Unrated severity · NVD Advisory · Published Sep 18, 2014 · Updated May 6, 2026

CVE-2014-4352

Description

Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Address Book encryption in iOS before 8 uses the hardware UID as key, enabling physically proximate attackers to decrypt data if they obtain the UID.

Vulnerability

Address Book in Apple iOS prior to version 8 uses the device's hardware UID as the encryption key for stored contact data. This design flaw means that the confidentiality of the Address Book depends entirely on the secrecy of the hardware UID, which is a static identifier unique to each device. Affected versions include all iOS releases before 8.0.

Exploitation

An attacker who is physically proximate to the device can obtain the hardware UID through various means, such as forensic acquisition or direct access to the device's file system. Once the UID is known, the attacker can decrypt the Address Book database without needing the user's passcode or any additional authentication.

Impact

Successful exploitation results in the disclosure of all contact information stored in the Address Book, including names, phone numbers, email addresses, and any other associated data. This is a direct breach of confidentiality, with the attacker gaining access to sensitive personal information without requiring elevated privileges.

Mitigation

Apple addressed this vulnerability in iOS 8, which was released on September 17, 2014 [1]. Users should upgrade to iOS 8 or later to ensure their Address Book data is encrypted with a more secure key derivation mechanism. No workaround is available for devices running iOS versions prior to 8.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

11
  • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (range: <=7.1.2)
    • cpe:2.3:o:apple:iphone_os:7.0:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.4:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.5:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.0.6:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.1:*:*:*:*:*:*:*
    • cpe:2.3:o:apple:iphone_os:7.1.1:*:*:*:*:*:*:*
  • Apple Inc./iOS (llm-fuzzy)
    Range: <8

Patches

0

No patches discovered yet.

References

6