Apple has awarded US$75,000 [AU$121,690] to a white-hat hacker for discovering several security holes in iPhone and Mac cameras.
Ethical hacker Ryan Pickren reportedly discovered seven zero-day vulnerabilities, three of which allowed him to construct a camera hacking kill chain that gave him unauthorized access to any Apple device camera.
Pickren: ‘Users should never feel totally confident that their camera is secure’
The former Amazon Web Services (AWS) security engineer said that the vulnerability required victims to visit a malicious website. The website then gives access to the camera if the user has allowed access to video conferencing software such as Zoom.
“A bug like this shows why users should never feel totally confident that their camera is secure,” said Pickren in his interview with Forbes. He added that regardless of operating system or manufacturer, exploits will always be present.
Apple addresses problem, rewards hacker
According to Pickren, he informed Apple about the exploit last December. Apple verified his claim that there were seven vulnerabilities that can be used anytime. A few weeks later, Apple released an update that fixes the bugs on iOS and macOS.
Pickren was also given $75,000 for his work.
Sean Wright, another security researcher, said that the vulnerability that Pickren found is a “very viable form of attack” despite it working through a malicious website.
He also mentioned that the discovery may lead to proper security features for mobile phones as it is “a far more likely route” for anyone to attack.
Apple tightens iCloud security
Apple is reportedly improving its iCloud Keychain protection in the upcoming iOS 14.
The iCloud Keychain is one of the essential iOS and macOS features. It is similar to LastPass, serving as a password hub that stores all private information. It is currently available on Apple's flagship products.
Several users, however, said that the feature is not as secure as the competition and that some exploits might be found soon.
According to Apple, a new feature will be added that notifies users when they have already used a certain password.
Two-factor authentication will be improved to add more security. Better integration with the software or apps that use 2FA will also be worked on.
Apple has been using this method for its Apple ID login. When a user signs in on a new device, the device asks for the login password, and a six-digit verification code is sent to one of the user’s existing trusted devices. Websites such as Gmail, Yahoo or even PayPal already use 2FA to verify the identity of the user.
The upcoming update for the iCloud Keychain will allow users to easily log in to several websites without needing to wait for an additional security SMS or some other sort of code.
Basically, iCloud Keychain streamlines the login process.
Image courtesy of Flickr/Niels Epting, Pixabay