I do hope that owners of iPhones and iPads updated their devices to iOS 12.4 when it was released last week.
Details weren’t shared at the time, but we now know that the iOS security update addressed critical vulnerabilities discovered by Google security researchers Samuel Groß and Natalie Silvanovich that could allow a remote attacker to attack an iPhone just by sending a maliciously-crafted iMessage.
Thankfully the vulnerabilities, which could most likely have been sold to an intelligence agency for millions of dollars, were responsibly disclosed to Apple in May so that they could be addressed and fixed within the 90-day disclosure deadline imposed by Google.
The vulnerabilities are said to allow a remote attacker to run malicious code on an iOS device without requiring any action by the targeted user, opening up opportunities for iPhones and iPads to be spied upon without the knowledge of their owners and without the snooper requiring any physical access to the device.
Google security engineer Natalie Silvanovich is scheduled to give a talk at Black Hat in Las Vegas next week, entitled “Look, No Hands! – The Remote, Interaction-less Attack Surface of the iPhone”
iPhone and iPad users often have their devices configured to automatically install updates like iOS 12.4, but – if you want to make sure that you are protected – follow these instructions:
Click on Settings > General > Software Update, and choose Download and Install.
To hear further discussion about this issue, be sure to listen to this episode of the “Smashing Security” podcast: