A hacker can break into an iPhone by simply sending a text using an “interaction-less” bug in Apple’s iOS iMessage program, says Google Project Zero researcher Natalie Silvanovich.
“These can be turned into the sort of bugs that will execute code and be able to eventually be used for weaponized things like accessing your data,” said Silvanovich at the Black Hat security conference in Las Vegas on Wednesday, according to a report by Wired.
“So the worst-case scenario is that these bugs are used to harm users,” added the researcher.
Silvanovich reportedly became interested in interaction-less bugs after a WhatsApp vulnerability, which allowed nation-state spies to compromise an iPhone simply by calling it. She began looking for similar issues and found that iMessage contained multiple exploitable bugs.
“One of the most interesting interaction-less bugs Silvanovich found was a fundamental logic issue that could have allowed a hacker to easily extract data from a user’s messages,” reports Wired. “An attacker could send a specially-crafted text message to a target, and the iMessage server would send specific user data back, like the content of their SMS messages or images.”
According to Silvanovich, the recipient would not even have to open the message for the attack to succeed. She added that while iOS has protections that would normally block this kind of attack, the bug causes iOS to treat the malicious message as legitimate.
Other bugs the researcher found showed that malicious code could be run on someone’s iPhone by, again, doing nothing more than receiving an incoming message.
The report added that at least six vulnerabilities Silvanovich found could potentially be worth millions, or even tens of millions of dollars on an exploit market. Silvanovich maintains, however, that iMessage security is generally strong.
“Maybe this is an area that gets missed in security,” said Silvanovich. “There’s a huge amount of focus on implementation of protections like cryptography, but it doesn’t matter how good your crypto is if the program has bugs on the receiving end.”
Wired noted that the best thing someone can do to protect themselves from an interaction-less bug is to keep their iPhone operating system and apps updated. Because the attack requires no user action, there is nothing for the recipient to avoid opening or clicking; installing the updates that fix the bugs (Apple began shipping fixes for these disclosed iMessage bugs in iOS 12.4) is the only defense available to an end user.
Silvanovich has reportedly looked for similar interaction-less bugs in the Android operating system but has not yet found any.