Think your iPhone is hard to hack? By the size of rewards for remote iPhone hacks, it would appear to be. But Google's crack squad of hackers at Project Zero recently showed that with skill and determination, iPhones can be hacked just by receiving an SMS message.
Thanks to Google Project Zero, who were behind a fistful of patches in Apple's recent iOS update, iOS devices are more secure than they were a few months ago.
But the team that found all those iOS bugs has now called on Apple to make iMessage less prone to remote attacks by reducing the 'attack surface' of its software, or in tech slang, cutting the 'cruft' from iMessage, so that attackers have fewer vulnerable parts to exploit.
"The majority of vulnerabilities occurred in iMessage due to its broad and difficult to enumerate attack surface. Most of this attack surface is not part of normal use, and does not have any benefit to users," Google Project Zero researcher Natalie Silvanovich wrote in a blogpost.
Silvanovich presented her and her colleagues' findings at BlackHat on Wednesday, detailing 10 iOS bugs they found, including five of the six that were patched in iOS 12.4. One of them, CVE-2019-8641, still remains under wraps because Apple's fix "did not fully remediate the issue".
The fixes Apple released in response to Google Project Zero's findings are notable because they are 'interactionless' or 'zero click', meaning the flaws don't require a single click by the end user to exploit.
There have been a few stories about zero-click exploits for iOS, but not much evidence they exist. For example, a 2017 report by Reuters exposed a group of ex-NSA hackers working in the Middle East who were reportedly using an iPhone hacking tool called Karma.
The tool was said to partly rely on a zero-day flaw in Apple's messaging app, iMessage. However, the users didn't understand how the vulnerability worked. Karma reportedly allowed the hackers to open a line to an iPhone even if the user didn't use iMessage.
And when it comes to messaging apps, exploit broker Zerodium – which offers $2m for zero-click iPhone exploits – has also claimed that iMessage is the least secure from a zero-day exploit perspective compared with Signal, WhatsApp, and even Telegram.
But again, there was no evidence, which was the motivation for Google Project Zero's research into zero-click attacks on iOS.
Several of the bugs affected Apple's iMessage messaging system. In some cases, just receiving an SMS or MMS message iMessage would be enough to do the trick for an attacker, putting this set of bugs on a similar severity scale to Google's Android Stagefright bugs in 2015.
Stagefright bugs could lead to a complete compromise just by an Android device receiving an SMS or MMS message and it affected 95% of Android handsets.
Project Zero researchers focused on SMS, MMS, and newer fancy features of iMessage like Digital Touch, which arrived in iOS 10 and let iPhone users send drawings and animations to one another to keep up with WhatsApp and Facebook Messenger. One of the flaws Silvanovich found was due to an issue in Digital Touch.
SEE: 10 tips for new cybersecurity pros (free PDF)
As she notes, SMS in iOS was a "good starting point" for their research because of Apple's design choices.
"Unlike Android, SMS messages are processed in native code by the iPhone, which increases the likelihood of memory corruption vulnerabilities," she explained.
Silvanovich suggests that Apple could help improve iPhone security by cutting out unnecessary avenues for remote attackers to use.
"Overall, the number and severity of the remote vulnerabilities we found was substantial. Reducing the remote attack surface of the iPhone would likely improve its security," she wrote.
Apple's head of security engineering and architecture, Ivan Krstić, is scheduled to deliver a presentation today at Black Hat about iOS and Mac security.