Security News

Researchers have demonstrated iPhone malware that works even when the phone is fully shut down. T turns out that the iPhone's Bluetooth chip­ - which is key to making features like Find My work­ - has no mechanism for digitally signing or even encrypting the firmware it runs.

Attackers can target iPhones even when they are turned off due to how Apple implements standalone wireless features Bluetooth, Near Field Communication and Ultra-wideband technologies in the device, researchers have found. These features-which have access to the iPhone's Secure Element, which stores sensitive info-stay on even when modern iPhones are powered down, a team of researchers from Germany's Technical University of Darmstadt discovered.

A first-of-its-kind security analysis of iOS Find My function has demonstrated a novel attack surface that makes it possible to tamper with the firmware and load malware onto a Bluetooth chip that's executed while an iPhone is "Off." Current devices with Ultra-wideband support include iPhone 11, iPhone 12, and iPhone 13.

How to lock an iPad or iPhone into Single App Mode with Guided Access. Does your organization utilize iPad apps for kiosk-style uses, or have you ever needed to hand a device to someone else to use an app or enter information, but didn't want to give away access to everything that's on the device? Apple has a solution for these scenarios built into iOS and iPadOS called Guided Access.

Digital threat researchers at Citizen Lab have discovered a new zero-click iMessage exploit used to install NSO Group spyware on iPhones belonging to Catalan politicians, journalists, and activists. "Among Catalan targets, we did not see any instances of the HOMAGE exploit used against a device running a version of iOS greater than 13.1.3. It is possible that the exploit was fixed in iOS 13.2," Citizen Lab said.

Apple on Thursday rolled out emergency patches to address two zero-day flaws in its mobile and desktop operating systems that it said may have been exploited in the wild. Both the vulnerabilities have been reported to Apple anonymously.

Apple has released security updates on Thursday to address two zero-day vulnerabilities exploited by attackers to hack iPhones, iPads, and Macs. In security advisories published today, Apple said that they're aware of reports the issues "May have been actively exploited."

Researchers have blown the lid off a sophisticated malicious scheme primarily targeting Chinese users via copycat apps on Android and iOS that mimic legitimate digital wallet services to siphon cryptocurrency funds. The wallet services are said to have been distributed through a network of over 40 counterfeit wallet websites that are promoted with the help of misleading articles posted on legitimate Chinese websites, as well as by means of recruiting intermediaries through Telegram and Facebook groups, in an attempt to trick unsuspecting visitors into downloading the malicious apps.

Social engineering attacks leveraging a combination of romantic lures and cryptocurrency fraud have been luring unsuspecting victims into installing fake apps by taking advantage of legitimate iOS features like TestFlight and Web Clips. "This style of cyber-fraud, known as sha zhu pan - literally 'pig butchering plate' - is a well-organized, syndicated scam operation that uses a combination of often romance-centered social engineering and fraudulent financial applications and websites to ensnare victims and steal their savings after gaining their confidence," Sophos analyst Jagadeesh Chandraiah said in a report published last week.

The latest raft of non-emergency Apple security updates are out, patching a total of 87 different CVE-rated software bugs across all Apple products and plaforms. With 87 noteworthy bugs in the mix, there are plenty of security issues to choose from, including several that are listed with a warning that the bug might "Lead to arbitrary code execution", or even that it might be exploitable "To execute arbitrary code with kernel privileges".