Even though the iPhone is one of the most secure consumer electronics devices on the market, it is still not completely immune. Last year, security researcher Ian Beer found 30 different vulnerabilities in iOS while working for Project Zero, a group of top Google hackers who look for security flaws in other players' products as well as Google's own.
A recent report from Project Zero published by Natalie Silvanovich has shown 10 new ways to attack the iPhone. Silvanovich and her colleague Samuel Gross also presented these new vulnerabilities last week at the Black Hat security conference in Las Vegas. Both the number of vulnerabilities and the attack methods show that these are extremely dangerous holes.
The vulnerabilities discovered by the two researchers relate to many services, such as text messaging, voicemail and email. In particular, iMessage, the default messaging application on iOS and Mac computers, is the most affected, with both the most holes and the most dangerous vulnerabilities.
One of iMessage's vulnerabilities allows an attacker to send a specially crafted message that tricks the iMessage server into delivering the entire contents of the recipient's text messages (including text and images). With this attack, the final target doesn't even see this message or know that they are becoming a victim. They don't even need to open the app.
Other vulnerabilities also involve using text messages to deliver malicious code to a victim's device without them knowing it. According to Silvanovich, the complexity of iMessage and its degree of cross-dependence on a wide range of services, applications, and software libraries increase the risk of attacks because hackers can bypass iOS's containment measures.
The vast majority of vulnerabilities discovered by the Project Zero group involve remote attacks, or "zero click" vulnerabilities, meaning the attacker does not need any physical interaction from the victim (like clicking on a phishing link) to perform an attack. Such vulnerabilities are always hunted by hackers and criminal organizations because the victim is unaware of the ongoing attack.
The video demonstrates the ability to control the iOS daemon registration by exploiting the vulnerability of iMessage.
According to security researchers, six of the vulnerabilities have been patched, while others have not. And there are still many other holes that have yet to be discovered.
The researchers said their motivation to search for additional zero click vulnerabilities came from the recently discovered vulnerability in WhatsApp, which showed that even iPhone users can have spyware installed on their phones without any recognizable sign.
Researcher Natalie Silvanovich said in her report: "On top of that, the number and severity of the remote attack vulnerabilities we discovered are significant. Reducing the number of remote attacks targeting iPhone will help improve the security level of this device."
Just a few months ago, Project Zero researchers discovered a series of serious vulnerabilities in iMessage that could remotely wipe a victim's iPhone, with the victim unable to do anything against it. Other vulnerabilities allow an attacker to steal the user's personal data from the target device.
Since 2016, Apple has offered six-figure bonuses to hackers who discover vulnerabilities in its products, largely because these vulnerabilities can fetch millions of dollars on the market where software vulnerabilities are bought and sold, and can cause significant damage to end users. Last week, the company announced the bonus amount could now be up to $1 million for these vulnerabilities.
Silvanovich also made it clear that security vulnerabilities in iOS are still very high. While it is not possible to fully secure a device against all such attacks, the best way for users to keep their device safe is to update to the latest versions of iOS and their applications. The six vulnerabilities in iMessage that Silvanovich mentioned were patched in Apple's iOS 12.4 and macOS 10.13.6 updates.
Refer to Motherboard