Ian Beer, a security researcher for Google’s vulnerability-detecting initiative called Project Zero, said in a Monday blog post that he spent six months of 2020 trying to uncover an exploit in which he was able to “gain complete control over any iPhone” in his vicinity.
Apple confirmed to FOX Business that the issue was fixed before the company released iOS 13.5 in May, which included a contact-tracing feature for COVID-19.
“This issue was fixed in May with iOS 13.5 and the vast majority of our users keep their software current as you can see here from data published around the time this was patched,” an Apple spokesperson said. “The other point being that is good to note is this does require some proximity as it needs to be within WiFi range. Hope this is useful.”
Beer said he has no evidence that the vulnerabilities he found were “exploited in the wild.” Research like his, however, prevents those issues from allowing future hackers to take advantage of people’s devices and access personal information.
“The takeaway from this project should not be: no one will spend six months of their life just to hack my phone, I’m fine,” Beer wrote. “Instead, it should be: one person, working alone in their bedroom, was able to build a capability which would allow them to seriously compromise iPhone users they’d come into close contact with.”
Sophisticated teams of hackers and “companies supplying the global trade in cyberweapons … aren’t typically just individuals working alone,” as he was when he discovered the exploit, Beer noted.
“They’re well-resourced and focused teams of collaborating experts, each with their own specialization,” he wrote. “They aren’t starting with absolutely no clue how Bluetooth or WiFi work. They also potentially have access to information and hardware I simply don’t have, like development devices, special cables, leaked source code, symbols files and so on.”
In conclusion, Beer said in part that there must be a general “renewed focus on vulnerability discovery,” which means “not just more variant analysis, but a large, dedicated effort to understand how attackers really work and beat them at their own game by doing what they do better.”