Two researchers, Natalie Silvanovich and Samuel Groß, who work alongside Google’s security initiative Project Zero, have found some “interactionless” malicious bugs in iOS that allow hackers to take control of an iPhone through iMessage without even making the victim engage with the texts or click a link, according to reports.
They found a total of six bugs, and if they were sold on the market, they would be worth upwards of $5 million.
The details of the exploits are being kept a secret because Apple’s iOS 12.4 path hasn’t completely fixed the issue. Four out of the six bugs can trigger a malicious code on an iOS device, and a user doesn’t even need to do anything. Simply sending the message to the phone will execute the code once a person opens and looks at the message.
The researchers detailed all the bugs: CVE-2019-8647, CVE-2019-8660, CVE-2019-8662, CVE-2019-8624 and CVE-2019-8646. The last two bugs allow a malicious attacker to leak data from memory and then read files off of the device, with no user interaction.
The researchers are not revealing the details of the final bug: CVE-2019-8641.
Silvanovich is going to give a presentation about the vulnerabilities at the Black Hat security conference in Las Vegas next week.
“There have been rumors of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices,” Silvanovich said in an abstract of her talk. “This presentation explores the remote, interaction-less attack surface of iOS. It discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. It also includes two examples of vulnerabilities discovered using these methods.”
The talk will probably garner wide attention because the type of vulnerability that the researchers found is considered a sort of holy grail for hackers; something that can hack into someone else’s device and not be detected.