VYPR
Medium severity · 4.3 · NVD Advisory · Published Mar 24, 2016 · Updated May 6, 2026

CVE-2016-1780

Description

WebKit in iOS prior to 9.3 allows hidden web views to access device orientation and motion data, leaking sensor information via a crafted website.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

WebKit in Apple iOS before version 9.3 does not prevent hidden web views (e.g., WebView or WKWebView instances not currently visible on screen) from reading device orientation and motion data via the DeviceOrientationEvent and DeviceMotionEvent JavaScript APIs. The affected versions are iOS 8.x and 9.x prior to 9.3. The condition for exploitation is that a user visits a crafted website that opens or uses hidden web views while the device’s orientation/motion sensors are active [1].

Exploitation

Exploitation requires no special network position beyond standard web access. An attacker hosts a malicious website that, when visited by the user, creates or loads a hidden web view (for example, an invisible or background WKWebView). The site then registers event listeners for `deviceorientation` and `devicemotion` events. Because the hidden web view is not restricted from reading sensor data, the attacker can silently collect orientation and motion readings without the user’s knowledge or explicit consent [1].

Impact

A remote attacker can obtain sensitive information about the device’s physical environment, such as the device’s tilt, rotation, and acceleration. This data can be used to infer user activities (e.g., walking, driving) or to fingerprint the device’s orientation in space. The attacker gains no persistent access or privileges, but the leaked sensor data is a privacy violation and a possible vector for physical side-channel attacks [1].

Mitigation

Apple has addressed this issue in iOS 9.3, released on March 21, 2016, by restricting sensor access from hidden web views so that these APIs are only available to visible, user-focused content. Users should update to iOS 9.3 or later via Settings → General → Software Update. No workaround exists for earlier versions. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
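The visibility gate described above can be modeled in a few lines. This is an added example, not WebKit or Apple code: every class and function name is hypothetical, the sensor readings are constructed, and the definition of "visible" (attached, not hidden, non-empty frame) is an assumption. It contrasts unrestricted delivery with gated delivery and checks visibility per event, so a view hidden after subscribing stops receiving data.

```javascript
// Toy model of sensor event delivery to web views (added example, not WebKit code).
// Every class, field and function name here is hypothetical.
class WebViewModel {
  constructor(name, { attached = true, hidden = false, width = 320, height = 480 } = {}) {
    Object.assign(this, { name, attached, hidden, width, height });
    this.listeners = { deviceorientation: [], devicemotion: [] };
  }
  addEventListener(type, fn) {
    if (!(type in this.listeners)) throw new TypeError(`unsupported event: ${type}`);
    this.listeners[type].push(fn);
  }
  // Assumption: "visible" = in the view hierarchy, not hidden, non-empty frame.
  isVisible() {
    return this.attached && !this.hidden && this.width > 0 && this.height > 0;
  }
}
class SensorDispatcher {
  constructor({ requireVisible }) {
    this.requireVisible = requireVisible; // false: unrestricted delivery; true: gated
    this.views = [];
  }
  attach(view) { this.views.push(view); }
  // Visibility is evaluated per event, not once at registration time.
  dispatch(type, reading) {
    for (const view of this.views) {
      if (this.requireVisible && !view.isVisible()) continue;
      for (const fn of view.listeners[type] || []) fn(reading);
    }
  }
}
// Constructed scenario: one visible view, one hidden, one zero-sized, one detached.
function simulate(requireVisible) {
  const views = [
    new WebViewModel("visible"),
    new WebViewModel("hidden", { hidden: true }),
    new WebViewModel("zero-size", { width: 0, height: 0 }),
    new WebViewModel("detached", { attached: false }),
  ];
  const dispatcher = new SensorDispatcher({ requireVisible });
  const log = [];
  for (const v of views) {
    v.addEventListener("devicemotion", (r) => log.push(`${v.name}:${r.x}`));
    dispatcher.attach(v);
  }
  dispatcher.dispatch("devicemotion", { x: 1 }); // constructed reading
  views[0].hidden = true; // the visible view moves off screen
  dispatcher.dispatch("devicemotion", { x: 2 });
  return log;
}
```

`simulate(false)` delivers both readings to all four views, while `simulate(true)` delivers only the first reading to the one view that was visible at the time.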

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

3
