Report: New iOS Flaw Exposes Users to Keylogging

Just when you thought you’d heard enough about GoToFail and iOS vulnerabilities comes word via Ars Technica that a security firm has uncovered a new iOS security vulnerability that could expose iOS users to covert keylogging. Wait a minute you might say, an iPad or an iPhone doesn’t use a real keyboard. This iOS flaw essentially tracks any touch a user makes on an iOS device including TouchID and volume control. The new exploit, which has been delivered in a proof of concept is said to affect users of iOS 6.1.x, iOS 7.0.4, 7.0.5, and the recent iOS 7.0.6 that was released to patch the GoToFail vulnerability last Friday.

The security firm FireEye published its findings in a blog post Monday night. According to FireEye, attackers could use an App that bypasses Apple’s review process to take advantage of multitasking capabilities built into iOS. Here’s a quote from the FireEye blog post:

We have created a proof-of-concept “monitoring” app on non-jailbroken iOS 7.0.x devices. This “monitoring” app can record all the user touch/press events in the background, including, touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.

Note that the demo exploits the latest 7.0.4 version of iOS system on a non-jailbroken iPhone 5s device successfully. We have verified that the same vulnerability also exists in iOS versions 7.0.5, 7.0.6 and 6.1.x. Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring.

The App appears to take advantage of background multitasking. An example of this would be music Apps that play music in the background while users perform other tasks. Until Apple plugs the hole, FireEye says the only way to prevent the potential for risk would be to open the task manager and close any questionable Apps.

Ars Technica goes on to say that it is publishing FireEye’s findings out of an abundance of caution given that Apple typically doesn’t comment on these type of security matters, and that there may be mitigating circumstances that FireEye is not reporting. We’re echoing those reports with the same cautious approach.