While the iPhone is one of the most secure consumer devices on the market, it’s certainly not infallible. Security researcher Ian Beer drove that point home just about a year ago when he found 30 different iOS vulnerabilities while working for Project Zero, Google’s team of elite hackers tasked with finding vulnerabilities in competitors’ (and Google) products.
Project Zero has returned with a new report by researcher Natalie Silvanovich highlighting 10 new ways that the iPhone can be covertly compromised by hackers. Silvanovich and fellow Project Zero researcher Samuel Groß revealed the flaws last week at the Black Hat hacking and security conference in Las Vegas.
"There have been rumors of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices," the presentation proclaimed.
The vulnerabilities found by Silvanovich and Groß run the gamut and involve services like text messaging, visual voicemail, and email. But iMessage, the default messaging app on iOS and Mac devices, suffered from the highest number of high-impact bugs.
One of the iMessage vulnerabilities allows a hacker to send a specially crafted text message to a target tricking the iMessage server into coughing up the content of user text messages (both text and images). Under this scenario, the end target would never even see the message, or be aware that they’d been targeted. They wouldn’t even need to open the app.
Other vulnerabilities opened the door to text messages being used to plant malicious code on a user’s device without the target’s knowledge. The complexity of iMessage, and its cross dependency on numerous other services, apps, and libraries, increases the risk that these attacks will be able to bypass the broader iOS defenses, Silvanovich says.
The lion’s share of the flaws are what the Project Zero team termed remote or “zero click” vulnerabilities, given they don’t require any physical interaction from the target (like clicking on a phishing link) in order to succeed. Such flaws are highly sought after by state actors and others given the target remains utterly oblivious to the fact that any attack has even occurred.
While six of the vulnerabilities have already been patched, several of them have not, the researchers said. And there’s more yet to be revealed.
The researchers say they were motivated to hunt for more zero click vulnerabilities after a Whatsapp vulnerability recently highlighted how iPhone users could have spyware installed on their phones—and calls listened in on—without any indication whatsoever the end user had been compromised.
“Overall, the number and severity of the remote vulnerabilities we found was substantial,” Project Zero researcher Natalie Silvanovich said of the findings. “Reducing the remote attack surface of the iPhone would likely improve its security.”
Just months earlier, Project Zero researchers had discovered another suite of iMessage vulnerabilities so severe they could result in a target’s iPhone being wiped completely by a remote attacker, again with zero action ever being taken by the target. Other bugs allowed for the covert siphoning of private user data from a target device.
Apple began offering six figures rewards to hackers for discovering vulnerabilities in its products in 2016, likely due to the fact that such vulnerabilities can net millions of dollars on the gray market where they’re likely to cause significantly more harm to end users in the wild. Last week, the company announced that it will pay up to $1 million for vulnerabilities.
Last year, Beer urged Apple to donate $2.45 million to to human rights group Amnesty International as payment for the laundry list of exploits he’d discovered, though Apple has yet to take him up on the proposal.
Silvanovich has made it clear that iOS security generally remains high. And while it’s impossible to be entirely secure in the face of such attacks, the best course of action is to keep your OS and apps updated. All six of the iMessage bugs Silvanovich presented last week at Def Con were patched via Apple’s recently released iOS 12.4 and macOS 10.13.6 updates.