Search
  • Videos
  • Windows 10
  • 5G
  • Best VPNs
  • Cloud
  • Security
  • AI
  • more
    • TR Premium
    • Working from Home
    • Innovation
    • Best Web Hosting
    • ZDNet Recommends
    • Tonya Hall Show
    • Executive Guides
    • ZDNet Academy
    • See All Topics
    • White Papers
    • Downloads
    • Reviews
    • Galleries
    • Videos
    • TechRepublic Forums
  • Newsletters
  • All Writers
    • Preferences
    • Community
    • Newsletters
    • Log Out
  • Menu
    • Videos
    • Windows 10
    • 5G
    • Best VPNs
    • Cloud
    • Security
    • AI
    • TR Premium
    • Working from Home
    • Innovation
    • Best Web Hosting
    • ZDNet Recommends
    • Tonya Hall Show
    • Executive Guides
    • ZDNet Academy
    • See All Topics
    • White Papers
    • Downloads
    • Reviews
    • Galleries
    • Videos
    • TechRepublic Forums
      • Preferences
      • Community
      • Newsletters
      • Log Out
  • us
    • Asia
    • Australia
    • Europe
    • India
    • United Kingdom
    • United States
    • ZDNet around the globe:
    • ZDNet France
    • ZDNet Germany
    • ZDNet Korea
    • ZDNet Japan

Many of 2018's most dangerous Android and iOS security flaws still threaten your mobile security

1 of 10 NEXT PREV
  • Meltdown, Spectre

    Meltdown, Spectre

    January: The Spectre and Meltdown CPU design flaws exist in most Intel CPUs produced since 1995, alongside a number of AMD and ARM processors. The hardware issues caused heartache for hardware designers and vendors alike, and Apple later confirmed that iPhones were vulnerable to exploit.

    The vulnerabilities can result in the leak of sensitive information.

    While patches were quickly issued to resolve the flaw in any device utilizing a CPU, performance is often impacted. Hardware fixes have also been implemented for future processors.

    Published: December 12, 2018 -- 21:50 GMT (13:50 PST)

    Caption by: Charlie Osborne

  • iOS Trustjacking

    iOS Trustjacking

    April: A new attack was revealed which impacts the iOS ecosystem. Dubbed Trustjacking by researchers, the bug is present in the iTunes Wi-Fi sync function of mobile devices and can be exploited to gain persistent control over a victim's device.

    After Symantec revealed the exploit to Apple, the iPad and iPhone maker added a mechanism which requires users to enter their passcode when choosing to authorize and trust a computer, effectively removing the main trigger for the attack.

    Published: December 12, 2018 -- 21:50 GMT (13:50 PST)

    Caption by: Charlie Osborne

  • Android on the RAMPage

    Android on the RAMPage

    June: A variant of Rowhammer known as RAMPage is an Android exploit which affects devices from Ice Cream Sandwich (4.0) to the present day. Previous patches have done little to resolve the hardware problem, which can be exploited to DRAM memory and cause information leaks.

    The attack is difficult to perform on end-user devices. A fix developed to patch the problem, called GuardION, is yet to be implemented due to potential Android performance issues caused by implementing the system.

    Published: December 12, 2018 -- 21:50 GMT (13:50 PST)

    Caption by: Charlie Osborne

  • Android API breaking bug

    Android API breaking bug

    August: A vulnerability in the Android operating system's communication management programming allowed rogue, malicious apps to eavesdrop on broadcast information including Wi-Fi network names, BSSID, local IP addresses, DNS server data, and MAC addresses, and also permitted attackers to track smartphone users covertly.

    The vulnerability has been patched in modern versions of Android. However, devices running Android versions before 9 Pie cannot not be patched as it would be "API breaking," according to Google.

    Published: December 12, 2018 -- 21:50 GMT (13:50 PST)

    Caption by: Charlie Osborne

  • Severe Android vulnerabilities, off the shelf

    Severe Android vulnerabilities, off the shelf

    August: Researchers uncovered 25 Android smartphone models which, at the time of purchase, contained a slew of vulnerabilities which may expose the user to attack. The team found everything from minimal risk issues to critical vulnerabilities in pre-installed apps and firmware.

    The bugs were varied and according to Kryptowire, RiskTool apps, Trojan droppers, and advertising apps were the most common. In total, 38 different vulnerabilities in pre-loaded applications and the firmware builds of 25 Android handsets were discovered.

    Vendors affected, including LG, Essential, and Asus, rapidly deployed OTA updates to resolve the security issue.

    Published: December 12, 2018 -- 21:50 GMT (13:50 PST)

    Caption by: Charlie Osborne

  • The Man-in-The-Disk

    The Man-in-The-Disk

    August: A novel attack technique was found that could be used to eavesdrop on user data, hijack sessions, and crash Android devices. Known as a Man-in-The-Disk (MiTD) attack, the exploit takes advantage of sloppy storage protocols used by mobile applications.

    As the technique can be used against countless third-party Android apps, users are vulnerable to attack if they happen to download a vulnerable app.

    Published: December 12, 2018 -- 21:50 GMT (13:50 PST)

    Caption by: Charlie Osborne

  • Blueborne, a year on

    Blueborne, a year on

    September: A vulnerability which is known as Blueborne which impacts the majority of devices which utilize the Bluetooth protocol -- including all manner of smartphones and laptops -- was uncovered in 2017.

    In the most extreme cases, the Bluetooth bugs can be used to hijack and gain control of a vulnerable device running the Android, Windows, Linux, and iOS before version 10 systems.

    However, a year later, two billion devices are estimated as still vulnerable to exploit through a lack of patches. The researchers say that devices remain unpatched because "users haven't updated them, or because they won't receive updates at all." In the latter case, this is often due to the use of aging, legacy machines which will not be fixed.

    Published: December 12, 2018 -- 21:50 GMT (13:50 PST)

    Caption by: Charlie Osborne

  • CSS code crashes iPhones

    CSS code crashes iPhones

    September: A researcher found a vulnerability in the WebKit rendering engine -- used by Safari on iPhones and iPads -- which could be exploited with simple, crafted CSS code. If a victim clicked on a link containing the code, the device would crash.

    It is possible that the attack is widespread enough to crash any app capable of loading a web page.

    Apple is currently investigating the issue.

    Published: December 12, 2018 -- 21:50 GMT (13:50 PST)

    Caption by: Charlie Osborne

  • Exploiting Apple's Mobile Device Management (MDM)

    Exploiting Apple's Mobile Device Management (MDM)

    September: Apple's Mobile Device Management (MDM) is used to enroll iOS devices under one management server in enterprise networks. Researchers found a vulnerability in the Device Enrollment Program of the system which, if exploited, can result in a bypass of the authentication step in order to enroll potentially malicious devices in a network.

    IT admins have to go through a lengthy amount of steps to mitigate the issue, of which Apple is yet to release a fix for.

    Published: December 12, 2018 -- 21:50 GMT (13:50 PST)

    Caption by: Charlie Osborne

  • iPhone photos compromised

    iPhone photos compromised

    October: A severe bug in Apple iOS VoiceOver permitted threat actors to perform a lock screen bypass and gain access to stored photos without knowing the handset's passcode.

    However, the attack chain in question does require a threat actor to have physical access to a target device. A phone call is made and Siri must be asked to turn on Voiceover. At the same time, the camera icon has to be tapped in order to illegitimately gain access to what should be a secure image library.

    The vulnerability is present in iOS 12.0.1. However, the bug can be mitigated by removing Siri lock screen access under Settings.

    Published: December 12, 2018 -- 21:50 GMT (13:50 PST)

    Caption by: Charlie Osborne

1 of 10 NEXT PREV
Charlie Osborne

By Charlie Osborne for Zero Day | December 12, 2018 -- 21:50 GMT (13:50 PST) | Topic: Security

  • Meltdown, Spectre
  • iOS Trustjacking
  • Android on the RAMPage
  • Android API breaking bug
  • Severe Android vulnerabilities, off the shelf
  • The Man-in-The-Disk
  • Blueborne, a year on
  • CSS code crashes iPhones
  • Exploiting Apple's Mobile Device Management (MDM)
  • iPhone photos compromised

Bypassing passcodes, malware-laden apps, and inherent design flaws exposing almost all known mobile devices made up part of the security problems found in iOS and Android.

Read More Read Less

Meltdown, Spectre

January: The Spectre and Meltdown CPU design flaws exist in most Intel CPUs produced since 1995, alongside a number of AMD and ARM processors. The hardware issues caused heartache for hardware designers and vendors alike, and Apple later confirmed that iPhones were vulnerable to exploit.

The vulnerabilities can result in the leak of sensitive information.

While patches were quickly issued to resolve the flaw in any device utilizing a CPU, performance is often impacted. Hardware fixes have also been implemented for future processors.

Published: December 12, 2018 -- 21:50 GMT (13:50 PST)

Caption by: Charlie Osborne

1 of 10 NEXT PREV

Related Topics:

Security Mobility Security TV Data Management CXO Data Centers
Charlie Osborne

By Charlie Osborne for Zero Day | December 12, 2018 -- 21:50 GMT (13:50 PST) | Topic: Security

Show Comments
LOG IN TO COMMENT
  • My Profile
  • Log Out
| Community Guidelines

Join Discussion

Add Your Comment
Add Your Comment

Related Galleries

  • 1 of 3
  • OnlyKey hardware security key

    This is the ultimate security key for professionals.

  • SoloKeys Solo V2

    Durable, fully reversible connectors, encapsulated in epoxy resin, and with updatable firmware.

  • iVerify: Added security for iPhone and iPad users

    I'm usually wary of security apps, but iVerify by Trail of Bits is different. It comes highly recommended and offers a lot of features in a small download. ...

  • iStorage datAshur BT hardware encrypted flash drive

    FIPS 140-2 Level 3 compliant storage drive with wireless unlock feature and remote management. IP57 rated for dust and water resistance.

  • Netgear BR200 small-business router

    The Netgear BR200 Insight Managed Business Router has been designed to be easy to set up, and features a built-in firewall, VLAN management, and remote cloud monitoring, and can be ...

  • YubiKey 5C NFC: The world’s first security key to feature dual USB-C and NFC connections

    The YubiKey 5C NFC can be used across a broad range of platforms -- iOS, Android, Windows, macOS and Linux -- and on any mobile device, laptop, or desktop computer that supports USB-C ...

  • Apricorn Aegis Secure Key 3NXC

    The new Aegis Secure Key 3NXC builds on Apricorn's Secure Key 3z and Aegis Secure Key 3NX, taking the same proven form-factor and physical keypad, and adding something that users have ...

ZDNet
Connect with us

© 2021 ZDNET, A RED VENTURES COMPANY. ALL RIGHTS RESERVED. Privacy Policy | Cookie Settings | Advertise | Terms of Use

  • Topics
  • Galleries
  • Videos
  • Sponsored Narratives
  • Do Not Sell My Information
  • About ZDNet
  • Meet The Team
  • All Authors
  • RSS Feeds
  • Site Map
  • Reprint Policy
  • Manage | Log Out
  • Join | Log In
  • Membership
  • Newsletters
  • Site Assistance
  • ZDNet Academy
  • TechRepublic Forums