Google researchers reveal security threats to iOS


Two members of Project Zero, Google’s security team, have published details and demo code for five of the six “interactionless” security holes in iOS.

The weaknesses can be exploited via the iMessage app on iPhones. The six security holes were fixed in iOS 12.4 on 22 July. Details about one of the vulnerabilities have not been disclosed because the 12.4 patch does not yet fully resolve this issue.

According to Natalie Silvanovich, one of the researchers, four of the five security holes investigated can lead to malicious code being run on an iOS device without the need for user interaction. All cybercriminals have to do is send a message to a victim’s phone; the malicious code is executed automatically as soon as the user opens the received item.

The fifth and sixth bugs give attackers the ability to obtain data from the memory of devices and read files from external devices. While it is always advisable to install security updates as soon as they are available, the availability of this proof-of-concept code means that users should install iOS 12.4 as soon as possible to avoid risks.

Information with high street value

ZDNet reports that information on such weaknesses could fetch more than a million dollars on the black market, bringing the total value of this information to five million dollars.

The bugs were discovered by Silvanovich and fellow researcher Samuel Groß. According to ZDNet, Silvanovich is giving a presentation on interactionless security weaknesses in iPhones at the Black Hat conference, which takes place next week in Las Vegas.

“The presentation explores the external, non-interactional attack capabilities of iOS. It discusses the possibility of vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how you can use tooling to test them. The presentation also contains two examples of vulnerabilities discovered using these methods”, as can be read in a summary.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.