A duo of Google bug-hunting researchers have disclosed several “interactionless” vulnerabilities in iOS that made it possible for hackers to hijack your iPhone via iMessage – without you even engaging with the malicious texts.
The researchers, Natalie Silvanovich and Samuel Groß, who work with Google’s security task force Project Zero, have so far released details for only five out of the six bugs found, ZDNet reports. Four out of these bugs can lead to the execution of malicious code on remote iOS devices, without any significant user interaction.
All it takes to perform the attacks successfully is delivering an infectious message and enticing the recipient into viewing it.
The reason for withholding the specifics for one of the bugs is that it hasn’t been sufficiently addressed by Apple’s iOS 12.4 security patch posted on July 22, according to Silvanovich. Updating to iOS 12.4 will, however, protect iPhone users against the other five exploits.
For more details about the attacks and proof-of-concept documentation, check out this list of the exploits:
- CVE-2019-8641 (still not fully disclosed)
- CVE-2019-8647
- CVE-2019-8660
- CVE-2019-8662
- CVE-2019-8624
- CVE-2019-8646
Interestingly, a chart by security firm Zerodium suggests five of the exploits are valued at $1 million each.
Since the disclosure includes proof-of-concept code for executing the attacks, iOS users are advised to immediately update to the latest version of iOS.
On August 7, Silvanovich will give a keynote at Black Hat on the topic of interactionless exploits for iPhone and iOS in general. There, she’ll touch on some of the potential vulnerabilities in SMS, MMS, Visual Voicemail, iMessage, and Mail that make these attacks possible in the first place.
This is hardly the first time the Big G has found kinks in Apple’s software. Back in February 2019, the iPhone-maker had to release a security patch after Project Zero researchers unearthed two zero-day vulnerabilities in iOS.