Headline
iPhone 'VoiceOver' Feature Could Read Passwords Aloud
CVE-2024-44204 is one of two new Apple iOS security vulnerabilities that showcase an unexpected coming together of privacy snafus and accessibility features.
Source: Aleksey Boldin via Alamy Stock Photo
Apple has patched two quirky bugs that might have offended privacy-oriented iPhone and iPad owners.
The first — an issue with Apple’s VoiceOver accessibility feature — could have caused iPhones or iPads to announce sensitive passwords out loud. The other issue — affecting voice messages on new iPhone models — could have recorded users for brief seconds before they knew they were being recorded.
New operating system versions are available for both iOS and iPadOS (18.0.1), fixing each bug with improved validation and checks, respectively. Users should update their devices to avoid being vulnerable.
As Michael Covington, vice president of portfolio strategy for Jamf points out, “The good news is that neither of these highlighted issues involve remote exploits. They are, in fact, issues that will arise with use of the device, and it’s user privacy that is ultimately at risk.”
Still, he says that “for businesses that use mobile in any capacity for work, I recommend they pay close attention to both of the security issues and take appropriate action to update devices as soon as possible.”
Bug #1: Reading Passwords Aloud
The first issue involves VoiceOver, the accessibility feature that provides visually impaired users with audible descriptions of the various elements on their screens — text, buttons, images, etc. VoiceOver also allows users to navigate their devices using voice commands and gestures.
Perhaps not everything on a device should be read aloud, though, like passwords. Last month, as part of iOS and iPadOS 18, Apple released a brand new app, “Passwords,” allowing users to easily store and manage logins on their devices. CVE-2024-44204 is a logic issue that could have allowed VoiceOver to read out such a user’s passwords. It affected essentially every model of iPhone and iPad released since 2018.
VoiceOver is off by default, meaning that only select iPhone users were potentially affected.
Covington notes, “This is not the first time we’ve seen accessibility features misused. Previous instances include screen reader technology being used by misbehaving apps to capture on-screen details and exfiltrate data from the device. Fortunately, most accessibility features go through extensive security and privacy testing, so these scenarios do not tend to arise often.”
Bug #2: Beginning Audio Messages Too Early
If iPhone users are on the go, have a lot to say, or maybe just have tired thumbs, they might choose to record an audio message in iMessage, instead of a regular text. After they hit that plus sign on the left side of the message box and choose “Audio,” the device will indicate that it has started recording with a red-highlighted sound wave in place of the message box, and a little orange dot in the pill-sized Dynamic Island at the top of the screen.
A security researcher recently discovered though that audio messages could have captured a few seconds of audio before users were made aware that their microphone was hot. The issue has been labeled CVE-2024-44207, and affects all models of the new iPhone 16.
Though it might seem — and, in most cases, would be — a relatively minor issue, Covington points out, “this disconnect between device function and the associated visual indicators is something that Jamf’s own threat research team has connected to persistence techniques used by attackers to maintain a presence on the device following a successful exploit. Addressing this bug before it can be misused is a big win for Apple.”
Neither the VoiceOver nor the audio message vulnerability has received a rating in the Common Vulnerability Scoring System (CVSS) yet, nor are any further details public at this time.
About the Author
Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes “Malicious Life” – an award-winning Top 20 tech podcast on Apple and Spotify – and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts “The Industrial Security Podcast,” the most popular show in its field.
Related news
Apple Security Advisory 10-03-2024-1 - iOS 18.0.1 and iPadOS 18.0.1 addresses an audio capturing issue and a logic issue related to passwords being read aloud.
Apple has fixed a security issue in iOS (and iPadOS) that could have leaked a user's passwords through the VoiceOver feature.
Apple has released iOS and iPadOS updates to address two security issues, one of which could have allowed a user's passwords to be read out aloud by its VoiceOver assistive technology. The vulnerability, tracked as CVE-2024-44204, has been described as a logic problem in the new Passwords app impacting a slew of iPhones and iPads. Security researcher Bistrit Daha has been credited with
Apple has released iOS and iPadOS updates to address two security issues, one of which could have allowed a user's passwords to be read out aloud by its VoiceOver assistive technology. The vulnerability, tracked as CVE-2024-44204, has been described as a logic problem in the new Passwords app impacting a slew of iPhones and iPads. Security researcher Bistrit Daha has been credited with