Media outlets love to sensationalise the latest news, but the recent spate of security-related revelations has been a dead-serious wake-up call. These vulnerabilities affect both Android and iOS devices.
1. Black Hat Participants Hack Apple’s Face ID With Tape And Spectacles
At the annual Black Hat security conference held in Las Vegas, California, participants found a vulnerability in Apple’s Face ID biometric technology.
First implemented on the 2017 iPhone X, Face ID has been refined in subsequent devices like the iPhone Xs, Xs Max, XR and the iPad Pros.
This exploit involves nothing but tape and a pair of spectacles, but requires placing the modified glasses on an unconscious, unsuspecting victim to cheat Face ID into “thinking” the user has looked directly at the phone. That makes the hack highly unlikely to be executed successfully, but it should still be a top priority for Apple’s software engineers.
Apparently, Face ID’s attention-dependent features, which ensure the device unlocks if and only if the user intends it to, work by detecting that the user’s eyeballs are pointed directly at the sensors. Also apparently, Face ID doesn’t work too well with spectacles, which Black Hat participants exploited by using black and white tape to emulate pupils and irises pointed directly at the Face ID sensors.
In a demonstration at the event, hackers completed the exploit in under two minutes, spoofing authentication to perform a phone unlock and a mobile payment.
2. Millions of Android Phones Preloaded with Malware
Pre-installed applications are a bane of reviewers, prosumers and everyday users alike, but this recent revelation takes bloatware to a whole new level.
According to Google, millions of Android smartphones have been purchased containing dangerous bloatware pre-installed at manufacturers’ facilities. While warnings about dangerous apps available on the App Store are not new, this is a radically more dangerous issue.
Users, beguiled by the sheer newness of their recently purchased mobile device, will be largely unaware that their devices come pre-installed with harmful malware that can steal personal data, commit ad fraud, or even take over permissions to install additional types of malware.
This risk impacts the Android Open-Source Project (AOSP), which is the cheaper, open-source alternative to regular Android, usually implemented on lower-end smartphones. Over 200 manufacturers have been implicated after a widespread investigation by Google’s Project Zero team, although mainstream manufacturers like Samsung and LG are fine.
Amongst the various forms of malware pre-installed on these AOSP smartphones are two particularly harmful ones: Triada and Chamois. Both are adware and commit advertising fraud, but are also capable of downloading additional harmful malware. Chamois, a more modern invention, can even send text messages at premium rates, and has been found to be pre-installed on 7.4 million devices.
Google’s Project Zero efforts have reduced Chamois to 700,000 devices at present, and rely on manufacturer compliance to clamp down on this issue.
3. Passwords, User Data on iPads, iPhones Vulnerable to Contacts App Exploit
Security firm Check Point has uncovered a bug within the built-in iOS and iPadOS Contacts app that enables hackers to access vital user data and passwords using the ubiquitous SQLite database engine.
According to Check Point, the vulnerability was known but not addressed because it required an unknown application to trigger. In a closed system like iOS, virtually all applications on the App Store are “known”.
By utilising the native Contacts app on iPads and iPhones to run a string of code, Check Point researchers were able to access sensitive information. This exploit required an unlocked device, which effectively limits its use in hacking circles, but it should still be a red flag for all users.