Google’s Project Zero team of crack bug-hunters has uncovered a slew of new security flaws in Apple’s iOS operating system that can be exploited through the Messages app. The good news is that most of these are fixed by Apple’s recent iOS 12.4 update; the bad news is that one iMessage bug apparently still lurks, not yet fully resolved by Apple.
According to a report by ZDNet, two members of the Project Zero team have published the details of five of the six security bugs that they’ve found, since they’ve been patched in iOS 12.4, but are holding back the details of the sixth simply because the patch didn’t “completely resolve the bug.”
The researchers describe the vulnerabilities as “interactionless” because they can be triggered without any need for the user to interact with their device beyond looking at a message. According to the researchers’ findings, four of the bugs could actually lead to the “execution of malicious code on a remote iOS device, with no user interaction needed.”
If that sounds scary, that’s because it is. In essence, all an attacker needs to do is send a specially constructed message to a victim’s iPhone, and the malicious payload in that message runs as soon as the device processes and displays it, with nothing more from the user than glancing at the incoming message. Apple’s fixes for three of these four bugs are complete in iOS 12.4; the fourth was only partially addressed, which is why the researchers are withholding its details until Apple finishes the job.
The other two bugs are nearly as serious. They let an attacker leak data out of the device’s memory and read files off the victim’s iPhone remotely, again with no user interaction required beyond simply looking at a received message. Both of these bugs have been patched in iOS 12.4.
One of the two researchers who discovered this latest batch of flaws, Natalie Silvanovich, also found a flaw in earlier versions of iOS 12 that could effectively “brick” an iPhone after it received a malformed iMessage. That earlier bug was fixed in iOS 12.3.
Silvanovich has in fact been studying these issues for a while now, and is expected to present a talk on iPhone vulnerabilities in SMS, MMS, Visual Voicemail, iMessage, and Mail next week at the Black Hat security conference in Las Vegas. Her talk will likely garner a lot of attention, since publicly documented “no-user-interaction” iOS bugs like these are rare.
You Should Update to iOS 12.4 NOW
As far as we’re concerned, it’s always a good idea to run the latest iOS version on your iPhone. While we understand that some users are nervous about the possibility of an iOS update breaking things, that happens very rarely, especially with point releases, and as we can see from reports like this, the risk of not updating is far worse.
In this particular case it’s highly recommended that you install the iOS 12.4 update immediately, if not sooner. Details of the five patched bugs have been published along with proof-of-concept code, which means any malicious actor, or even a “script kiddie” who is just playing around, can grab that code and start attacking unpatched devices.
“It wouldn’t be an exaggeration to say that Silvanovich just published details about exploits worth well over $5 million, and most likely valued at around $10 million.” (ZDNet)
Vulnerabilities like these are considered a “holy grail” in the underground hacker community, since they allow undetected access to victims’ devices. Had they been sold on the black market, they would easily have fetched millions of dollars: they work on recent iOS versions prior to 12.4, and there will be plenty of unpatched devices out there for some time, belonging to users who simply haven’t noticed iOS 12.4 yet, haven’t gotten around to updating, or are afraid of updating. As this episode shows, you should be more afraid of not updating, especially now.
One bug remains unpatched, and the fact that the Project Zero team hasn’t disclosed it provides at least a little protection. Still, with exploits like these in the wild, it’s always a good idea to avoid opening ANY message from a phone number or email address you don’t recognize; you can swipe to delete a conversation from your Messages list without opening it. Treat that as a stopgap rather than a defence, though: because these bugs are “interactionless,” a malicious message may do its damage as soon as the device processes it, and the only real fix is installing the update.