Hackers Can Break Into an iPhone Just by Sending a Text

When you think about how hackers could get into your smartphone, the first thing that probably comes to mind is a mistake on your part: tapping a malicious link in a text message, installing a fake app, or something similar. It turns out that isn't always the case, not even on the iPhone, where a device could be compromised simply by receiving an iMessage.

On Wednesday at the Black Hat security conference in Las Vegas, Google Project Zero researcher Natalie Silvanovich is presenting several so-called "interaction-less" bugs in Apple's iOS iMessage client that could be used to take over a user's phone. Apple has already patched six of them, but some remain unfixed.

According to Silvanovich, "these have the potential to develop into the kind of bugs that can run code and be used for weaponized purposes like getting access to your data in the future." The worst-case scenario, then, is that people are harmed by these vulnerabilities.

Silvanovich became interested in interaction-less bugs after learning about a recent, significant weakness in WhatsApp that let nation-state spies access a phone by just calling it—even if the recipient didn't answer. Silvanovich collaborated on the research with Samuel Groß, another member of Project Zero.

Her search for comparable problems in MMS, SMS, and visual voicemail turned up nothing. Silvanovich had expected iMessage to be a more closely scrutinized and better-hardened target, so she was surprised to find several exploitable problems as soon as she began reverse engineering it and hunting for vulnerabilities.

This could be the result of iMessage's complexity—it provides a wide range of capabilities and communication choices. It includes rendering files such as images and movies, Animojis, and integrating with other applications, such as Fandango, Airbnb, and Apple Pay. Errors and weaknesses are more likely to occur as a result of all of these expansions and linkages.

One of the more intriguing interaction-less bugs Silvanovich found was a basic logic flaw that would have made it simple for an attacker to extract data from a user's communications. A carefully crafted text message sent to the victim could cause the iMessage server to return user data, such as photos or the content of SMS messages. The victim wouldn't even need to open the iMessage app for the attack to work. iOS's built-in defenses would normally block this kind of attack, but because it abuses the system's own logic, iOS treats the request as legitimate and intended.

Exploit sellers and nation-state hackers are very interested in iOS bugs since they make it very simple to compromise a target's device without the user having to give any consent. On the exploit market, the six vulnerabilities Silvanovich discovered—there are yet more to be disclosed—could be valued at millions or possibly tens of millions of dollars.

According to Silvanovich, "bugs like this haven't been made public for a long time." Programs like iMessage add a significant amount of extra attack surface. Although individual bugs are relatively easy to fix, software is always full of bugs, and every library you use exposes you to attacks. The underlying design problem is therefore not easy to fix.

Silvanovich highlights that iMessage's security is robust overall and that Apple is by no means the only developer to occasionally struggle with this conceptual problem. When WIRED asked Apple for a comment, Apple did not respond.

Silvanovich says she has also searched for interaction-less bugs in Android but has not yet found any. She points out, however, that practically every target is likely susceptible to this class of flaw. Over the last 12 months she has found comparable vulnerabilities in FaceTime, WhatsApp, and the WebRTC video conferencing protocol.

Silvanovich speculates, "Maybe this is an area that gets missed in security." "A lot of attention is focused on implementing protections like cryptography, but if the program has bugs on the receiving end, it doesn't matter how good your crypto is."

Keeping your phone's operating system and apps up to date is the best defense against interaction-less attacks; with the latest releases, iOS 12.4 and macOS 10.14.6, Apple fixed all six of the iMessage issues Silvanovich disclosed. Beyond that, though, developers must take care to prevent these kinds of errors in their code, or to find and fix them as soon as they are discovered. Because interaction-less attacks can be so persistent, users have no way to stop them once malicious messages or calls start arriving.