With the Apple iPad a key fixture in many smart home installations as a controller, integrators and homeowners should pay close attention to Apple’s newest security update, as the company says it fixes three actively exploited iOS vulnerabilities that could lead to installation of spyware.
The updates patch the bugs in a wide range of Apple devices, including iPads, iPhones, iPod touch, and others, with Apple crediting Kaspersky researchers with the disclosure of two of the iOS vulnerabilities being patched. Kaspersky, a Russia-based cybersecurity firm with a large U.S. presence, disclosed the vulnerabilities earlier this month, saying a hacker can compromise devices via the iMessage service via a malicious attachment, and no user interaction is required.
According to Kaspersky, the message triggers a vulnerability that leads to code execution, and the code within the exploit downloads several subsequent stages from the command-and-control server that include additional exploits for privilege escalation.
After successful exploitation, a final payload is downloaded from the C&C server, which Kaspersky calls a “fully featured APT platform.” The initial message and the exploit in the attachment is then deleted.
Essentially, these vulnerabilities identified by Kaspersky and labeled “Operation Triangulation,” could essentially give hackers access to a wide range of sensitive information. The spyware, per the cybersecurity firm, allows for:
- Interacting with the filesystem (creation, modification, exfiltration and removal of files);
- Interacting with processes (listing and terminating them);
- Dumping the victim’s keychain items, which can be useful for harvesting victim credentials;
- Monitoring the victim’s geolocation;
- Running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory.
Exploitation of these vulnerabilities dates as far back to 2019, the company adds.
Since these flaws affect older versions of Apple products, Apple released two separate updates:
- iOS and iPadOS 15.7.7 for Phone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
- iOS 16.5.1 and iPadOS 16.5.1 for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
The Kaspersky-disclosed vulnerabilities are tracked as CVE-2023-32434 and CVE-2023-32435, while the updates also fix a WebKit bug Apple tracks as CVE-2023-32439 and attributes to an anonymous researcher. All three are reported to be exploited in the wild, according to Apple.
In addition to iPadOS and iOS, Apple released fixes for the bugs in certain versions of watchOS, macOS and Safari. Read Apple’s full list of security updates to learn more.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!