A recently discovered iPhone security flaw allows hackers to access your data when you simply open a PDF. We look deeper into the world of hackers and how they use technology against us.
Reporter: Emre Gunes / Subeditor: Adrian Vasilescu
Hacking and online privacy are still among the biggest subjects of discussion in the 21st century, and rightfully so. The internet, social media and connected devices are all still relatively new and developing markets, and they still struggle to be transparent with their users. How many people actually know how their phones work, or actually read through all the terms and conditions before clicking accept? In this day and age of information overflow, it can be hard to know what the threats are and how to defend against them. This is why websites such as The Hacker News exist: to teach their users how to defend against online hackers and to report the latest news in the hacker-sphere.
I recently interviewed the CEO and founder of the site after he published a feature about a new security flaw in iPhones and iPods. Mohit Kumar is a self-proclaimed tech guru who has been involved in the hacker scene for a long time. “I like taking things apart, it helps me see the bigger picture.” I asked him about the article he published last week and he tried to explain the flaw as simply as possible.
“The way the hack works is that they embed an executable file inside the actual document (jpeg, PDF etc.) and the device then reads the files normally and encounters the executable which prompts the device to run it.”
Basically, the device reads the image as lines of code that tell it which colours and pixels to display, but the file also carries additional lines that are used for the hack. The device cannot defend itself pre-emptively: it is compromised through the file, which is on the device because of the user's own actions. This is known as a buffer overflow and can be used to gain full access to the device. Buffers are fixed-size areas of a device's memory that hold data while it is being transferred, which keeps the transfer efficient and safe. Overflowing them can cause data to leak into other areas of memory, which is what lets attackers plant executables in things like JPEGs.
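The check that stops this kind of overflow, as an added example in C. It is not code from Apple or from the article, and the function name, the 64-byte buffer and the sample bytes are made up for illustration. It reads the comment field of a JPEG-style file and refuses any file whose stated length is larger than the data actually present or than the buffer being copied into.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMMENT_MAX 64   /* fixed-size destination buffer (assumed size) */

/* Constructed sample files: a tiny JPEG-like stream with one comment segment,
 * and one whose length field claims 256 bytes that are not there. */
static const uint8_t sample_ok[]    = {0xFF,0xD8, 0xFF,0xFE, 0x00,0x04, 'h','i', 0xFF,0xD9};
static const uint8_t sample_lying[] = {0xFF,0xD8, 0xFF,0xFE, 0x01,0x00, 'h','i'};

/* Copy the first comment segment (marker FF FE) into `out`.
 * Returns bytes copied, or -1 if the file is malformed, has no comment
 * before the image data, or the comment does not fit. */
int read_jpeg_comment(const uint8_t *file, size_t file_len, char out[COMMENT_MAX])
{
    if (file_len < 2 || file[0] != 0xFF || file[1] != 0xD8)
        return -1;                          /* must start with SOI (FF D8) */
    size_t pos = 2;
    while (file_len - pos >= 4) {           /* room for marker + length */
        if (file[pos] != 0xFF)
            return -1;
        uint8_t marker = file[pos + 1];
        /* The length is whatever the file's creator wrote: untrusted. */
        size_t seg_len = ((size_t)file[pos + 2] << 8) | file[pos + 3];
        if (seg_len < 2 || seg_len > file_len - pos - 2)
            return -1;                      /* claims more than the file holds */
        size_t payload = seg_len - 2;       /* length field counts itself */
        if (marker == 0xFE) {
            /* memcpy without this check is the buffer overflow. */
            if (payload >= COMMENT_MAX)
                return -1;
            memcpy(out, file + pos + 4, payload);
            out[payload] = '\0';
            return (int)payload;
        }
        pos += 2 + seg_len;                 /* step to the next segment */
    }
    return -1;
}

int main(void)
{
    char text[COMMENT_MAX];
    printf("%d\n", read_jpeg_comment(sample_ok, sizeof sample_ok, text));
    printf("%d\n", read_jpeg_comment(sample_lying, sizeof sample_lying, text));
    return 0;
}
```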
“The idea is that anyone who uses an iPhone or an iPod is susceptible to these attacks. They are mostly linked to groups that try to steal vital information, such as credit card numbers and addresses. All they need is a gateway, and this security flaw gives them a new gateway to toy with new ways to get to your private information.”
The flaw he talks about is actually a very well-known vulnerability in many devices; here, specifically, it is tracked as CVE-2016-4673.
“The flaw inside Apple (CVE-2016-4673) has been known for some time now, and hackers using corrupt JPEGs or PDF documents to gain access is nothing new either. However, with more people relying on the internet and on their phones for work, these risks are harder to avoid.”
These security flaws are hard for manufacturers to test for, because it takes a real-world trial to see how far hackers can push the limitations of their software. Hacks can range from innocent pranks all the way to devastating damage. One example of the more severe hacks was the Stuxnet worm, which successfully hacked and sabotaged Iranian nuclear facilities. Up until that incident, many thought that the industrial control computers used in most nuclear facilities were immune to outside attacks because they were isolated. However, the modernization of many systems that switched to Windows allowed hackers to gain access. Fortunately, the attack was thwarted eventually, but the repercussions of hacking a nuclear power plant are extremely severe.
“The people that try to hack your phone are not anonymous or big hacker groups and stuff like that, it’s mostly smaller petty people that are trying to make cash.”
Apple has already rolled out a patch for iOS 10.1 that promises to fix this security flaw. It recommends users update their devices as soon as possible.
When asked about how users could best defend themselves against these kinds of attacks, he said: “The best way to avoid this is to always have an antivirus program installed on your devices and to regularly update them. Be wary of suspicious websites that require you to download something, even if it looks like a harmless Word document or JPEG.”