
Apple quietly patched iPhone vulnerability allowing unauthorized collection of sensor data [u]


Apple in 2016 issued a fix for a website-based iOS exploit that could've allowed hackers to collect sensor data from iPhones, and potentially learn many things about their targets — even their passcodes, researchers revealed this week. [Updated with Apple clarification]

Findings shared by the researchers, based at Newcastle University in the U.K., noted that Web browsers don't need to ask permission for most sensor data, and that motion data in particular can be used to gauge what someone is doing on their phone. Through analysis, it was possible to crack a four-digit PIN with 70 percent accuracy on the first guess, and reach 100 percent accuracy by the fifth.

A JavaScript exploit was used to run the malware needed to gather data.

Companies like Apple and Google were alerted to the problem, and at least Apple Safari and Mozilla Firefox have been "partially" fixed, according to Newcastle. The university cautioned, however, that it's "still working with industry" on a comprehensive solution, and that people worried about their privacy should do things like change PINs and passwords regularly, keep their devices up to date, and close background apps they don't need.

Google is said to be aware of the trouble, but without any fix so far.

Apple's software fix came with iOS 9.3, released in March last year. That update also introduced Night Shift and secure Notes, while solving a security gap in iMessage. It proved problematic in its own right though, creating issues with Activation Lock and Web links that Apple had to fix in short order.

Update: Apple contacted AppleInsider to mention that the researchers in question are cited in iOS 9.3's security notes.



14 Comments

ericthehalfbee 13 Years · 4489 comments

Good that they plugged this, but how would anyone ever use this? So they can get your passcode. What next? Are they going to track you down and steal your iPhone just so they can unlock it?

chia 15 Years · 714 comments

Good that they plugged this, but how would anyone ever use this? So they can get your passcode. What next? Are they going to track you down and steal your iPhone just so they can unlock it?

Consider an airport, hotel or coffee shop wifi access point with a compromised landing page. Maybe you pop to the toilet and leave your phone briefly with the concierge for safe keeping or with airport security for a security check. You get your phone back five or ten minutes later, none the wiser to all the info they've looked at whilst you've been away.

rotateleftbyte 12 Years · 1630 comments

Good that they plugged this, but how would anyone ever use this? So they can get your passcode. What next? Are they going to track you down and steal your iPhone just so they can unlock it?

Saves asking for it when you arrive in the USA. IF they know it then they can access your phone and not breach your constitutional rights.
How it was obtained would be Top Secret - Eyes Only.

I am joking but you asked the question...

Soli 9 Years · 9981 comments

Good that they plugged this, but how would anyone ever use this? So they can get your passcode. What next? Are they going to track you down and steal your iPhone just so they can unlock it?

Unfortunately, people still use the same passcodes and PINs when possible.

indiekiduk 16 Years · 386 comments

Given Apple's response, shouldn't you fix the mistake in the headline? Since it wasn't quiet at all.