From law enforcement to hacking firms, everyone wants to hack the iPhone. But Google, Apple’s arch-rival of sorts, has been hacking iPhone devices by identifying and exploiting critical vulnerabilities since last year.
This time, Google’s team of white hat hackers at Project Zero has identified exploitable flaws that can be used to compromise targeted iPhone devices.
According to Samuel Groß, the clickless flaw doesn’t require the victim to click on a malicious link to infect their device, and attackers only need the targeted iPhone’s Apple ID to remotely compromise the phone.
It takes only a few minutes for a hacker to steal data from the phone, including passwords, emails, and text messages, and to enable other functions like microphones and cameras, all without the user’s permission or knowledge.
The vulnerability exploited to carry out the attack is tracked as CVE-2019-8641. It is a remote memory-corruption flaw that was originally identified by Groß himself during an earlier project in which he collaborated with Natalie Silvanovich, another security researcher at Google Project Zero.
This project was completed in July 2019 and published in August. It is worth noting that Apple first fixed the vulnerability in iOS 12.4, and the update was released on August 26. A second code change addressed another iMessage flaw identified by Project Zero and was released with iOS 13.2 on October 28.
Watch Groß’s presentation on the issue from last month:
Nevertheless, Groß hopes Apple will implement new security measures based on his research and protect iPhone users against such vulnerabilities.
“As much code as possible should be put behind user interaction, in particular when receiving messages from unknown senders,” said Groß.
Since the flaw has already been fixed, your device is at risk only if you haven’t updated iOS on your iPhone or iPad. However, the takeaway is that you must not share your Apple ID with anyone, and if your Apple ID is out, back up your data, consider making a new ID, and keep it to yourself.