A previously unknown vulnerability has been discovered in Apple’s iOS that can allow an attacker to take control of the victim’s device.
A new zero-day vulnerability has been discovered in iOS that lets a hacker completely hijack a user’s device and spy on the user’s calls, emails, messages, etc.
In a first, Apple announced a bug-bounty program in the first week of August, inviting hackers from all over the world to find problems in its security systems. Hackers were promised amounts up to $50,000 for discovering zero-day vulnerabilities that could allow the execution of malicious code in the kernel.
Since a security team cannot foresee every security loophole and attack vector, many major corporations have used bug bounties to make their security systems stronger against attacks. Apple is the latest to initiate such a program, highlighting the need for better security in today’s world.
However, a week after Apple announced this program, a zero-day vulnerability was discovered in iOS. Citizen Lab, a human rights and technology organization, was shown text messages by an activist in the UAE, Ahmed Mansoor, which contained a suspicious link. Citizen Lab and Lookout, a security firm, later confirmed that the link downloaded three zero-days that could hijack the device.
Named ‘Trident’ because it combines three zero-days, the exploit begins by enticing a target to open the malicious link. When the target clicks the link, the first zero-day, which was found in Safari, goes to work, exploiting a memory corruption vulnerability to run arbitrary code. Then, two more zero-days are downloaded onto the device from the landing page of the malicious link. The only indication that the device has been compromised is the unexpected closing of Safari.
The first zero-day is used to locate the kernel in the memory of the device, which is required to jailbreak it. Once the kernel is located, the third zero-day is executed, giving the attacker read/write privileges. The attacker can then place surveillance software on the device to spy on the victim’s activity. A researcher from Lookout said that the sophistication of Trident is truly astounding.
Apple has acted quickly to roll out updates for this issue. The company was notified of it on August 15 and had patched all three zero-day vulnerabilities within a week. Many security companies allow a vendor about 90 days to do the same, so Apple’s turnaround is impressive.
This Apple zero-day highlights yet again how mobile devices are increasingly being targeted by hackers today. Since mobile devices store a lot of sensitive information, hackers find them attractive targets. People mistakenly believe that mobile devices are more secure than computers, which allows hackers to succeed more easily.