This particular vulnerability is very similar to the Stagefright problem which was discovered a few years back in Android devices. This allowed hackers to be able to spy on over a billion devices around the world, all with one cleverly constructed message. This latest vulnerability was discovered by Tyler Bohan, the senior researcher at Cisco Talos. He compared this latest hack which affects iOS devices, as similar to the Stagefright bug which had been affecting Android devices.
The critical bug (CVE-2016-4631) actually resides in ImageIO – API used to handle image data – and works across all widely-used Apple operating systems, including Mac OS X, tvOS, and watchOS. How do they take advantage of this flaw in the iOS security? It really is quite simple. All that they need to do is create an exploit for the attack, and then send it to someone’s device via a multimedia message, or inside an iMessage inside a Tagged Image File Format or TIFF. Once the person receives the message, and then opens it on their device, the hack would be active.
Forbes quoted Bohan as saying “The receiver of an MMS cannot prevent exploitation and MMS is a store and delivery mechanism so that I can send the exploit today, and you will receive it whenever your phone is online.” Another way that a hacker could send the attack is via the Safari web browser. They simply need to trick a user into visiting a website which would contain the virus. You don’t even have to download an attachment or open a specific part of a browser, because of the way iOS is set up to be as user-friendly as possible. Many iOS applications, such as iMessage, are set up to try automatically and render any images as soon as they are received. It is because of the way in which the attack is delivered, no user interaction is required, that causes many people not even to realize that they have been attacked. Once the exploitation has occurred, user’s details such as; Wi-Fi Passwords, PIN numbers, website login details, email logins, etc.
There is one bright spot on the horizon for Apple users; iOS includes sandbox protection to help prevent hackers from taking advantage of one part of the OS to control the entire thing. What does this mean? Hackers will need to target iOS which have been jailbroken or an additional root exploit to take over the iPhone or iPad etc. completely. The bad news is that Mac OS X doesn’t have this sandbox protection, this makes Mac users much more vulnerable than iPad and iPhone users. Apple has patched this critical issue in iOS version 9.3.3, along with patches for other 42 vulnerabilities, including memory corruption bugs in iOS' CoreGraphics that helps render 2D graphics across those OSes, according to Apple's advisory.
Apple also addressed serious security vulnerabilities in FaceTime on both iOS and OS X platforms, allowing anyone on the same WiFi network as a user to eavesdrop on the audio transmission from FaceTime calls even after the user had ended the call.
"An attacker in a privileged network position [could] cause a relayed call to continue transmitting audio while appearing as if the call terminated." Reads Apple’s description.
The FaceTime vulnerability (CVE-2016-4635) was discovered and reported by Martin Vigo, a security engineer at Salesforce. So what is the best option? Always make sure that you stay on top of any updates or patches which are released by Apple. These patches or updates include security precautions which will help protect your device.