Get the new Samsung Galaxy S21 Ultra 5G!

 View

Get the new Samsung Galaxy S21 Ultra 5G!

 View
iOS Apple

New iMessage exploit allows hackers to hijack your iPhone by simply sending you a message

Milen Yanachkov
by Milen Yanachkov
@MilenYanachkov
Aug 08, 2019, 3:51 AM
New iMessage exploit allows hackers to hijack your iPhone by simply sending you a message
A new, "interaction-less" bug in iMessage was recently discovered that could allow hackers to gain access to your iPhone. The exploit being interaction-less means that you don't need to do anything—download any files or click any suspicious links—to get your device compromised. What's even worse, you don't even need to open the iMessage app for the exploit to work.

At the Black Hat security conference in Las Vegas this week, Google Project Zero researcher Natalie Silvanovich showed off a number of these so-called interaction-less bugs in iMessage that could be used to gain remote access to an iPhone. Wired reports that Apple has already patched five of them, but there are a handful that are yet to receive the company;s attention.

Following the recently uncovered vulnerabilities in WhatsApp, Silvanovich and her colleague Samuel Groß started investigating for similar exploits in SMS, MMS, and voicemail, but found none. Then, they shifted their attention to iMessage and started reverse engineering the app, which lead to some worrisome discoveries.

According to the researchers, the vulnerabilities that they uncovered in iMessage are likely a result of the complex (and ever-expanding) nature of the app. Apple's messaging client not only allows users to send each other files, voice messages, photos, and Animojis, but also has many integrations with third-party apps, like OpenTable and Airbnb. This makes securing every potential backdoor increasingly difficult, though the researchers claim that Apple is actually doing a good job.

Silvanovich says that iOS has many security checks in place, but the bug she and Groß discovered takes advantage of the underlying logic of the operating system, which makes it possible to bypass the security net. A potential attacker could send a targeted iMessage with specific content in it that Apple's servers would interpret in a certain way and send the target a message that would then automatically trigger the exploit, granting the attacker access to the phone.

Interaction-less bugs are highly sought after in the hacking community, as they don't require the target to do anything. The iMessage vulnerabilities discovered by the Google Project Zero members could fetch prices in the vicinity of "millions or even tens of millions" on the exploit market.

FEATURED VIDEO

Featured stories

Popular stories
New 50MP Samsung camera sensor with Dual Pixel Pro brings one autofocus to rule them all
Popular stories
Google Pixel 5a leaks in full with dual-camera setup, very familiar design
Popular stories
T-Mobile blows Verizon out of the water with a new maxed-out 5G plan
Popular stories
The best unlocked Samsung Galaxy S21 5G family deals are back with a bang

Popular stories

Popular stories
5G iPhone 13 Pro renders reveal something that many iPhone users have prayed for
Popular stories
Possible 5G alliance between Amazon and Dish could prove a 'nightmare' for existing US carriers
Popular stories
Full OnePlus 9 Pro and 9E specs sheet leaks out, not the cameras you were looking for
Popular stories
Hidden code points to in-display face unlock, fingerprint scanner for Pixel 6 5G
Popular stories
Apple iPhone users need to install iOS 14.5 as soon as it's released; here's why
Popular stories
Android 12 Developer Preview hints that a 5G Pixel 6 XL is coming

Hot phones

Latest Stories

View more news
This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.
FCC OKs Cingular's purchase of AT&T Wireless