Google discloses slew of iMessage vulnerabilities

Google's Project Zero has discovered six flaws in Apple's iMessage service that could allow attackers to execute malicious code on a user's device.

Extensive details and proof-of-concept (POC) code have been published by Natalie Silvanovich and Samuel Groß, two lead bug hunters on Project Zero, who have left the details of one "interactionless" vulnerability undisclosed while Apple works on a fix.

All disclosed vulnerabilities have been patched in Apple's latest iOS 12.4 update, which all users are encouraged to install. The level of detail in the Project Zero disclosures, including examples of POC code, would allow attackers to create working exploits to target all unpatched users.


All that would be required to execute code on a user's phone would be to send a malformed message; no user interaction would be needed.

One vulnerability would allow an attacker to extract files from a device to read them remotely and another was so effective that the only way to remove it would be to completely wipe the phone, erasing all data.

"For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available," said an Apple spokesperson.

"Keeping your software up to date is one of the most important things you can do to maintain your Apple product's security," they added.

The bug disclosures highlight the importance of regularly updating devices when manufacturers roll out updates. This is especially relevant to workplaces that enforce "bring your own device" (BYOD) policies: employees could potentially bring vulnerable devices into work, connect to the company network and, in turn, create an entry point for an attacker.

"These are serious vulnerabilities, which in the wrong hands could have been extremely dangerous," security analyst Graham Cluley told IT Pro. "Recent history has shown that intelligence agencies and authoritarian regimes have no qualms about exploiting smartphone vulnerabilities to spy on their enemies.

"It's great that Google has acted responsibly and informed Apple of the problem, and not disclosed details until Apple has had a chance to push out an update to its users," he added.

Silvanovich is due to give a talk at next week's Black Hat security conference in Las Vegas on the remote vulnerabilities and attack surface of the iPhone.

An abstract of her talk reads: "There have been rumours of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices."

"[The presentation] discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. It also includes two examples of vulnerabilities discovered using these methods."

Google's Project Zero, founded in 2014, has a reputation for enforcing strict deadlines on companies whose products or services are found to have vulnerabilities.

The group disclosed a vulnerability in Microsoft Edge back in February 2018 after the Redmond-based company failed to fix it within the 90-day time frame afforded to it by Project Zero.

The disclosure meant Edge users became aware of a vulnerability that wouldn't be fixed for over a month, despite the creators having known about it for three months.

Luckily, the vulnerability wasn't as serious as a remote-code exploit: It just afforded attackers the opportunity to break down Microsoft's second layer of defence, known as an Arbitrary Code Guard (ACG), providing they already had a foothold on the system.

Connor Jones
News and Analysis Editor
