
iOS 12.2 closed vulnerability that allowed user tracking by motion

Last week we talked about how Apple's strategy of making iOS a highly fortified system paradoxically creates an environment where more serious or advanced threats can evolve without much control. Today, one of precisely these threats has, happily, been exposed, and it has already been neutralized by Apple.

As reported by AppleInsider, in iOS 12.2 Apple fixed a vulnerability discovered by the University of Cambridge that let attackers use website tracking techniques to identify a user through the movements of the device.

Yes: with a little help from JavaScript, malicious websites could capture the device's accelerometer, gyroscope and magnetometer data to give the user a unique identity, a technique known as fingerprinting, and thereby track their usage patterns on the internet and in applications. This “break-in” would happen in less than a second, without the user's permission, and would persist on the device even after a factory reset.

The video below gives a demonstration of the technique used by the University of Cambridge to simulate the attack:

According to the researchers, there are no reports that the technique has already been used in the real world by attackers, but some devices, such as Google's Pixel 2 and 3 smartphones, remain vulnerable even after notification from the university.

iPhone and iPad owners running older versions of iOS should upgrade their devices as soon as possible (the latest available version is 12.3). Even if the likelihood of such an attack being carried out is small, one can never be too careful.