Lily Hay Newman
Hackers Can Break Into an iPhone Just by Sending a Text
When you think about how hackers could break into your smartphone, you probably imagine it would start with clicking a malicious link in a text, downloading a fraudulent app, or some other way you accidentally let them in. It turns out that’s not necessarily so—not even on the iPhone, where simply receiving an iMessage could be enough to get yourself hacked.
At the Black Hat security conference in Las Vegas on Wednesday, Google Project Zero researcher Natalie Silvanovich is presenting multiple so-called “interaction-less” bugs in Apple’s iOS iMessage client that could be exploited to gain control of a user’s device. Apple has already patched six of them; a few remain unpatched.
“These can be turned into the sort of bugs that will execute code and be able to eventually be used for weaponized things like accessing your data,” Silvanovich says. “So the worst-case scenario is that these bugs are used to harm users.”
Silvanovich, who worked on the research with fellow Project Zero member Samuel Groß, got interested in interaction-less bugs because of a recent, dramatic WhatsApp vulnerability that allowed nation-state spies to compromise a phone just by calling it—even if the recipient didn’t answer the call.
But when she looked for similar issues in SMS, MMS, and visual voicemail, she came up empty. Silvanovich had assumed that iMessage would be a more scrutinized and locked-down target, but when she started reverse engineering and looking for flaws, she quickly found multiple exploitable bugs.
This may be because iMessage is such a complex platform that offers an array of communication options and features. It encompasses Animojis, rendering files like photos and videos, and integration with other apps—everything from Apple Pay and iTunes to Fandango and Airbnb. All of these extensions and interconnections increase the likelihood of mistakes and weaknesses.
One of the most interesting interaction-less bugs Silvanovich found was a fundamental logic issue that could have allowed a hacker to easily extract data from a user’s messages. An attacker could send a specially crafted message to a target, and the target’s device would reply over iMessage with specific user data, such as the content of their SMS messages or images. The victim wouldn’t even have to open the Messages app for the attack to work. iOS has protections in place that would usually block an attack like this, but because the bug abuses the system’s own message-handling logic, iOS’s defenses treat the exchange as legitimate and intended.
Other bugs Silvanovich found could lead to malicious code being placed on a victim’s device, again from just an incoming text.
Interaction-less iOS bugs are highly coveted by exploit vendors and nation-state hackers, because they make it so easy to compromise a target’s device without requiring any buy-in from the victim.
The six vulnerabilities Silvanovich found—with more yet to be announced—would potentially be worth millions or even tens of millions of dollars on the exploit market.
“Bugs like this haven’t been made public for a long time,” Silvanovich says. “There’s a lot of additional attack surface in programs like iMessage. The individual bugs are reasonably easy to patch, but you can never find all the bugs in software, and every library you use will become an attack surface. So that design problem is relatively difficult to fix.”
Silvanovich emphasizes that the security of iMessage is strong overall, and that Apple is far from the only developer that sometimes makes mistakes in grappling with this conceptual issue. Apple did not return a request from WIRED for comment.
Silvanovich says she also looked for interaction-less bugs in Android, but hasn’t found any so far. She notes, though, that it’s likely that such vulnerabilities exist in almost any target. Over the past year she’s found similar flaws in WhatsApp, FaceTime, and the WebRTC real-time communication framework.
“Maybe this is an area that gets missed in security,” Silvanovich says. “There’s a huge amount of focus on implementation of protections like cryptography, but it doesn’t matter how good your crypto is if the program has bugs on the receiving end.”
The best thing you can do to protect yourself against interaction-less attacks is to keep your phone operating system and apps updated; Apple patched all six of the iMessage bugs Silvanovich is presenting in the recently released iOS 12.4, and in macOS 10.14.6. But beyond that, it’s up to developers to avoid introducing these types of bugs in their code, or spot them as quickly as possible. Given how inexorable interaction-less attacks can be, there’s not a lot users can do to stop them once malicious messages or calls start pouring in.
LILY HAY NEWMAN, WIRED
Google warns that NSO hacking is on par with elite nation-state spies – ForcedEntry is “one of the most technically sophisticated exploits.”
The Israeli spyware developer NSO Group has shocked the global security community for years with aggressive and effective hacking tools that can target both Android and iOS devices. The company’s products have been so abused by its customers around the world that NSO Group now faces sanctions, high-profile lawsuits, and an uncertain future. But a new analysis of the spyware maker’s ForcedEntry iOS exploit—deployed in a number of targeted attacks against activists, dissidents, and journalists this year—comes with an even more fundamental warning: Private businesses can produce hacking tools that have the technical ingenuity and sophistication of the most elite government-backed development groups.
Google’s Project Zero bug-hunting group analyzed ForcedEntry using a sample provided by researchers at the University of Toronto’s Citizen Lab, which published extensively this year about targeted attacks utilizing the exploit. Researchers from Amnesty International also conducted important research about the hacking tool this year. The exploit mounts a zero-click, or interactionless, attack, meaning that victims don’t need to click a link or grant a permission for the hack to move forward. Project Zero found that ForcedEntry used a series of shrewd tactics to target Apple’s iMessage platform, bypass protections the company added in recent years to make such attacks more difficult, and adroitly take over devices to install NSO’s flagship spyware implant Pegasus.
Apple released a series of patches in September and October that mitigate the ForcedEntry attack and harden iMessage against future, similar attacks. But the Project Zero researchers write in their analysis that ForcedEntry is still “one of the most technically sophisticated exploits we’ve ever seen.” NSO Group has achieved a level of innovation and refinement, they say, that is generally assumed to be reserved for a small cadre of nation-state hackers.
Apple added an iMessage protection called BlastDoor in 2020’s iOS 14 on the heels of research from Project Zero about the threat of zero-click attacks. Project Zero’s Ian Beer and Samuel Groß, who wrote the ForcedEntry analysis, say that BlastDoor does seem to have succeeded at making interactionless iMessage attacks much more difficult to deliver. “Making attackers work harder and take more risks is part of the plan to help make zero-day hard,” they told WIRED. But NSO Group ultimately found a way through.
ForcedEntry takes advantage of weaknesses in how iMessage accepted and interpreted files like GIFs to trick the platform into opening a malicious PDF without a victim doing anything at all. The attack exploited a vulnerability in a legacy compression tool used to process text in images from a physical scanner, enabling NSO Group customers to take over an iPhone completely. Essentially, 1990s algorithms used in photocopying and scanning compression are still lurking in modern communication software, with all of the flaws and baggage that come with them.
The sophistication doesn’t end there. While many attacks require a so-called command-and-control server to send instructions to successfully placed malware, ForcedEntry sets up its own virtualized environment. The entire infrastructure of the attack can establish itself and run within a strange backwater of iMessage, making the attack even harder to detect. “It’s pretty incredible and, at the same time, pretty terrifying,” the Project Zero researchers concluded in their analysis.
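The file-type confusion described above, as an added example (this is not Apple’s, NSO Group’s or Project Zero’s code): a small Python model of an attachment pipeline that must decide which decoder gets a file. The function names, the extension table, the preview allowlist and the two sample attachments are constructed for this illustration. The permissive policy trusts the bytes alone, so a file delivered as a .gif whose content begins with a PDF header is handed to the PDF parser; the strict policy refuses unless the declared type, the sniffed type and the allowlist all agree. The legacy scanner codec the article refers to is JBIG2, a name taken from Project Zero’s writeup rather than from the article itself; the last check flags PDFs that reference its filter.

```python
"""Content sniffing versus declared type: the confusion ForcedEntry abused.

Added example, not code from Apple, NSO Group or Project Zero. Models an
attachment pipeline choosing a decoder. Sample inputs are constructed.
"""
from typing import Optional

# Leading bytes -> format. The prefixes do not overlap, so order is irrelevant.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
}

# Extension -> format the sender claims by naming the file that way (assumed table).
EXTENSIONS = {"gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "pdf": "pdf"}

# Formats an image-preview path is willing to decode at all (assumed allowlist).
ALLOWED_PREVIEW = frozenset({"gif", "png", "jpeg"})


def sniff(data: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def claimed(filename: str) -> Optional[str]:
    """Return the format implied by the file extension, or None if unknown."""
    if "." not in filename:
        return None
    return EXTENSIONS.get(filename.rsplit(".", 1)[1].lower())


def permissive_dispatch(filename: str, data: bytes) -> Optional[str]:
    """Pick a decoder from content alone; the extension is ignored entirely.

    This is the behaviour the article describes: a '.gif' that is really a PDF
    is parsed as a PDF, reaching code that was never meant for a GIF preview.
    """
    return sniff(data)


def strict_dispatch(filename: str, data: bytes) -> str:
    """Pick a decoder only when name, content and allowlist all agree."""
    by_name, by_content = claimed(filename), sniff(data)
    if by_name is None or by_content is None:
        raise ValueError(f"{filename}: unrecognised type (name={by_name}, content={by_content})")
    if by_name != by_content:
        raise ValueError(f"{filename}: declared {by_name} but content is {by_content}")
    if by_content not in ALLOWED_PREVIEW:
        raise ValueError(f"{filename}: {by_content} is not decodable in the preview path")
    return by_content


def uses_jbig2(data: bytes) -> bool:
    """True if a PDF body references the JBIG2 filter.

    JBIG2 is the scanner-era codec named in Project Zero's writeup; the
    article refers to it only as a legacy compression tool.
    """
    return sniff(data) == "pdf" and b"/JBIG2Decode" in data


# Constructed samples: a minimal GIF header, and a PDF skeleton delivered under
# the attacker-chosen filename 'attachment.gif'.
GIF_SAMPLE = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16
FAKE_GIF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /XObject /Subtype /Image /Filter /JBIG2Decode >> endobj\n"
)


def triage(filename: str, data: bytes) -> dict:
    """Summarise what each dispatch policy would do with one attachment."""
    try:
        strict = strict_dispatch(filename, data)
    except ValueError as exc:
        strict = f"rejected: {exc}"
    return {
        "claimed": claimed(filename),
        "sniffed": sniff(data),
        "permissive": permissive_dispatch(filename, data),
        "strict": strict,
        "jbig2": uses_jbig2(data),
    }


if __name__ == "__main__":
    for name, blob in (("cat.gif", GIF_SAMPLE), ("attachment.gif", FAKE_GIF)):
        print(name, triage(name, blob))
```

Running it directly prints the triage of both samples: the genuine GIF passes both policies, while the fake GIF is routed to the PDF decoder by the permissive policy and rejected by the strict one. The general lesson is the one the article draws: an allowlist keyed on what the bytes actually are, checked against what the sender claimed, keeps a message preview from reaching parsers, and the libraries behind them, that were never meant to be part of its attack surface.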
Project Zero’s technical deep dive is significant not just because it explicates the details of how ForcedEntry works but because it reveals how impressive and dangerous privately developed malware can be, says John Scott-Railton, senior researcher at Citizen Lab.
“This is on par with serious nation-state capabilities,” he says. “It’s really sophisticated stuff, and when it’s wielded by an all-gas, no-brakes autocrat, it’s totally terrifying. And it just makes you wonder what else is out there being used right now that is just waiting to be discovered. If this is the kind of threat civil society is facing, it is truly an emergency.”
After years of controversy, there may be growing political will to call out private spyware developers. For example, a group of 18 US congresspeople sent a letter to the Treasury and State Departments on Tuesday calling on the agencies to sanction NSO Group and three other international surveillance companies, as first reported by Reuters.
“This isn’t ‘NSO exceptionalism.’ There are many companies that provide similar services that likely do similar things,” Beer and Groß told WIRED. “It was just, this time, NSO was the company that was caught in the act.”
A hat tip to the people who matter:
- Girls Who Code
- Natalie Silvanovich
- Google Project Zero
- White-hat hackers
- Samuel Groß
- Ian Beer