Google found a way to remotely attack Apple iOS devices by sending a boobytrapped iMessage

Graham Cluley

Google found a way to remotely attack Apple iOS devices by sending a boobytrapped iMessage

Google found a way to remotely attack Apple iOS devices by sending a boobytrapped iMessage

I do hope that owners of iPhones and iPads updated their devices to iOS 12.4 when it was released last week.

Details weren’t shared at the time, but we now know that the iOS security update addressed critical vulnerabilities discovered by Google security researchers Samuel Groß and Natalie Silvanovich that could allow a remote attacker to attack an iPhone just by sending a maliciously-crafted iMessage.

Thankfully the vulnerabilities, which could most likely have been sold to an intelligence agency for millions of dollars, were responsibly disclosed to Apple in May so that they could be addressed and fixed within the 90-day disclosure deadline imposed by Google.

Ios bug tweet

The vulnerabilities are said to allow a remote attacker to run malicious code on an iOS device without requiring any action by the targeted user, opening up opportunities for iPhones and iPads to be spied upon without the knowledge of their owners and without the snooper requiring any physical access to the device.

Google security engineer Natalie Silvanovich is scheduled to give a talk at Black Hat in Las Vegas next week, entitled “Look, No Hands! – The Remote, Interaction-less Attack Surface of the iPhone”

iPhone and iPad users often have their devices configured to automatically install updates like iOS 12.4, but – if you want to make sure that you are protected – follow these instructions:

Click on Settings > General > Software Update, and choose Download and Install.

To hear further discussion about this issue, be sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #139: 'Capital One hacked, iMessage flaws, and anonymity my ass!'

Listen on Apple Podcasts | Google Podcasts | Other... | RSS
More episodes...

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.