A white-hat hacker was able to hijack iPhone cameras using a chain of three vulnerabilities he discovered. The same approach would also work with the cameras on Macs.
Ryan Pickren disclosed the vulnerabilities to Apple in December of last year. The company fixed the most serious of them in January, and the rest last month.
The approach relied on an exception to the normal privacy requirement for apps to seek permission for camera or microphone access…
Forbes reports that the exception was Apple’s own apps — including Safari.
During December 2019, Pickren decided to put the notion that “bug hunting is all about finding assumptions in software and violating those assumptions to see what happens” to the test.
He opted to delve into Apple Safari for iOS and macOS, to “hammer the browser with obscure corner cases” until weird behavior was uncovered. Pickren focused on the camera security model, which he readily admits was “pretty intense.”
That’s something of an understatement as Apple has made the camera very secure, or so it thought, by requiring any and every app that wants access to be explicitly granted camera/microphone permission, permission that is handled by an OS alert box.
Pickren found the exception to the rule, Apple’s apps, which is what led him to prod away at the Mobile Safari app to see how he could gain unauthorized access to the camera and microphone.
Pickren found a total of seven zero-day vulnerabilities, and was able to combine three of them to gain access to the iPhone cameras and microphones.
The hacker reported the bugs to Apple, and received a $75,000 bug bounty payment as thanks.
A fellow security researcher said that it’s surprising hackers haven’t focused more on mobile devices for this type of attack. The ability to hijack iPhone cameras would be especially valuable, he suggested.
Security researcher Sean Wright told me that while everyone has been paying attention to their webcams on PCs and laptops, “few have been paying attention to their webcams as well as microphones on their mobiles.” Which, when you stop to think about it, is bizarre, as it’s a far more likely route an attacker will take to eavesdrop on victims. “People are a lot more likely to have their mobile on them for most of the time,” Wright says, “especially perhaps when discussing sensitive matters.”
FTC: We use income earning auto affiliate links. More.