What with everyone being so firmly attached to their iDevices, this latest news would be rather worrying for most folks…
Governments and corporations willing to pay have a new way to easily spy on millions of owners of late model iPhones and iPads without them ever knowing.
And spying could mean targets are physically watched on their own mobile phone cameras.
That’s because an unknown hacking team has picked up a US$1 million (NZ$1.5m) bounty to find a way to do it, and the security company behind the exercise is happy to sell it to the highest bidders.
The company, called Zerodium, used its Twitter account to announce that it had awarded the million-dollar finder’s fee to a team that successfully showed it could run a remote browser attack against Apple devices using iOS 9.1 and iOS 9.2 beta. The operating system is used in iPhone 5 and 6 series devices and most of Apple’s recent-model iPads.
“Our iOS #0day bounty has expired & we have one winning team who made a remote browser-based iOS 9.1/9.2b #jailbreak (untethered). Congrats!” Zerodium’s social media representative tweeted.
It was not made clear whether the security bug was limited to Apple’s Safari web browser or all browsers used on the devices.
Zerodium, which describes itself as “a premium exploit acquisition platform”, began its Apple exploit bounty program in September, offering up to US$3m for working attacks.
The exploit broker placed strict conditions on competitors to justify the bounty including that the attack work remotely without the need to have a wi-fi, Bluetooth or physical tether to target devices.
Zerodium, as its name suggests, works strictly with so-called “zero-day” exploits, meaning they’re unknown to the technology vendor or its third party security providers.
The combination of conditions maximises the value of the attack method for Zerodium customers by being unknown to Apple and very difficult to detect.
Zerodium’s founder Chaouki Bekrar has made clear in the past that the company’s customers include large defence companies, and technology and finance firms.
Zerodium’s description of the hacking technique used for the exploit — a “jailbreak” — likely means that it allows an attacker to install unauthorised software on a target device.
Ty Miller, founder of computer security consultancy Threat Intelligence, said that means governments would almost certainly seek to use the exploit for surveillance purposes, with the ability to go as far as using a target’s own smartphone camera to physically watch them.
“They can start escalating their privileges on your phone to gain unauthorised access to your camera or your audio to listen to your conversations – they can watch what you’re doing. They can potentially gain access to your phone logs, your SMSes, and if they’re able to do that they can gain access to all of your applications’ data as well,” Miller said.
“Your banking could become compromised, your social networking could be compromised, your email could be compromised – pretty much any application you use on the internet”.
Finance companies were likely to buy the exploit in order to find ways to stop it being used in attacks on employees’ devices, Mr Miller added.
Miller said bug bounty programs not run by the vendor of a product and instead run by exploit brokers were generally frowned upon throughout the computer security industry, as there is a broad assumption that the exploits uncovered were used for unlawful or unjustifiable reasons.
There was some justification for that assumption, Miller said, pointing to an incident in July this year when Italy-based bug hunting operation Hacking Team fell victim to its own craft.
An unknown attacker selectively released 400GB of documents stolen from Hacking Team’s servers – including emails and invoices – exposing, among other things, that it sold malware to Nigeria. The documents also revealed that it sold hacking tools to Ethiopia which were later used to spy on journalists.
Article and image as posted on Stuff.co.nz