Spyware can disable camera and microphone indicator on iPhone

Ideally, every iOS app should show whether camera or microphone recording is running. The Predator spyware, however, subverts these indicators.


Indicator for camera (green) and microphone (orange) on the iPhone: Can be disabled via hack.

(Image: Apple)


The seemingly “hardwired” warning that the camera or microphone is currently active on the iPhone can apparently be bypassed. The security research team at MDM specialist Jamf warns in a new investigation that at least one known spyware is already doing this: the commercially available Predator spyware from manufacturer Intellexa/Cytrox. For the trick to work, however, the iPhone must already have been completely taken over, and the spyware must have kernel access.

Unlike the Mac, which uses a physical LED to indicate webcam activity and for which no hacks are currently known (though there were earlier ones), iPhones and iPads display the green light for camera access (plus microphone if applicable) and the orange light for microphone access purely graphically. Predator uses its hooks and code injections to circumvent system processes and thereby bypass this function, which is deeply embedded in the system.


The study does not describe new attack methods for the latest iOS version but rather a reverse engineering of Predator. In it, the researchers identify a single hook that can bypass both the camera and the microphone indicator. Earlier approaches worked differently, simulating a complete device shutdown to keep the camera and microphone active. Predator, on the other hand, only suppresses the indicator while the iPhone continues to operate normally.

It is not clear from the Jamf study what Apple could do to ward off this form of attack – or whether the exploited vulnerabilities continue to exist or could be defended against at all. “These findings fill gaps in existing threat intelligence and demonstrate the sophisticated post-exploitation techniques employed by commercial spyware to evade iOS privacy protections,” write the researchers. We have asked Jamf for their assessment of the current situation.

Information about Predator had already become known in 2024, when the Google Threat Intelligence Group uncovered the attacks. The spyware is presumably very expensive and used only for targeted attacks. To bypass the camera and microphone indicator, it must have full access to the iPhone, as mentioned, which can only be achieved through the exploitation of severe zero-day vulnerabilities. However, these occur again and again.


(bsc)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.