On Friday, September 16th, Apple Inc released the iPhone 14, which is currently the latest iOS device. The inbuilt iOS 16 device introduces various new features such as Apple Pay, with upgraded internal chips and security. However, system upgrades and new features have not tackled this mobile device’s vulnerabilities.
Apple devices usually give threat actors “a tough time”, which concludes that it’s one of the safest devices in the cybersecurity market. The Indian Computer Emergency Response Team (CERT-In) and other cybersecurity agencies discovered vulnerabilities that affect iOS 16.
The content of this article contains:
CERT-In Vulnerability Discovery
CERT-In Vulnerability Discovery on iPhone 14
On October 26th, CERT-In issued a report revealing that the vulnerability termed as CVE-2022-42827 or Webkit 247562 affects iOS 16 devices. A list of devices at risk was also released, of which Apple’s iPhone 14 was included.
According to CERT-In, the improper security restrictions in Apple’s AppleMobileFileIntegrity component have resulted in the vulnerability. It was explained that victims may be persuaded to open a specially crafted file or application, which would allow the remote hacker to exploit these vulnerabilities.
After the hackers have successfully exploited these vulnerabilities, it becomes easier to gain access to sensitive information. The hacker can execute arbitrary code, and conduct distributed denial of service (DDoS) attacks on the targeted device.
Furthermore, CERT-In revealed the vulnerabilities of Apple’s Safari browser. The vulnerabilities found in the files, macOS Big Sur and macOS Monterey, in the Safari browser, could allow hackers to spoof URLs, execute arbitrary codes and gain access to sensitive information on a targeted device.
CERT-In advises users to apply security patches urgently. Apple Inc releases new iOS updates, bringing new features to the public as well as improving its security and patching vulnerabilities. It is important for users to always update their devices to the latest firmware version.
Another vulnerability was discovered by a security researcher posted on Twitter. In a tweet, @_simo36 disclosed screenshots that appeared to be a vulnerability proof of concept (POC) through the iPhone 14 command line interface (CLI).
This iOS 16.1.2 vulnerability is a bug that hackers could exploit to write and achieve reads to a target device’s kernel memory.
This vulnerability can be leveraged in the development of a jailbreak. The interesting fact about this vulnerability is that he shows this PoC on an iPhone 14 running iOS 16.1.2 (build 20B110).
However, Apple’s latest security implementations for iPhones have made it more difficult to build a jailbreak. This means that a lone exploit will most likely not be able to conduct a successful jailbreak.
Although, @_simo36 discovery is worthy of commendation, given the fact that iOS 16.1.2 is one of the latest firmware released by Apple Inc.
Some vulnerabilities affecting Apple’s iPhone 14 have been patched recently. The iOS 16.1.2 which landed on November 30 has already been rolled out to the various supported iPhones.
The bugs discovered are called zero-day as the vendor is given zero-day notice to fix the vulnerability. Apple revealed that security researchers at Google’s Threat Analysis Group which investigates spyware and cyberattacks also discovered the WebKit bug.
WebKit bugs are mostly seen when a person visits a malicious site. Apple has disclosed that they are aware of the vulnerabilities exploited against versions of iOS released before iOS 15.1, however, they have not confirmed the vulnerabilities associated with iOS 16.
According to Apple, an investigation must be conducted before security issues are confirmed or disclosed. After the company confirms a vulnerability, patches will be released along with the necessary information.
Another firmware version, iOS 16.2, has also been introduced by Apple Inc. Reliable data encryption and backup have been implemented in this new firmware version, with other new features.
The iOS 16.2 firmware has currently addressed over 30 vulnerabilities that were putting devices at risk. This is why it is very important to install the latest updates as soon as they are publicly released.
In this firmware, Apple Inc addressed issues concerning WebKit, Graphics Driver, Apple Safari, Photos, Weather, and more. Some of these vulnerabilities have not been exploited, however, an upgrade is still necessary. Additionally, Apple has provided the same vulnerability patches for iOS 15 devices to those yet to install iOS 16.