Apple iPhone vulnerability lets attackers secretly access private data

"This bug shows that mobile devices should not be considered 'safe' or low-risk endpoints."

A TCC bypass vulnerability could let threat actors get inside your phone's private places (Photo by Ali Abdul Rahman on Unsplash)

Owners of Apple iPhones have been warned that a creepy new vulnerability could let threat actors steal their most sensitive data.

Researchers from Jamf Threat Labs identified a bypass vulnerability in the Transparency, Consent and Control (TCC) subsystem in iOS, which has now been assigned CVE-2024-44131.

The TCC bug affects File Provider on both iOS and macOS, Apple's mobile and desktop operating systems respectively. If successfully exploited, the vulnerability can let an app access sensitive data without the user's knowledge.

"Across Apple’s ecosystem of operating systems, Transparency, Consent and Control (TCC) serves as a crucial security framework, prompting users to grant or deny requests from individual apps to access sensitive data such as photos, contacts and location details," Jamf wrote in a research blog published today. "A TCC bypass vulnerability occurs when this control fails, allowing an application to access private information without the user’s consent or knowledge."

With a medium CVSS score of 5.5, the bug may not keep network defenders up at night on its own. But it should worry anyone who doesn't want their private files quietly lifted by a threat actor.

The potentially scary bug lets malicious applications copy "extensive" amounts of user data from iCloud, Jamf warned.

"Alarmingly, this exploitation occurs without leaving any trace of the data accessed, posing a threat to user privacy and overall data security," it continued.

"It allows unauthorised access to files and folders, Health data, the microphone or camera, and more without alerting users. This undermines user trust in the security of iOS devices and exposes personal data to risk."

What is a TCC bypass vulnerability?

Both iOS and macOS use the TCC mechanism to prompt users when an application tries to access sensitive information such as photos, GPS location, contacts and more, giving them the option to grant or deny access to specific data on a per-application basis.

When a user moves or copies files within the Files app, a malicious application running in the background can intercept these actions and redirect the files elsewhere, abusing the elevated privileges of the system process fileproviderd and manipulating symlinks to deceive the Files app into operating on a path the user never chose.

This exploitation can happen "in the blink of an eye" and go "entirely undetected by the end user."
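The pattern at the heart of this, a privileged helper that copies or moves files on behalf of a less-privileged caller and follows a symlink it should not, can be shown in a few lines of Python. The block below is an added, constructed illustration of that general bug class, written for this page. It is not Jamf's proof of concept and not Apple's fileproviderd code, and it makes no claim about the exact paths or checks involved in CVE-2024-44131. All directories, file names and contents are constructed in a temporary directory; `naive_move`, `hardened_move` and `demo` are names chosen here.

```python
"""Constructed demo of the symlink-redirection bug class: a privileged
file-moving helper is asked by an unprivileged caller to move a path, and
the path turns out to be a symlink into data the caller may not read.
Not Jamf's proof of concept and not Apple's fileproviderd code."""
import os
import shutil
import stat
import tempfile


def naive_move(src: str, dst_dir: str) -> str:
    """Move src into dst_dir the way a helper that trusts its caller would.
    shutil.copyfile follows symlinks, so a symlinked src is read from
    wherever it points, with the helper's privileges rather than the caller's."""
    dst = os.path.join(dst_dir, os.path.basename(src))
    shutil.copyfile(src, dst)
    os.remove(src)  # removes only the link, so the target stays untouched and unnoticed
    return dst


def _inside(path: str, root: str) -> bool:
    """True if the fully resolved path lies under the resolved root."""
    real_root = os.path.realpath(root)
    return os.path.commonpath([os.path.realpath(path), real_root]) == real_root


def hardened_move(src: str, dst_dir: str, allowed_root: str) -> str:
    """Same operation, but the helper verifies what it is really about to touch."""
    # Both ends of the move must resolve to locations inside the caller's own area;
    # realpath also resolves a symlinked directory component pointing outside it.
    if not (_inside(os.path.dirname(src), allowed_root) and _inside(dst_dir, allowed_root)):
        raise PermissionError("move escapes the caller's allowed root")
    # Refuse a symlink as the source: lstat inspects the link itself, not its target.
    before = os.lstat(src)
    if stat.S_ISLNK(before.st_mode):
        raise PermissionError("source is a symlink")
    # Open with O_NOFOLLOW so a link swapped in after the lstat is rejected as well.
    try:
        fd = os.open(src, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as exc:
        raise PermissionError("source could not be opened without following a link") from exc
    with os.fdopen(fd, "rb") as fin:  # fdopen owns fd from here and closes it on exit
        after = os.fstat(fin.fileno())
        # The object actually opened must be the regular file that was inspected.
        if (after.st_dev, after.st_ino) != (before.st_dev, before.st_ino) or not stat.S_ISREG(after.st_mode):
            raise PermissionError("source changed between check and open")
        dst = os.path.join(dst_dir, os.path.basename(src))
        # "x" mode (O_EXCL) refuses to write through anything already planted at dst,
        # including a symlink, which closes the destination-side redirection too.
        with open(dst, "xb") as fout:
            shutil.copyfileobj(fin, fout)
    os.remove(src)
    return dst


def demo() -> dict:
    """Constructed scenario: the caller's area is container/, a protected file lives
    outside it, and the caller plants a symlink in its container pointing at it."""
    base = tempfile.mkdtemp()
    container = os.path.join(base, "container")
    out_dir = os.path.join(container, "out")
    protected = os.path.join(base, "protected", "private.txt")
    os.makedirs(out_dir)
    os.makedirs(os.path.dirname(protected))
    secret = "health-export (constructed sample data)"
    with open(protected, "w") as f:
        f.write(secret)
    results = {}

    link = os.path.join(container, "looks_harmless.txt")
    os.symlink(protected, link)
    copied = naive_move(link, out_dir)
    with open(copied) as f:
        results["naive_leaked"] = f.read() == secret      # protected content now sits in out/
    results["naive_protected_intact"] = os.path.exists(protected)  # nothing visibly changed

    os.symlink(protected, link)  # replant the link for the hardened helper
    try:
        hardened_move(link, out_dir, container)
        results["hardened_refused"] = False
    except PermissionError:
        results["hardened_refused"] = True

    legit = os.path.join(container, "note.txt")  # a genuine file still moves normally
    with open(legit, "w") as f:
        f.write("mine")
    moved = hardened_move(legit, out_dir, container)
    with open(moved) as f:
        results["legit_moved"] = f.read() == "mine" and not os.path.exists(legit)
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened version closes the race only at the final path component (O_NOFOLLOW); directory components are checked by resolving the path, which is still a check followed by a use. Recent macOS offers O_NOFOLLOW_ANY, which makes a single open() reject a symlink at any component, and that is the flag a privileged daemon on Apple platforms would want for this job.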

The discovery of a bug in the TCC mechanism "highlights a broader security concern as attackers focus on data and intellectual property that can be accessed from multiple locations, allowing them to focus on compromising the weakest of the connected systems," Jamf continued.

"Services like iCloud, which allow data to sync across devices of many form factors, enable attackers to attempt exploits across a variety of entry points as they look to accelerate their access to valuable intellectual property and data," it wrote.

As well as once again putting paid to the misplaced claim that Apple devices don't get hacked, the bug shows that a single flaw can be turned into an attack on both mobile and desktop platforms.

"Mobile security must be taken just as seriously as desktop security, especially when sensitive data is synced across platforms," Jamf warned.

"For mobile-enabled businesses, this vulnerability shows that mobile devices should not be considered “safe” or low-risk endpoints. The reality of mobile threats underscores the importance of treating all endpoints — whether desktops or mobile devices — with the same security rigor, especially as remote work and corporate mobility programs continue to expand."

How to respond to CVE-2024-44131

Apple has patched CVE-2024-44131 in iOS 18, iPadOS 18 and macOS 15, so the most effective response is to upgrade immediately and confirm, through MDM inventory or by checking each device's software version, that the update has actually been applied.

"Organisations should consider deploying dedicated security solutions that monitor app behaviour and prevent unauthorised data access," Jamf advised. "While Apple’s OS updates address specific vulnerabilities, having proactive endpoint protection can detect and block unexpected behaviours or abnormal requests.

"This discovery is a wake-up call for organisations to build comprehensive security strategies that address all endpoints. Mobile devices, as much as desktops, are critical parts of any security framework. Extending security practices to include mobile endpoints is essential in an era where mobile attacks are increasingly sophisticated."


Follow Machine on X, Bluesky and LinkedIn