New ways to attack iPhones exposed – make sure you update to iOS 8.4

Graham Cluley

iOS Masque attackThis week Apple has released the latest version of iOS for iPhone and iPad users – iOS 8.4 – introducing Apple Music.

But even if you’re not interested in Apple’s attempt to dislodge the likes of Spotify, security firm FireEye has given you another good reason to update your devices to iOS 8.4 – especially if you work for a company that uses its own in-house iOS apps.

In a blog post, security researchers provide details of new so-called Masque attacks, exploiting iOS’s failure to properly distinguish between apps with the same bundle identifier.

Full details can be found in the FireEye blog post, including the reveal of a previously undisclosed code injection attack that could allow communications – including those over VPN – to be intercepted and hijacked.

Clearly any vulnerability which would lead to unauthorised monitoring of VPN traffic is very bad news indeed.

It’s important to emphasise that targeted iPhones and iPads do not have to be jailbroken to be at risk of having malware installed onto them.

Through social engineering, an attacker could trick users into installing a malicious app onto their iOS devices using the enterprise provisioning feature that Apple provides for companies who wish to roll out their own apps to staff.

The researchers believe that “around one third of iOS devices still have not updated to versions 8.1.3 or above, even 5 months after the release of 8.1.3, and these devices are still vulnerable to all the Masque Attacks.”

iOS share

FireEye describes Apple’s update for some of the vulnerabilities it reported as only “partial”, but it still feels sensible for users to update to iOS 8.4 at the earliest opportunity if possible.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “New ways to attack iPhones exposed – make sure you update to iOS 8.4”

  1. Hi Graham,

    These issues are not new,but a recap from previous blogs. See referenced articles at the end. I have followed this from the beginning and after the partial fix in ios 8.1.3 then wrote about the "new" attack vectors. What Fireeye needs to do is verify the fixes And then write it up. Yes,many have become gun shy after Apple botched some updates,and so wait to see if there are any bugs before updating,and then forget,or don't care to update for what ever reasons. The title of fireeye's blog is a little like click bait, it should have said to be sure to update to ios 8.4 to fix these issues.

    That said,I am not an Apple fan. That they have so many vulnerabilities,and took almost a year to fix them,is the real story. Their last update fixed 80 vulns,50 of which were Safari related. And now,77 fixes,all which need an os update, means that Apple is less secure then Android. Apple is the new MS and should have a patch Tuesday before they become the new Adobe (-:

    1. Microsoft are much better than they used to be in terms of general security and patches. In fact Windows Phones are now THE most secure handset according to research from the University of Cambridge.

      Apple should really take a leaf from Microsoft's book – in Windows 10 all consumer streams of the OS will be updated automatically.

      Apple are terrible at repairing vulnerabilities and then they cover them up.

  2. A major controversy last year was the backdoored ios that Apple denied,but fixed none the less. There is still a vulnerability about pairings with other computers for anyone interested, Jonathan Zdziarsky was the forensic expert who wrote these issues up. His website has a wealth of information on Apple issues.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET UPDATES