Apple pushed out iOS 9 earlier this week, and if you haven’t upgraded yet because you’re worried it will cause serious issues, you may want to take the leap right now anyway because of a major flaw discovered in the iPhone. The good news is that iOS 9 appears to be causing relatively few major issues compared to iOS 8, at least so far.
iOS 9 patches security flaw in iPhones
The Sydney Morning Herald reports that an Australian cyber-security researcher has uncovered a major flaw in older iPhones, but that flaw has been patched in iOS 9. Unfortunately, Apple has yet to patch it in OS X, so Macs are still vulnerable to it.
Mark Dowd said the problem first appeared on the iPhone in iOS 8, and it allowed him to install malware on iPhones using a bug in Apple’s sharing feature AirDrop. AirDrop allows Apple users to pass documents or files from one Apple device to another without a wired connection. It’s been about six weeks since Dowd discovered the security flaw.
How the AirDrop vulnerability works
Dowd, who founded Azimuth Security, told Fairfax Media that the AirDrop flaw allows someone to install malware on an Apple device and then mark it as a trusted application. Once marked as trusted, the malware runs freely on the iPhone it is installed on.
Hackers don’t even have to physically get their hands on the iPhone they want to install the malware on. All they need is to be in the vicinity of the iPhone and for the iPhone to have AirDrop enabled for “everyone” nearby to send over files. Dowd pointed out that iOS’ default is to have AirDrop enabled for everyone to send files without even unlocking the targeted iPhone, which means even locking the phone with a PIN won’t protect it.
Locking iPhones won’t protect them
Also, the user of the iPhone that’s being attacked doesn’t even have to accept the file sent by the hacker. Dowd said the vulnerability in AirDrop automatically accepts the file without the iPhone user actually accepting it.
Further, he said that even if someone no longer has AirDrop in the default mode of accepting files from everyone, all the hacker has to do is grab their phone briefly, slide up the Control Center (which is also on by default and does not require that a PIN be entered), and then enable AirDrop to accept files from everyone. In other words, those who don’t want to install iOS 9 yet must disable AirDrop and also change the Control Center setting so that it doesn’t work on the lock screen without the PIN.
Mixpanel, an analytics firm, estimates that about 12% of iOS users have upgraded to iOS 9, which leaves the other 88% still vulnerable to the flaw Dowd found. If Mixpanel is correct in its estimate, then it would seem that Crittercism’s forecast of the iOS 9 adoption rate may be a bit too optimistic, as the firm expected a 20% adoption rate by today or tomorrow.
Not the first problem with Apple’s AirDrop
This isn’t the first problem discovered with AirDrop this year. In August, a woman in the U.K. experienced what officials termed “cyber-flashing.” She had AirDrop turned on because she had been using it, so someone nearby was able to send her images of a man’s penis while she was riding on a train. In this particular case, the issue was the uncensored preview of the files provided by AirDrop, so even though users could reject files, the preview still showed what the images were.