Fortunately, the issue has already been resolved by Apple

Jan 13, 2020 09:05 GMT

A vulnerability in older versions of iOS allows an attacker to break into an iPhone remotely and without any user interaction, Google explains.

The security flaw, which was discovered in iOS 12.4 and was fixed in iOS 12.4.1 in mid-2019, allows a malicious actor to obtain access to pretty much everything on an iPhone, Samuel Groß of Google’s Project Zero explains.

The only thing the hacker needs is the user’s Apple ID to launch an attack that only takes a few minutes. After that, an attacker could access files, passwords, two-factor authentication codes, SMS, other messages, emails, and app data, Groß notes.

Even worse, they can enable the microphone and the camera for spying on the iPhone user, he adds.

The vulnerability used for the attack is documented in CVE-2019-8641 and allows the hacker to bypass ASLR and then achieve remote code execution outside of the sandbox without the user having to do anything.

iOS 12.4 is the vulnerable version

The Google researcher explains in a technical analysis of the security vulnerability that while the flaw has already been resolved, additional hardening is needed to make similar exploits harder in the future.

“Further hardening measures were suggested based on insights gained during exploit development, which, if implemented, should make similar exploits significantly harder in the future. As some of these hardening measures are also relevant to other messenger services and (mobile) operating systems, they will be mentioned throughout this series and summarized at the end of it,” he says.

While the vulnerability allows an attacker to fully compromise an iPhone, only devices running iOS 12.4 are exposed, so if you already installed iOS 13, you should be on the safe side. This is actually the only recommendation when it comes to staying secure and avoiding a potential attack using either this flaw or a similar one: update to the latest version as soon as possible, as security patches are included in most releases.