A team of security analysts at Google has shared their findings regarding ‘interactionless’ vulnerabilities affecting iOS via the iMessage app. More precisely, we’re talking about six vulnerabilities that could be used to attack iOS devices without any input from the user - and as such, all of these are considered to be the 'holy grail' for any hacker. These iOS vulnerabilities have been discovered by Natalie Silvanovich and Samuel Groß, who are members of the Google Project Zero team.
Four of the six security vulnerabilities can be used to gain access to the victim’s iOS device by executing code via the iMessage app. This means that the attacker could send a malformed message to the victim to begin this process. Once the victim opens the message, malicious code is executed in the background, providing access to the attacker. These four bugs are CVE-2019-8647, CVE-2019-8660, CVE-2019-8662, and CVE-2019-8641. As you can see, the final bug is being kept private for now, as Apple has yet to implement a fix via an iOS update.
We are withholding CVE-2019-8641 until its deadline because the fix in the advisory did not resolve the vulnerability
— Natalie Silvanovich (@natashenka) July 29, 2019
Two additional bugs are of a different kind. Named CVE-2019-8624 and CVE-2019-8646, these two allow an attacker to access the victim device’s memory and read files off a remote device. Once again, this happens with no user interaction whatsoever, and this is precisely what makes all six of these iOS vulnerabilities so important.
Natalie Silvanovich is scheduled to hold a presentation next week, at the Black Hat security conference in Las Vegas. As per the abstract of Silvanovich’s talk, she will be talking about “the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage, and Mail.” The presentation will also include two examples of vulnerabilities discovered using these methods.
Interestingly enough, the iOS vulnerabilities in question hold a lot of value on the exploit market. As per a price chart by Zerodium, the security analysts could have earned from $5 to $10 million for the exploits. Another exploit vendor, Crowdfense, values these exploits between $2 and $4 million each.
Finally, you’re probably wondering how to protect your device against these iOS vulnerabilities. According to Apple’s notes about iOS 12.4, the company has already fixed vulnerabilities related to ‘interactionless’ methods of device takeover. Therefore, it’s strongly recommended to update your device to iOS 12.4, which also fixes vulnerabilities related to Apple’s AWDL protocol.