It seems Apple is facing constant challenges in ensuring iPhones’ security. While the company’s new software update has patched the KRACK security vulnerability, which was revealed on Oct. 16, the company is now facing a new challenge with the detection of a Wi-Fi bug and other vulnerabilities at a Japanese hackathon.
While KRACK allowed hackers to get a user’s photos from the lock screen, the new bug lets a hacker into a user’s iPhone using the Wi-Fi network. The vulnerability was discovered at the Mobile Pwn2Own hacking contest in Tokyo. The contest was held between security researchers, and a $110,000 prize was offered for finding vulnerabilities in the iOS execute code.
The bug in iPhone 7’s code was found by Tencent’s Keen Security Lab. Not many details are available about the bug right now, but according to the web page of the event, the phone suffers from a total of four vulnerabilities.
“Tencent Keen Security Lab gets code execution through a WiFi bug and escalates privileges to persist through a reboot. The four bugs used earn them a total of $110,000 and 11 Master of Pwn points,” the event log reads.
The security researchers also discovered bugs in Safari and iPhone system services.
In simple language, this means that the company’s iPhones are at a critical risk of hacking due to this security flaw.
“The phone connects to a Wi-Fi network and a malicious app is installed,” software company Trend Micro stated. This means that sensitive information from your device such as your banking information and your Apple Pay ID can easily be leaked using this bug.
The security flaw might be related to iOS 11.1 as all the phones being tested at the hacking event were running the operating system.
The Twitter account of the hacking event, Zero Day Initiative, states, “To confirm, all phones in #Mobile #Pwn2Own are running the latest available OS. That does mean the #iPhones are running iOS 11.1. #MP2O.”
The team that found the vulnerability at the event won the contest.
Details about the new bug are currently scarce, and it is not yet known whether a hacker even needs to be in the vicinity of the device, as was the case with the KRACK vulnerability.
While Apple’s security content for iOS 11.1, published on Wednesday, reveals that the company addressed the issue using improved state management, no such solution has been cited for the new bug, since not much information is available about it.
Apple is yet to issue a statement about the vulnerability, but according to its security content web page, “Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.”
The only viable solution seems to be to wait for the release of iOS 11.2. The iOS 11.2 Beta was released to developers on Monday, and patches bugs such as the 1+2+3 = 24 bug in the device’s calculator.