At the Black Hat security conference in Las Vegas, Google Project Zero researcher Natalie Silvanovich demonstrated interactionless bugs in Apple’s iOS iMessage client that could be exploited to gain control of a user’s device.
Apple has released patches for some of the bugs but has yet to address them all.
Bugs of this kind can be developed into ones that execute code and could eventually be weaponized for purposes such as accessing your data.
The worst-case scenario, then, is that these bugs are used to harm users.
Silvanovich worked with Project Zero member Samuel Groß to investigate whether other forms of messaging, including SMS, MMS and visual voicemail, were similarly affected. After reverse engineering the software and hunting for flaws, she discovered multiple exploitable bugs in iMessage.
The likely reason is that iMessage offers such a wide range of communication options and features that mistakes and weaknesses become more likely: Animojis, rendering of files such as photos and videos, and integration with other apps including Apple Pay, iTunes and Airbnb.
One interactionless bug stood out because it allowed an attacker to extract data from a user's messages. The attacker could send specially crafted texts to the target and receive back the content of the victim's SMS messages or images, for example.
While iOS usually has protections in place that would block such an attack, this bug takes advantage of the system's underlying logic, so iOS's defences interpret the malicious messages as legitimate.
Because these bugs require no action from the victim, they are favoured by exploit vendors and nation-state hackers. Silvanovich estimated that the vulnerabilities could be worth tens of millions of dollars on the exploit market.
Bugs like this haven’t been made public for a long time.
There’s a lot of additional attack surface in programs like iMessage. The individual bugs are reasonably easy to patch, but you can never find all the bugs in software, and every library you use will become an attack surface. So that design problem is relatively difficult to fix.
While she did not come across similar bugs in Android, she has also found them in WhatsApp, FaceTime and the video conferencing protocol WebRTC.
Maybe this is an area that gets missed in security.
There’s a huge amount of focus on the implementation of protections like cryptography, but it doesn’t matter how good your crypto is if the program has bugs on the receiving end.
Silvanovich advises users to keep their phone operating system and apps updated, as Apple has recently patched all of the iMessage bugs she presented, in iOS 12.4 and macOS 10.14.6.