Monday, September 13, 2021

Zero-click iMessage Attacks

Lily Hay Newman (Hacker News):

These “zero-click” attacks can happen on any platform, but a string of high-profile hacks show that attackers have homed in on weaknesses in Apple’s iMessage service to execute them. Security researchers say the company’s efforts to resolve the issue haven’t been working—and that there are other steps the company could take to protect its most at-risk users.

[…]

Apple did make a major push to comprehensively address iMessage zero-clicks in iOS 14. The most prominent of those new features, BlastDoor, is a sort of quarantine ward for incoming iMessage communications that’s meant to weed out potentially malicious components before they hit the full iOS environment. But the interactionless attacks keep coming. This week’s Citizen Lab findings and research published in July by Amnesty International both specifically show that it’s possible for a zero-click attack to defeat BlastDoor.

Apple hasn’t issued a fix for this particular vulnerability and corresponding attack, dubbed “Megalodon” by Amnesty International and “ForcedEntry” by Citizen Lab. An Apple spokesperson told WIRED that it intends to harden iMessage security beyond BlastDoor, and that new defenses are coming with iOS 15, which will likely come out next month.

[…]

In fact, Citizen Lab researchers and others suggest that Apple should simply provide an option to disable iMessage entirely.

Lorenzo Franceschi-Bicchierai (tweet):

Security researchers found the vulnerability when they were investigating the potential hack of a Saudi activist’s iPhone, according to a new report by Citizen Lab, a digital rights group housed at the University of Toronto’s Munk School that has investigated NSO spyware for years.

The researchers told Motherboard that they believe the attack was carried out by a customer of NSO, the infamous Israeli company that sells spyware to dozens of governments all over the world.

Bill Marczak:

The exploit is invisible to the target, but in our forensic analysis, we found 31 files with the “.gif” extension on a target’s phone. Of course, they weren’t GIFs at all! 27 of them were the same 748-byte Adobe PSD file, and four were PDFs.
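A triage check built on the mismatch described in the quote above, as an added example that is not part of the quoted report or of Citizen Lab's tooling: it flags files with a `.gif` extension whose leading bytes are not a GIF signature. The function names and the sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Leading magic bytes for the formats named in the quoted finding.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "psd": (b"8BPS",),
    "pdf": (b"%PDF-",),
}

def sniff(header: bytes) -> str:
    """Return the format whose magic bytes start `header`, else 'unknown'."""
    for fmt, magics in SIGNATURES.items():
        if header.startswith(magics):
            return fmt
    return "unknown"

def find_mismatched_gifs(root: str) -> dict:
    """Map relative path -> sniffed format for each *.gif under root that is not a GIF."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix.lower() == ".gif"):
            continue
        try:
            with path.open("rb") as fh:
                kind = sniff(fh.read(8))
        except OSError:
            kind = "unreadable"
        if kind != "gif":
            hits[str(path.relative_to(root))] = kind
    return hits

def demo() -> dict:
    """Scan a temp directory of constructed sample files (not real artifacts)."""
    samples = {
        "ok.gif": b"GIF89a" + bytes(16),
        "a.gif": b"8BPS\x00\x01" + bytes(20),
        "b.GIF": b"%PDF-1.4\n",
        "empty.gif": b"",
        "note.txt": b"8BPS",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return find_mismatched_gifs(tmp)

if __name__ == "__main__":
    for name, kind in sorted(demo().items()):
        print(f"{name}: extension is .gif, content is {kind}")
```

A hit only means the extension and the content disagree; it is a lead for further analysis, not proof of compromise.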

See also: Goodbye, iMessage.

Update (2021-09-14): Juli Clover:

Today’s iOS 14.8 update addresses a critical vulnerability that Apple engineers have been working around the clock to fix, reports The New York Times.

See also: Hacker News.

Update (2021-09-17): Tom McGuire:

This blog post will analyze the integer overflow in CoreGraphics, CVE-2021-30860. After examining the modified .dylib, it appears that there were other issues that were resolved as well, related to imaging processing. We will focus in on the JBIG2 processing, specifically in the JBIG2::readTextRegionSeg.

6 Comments

Kevin Schumacher

iOS 14.8, out today, addresses FORCEDENTRY.

Apple already provides a slider to disable iMessage. It’s the first option under Messages in Settings.

Kevin Schumacher

@Bruce Maybe they meant the Messages app itself? Then again this is Wired we're talking about...

"In fact, Citizen Lab researchers and others suggest that Apple should simply provide an option to disable iMessage entirely."

Settings > Messages > iMessage > Disable

I mean, if I could keep the text message forwarding bits, I'd turn off iMessage myself. I already have SMS fallback on. And why can't text message forwarding work without iMessage, anyway? Call forwarding only needs the devices to be on the same LAN. Probably an accidental design choice, but it's unfortunate all the same. I only need texts, no pics or sounds, no group chats, no silly reactions, stickers, etc, etc. And I already have the unlimited texts plan from my carrier. If iMessage is such a bother ...

Stupid question:

if "[…] Apple engineers have been working around the clock to fix […]" it, does this mean that the iOS release on the iPhone 13, which should be available in 10 days, does not include the fix?

And that, as soon as the phone is out of the box, you're in for a security update?
