Apple issued an emergency update for malware that can turn on mic and camera without the user clicking anything

Originally published at: Apple issued an emergency update for malware that can turn on mic and camera without the user clicking anything | Boing Boing

4 Likes

Don’t you hate when a big company is caught informing the government about their customers, and then has to pretend to fix it?

16 Likes

my popup notification said exactly this. huzzah

2 Likes

“What happens on your iPhone, stays on your iPhone.” lol, what a crock!

1 Like

Can the malware turn on my camera or the update🤔

3 Likes

I missed how the malware gets onto the iPhone.

4 Likes

I don’t know if I’d call it an emergency update. This flaw was being exploited by very sophisticated hackers with an Israeli cyber firm for quite some time. It’s been publicly known about since July.

5 Likes

Mr. Marczak said he found that the Saudi activist, who declined to be identified, had received an image. That image, which was invisible to the user, exploited a vulnerability in the way that Apple processes images and allowed the Pegasus spyware to be quietly downloaded onto Apple devices.

That seems to have been a different zero-click exploit.

4 Likes

There should be a notifier, an LED, for the cameras and mic that are on a hardware level, and not software controlled. The software still needs to note what app is using what input resources, but trust would be greatly improved if this was added.

12 Likes

It is beyond stupid that modern phones and computers don’t have a physical button to cut power to the camera and microphone.

At the very least they should have a little plastic shutter that you could snap closed over the camera…what would that cost? A penny?

Every single person designing computing devices is hopelessly incompetent.

11 Likes

I’m willing to agree up to a point.

I would wager 95%+ of iPhone users would always leave their hardware enabled. The first missed picture and they would never disable the camera. The populace generally wants convenience. The most recent iPhones have awesome cameras yet lack almost all of the manual exposure controls my 3-year-old LG phone has (at least on the default camera app). Enthusiasts make lots of noise about features and things they want (that they might buy). But when it comes down to sales it isn’t there. Every car forum has endless chatter about manual transmissions, yet the take rate is abysmal.

And at the end of the day I can be outraged that this exploit, or I really should say capability, exists…or I can just realize it’s a risk of being part of the interconnected world we live in. Someone wants to record me? I’m pretty sure the pay isn’t good enough to listen to all that for the reward. Now if I was someone like Elon Musk, yeah, I’d have something to worry about.

5 Likes

Some Thinkpads have that … For instance:

7 Likes

[…]

One of the bugs, CVE-2021-30860, resides in Apple’s CoreGraphics framework. Reported by researchers at University of Toronto’s Citizen Lab, the bug consists of an integer overflow that allows a malicious PDF file to achieve arbitrary code execution, allowing spyware and other malicious programs to run.

[…]

3 Likes
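The quoted passage describes the bug class (an integer overflow in image handling that ends in code execution) but not the arithmetic behind it. As an added illustration that is not from the article, this thread, or Apple’s code, the C below shows the generic size-calculation pattern on a hypothetical image header: an unchecked 32-bit product that wraps to a small value, next to a checked version that refuses the header. The header fields, the 256 MiB size budget and the sample dimensions are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed upper bound on a decoded image; a real decoder would pick its own. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Unsafe pattern: width * height * bytes_per_pixel evaluated in 32 bits.
 * For large declared dimensions the product wraps modulo 2^32, so the
 * decoder would allocate a tiny buffer and then write a huge image into it. */
uint32_t unchecked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp; /* silently wraps */
}

/* Hardened pattern: reject zero dimensions, test each multiplication for
 * overflow before performing it, and cap the result at a sane budget.
 * Returns the byte count, or 0 if the header is rejected (0 is never a
 * valid size here because zero dimensions are refused). */
size_t checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    size_t w = width, h = height, b = bpp;
    if (w > SIZE_MAX / h)          /* would w * h overflow size_t? */
        return 0;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / b)     /* would pixels * b overflow size_t? */
        return 0;
    size_t total = pixels * b;
    if (total > MAX_IMAGE_BYTES)   /* fits in size_t but exceeds our budget */
        return 0;
    return total;
}

/* Allocate only through the checked path; NULL means the header was refused. */
unsigned char *alloc_pixel_buffer(uint32_t width, uint32_t height, uint32_t bpp) {
    size_t n = checked_pixel_bytes(width, height, bpp);
    return n ? (unsigned char *)calloc(n, 1) : NULL;
}

int main(void) {
    /* Constructed hostile header: 65536 x 65536 x 4 bytes = 2^34 bytes. */
    uint32_t w = 65536u, h = 65536u, bpp = 4u;
    printf("unchecked size: %u bytes (wrapped)\n", unchecked_pixel_bytes(w, h, bpp));
    printf("checked size:   %zu (0 = rejected)\n", checked_pixel_bytes(w, h, bpp));
    unsigned char *buf = alloc_pixel_buffer(640u, 480u, 4u);
    printf("640x480x4 buffer %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

The division-based test is the portable form; compilers that offer `__builtin_mul_overflow` can do the same in one call. The separate budget check matters because on 64-bit hosts a product can avoid wrapping and still describe an absurd allocation.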

Take your iPhone for a ride

1 Like

In the case of Pegasus, the attacker just needs to send you an iMessage - you don’t even need to open it. It blasts through iMessage’s sandbox and the internal BlastDoor sandbox, which is meant to stop messages from unknown senders.

1 Like

I’m assuming iOS 12.5.4 does not have this vulnerability, as there is no update here in the UK (yet). Maybe the best advice for people not wanting Israeli spy software to deliver their every move to assorted evil-doers is to stick with back-level technology.

1 Like

How would we know if our phones/laptops were affected already?

1 Like

Linking to a NYT article is not much help.

And clearly NSO will lose its business license in most of the world as a result of setting this free or letting it get out, right?

1 Like

For those who do not know about NSO and Pegasus… it’s fascinating stuff:

They even sent a Black Cube spy out to try and catch John Scott-Railton saying something that could discredit him:

3 Likes