April 6, 2020

Your iPhone & Macbook Camera Can be Easily Hacked – Learn How?

A recent revelation has rolled out that just by simply visiting any genuine legitimate site, your device may become vulnerable to an audio and video hack. To put it simply, there’s a possibility your iPhone MacBook Webcam and Microphone can be hacked.

Your iPhone & Macbook Camera Can be Easily Hacked – Learn How?

If you are an avid iPhone or Macbook fan and follow it's news updates, then the internet must have warned you about it's security vulnerabilities, leaving you to wonder 'Can my iPhone camera be hacked?'. A recent revelation has rolled out that just by simply visiting a website, any genuine legitimate site, your device may become vulnerable to an audio and video hack. To put it simply, there’s a possibility your iPhone MacBook Webcam and Microphone can be hacked.

This important security threat was reported by Ryan Pickren, an ethical hacker, who demonstrated a set of total 7 vulnerabilities to Apple. This helped them jump into quick and much needed action, and in return they rewarded Pickren with $75,000.

The vulnerability was found in Apple’s in-built browser Safari, which most Macbook and specially iPhone users rely on. Pickren explains that if a real attacker wants to hack your webcam or iPhone camera, then all they need to do is pose as an authentic website, that the world knows and trusts, and then abuse Safari’s per site permissions.

Let’s dive in for a closer look on how this would work?

Safari Webcam Exploit - How did the Hack work?

How to know if your iPhone cam is hacked? Well, the starting point is to be aware of how hackers will approach it? Let's take a deeper look:
Apple Camera security is quite tight in terms of permissions within the available apps. Before using any new application, it explicitly asks for access.

But the exception to this rule is Apple’s own apps and the ones that have already been granted permission. This is where things went downhill.

So let’s say you’re using the web version of any video conferencing tool, say Zoom or Skype.

  1. You would naturally allow access in the browser for this domain upon first use.
  2. Another link that completed this chain of hacks is Safari’s lazy validation for URL scheme.
  3. This means that if an attacker posed as let’s say blob://skype.com, then Safari will grant it the same browser permissions as https://skype.com

This is known as hostname parsing, where it is possible to trick the browser with url structures such as ‘file:’, ‘javascript:’, ‘data:’.

"Safari thinks we are on skype.com, and I can load some evil JavaScript. Camera, Microphone, and Screen Sharing are all compromised when you open my local HTML file" Pickren said.

To string it all together, this vulnerability was completely Safari’s responsibility for carelessly ignoring the many possibilities of domain structures.

iOS Camera Hacked – What Else Could be Exploited?

Ryan Pickren set out to hack iOS and macOS Webcam for research purposes, and he was able to access a lot more than what he planned for. He answered the long-debated questions like, 'Can my apple webcam be hacked?', 'Can apple phone camera be hacked?'. He discovered, that upon this particular hack, your apple device could be accessed for:

  1. Webcam / Camera (Front and Rear)
  2. Microphone
  3. Saved Passwords
  4. Location
  5. Screen Sharing
  6. Auto-downloads

and more…

Safari Zero-Day Vulnerabilities

To summarize it all, this effective research uncovered 7 zero day vulnerabilities. Let’s take a look at them below:

  • CVE-2020-3852: A URL scheme may be incorrectly ignored when determining multimedia permission for a website
  • CVE-2020-3864: A DOM object context may not have had a unique security origin
  • CVE-2020-3865: A top-level DOM object context may have incorrectly been considered secure
  • CVE-2020-3885: A file URL may be incorrectly processed
  • CVE-2020-3887: A download's origin may be incorrectly associated
  • CVE-2020-9784: A malicious iframe may use another website's download settings
  • CVE-2020-9787: A URL scheme containing dash (-) and period (.) adjacent to each other is incorrectly ignored when determining multimedia permission for a website

How Can You Avoid Being Hacked?

We’ll have to write a 1000 page book for this, and even then someone will find a way. But let’s begin with this particular issue for now.

For starters, Apple has rolled out the fixes to this in version 13.0.5 updates (released on January 28, 2020) and Safari 13.1 (released on March 24, 2020). So if you’re reading this, make sure your devices are updated to the latest versions.

Some other precautionary steps you must take to stay safe from such internet hacks are:

  • Keep your browser settings up to date. Keep checking all the websites you’ve granted permissions to, and change if need be.
    You can check this at Safari > Preferences > Websites
  • Cross check the URL structure, look for the verified https scheme. Do this especially if you click on an ad.

To read the full white paper from Ryan Pickren, in its full technical glory, click here.