Article 5BHDE Decrypted: Google finds a devastating iPhone security flaw, FireEye hack sends alarm bells ringing

Decrypted: Google finds a devastating iPhone security flaw, FireEye hack sends alarm bells ringing

by
Zack Whittaker
from Crunch Hype on (#5BHDE)

In case you missed it: A ransomware attack saw patient data stolen from one of the largest U.S. fertility networks; the Supreme Court began hearing a case that may change how millions of Americans use computers and the internet; and lawmakers in Massachusetts have voted to ban police from using facial recognition across the state.

In this week's Decrypted, we're deep-diving into two stories beyond the headlines, including why the breach at cybersecurity giant FireEye has the cybersecurity industry in shock.

THE BIG PICTUREGoogle researcher finds a major iPhone security bug, now fixed

What happens when you leave one of the best security researchers alone for six months? You get one of the most devastating vulnerabilities ever found in an iPhone - a bug so damaging that it can be exploited over-the-air and requires no interaction on the user's part.

google-project-zero-iphones.gif

The AWDL bug under attack using a proof-of-concept exploit developed by a Google researcher. Image Credits: Ian Beer/Google Project Zero

The vulnerability was found in Apple Wireless Direct Link (AWDL), an important part of the iPhone's software that among other things allows users to share files and photos over Wi-Fi through Apple's AirDrop feature.

AWDL is enabled by default, exposing a large and complex attack surface to everyone in radio proximity," wrote Google's Ian Beer in a tweet, who found the vulnerability in November and disclosed it to Apple, which pushed out a fix for iPhones and Macs in January.

But exploiting the bug allowed Beer to gain access to the underlying iPhone software using Wi-Fi to gain control of a vulnerable device - including the messages, emails and photos - as well as the camera and microphone - without alerting the user. Beer said that the bug could be exploited over hundreds of meters or more," depending on the hardware used to carry out the attack. But the good news is that there's no evidence that malicious hackers have actively tried to exploit the bug.

News of the bug drew immediate attention, though Apple didn't comment. NSA's Rob Joyce said the bug find is quite an accomplishment," given that most iOS bugs require chaining multiple vulnerabilities together in order to get access to the underlying software.

Wow. An iOS exploit that doesn't involve chaining multiple vulnerabilities together is quite an accomplishment. https://t.co/ZccMcVTIch

- Rob Joyce (@RGB_Lights) December 2, 2020

FireEye hacked by a nation-state, but the aftermath is unclearTechcrunch?d=2mJPEYqXBVI Techcrunch?d=7Q72WNTAKBA Techcrunch?d=yIl2AUoC8zA Techcrunch?i=gNpOTkD0wwQ:uTu9_gnkSm0:-BT Techcrunch?i=gNpOTkD0wwQ:uTu9_gnkSm0:D7D Techcrunch?d=qj6IDK7rITsgNpOTkD0wwQ
External Content
Source RSS or Atom Feed
Feed Location http://feeds.feedburner.com/TechCrunch/
Feed Title Crunch Hype
Feed Link https://techncruncher.blogspot.com/
Reply 0 comments