Security researcher discovers vulnerabilities in iOS and macOS that could be exploited to hack webcams
After discovering a no fewer than seven security vulnerabilities in Safari for iOS and macOS, a researcher has received a $75,000 bug bounty pay out from Apple.
Ryan Pickren, a former Amazon Web Services (AWS) security engineer, found a series of security flaws in Apple's web browser, some of which could be exploited to hijack the camera of a Mac or iPhone to spy on users. The webcam hacking technique combined a total of three zero-day bugs.
- Apple accidentally leaks details of its unreleased AirTags tracking tags
- Until Apple patches this security flaw your VPN traffic might not be secure
- Apple internally acknowledges Personal Hotspot problems in iOS 13 and iPadOS 13
Pickren found that it was possible to take advantage of the fact that while all apps require users to granted permission to access the camera and microphone, the same was not true for Apple's own apps. The vulnerability researcher explains: "The camera security model in iOS and macOS is pretty intense. In a nutshell, each app must be explicitly granted camera/microphone permission, which is handled by the OS via a standard alert box".
He goes on to say:
But there is an exception to this rule. Apple's own apps get camera access for free. So Mobile Safari can technically access the camera without asking. Furthermore, new web technologies such as the MediaDevices Web API (commonly used in WebRTC transmissions) allow websites to utilize Safari's permission to access the camera directly. Great for web-based video conferencing apps such as Skype or Zoom. But... this new web-based camera tech undermines the OS's native camera security model.
As Forbes reports, the seven vulnerabilities (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784 and CVE-2020-9787) were all responsibly disclosed to Apple and all have now been fixed. Three zero-days which could be combined into a "camera kill chain" were fixed in the Safari 13.0.5 update which was released on January 28. The remaining four vulnerabilities were regarded as being less severe, and they were fixed in Safari 13.1 which was released on March 24.