Google security researchers have discovered six so-called ‘zero interaction’ iOS vulnerabilities – bugs that can allow an attacker to take control of the phone without the user having to do anything other than receive and open a message.
Five of them have been fixed in iOS 12.4, but Apple has not yet been able to completely close the sixth one.
ZDNet reports that Google has published proof of concept code to exploit the bugs fixed by Apple.
Two members of Project Zero, Google’s elite bug-hunting team, have published details and demo exploit code for five of six “interactionless” security bugs that impact the iOS operating system and can be exploited via the iMessage client […]
According to the researcher, four of the six security bugs can lead to the execution of malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is to send a malformed message to a victim’s phone, and the malicious code will execute once the user opens and views the received item […]
The fifth and sixth bugs […] allow an attacker to leak data from a device’s memory and read files off a remote device – also with no user interaction.
Although Apple attempted to remove all six vulnerabilities in iOS 12.4, Google says that it didn’t completely succeed with one of them.
Details about one of the “interactionless” vulnerabilities have been kept private because Apple’s iOS 12.4 patch did not completely resolve the bug, according to Natalie Silvanovich, one of the two Google Project Zero researchers who found and reported the bugs.
Details of the remaining five exploits will be shared at the Black Hat security conference in Las Vegas next week. In keeping with responsible practice, Google first reported the issues to Apple in order to allow it to issue patches before the team revealed the details.
‘Zero-interaction’ or ‘frictionless’ vulnerabilities are particularly dangerous. Most iOS and macOS exploits work by tricking the user into running an app or revealing their Apple ID credentials. A zero-interaction exploit relies on nothing other than the user opening a message. Silvanovich said that the message could be sent via SMS, MMS, iMessage, Mail or even Visual Voicemail.
Such discoveries are worth huge sums of money on the black market, with both corporations and governments keen to buy them.
Such vulnerabilities, when sold on the black market, can bring a bug hunter well over $1 million, according to a price chart published by Zerodium. It wouldn’t be an exaggeration to say that Silvanovich just published details about exploits worth well over $5 million, and most likely valued at around $10 million.
If you haven’t yet updated to iOS 12.4, now would be a good time to do so. Many bad actors exploit vulnerabilities after they have been published, knowing that there’s a high percentage of device owners who don’t update promptly.