is easier said than done.

    Mobile Management Systems (MMS) have access to APIs that can also do these sorts of things.

    I would venture that this was one using either developer mode or as an enterprise app and not through the the AppStore. Jailbroken devices are, clearly, more at risk.

    Now...a bigger question. Can the same be done on Android devices? I am betting "Yes"????

     

    1. Re:Is this a real vulnerability or hype? by fsck-beta · · Score: 2

      iOS is just as vulnerable as Android?

      Not quite. It just means that iOS isn't as invulnerable as many claim.

  5. stfu and learn noob by fluffythdestroy · · Score: 2

    http://news.cnet.com/8301-2707...

    --
    PC Gaming enthousiast that gives comments, opinions and reviews on Games. I'm just having fun with games while doing let
    1. Re:stfu and learn noob by Slashcrunch · · Score: 3, Informative

      Yeah, that one piece of malware is a real pain.

      Yes, malware for OSX and iOS does exist. It is very possible. But the problem seems to be about the same size as malware for Linux at this stage. By that I mean there is very little of anecdotal evidence of widespread, active malware in the wild targeting OSX, iOS and Linux. The same can't be said for Windows.

      So far I've never been hit on OSX, iOS or Linux. I've had plenty of Windows machines go down in flames though. I still have friends of family for which this is a fairly regular occurrence. Even myself, I had a fully patched Windows VM just for testing websites in IE. No antivirus installed. Visited some legitimate news and html/css sites... Boom. Malware installed.

  6. So far /. is at 3% reading comprehension rate by JohnnyComeLately · · Score: 2
    35 messages on this thread as I read it, and only ONE says in any detail anything that shows the issue and what the vulnerability has as an underlying assumption. Here it is for those who did read the article (RTFA), you have to install a rogue app. So, someone who's breaking the ToS (not being rogue) has to put an app out, then you have to install it, and then it's scraping inputs. This isn't a security vulnerability as most responses on here opine about. My car has a gas pedal. Does the ECM for engine management have a "security vulnerability," because I can press hard on the right pedal and do 180mph (illegal by federal law)?? No. It's functioning as designed. Press hard on gas, go faster. App installed and running in background, can accept device inputs. For example, have a GPS app? It is allowing inputs from other applications (e.g. you can listen to music on the GPS app I have without kicking out to Music app) and inputs (buttons).

    Nothing significant to see here. Yeah, more restrictions from Apple development guidelines coming due to asshats being asshats. *sigh*

    1. Re:So far /. is at 3% reading comprehension rate by Anonymous Coward · · Score: 2, Interesting

      So, someone who's breaking the ToS (not being rogue) has to put an app out, then you have to install it, and then it's scraping inputs.

      Oh so it's not a security vulnerability if it's against the Terms of Service, wow Microsoft should implement a ToS and then most of their Windows security issues will cease to exist.

      This isn't a security vulnerability as most responses on here opine about.

      Of course it is, how do you figure that a process running in the background being able to break out of the sandbox restrictions and capture all inputs is not a security vulnerability? You would have to be a complete Apple shill to be in such denial about a bug like this.

      My car has a gas pedal. Does the ECM for engine management have a "security vulnerability," because I can press hard on the right pedal and do 180mph (illegal by federal law)?? No. It's functioning as designed.

      Yet the application sandboxing in iOS is clearly not working as designed as it is allowing background processes to capture all inputs. Since you clearly don't understand the concept of sandboxing it is obvious why you would not see the security problem here.

  7. Re:Get out of your tower of Illusion by BasilBrush · · Score: 2

    You seem confused as to the topic. I repeat. OSX is not iOS. iOS doesn't have flash, nor flashback, nor any need for anti-virus. Anti-virus could only check for know malware, and known malware is removed by Apple anyway.

  8. Re:How to get compromised .. by DougOtto · · Score: 2

    04. Wipe hands on pants.

    --
    Solving Unix problems since 1989...
  9. Re:Can we just go back to the gotofail bug for a s by jo_ham · · Score: 2

    How do we know that this "patch" don't open up a new "NSA backdoor" somewhere else?

    Because the piece that was patched is open source.

    Go have a look through the code if you like.