Apple iPhones Vulnerable To Contacts Hack, Shows New Research

Apple devices such as iPhones, MacBooks and iPads have been known to be some of the more resilient on the market when it comes to malware. As Apple has a lower market share on a global scale in computers and smartphones, it doesn’t become the target of mass attacks all that often. Even so, there is no platform in the world which is 100% secure and the latest research from Check Point software shows that contacts saved on iPhones are vulnerable to hacking attacks that could infect the iPhones with malware.

For those unaware, SQLite is the most widespread database engine in the world and is used for development across platforms no matter the OS, browser or the device. SQLite vulnerabilities are thus rather serious in nature. Check Point demonstrated the SQLite hack technique at cybersecurity conference Defcon 2019 and proved that it can be used to manipulate the iOS Contacts app on iPhones. According to reports about the vulnerability, the devices which have been attacked are forced to run malware when users use the search feature in the Contacts app.

The company’s demo hack also bypasses the native system checks that Apple has put in place when devices are booted up. It replaces one part of Apple’s Contacts app and since an SQLite database is not executable, but rather just a reference database, the malware can be executed when the database is queried. The hackers have also built-in persistence, which means that a restart won’t rid the iPhone of the malware and thus evades Apple’s Secure Boot feature. Surprisingly, Apple has not responded to this vulnerability officially.

“Given the fact that SQLite is practically built-in to almost any platform, we think that we’ve barely scratched the tip of the iceberg when it comes to its exploitation potential. We hope that the security community will take this innovative research and the tools released and push it even further,” the researchers said.

Apple Acts On Privacy Fears

Apple had announced earlier this month that it would be rolling out an update to mobile operating system iOS to restrict apps such as Facebook’s Messenger, WhatsApp and other communication apps from making voice calls over the internet in the background. Apps are able to run calls in the background when using an iPhone even when the app has not been opened. This means such messaging and calling apps can be used at a faster pace, but it also lets them collect data in the background, without the user being aware of such an activity, while a voice call is active and running

In May, WhatsApp fixed a massive data vulnerability that left its over 1.5 Bn users at risk from malicious spyware. The data vulnerability which could have led to breaches and unauthorised malware installation has seemingly been present on WhatsApp for a number of years. The company reported having 400 Mn users in India last month.

The voice call vulnerability allowed attackers to inject spyware on phones with WhatsApp by using the app’s voice call function. The attack allowed hackers to surreptitiously install apps in the background during a voice call. The spyware was developed by Israeli cyber surveillance company NSO Group. However, in a statement, NSO said its technology is licensed to authorised government agencies “for the sole purpose of fighting crime and terror”. The company added that it does not operate the system itself and also has a rigorous licensing and vetting process.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.