Google’s Project Zero researchers, tasked with uncovering potential zero-day bugs in software like Microsoft’s and Apple’s, have found six severe bugs in Apple’ iMessage app for iOS. These would allow an attacker to take remote control of an infected iOS device without user knowledge. One of the bugs is said to be so severe it can only be saved by performing a clean wipe of the device.
“There have been rumors of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices,” Google’s Silvanovich’s said in an abstract for an upcoming talk in Las Vegas. “This presentation explores the remote, interaction-less attack surface of iOS. It discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. It also includes two examples of vulnerabilities discovered using these methods.”
While Apple has patched five of the six iOS bugs with iOS 12.4, the sixth has yet to be patched. The firm stresses the importance of updating and keeping your devices updated, and will probably roll out an update to iOS to fix it before iOS 13 lands.