Apple were recently made aware of a serious bug by a security firm called Lookout which with the sending of a text by the hacker could allow your phones Call Logs emails and even microphone to be accessed remotely.
The good news before everyone panics too much, is that both Lookout and Apple have worked closely after the discovery of the issues, and all 3 security flaws, nicknamed Trident, have been fixed in the latest 9.3.5 security release.
Am I Protected?
To check what version of the iOS you’re currently running, simply go to ‘Settings’, ‘General’, ‘Software update’ here you’ll either see ‘iOS 9.3.5 Your software is up to date.’ or you’ll have the option to download and install the update. The update required 50% of battery on your device or for it to be plugged in and charging to start.
Why should I be concerned?
Hackers see mobile phones as a weak point to get into target users, such as high position employees in major firms. This identified threat only requires one touch on a text message to compromise your device. The hacker first sends a text with a link embedded in. Once you’ve clicked the link, you’ve unknowingly allowed them access to your device to further silently hack and take greater control of your phone for espionage.
The threat in the nutshell (taken directly from Lookout’s site linked here)
- CVE-2016-4655: Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory.
- CVE-2016-4656: Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software.
- CVE-2016-4657: Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
- The attack sequence, boiled down, is a classic phishing scheme: send text message, open web browser, load page, exploit vulnerabilities, install persistent software to gather information. This, however, happens invisibly and silently, such that victims do not know they’ve been compromised.