It’s a shock disclosure: The Bahraini government allegedly purchased and deployed sophisticated malware against human rights activists, including spyware that required no victim interaction (no clicked links or permissions granted) to take over their iPhones. But as disturbing as this week’s report from the University of Toronto’s Citizen Lab may be, it’s also becoming increasingly familiar.
These “zero-click” attacks can occur on any platform, but a number of high-profile hacks show that attackers have found weaknesses in Apple’s iMessage service to carry them out. Security researchers say the company’s efforts to solve the problem have failed and that there are other measures the company could take to protect its most at-risk users.
Interactionless attacks against current versions of iOS are still extremely rare and are used almost exclusively against a small population of high-profile targets around the world. In other words, the average iPhone owner is unlikely to come across them. But the Bahrain incident shows that Apple’s efforts to defuse the risks of iMessage for the most vulnerable users have been unsuccessful. The question now is how far the company is willing to go to make its messaging platform less of a liability.
“It’s frustrating to think that there’s still this non-erasable app on iOS that can accept data and messages from anyone,” says Patrick Wardle, a longtime macOS and iOS security researcher. “... send it from anywhere in the world at any time and hit you.”
Apple made a big push to comprehensively address iMessage zero-clicks in iOS 14. The most important of these new features, BlastDoor, is a kind of quarantine area for incoming iMessage communications that aims to strip out potentially malicious components before they reach the full iOS environment. But interactionless attacks continue to arrive. This week’s Citizen Lab findings and research published in July by Amnesty International specifically show that a zero-click attack can defeat BlastDoor.
Apple has not issued a fix for this particular vulnerability and the corresponding attack, called “Megalodon” by Amnesty International and “ForcedEntry” by Citizen Lab. An Apple spokesman told WIRED that it intends to tighten iMessage security beyond BlastDoor and that new defenses will arrive with iOS 15, which will likely come out next month. But it is unclear what these additional protections will entail, and in the meantime there is apparently no defense against the BlastDoor-defeating hack that Amnesty International and Citizen Lab observed.
“Attacks like the ones described are very sophisticated, cost millions of dollars to develop, often have a short lifespan and are used to target specific people,” Apple’s head of security engineering and architecture, Ivan Krstić, said in a statement. “While this means they are not a threat to the vast majority of our users, we continue to work tirelessly to defend all of our customers.”
iMessage’s many features and functions make it difficult to defend, security researchers say. Its “attack surface” is massive. Under the hood, it takes a lot of code and manipulation to get all these green and blue bubbles, as well as photos, videos, links, memojis, app integrations and more, to work smoothly. Each feature and interconnection with another part of iOS creates a new opportunity for attackers to find flaws that can be exploited. Since the rise of iMessage zero-clicks a few years ago, it’s become increasingly clear that comprehensively reducing the service’s vulnerabilities would require an epic rearchitecture, which at best seems unlikely.
Even without a full overhaul, though, Apple still has options to deal with sophisticated iMessage hacks. Researchers suggest the company could offer special settings, so that users at risk can choose to lock down the Messages app on their devices. That could include an option to block untrusted content, such as images and links, and a setting to prompt the user before accepting messages from people who are not in their contacts.