It sounds like they submitted a bug report...

Hopefully engineering has everything they need, otherwise this might be a while. :rolleyes:

----------



*closes flappy bird...*

LOL, my thoughts exactly! This was the first app that came to my mind after I had thought about all the apps on my phone. 99% of my apps are from established organizations. I thought I had installed no questionable apps...then the bird!

Create a simple game that is nothing but a virus and release it to the public. Hmmmmm...lol!
 
So a jail broken device?

facepalm.gif


FireEye also spoke about the flaw being identified in current versions of iOS:
Note that the demo exploits the latest 7.0.4 version of iOS system on a non-jailbroken iPhone 5s device successfully.

It's probably an enterprise certificate bug, possibly done so you don't need to set the date back.
 
wow this thing is serious huh,

thank god I didn't update to 7.0.6 yet. was going to. but my battery was low so it stopped the phone from updating.
 
Surely this is an issue that can be solved with better monitoring and testing of submitted apps to the app store? If you get all of your apps from the app store and Apple stop the malicious apps then you have nothing to worry about.

What are you going to monitor during app review? Most such apps are innocent during review, and additional functionality is activated either after some time or by getting a command from a certain URL (when the app has some legal internet activity it is easy).
 
While you could use the coordinates to determine areas that are on a keyboard, it is useless unless you also derive what app was being used at the time. You have no idea if you are just playing flappy bird, selecting songs in itunes, typing an email or entering in a user name or password etc. Thus, the data is pretty useless. Not to mention you would have to know the exact time a password box was displayed on the screen and then grab the resulting input. If you could get the running App and then determine based on coordinates, what is being pressed, then maybe there could be something more to this. You then have to have the ability to parse exactly what the password happens to be from all of the things typed from the keyboard.

This is another reason to use something like 1Password.

Not exactly. A keyboard logger just grabs input made via keyboard. Thus you know this is info entered. Since this grabs touch input, it is impossible to discern if the touch input was made specifically on the virtual keyboard or taps on the screen in that same area. Thus, it is impossible to know if in fact the gibberish is a password or just tapping in a game or other program. If this also captured screen grabs as well, or grabbed touch input based on a specific field being accessed, it would be highly effective.

Two things make this very minor. First it does not look like the attacker has any way of knowing what app is active. It is hard to tell if you are typing a password or clicking out a game of Flappy Bird. Second the app needs to get into the appstore, trick people into installing it and avoid detection of the malicious activity. Remember Apple has a kill switch on third party apps.

An attacker with a map of keyboard coordinates could write a script to convert all those coordinates to letters. Then write another script to scan all those jumbled letters for words in a dictionary. They'd have every sentence you've ever typed logged.

It'd be a lot of data to analyse, but could get some interesting stuff. Passwords if you search all your data for bank websites etc and see what follows that.
 
"The news comes less than a week after Apple issued iOS 7.0.6 in response to a SSL vulnerability"

wowzers ..... :eek:

These guys are getting good. Even bypassing checks too

At one stage this only happened this quickly on Windows..

AT ONE STAGE......

Not anymore .....

Man the torpedoes....... I'm goin in :p

"iOS, just as bad as Android" BUT the software is good though :p ... This is out the window now.. software has nothing to do with it.
 
I know this is a security exploit, and thus should be fixed because of its nature. I just can't see how this is a big deal. How could anyone get any useful information from this exploit? My only thought would be translating the coordinates into keyboard locations, but that can't be entirely accurate.
 
An attacker with a map of keyboard coordinates could write a script to convert all those coordinates to letters. Then write another script to scan all those jumbled letters for words in a dictionary. They'd have every sentence you've ever typed logged.

It'd be a lot of data to analyse, but could get some interesting stuff. Passwords if you search all your data for bank websites etc and see what follows that.

I understand the 1st part of the script. Then you have to make assumptions to guess a password. First your password would have to be based on dictionary words to try and deduce.

The last sentence refers to them using your data for bank websites etc. How are they getting that info? Only way that can happen is if you are using Safari or a browser to access a site. Then they can try and obtain website, username and password. This is the only way I can see a person be vulnerable. However, even for that to be effective, you would have to manually enter the address for them to even know what site you were entering that info on. If you clicked a hyperlink to open the browser and pull up the site, click on a bookmark, etc, they have no clue what site that info is used on.

If you use Apps for access to your bank, etc there is no possible way to get any data, besides what you type. Pretty much all you type is a password for access, unless you select an option to retain that info. So they have no access to what user name you used and would have no access to what program you were running. Thus, the info is useless. Only way for a payoff is if you use the same password on all sites.
 
I know this is a security exploit, and thus should be fixed because of its nature. I just can't see how this is a big deal. How could anyone get any useful information from this exploit? My only thought would be translating the coordinates into keyboard locations, but that can't be entirely accurate.

First, good mapping and through analysis it can be made to be rather accurate.

Second, it seems the article mentions "actions including keyboard inputs, use of the volume, home, and power buttons, screen touches with exact coordinates, and Touch ID events were all captured", where keyboard inputs are mentioned separately from just coordinates of touches, meaning that they potentially can capture actual keyboard input, not just touch coordinates in that case.
 
An attacker with a map of keyboard coordinates could write a script to convert all those coordinates to letters. Then write another script to scan all those jumbled letters for words in a dictionary. They'd have every sentence you've ever typed logged.

It'd be a lot of data to analyse, but could get some interesting stuff. Passwords if you search all your data for bank websites etc and see what follows that.

IDK, seems like this may be an ok hack, but may not be that productive for someone.

https://www.macrumors.com/2013/10/2...phone-5s5c-neglects-perspective-compensation/

Not to mention all the people that completely miss a particular letter, but auto-correct fixes it.
 
I'll say it again... funny, but closer to reality than it may seem. I'm beginning to wonder if Apple has caved to NSA demands and, in a negligent manner that can plausibly be denied, is now building in backdoor access for clandestine use.

They will cave in to the 300-pound gorilla that is the NSA, one way or another. The NSA can just issue a subpoena and force Apple to do what the NSA wants.

Being a Swiss citizen, I can therefore say, just like most other Europeans, that we've lost faith in American tech companies, not because of their doings, but because they can be subpoenaed by the NSA to take the unconstitutional path.

So I'm with Angela Merkel's ideas for a European Internet.
 
They will cave in to the 300-pound gorilla that is the NSA, one way or another. The NSA can just issue a subpoena and force Apple to do what the NSA wants.

Being a Swiss citizen, I can therefore say, just like most other Europeans, that we've lost faith in American tech companies, not because of their doings, but because they can be subpoenaed by the NSA to take the unconstitutional path.

So I'm with Angela Merkel's ideas for a European Internet.
Non-US companies can't be forced (one way or another) by some agency to give up some data, if that data isn't already being spied on by those agencies? Despite all the laws on the books and whatnot, all this stuff has been happening for ages all over the world, and will continue to do so--it's part of the human condition.
 
What are you going to monitor during app review? Most such apps are innocent during review, and additional functionality is activated either after some time or by getting a command from a certain URL (when the app has some legal internet activity it is easy).

Well, that really depends on how in depth the reviews are. I have no idea how Apple review apps, I would guess that they would be interrogating the app code and it's not some intern flicking through the actual app.

If they are interrogating the code and are able to test all calls etc it should be easy to identify and reject. They can obviously use this example (if it is actually bona fide and not the usual security dick waving) and close these loopholes too.
 
Wow.. Apple.. Much secure :rolleyes:

Maybe they aren't. Or maybe this report is a scam. Something to play off the whole 7.0.6 to get press.

If they really are working with Apple the first thing the company would demand is that they say nothing until the fix is out there. Because now folks would know, if this is real, what they can do.

And before someone says 'what about the proof of concept', they made it so of course they could fake it.

----------

What would actually be useful here is for somebody to tell us WHICH apps are to blame here. :mad:

Supposedly it's a flaw in iOS but they didn't show what the flawed code is. And they say that someone could make an app but there are no apps that they have exposed as doing it. Other than the one that they made as proof.
 
Non-US companies can't be forced (one way or another) by some agency to give up some data, if that data isn't already being spied on by those agencies? Despite all the laws on the books and whatnot, all this stuff has been happening for ages all over the world, and will continue to do so--it's part of the human condition.

At least I trust European federal authorities more than I trust the NSA.
 
How is this even remotely considered a security issue?

Yes, every touch is logged, but none of the logs carry any semantic information about the touches.

What those guys have just demonstrated is of no use to an actual hacker. It would be like tapping a phone line and then only be able to know how many calls are placed each day.

Unless the information could be parsed to sort out usernames and passwords. Course in some cases they would need access to the device to know what app you could have been tapping on. Unless they have a flaw they haven't told us about that tells that to someone.

----------

Drop Out Jeep is from 2007. Around the iPhone launch. They said it would cost nothing. That they were only able to put the spyware on the phone if they got hands on it, though they were working to make a "remote install". Ring, ring.

Yep. A lot of will statements in there. It was basically a prototype program. No proof it worked or was ever used. Or if it was that it could be used with later versions of iOS
 
At least I trust European federal authorities more than I trust the NSA.
Really? Why? Mostly because you haven't heard anything specific or much about the potential spying they do? Perhaps that might be simply because they are better at it and might even be doing more spying and have better ways of hiding it or at least keeping people quiet about it? So in that case you'd be putting more trust into entities that do even more of the things that you are trying to somehow stay away from. Remember, just because you don't know or don't hear about something, doesn't mean it's not going on. ;)
 
So, we are told basically do not go into any non-trusted wifi, e.g. Airport or hotel. I am traveling in a few days so what do I do? Can anyone more versed than me tell me? VPN? Use iPhone as router so it's not using the totally accessible wifi?

The 7.0.6 iOS update and 10.9.2 OSX update fix the hole so if you have installed those you should be as fine as you could be on such a network. I wouldn't go doing your banking and such at an airport since you have no idea what someone might have jacked in the router but that's just basic security practice, not specific to Apple stuff.

----------

Well, you may have cut and pasted the message from the other thread, but it doesn't really apply here, at all. First of all, this is a "proof of concept" demo made by a security firm who is working with Apple to resolve the issue.

It's a proof of concept where they showed the outcome but not the code or even the flawed code in iOS. And they say that they are working with Apple etc.

Maybe they are, maybe they are full of crap and looking to get some easy press. What better than to claim that they discovered a flaw that is even nastier than one that was discovered by someone else (but they weren't aware of that one and just happened to be investigating the notion of a key logger flaw on their own).
 
Yep, but I bet we don't get a response...They'll just release yet another patch...I'm pretty conservative when it comes to Apps, but I do have SSH installed on phone and iPad....I may remove them for now.

Removing SSH will have zero effect.
 
Surely this is an issue that can be solved with better monitoring and testing of submitted apps to the app store?

There hasn't been a single app found with this trick in it.

----------

At the risk of seeming naive...is it not a bit more parsimonious to assume an accidental bug than some nefarious plot which includes Apple and the NSA in some secret collusion?

It's Apple they are supposed to be 100% perfect all the time. No bugs etc allowed. Ever.

----------

That's happened when you fire the head of iOS and replace it with a puppet that is not even a software engineer.

You do realize that Scott Forstall didn't write every line of code in iOS himself, yes?

And just because his focus isn't software engineering doesn't mean Jony has zero clue about it.
 
It's inevitable that more and more security bugs will start to be discovered now that iOS usage is at a significant level (which apple has not had previously).

Even when Microsoft had a much higher market share than iOS (>90% of the market on desktop OS, Windows, or web browser, IE) that excuse never seemed to stop people around here from claiming "Apple is super secure, MS is totally incompetent". :rolleyes:
 
If you don't like long-running myths, you can choose Android where insecurity is a long-running fact.

Fact/Myth do not mean what you think they do ;)

----------

Even when Microsoft had a much higher market share than iOS (>90% of the market on desktop OS, Windows, or web browser, IE) that excuse never seemed to stop people around here from claiming "Apple is super secure, MS is totally incompetent". :rolleyes:

Main difference being that M$ got damn good at rolling out fixes/patches very quickly.

Sadly something Apple is unable to do. It's quite disturbing how long it takes them to patch some of these security holes.

And frankly not making a public statement on these is quite pathetic, it's like they refuse to admit the problem exists. Hopefully Apple will mature to deal with future security threats.
 
Fact/Myth do not mean what you think they do ;)

----------



Main difference being that M$ got damn good at rolling out fixes/patches very quickly.

Sadly something Apple is unable to do. It's quite disturbing how long it takes them to patch some of these security holes.

And frankly not making a public statement on these is quite pathetic, it's like they refuse to admit the problem exists. Hopefully Apple will mature to deal with future security threats.

Wow, it took the same day to get an iOS patch out and a whole of 2 business days to get an OS X one out. That's just clearly Apple being unable to roll out patches quickly. Totally.

No statement on a security issue is usually made until it's actually fully addressed. That said, I don't see widespread statements from Microsoft every time a security hole is fixed.
 