Apple has released a slew of iOS patches including a fix for the KRACK vulnerability, but its new OS version 11.1 and Safari have already been hacked successfully several times this week by researchers.
Trend Micro’s Mobile Pwn2Own 2017 contest pitted some of the best white hat hackers in the business against iPhone 7 devices running the newly updated iOS version.
Tencent Keen Security Lab was the first to score a success, with a Wi-Fi exploit which earned them $110,000.
“They used a total of four bugs to gain code execution and escalate privileges to allow their rogue application to persist through a reboot,” explained Dustin Childs of the Tipping Point-founded Zero Day Initiative.
The same team were at it again with a successful Safari browser exploit.
“It took them just a few seconds to successfully demonstrate their exploit, which needed only two bugs — one in the browser and one in a system service to allow their rogue app to persist through a reboot,” said Childs.
“Next, Richard Zhu (fluorescence) also targeted the Safari Browser on the Apple iPhone 7. He used a bug in the browser and an out-of-bounds bug in the broker to escape the sandbox and execute code.”
Details of the attacks are being kept under wraps until Apple gets around to fixing them.
The tech giant will be more than a little embarrassed by the ease with which the researchers managed to pick holes in its software, just hours after it released iOS 11.1.
That update included a fix for CVE-2017-13080, one of several components of the infamous KRACK vulnerability in the WPA2 protocol discovered last month.
KRACK could allow hackers to steal sensitive information from victims or inject malware into targeted websites.
However, Apple has only made that specific fix available to iPhone 7 and later handsets, and iPad Pro 9.7-inch and later devices.
It was claimed last month that over two-fifths (41%) of Android devices are vulnerable to this kind of attack.