iOS Apple

New iMessage exploit allows hackers to hijack your iPhone by simply sending you a message

Milen Yanachkov by Milen Yanachkov   /  Aug 08, 2019, 3:51 AM
New iMessage exploit allows hackers to hijack your iPhone by simply sending you a message
A new, "interaction-less" bug in iMessage was recently discovered that could allow hackers to gain access to your iPhone. The exploit being interaction-less means that you don't need to do anything—download any files or click any suspicious links—to get your device compromised. What's even worse, you don't even need to open the iMessage app for the exploit to work.

At the Black Hat security conference in Las Vegas this week, Google Project Zero researcher Natalie Silvanovich showed off a number of these so-called interaction-less bugs in iMessage that could be used to gain remote access to an iPhone. Wired reports that Apple has already patched five of them, but there are a handful that are yet to receive the company;s attention.

Following the recently uncovered vulnerabilities in WhatsApp, Silvanovich and her colleague Samuel Groß started investigating for similar exploits in SMS, MMS, and voicemail, but found none. Then, they shifted their attention to iMessage and started reverse engineering the app, which lead to some worrisome discoveries.

According to the researchers, the vulnerabilities that they uncovered in iMessage are likely a result of the complex (and ever-expanding) nature of the app. Apple's messaging client not only allows users to send each other files, voice messages, photos, and Animojis, but also has many integrations with third-party apps, like OpenTable and Airbnb. This makes securing every potential backdoor increasingly difficult, though the researchers claim that Apple is actually doing a good job.

Silvanovich says that iOS has many security checks in place, but the bug she and Groß discovered takes advantage of the underlying logic of the operating system, which makes it possible to bypass the security net. A potential attacker could send a targeted iMessage with specific content in it that Apple's servers would interpret in a certain way and send the target a message that would then automatically trigger the exploit, granting the attacker access to the phone.

Interaction-less bugs are highly sought after in the hacking community, as they don't require the target to do anything. The iMessage vulnerabilities discovered by the Google Project Zero members could fetch prices in the vicinity of "millions or even tens of millions" on the exploit market.

FEATURED VIDEO

Options

29 Comments

Tsepz_GP
Reply

1. Tsepz_GP

Posts: 1175; Member since: Apr 12, 2012

The good thing here is that once they patch it up all of us will get the update at once and not have to wait for multiple variants to be updated, my iPad and iPhone will be updated on the same day. I hope the WhatsApp flaws can also be sorted out ASAP.

posted on Aug 08, 2019, 3:55 AM

Papa_Ji
Reply

3. Papa_Ji

Posts: 831; Member since: Jun 27, 2016

perfect reply...What someone can expect form iSheep

posted on Aug 08, 2019, 4:08 AM

Tizo101
Reply

5. Tizo101

Posts: 524; Member since: Jun 05, 2015

Android doesn't have this problem... android is almost perfect even without updates

posted on Aug 08, 2019, 4:23 AM

Tsepz_GP
Reply

12. Tsepz_GP

Posts: 1175; Member since: Apr 12, 2012

It does, did you not see the WhatsApp exploits?

posted on Aug 08, 2019, 6:07 AM

JCASS889
Reply

15. JCASS889

Posts: 503; Member since: May 18, 2018

Whatsapp is a 3rd party app not a system level app so it has nothing to do with Android, I don't use what app so it doesn't affect me.

posted on Aug 08, 2019, 7:15 AM

sgodsell
Reply

24. sgodsell

Posts: 7176; Member since: Mar 16, 2013

Well maybe if you just talk to Siri some more, then Apple might hear your issues and get around to fixing all of the privacy and security issues.

posted on Aug 08, 2019, 1:53 PM

cmdacos
Reply

8. cmdacos

Posts: 4084; Member since: Nov 01, 2016

This would only require an app update, not an update of the full phone.

posted on Aug 08, 2019, 4:41 AM

Back_from_beyond
Reply

10. Back_from_beyond

Posts: 1373; Member since: Sep 04, 2015

Or Apple can do as Google did and separate core apps like messaging, dialer, contacts and so on from OS updates and allow them to be updated as regular apps. That's one of the reasons system updates on Android are much less of a necessity.

posted on Aug 08, 2019, 5:00 AM

ph00ny
Reply

11. ph00ny

Posts: 2024; Member since: May 26, 2011

and then same bug/exploit will reappear several versions down

posted on Aug 08, 2019, 5:42 AM

Back_from_beyond
Reply

4. Back_from_beyond

Posts: 1373; Member since: Sep 04, 2015

Apple say: Thank you, Google.

posted on Aug 08, 2019, 4:20 AM

Leo_MC
Reply

6. Leo_MC

Posts: 7190; Member since: Dec 02, 2011

To hijack what part of the iPhone? If they would say that the hacker has access to personal data (contacts for instance), I could understand, but in iOS an app can only have access to certain features and none in iMessages is about controlling the OS. Semantics aside, Apple should deal with iMessage core functionality, because over the time we've had numerous problems.

posted on Aug 08, 2019, 4:25 AM

cmdacos
Reply

9. cmdacos

Posts: 4084; Member since: Nov 01, 2016

Source article indicates sms message contents or images could be extracted.

posted on Aug 08, 2019, 4:43 AM

Leo_MC
Reply

18. Leo_MC

Posts: 7190; Member since: Dec 02, 2011

Well, than it's like I've said: "access to personal data", not "hijack your phone". Anyway, there is a problem that Apple should address asap.

posted on Aug 08, 2019, 10:51 AM

shiv179
Reply

7. shiv179

Posts: 150; Member since: Aug 08, 2012

Thank you again Google!

posted on Aug 08, 2019, 4:31 AM

blingblingthing
Reply

13. blingblingthing

Posts: 940; Member since: Oct 23, 2012

I thought iOS was secure, what happened here guys?

posted on Aug 08, 2019, 6:23 AM

Papa_Ji
Reply

14. Papa_Ji

Posts: 831; Member since: Jun 27, 2016

It's secure....but only for iSheep.

posted on Aug 08, 2019, 7:13 AM

lyndon420
Reply

16. lyndon420

Posts: 6715; Member since: Jul 11, 2012

Google has been coming to apple's rescue quite a bit lately. Hopefully apple is grateful.

posted on Aug 08, 2019, 7:44 AM

Vancetastic
Reply

17. Vancetastic

Posts: 1086; Member since: May 17, 2017

I guess nothing is perfect.

posted on Aug 08, 2019, 9:07 AM

tedkord
Reply

19. tedkord

Posts: 17296; Member since: Jun 17, 2009

Some things much less so than fanboys world have you believe.

posted on Aug 08, 2019, 11:39 AM

Vancetastic
Reply

22. Vancetastic

Posts: 1086; Member since: May 17, 2017

Right? The deflections and excuses are at lease somewhat amusing.

posted on Aug 08, 2019, 1:26 PM

Tipus
Reply

20. Tipus

Posts: 847; Member since: Sep 30, 2016

" Most secure Os" LMAO :)))

posted on Aug 08, 2019, 12:10 PM

TBomb
Reply

21. TBomb

Posts: 1379; Member since: Dec 28, 2012

Can someone give an unbiased explanation on how the imessage app is such an easy way to ruin someone's iphone experience? Between the text you send that can brick a phone to this, there has to be a reason why this is possible on an iPhone/imessage but not with other phones/apps.

posted on Aug 08, 2019, 1:25 PM

Vancetastic
Reply

23. Vancetastic

Posts: 1086; Member since: May 17, 2017

Well, you CAN use other messaging apps, but you can’t be sure everyone else on an iPhone does. Also, iMessage is for the cool kids. Blue bubbles rule, green bubbles drool. It’s actually incredibly stupid.

posted on Aug 08, 2019, 1:28 PM

lyndon420
Reply

25. lyndon420

Posts: 6715; Member since: Jul 11, 2012

Lmao...so true! It's also ironic that the most loyal of iOS users aren't here providing their feedback on this issue (probably hiding in a corner somewhere sobbing their hearts out)...

posted on Aug 08, 2019, 4:44 PM

Vancetastic
Reply

28. Vancetastic

Posts: 1086; Member since: May 17, 2017

I asked midan for his take, and he somewhat predictably didn’t answer.

posted on Aug 08, 2019, 8:47 PM

mackan84
Reply

26. mackan84

Posts: 359; Member since: Feb 13, 2014

Simple, Apple tries to compete with Facebooks messenger and f***s it up. More features doesn’t always mean happy customers. I mean weren’t we already able to play games with each other using a standalone app?

posted on Aug 08, 2019, 7:29 PM

andrewc31394
Reply

30. andrewc31394

Posts: 290; Member since: Jun 23, 2012

i love how people who despise "green bubble" people never like to mention how many times this has happened with iPhones lol.

posted on Aug 14, 2019, 8:18 AM

* Some comments have been hidden, because they don't meet the discussions rules.

view all comments
Want to comment? Please Log in or sign up.

Featured stories

Camera-comparison-Galaxy-Note-10-vs-iPhone-XS-Max-Pixel-3
Galaxy Note 10+ barely snags victory against iPhone XS Max and Pixel 3 in camera comparison
Samsung-Galaxy-Note-10-Review
Samsung Galaxy Note 10+ Review
Huawei-Mate-30-Pro-rides-the-subway-in-disguise
Huawei Mate 30 Pro spotted in public sporting a waterfall display
the-state-of-android-pie-updates-the-best-and-worst-brands
The state of Android Pie updates on the eve of Android Q: the best and worst brands
galaxy-note-10-best-cases
The best cases for Samsung Galaxy Note 10 and Note 10+: protect your shiny new jewel!
have-we-reached-the-end-of-smartphone-price-inflation
Have we reached the end of smartphone price inflation?
Apple-iPhone-11-announcement-date-leak
Apple seems to have revealed the date of its iPhone 11 event
Apple-iPhone-11-camera-specs-rainbow-colors-leak
Massive iPhone 11 leak details cameras, 'rainbow' logo, much more

Popular stories

Foldable-Motorola-RAZR-2019-Verizon-release-date-specs-review-price
Verizon's foldable Motorola RAZR 2019 specs and release price - preview of the new clamshell
Pokemon-GO-Harry-Potter-Wizards-Unite-anticheating-rules
Half a million accounts found cheating in Pokemon GO and Harry Potter: Wizards Unite
woot-deals-amazon-devices-echo-echo-show-fire-tv-alexa-voice-remote
A bunch of Amazon devices are on sale at crazy low prices, Echo and Echo Show included
Monday-is-the-last-day-to-enter-T-Mobiles-latest-sweepstakes
Last chance to win one of ten Samsung Galaxy Note 10 phones being given away by T-Mobile
best-buy-moto-g7-power-deal-verizon-installments-new-lines
Best Buy has the Moto G7 Power on sale for less than 20 bucks overall
Apple-iPhone-11-camera-specs-rainbow-colors-leak
Massive iPhone 11 leak details cameras, 'rainbow' logo, much more
Sonys-9-inch-aftermarket-Android-Auto-receiver-launches-in-December-for-600
Sony unveils impressive Android Auto / CarPlay receiver with giant screen
T-Mobile-Galaxy-Note-9-Night-Mode-update
T-Mobile plays nice with Galaxy Note 9 owners, rolls out Night Mode update

Hot phones

Latest Stories

View more
This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.