Vulnerabilities in earlier versions of iOS could allow attackers to remotely penetrate the iPhone without any interaction with the user, the Google Project Zero team said recently.
The Google Project Zero team explained that the security vulnerability was discovered in iOS 12.4 and fixed in iOS 12.4.1 in mid-2019. The vulnerability can basically allow malicious actors to gain access to almost everything on the iPhone Permissions.
The only thing a hacker needs is the user's Apple ID to launch the attack, which only takes a few minutes. After that, attackers can access files, passwords, two-factor authentication codes, text messages, emails, and application data.
To make matters worse, hackers can control the microphone and camera to monitor iPhone users. CVE-2019-8641 documents a vulnerability for the attack that allows hackers to bypass ASLR and then initiate remote code execution outside the sandbox without requiring the user to take any action.
CVE-2019-8641 is the name given to the remote memory corruption vulnerability Google's Groß used to take over an iPhone with just an Apple ID. The issue was originally discovered and reported to Apple as part of Groß's joint project with Natalie Silvanovich back in July, with a proof of concept exploit published in August.
Google researchers explained in a technical analysis of the vulnerability that, although the vulnerability has been resolved, other mitigations are needed to prevent similar problems.
Although the vulnerability allows an attacker to completely damage the iPhone, only devices running iOS 12.4 are affected, so if you have iOS 13 installed, you should be in a safe state.
In fact, this is the only recommendation for staying safe and protected from potential attacks from this or similar vulnerabilities: update to the latest version as soon as possible, as the new version includes the latest security patches.
