Stealthy iPhone Hacks That Apple Has Not Stopped

exciting disclosure: The Bahraini government allegedly buys and distributes sophisticated malware against human rights activists, including spyware that requires no interaction from the victim-no link clicks, no authorization provided – to hold their iPhones. But as disturbing as that report this week from the University of Toronto’s Citizen Lab may be, it’s even more familiar.

These arezero-clickThe attacks can happen on any platform, but many high-profile hacks have shown that attackers homed vulnerabilities to Apple’s iMessage service to execute them. Safety researchers say the company’s efforts to address the issue have yet to work – and there are other steps the company can take to protect its most at -risk users.

Nothing to do ATTACKS against current versions of iOS is even more unique, and is almost exclusively used against a small population of high -profile targets around the world. That is, the average iPhone owner is less likely to encounter them. But the Bahrain incident shows that Apple efforts to forget the dangers of iMessage for the easiest to use it is not entirely successful. The question now is how far the company is willing to go to make its messaging platform less responsible.

“It’s annoying to think that there’s still this indelible iOS app that can receive data and messages from anyone,” said longtime macOS and iOS security researcher Patrick Wardle. “If someone has a zero-click use of iMessage, they can just send it from anywhere in the world at any hour and hit you.”

Apple has made a major push to address the comprehensive zero-click iMessage approach in iOS 14. The most famous of the new features, BlastDoor, is a class quarantine ward for future communications in iMessage which is intended to cut out potentially harmful components before they hit the whole. IOS environment. Even non-confrontational attacks keep coming. Citizen Lab findings this week and RESEARCH REVEALS published in July by Amnesty International both specifically showed that it was possible for a zero-click attack to defeat BlastDoor.

Apple did not issue for the specific vulnerability and corresponding attack, called “Megalodon” by Amnesty International and “ForcedEntry” by Citizen Lab. An Apple spokesperson told WIRED that it intends to tighten iMessage security beyond BlastDoor, and there are new protections coming to iOS 15, which may come out next month. But it’s unclear what to look for in additional protections, and while there is no protection against BlastDoor-winning hacking both have been observed by Amnesty International and Citizen Lab.

“Attacks as defined are more sophisticated, cost millions of dollars to develop, always have a short shelf life, and are used to target specific individuals,” the security chief Apple’s engineering and architecture, Ivan Krstić, said in a statement. “While this means they are not a threat to most of our users, we continue to work tirelessly to protect all of our customers.”

Many functions and features of iMessage are difficult to protect, security researchers say. The “face to attack”Kaylap. Under the hood, it takes a lot of code and jerry-rigging to get all the green and blue bubbles-add photos, videos, links, Memojis, app interactions, and more-working smoothly. Each feature and connection to the rest of iOS creates a fresh opportunity for attackers to find bugs that can be exploited. Since the rise of iMessage zero-click a few years ago, it has become increasingly clear that comprehensive mitigation of service vulnerabilities will require some epic rearchitecture-which is probably not really the best.

Without a general fix, though, Apple still has options for dealing with sophisticated iMessage hacks. The company may offer special settings, suggested by the researchers, to select those at risk of locking the Messages app on their devices. That could include an option to block unreliable content like images and links altogether, and a setting to prompt the user before receiving messages from people who are not already in their contacts.

Source link


Leave a Reply

Your email address will not be published. Required fields are marked *