Recently, iPhone owners worldwide were warned that a seemingly harmless WiFi hack was not just risky but a tangible threat. And now that threat level is genuine.
According to Gordon Kelly, in shocking new research that was shown to him ahead of publication, mobile security specialist ZecOps has found that a serious zero-click flaw was silently spotted in iOS 14.4 (without a CVE). ZecOps research also shows that the technique for exploiting this vulnerability can be applied to the new iPhone WiFi hack. This changes it from a relatively harmless denial of service (DoS) threat into one usable for both local privilege escalation (LPE) and remote code execution (RCE) attacks. These attacks are the hacker’s ultimate goal, potentially allowing them to take over your iPhone remotely. And Apple has yet to find a permanent solution.
ZecOps CEO Zuk Avraham warns, “There’s a new WiFi threat exposed in town. You all have already seen it but didn’t realize the implication. The recently revealed ‘non-dangerous’ WiFi bug is powerful. While investigating this helplessly, we found another silently patched format-strings vulnerability that allows an attacker to affect an iPhone or iPad running iOS 14.3 or an earlier version without any interaction with an attacker. This type of attack has been named 0-click (or zero-click). Exploiting this fault is possible, and the same technique can be applied to the latest unpatched WiFi error in iOS 14.6.”
And now it takes a turn for the worse. ZecOps notes that in its latest form, a user running the latest version of iOS (14.6) would have to run a WiFi network with crafted characters, particularly in its name (SSID), to be vulnerable, which is likely to increase suspicion and reduce possible attacks. But at the beginning of this month, research by security analysts AirEye disclosed that their research team was able to build the network name in a way that does not expose the user to the weird characters, making it look like a legitimate, existing network name.
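For anyone who logs nearby networks, the crafted names described above can be flagged from scan results. The following is an added example, not code from ZecOps, AirEye or Apple; it assumes the "crafted characters" are printf-style conversion specifiers, as the format-strings description suggests, and the function names, scan format and sample SSIDs are constructed for illustration.

```python
import re

# "%%" (literal percent) or a printf/NSLog-style conversion:
#   % [flags] [width] [.precision] [length] conversion
TOKEN = re.compile(
    rb"%%|%[-+ #0']*(?:\d+|\*)?(?:\.(?:\d+|\*)?)?"
    rb"(?:hh|h|ll|l|q|L|j|z|t)?([@diouxXeEfFgGaAcCsSpn])"
)
# Conversions that make a formatter treat an argument as a pointer.
POINTER_CONVERSIONS = set(b"sS@n")


def find_specifiers(ssid: bytes) -> list[bytes]:
    """Return conversion specifiers found in raw SSID bytes, skipping '%%'."""
    return [m.group(0) for m in TOKEN.finditer(ssid) if m.group(0) != b"%%"]


def audit_scan(scan):
    """scan: iterable of (bssid, raw_ssid_bytes). Returns one finding per flagged name."""
    findings = []
    for bssid, ssid in scan:
        specs = find_specifiers(ssid)
        if not specs:
            continue
        findings.append({
            "bssid": bssid,
            # Show undecodable bytes as escapes instead of hiding them.
            "ssid": ssid.decode("utf-8", errors="backslashreplace"),
            "specifiers": [s.decode("ascii") for s in specs],
            "pointer_use": any(s[-1] in POINTER_CONVERSIONS for s in specs),
        })
    return findings


# Constructed sample scan results (not taken from any real capture).
SAMPLE_SCAN = [
    ("02:00:00:00:00:01", b"HomeNet-5G"),
    ("02:00:00:00:00:02", b"Cafe 100%"),
    ("02:00:00:00:00:03", b"Sale 20%% today"),
    ("02:00:00:00:00:04", b"guest%s%s"),
    ("02:00:00:00:00:05", b"lab-%08x-%n"),
    ("02:00:00:00:00:06", b"caf\xc3\xa9 %@"),
]

if __name__ == "__main__":
    for finding in audit_scan(SAMPLE_SCAN):
        print(finding)
```

The check works on the raw SSID bytes rather than the rendered name, so it does not depend on how a device displays the network. It errs toward flagging: a name such as `50% off` is reported because `% o` is a valid conversion.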
In Apple’s defense, recent betas of iOS 14.7 indicate that the company is working to fix this. Still, AirEye CTO Amichai Shulman says that these airborne attacks are a “new and yet unnoticed threat vector given their hidden nature, we’re destined to see more such attacks.”
So what can a user do? Unexpectedly, older iPhones running iOS 12 or earlier are not vulnerable. Still, for other users, Avraham suggests disabling the WiFi Auto-Join Feature on iPhones and iPads (Settings > WiFi > Auto-Join Hotspot > Never).
Next, you can only wait, because Apple is likely to repair this version of the flaw in iOS 14.7, which will be released next week. After that, a new high-stakes game of Whack-a-mole is set to begin between hackers and all the big tech companies as momentum grows around these new forms of airborne attack.
But after this, you may never look at WiFi hotspots the same way again.