Apple closes critical vulnerabilities in Bluetooth and Face ID in iOS

Apple closes critical vulnerabilities in Bluetooth and Face ID in iOS

Apple has released security updates for iOS and iPadOS that fix multiple critical vulnerabilities that could allow attackers to gain access to iPhones and iPads. The vulnerabilities are present in Bluetooth and Face ID, among other things.


Recently, Apple released iOS 14.8 and iPadOS 14.8 that fixed two actively attacked zero-day vulnerabilities in the operating systems. Now Apple says that these updates fix many more vulnerabilities than initially indicated. Something Apple does often. In addition to the two zero-day vulnerabilities mentioned above, eleven other vulnerabilities have been fixed.


This includes a vulnerability in bluetooth referred to as CVE-2021-30820. This Bluetooth vulnerability allows an attacker to remotely execute arbitrary code on iPhones and iPads. However, further details are not provided by Apple. To the best of our knowledge, the vulnerability has not been exploited.


Furthermore, several vulnerabilities in the FontParser of iOS and iPadOS have been fixed. Processing a malicious font makes it possible for an attacker to execute arbitrary code. Furthermore, several vulnerabilities in WebKit, the Apple-developed browser engine that Safari and all other browsers on iOS use, have been fixed.


Due to the vulnerabilities, just visiting a malicious website is enough for an attacker to run arbitrary code on the system. No further user interaction is required. This is also known as a drive-by download attack.


IOS on iPadOS 15

In addition to the additional information about iOS and iPadOS 14.8, Apple has also rolled out iOS and iPadOS 15 . These releases fix several vulnerabilities not listed in iOS and iPadOS 14.8. This includes a vulnerability in Face ID that allows an attacker with a 3D model to bypass the facial scan of iPhones and iPads to gain access to the device. No further details about the leak are provided by Apple, other than Face ID's anti-spoofing models have been improved.


Furthermore, it was possible for a local attacker with access to a locked device to view contact details via Siri. A vulnerability in the Wi-Fi functionality of iPhones and iPads made it possible for an attacker close to a user to connect them to a malicious Wi-Fi network during device setup. The updates for iOS and iPadOS are available through iTunes and the Software Update feature.

Previous Post Next Post