As a general rule, if you avoid clicking on suspicious links that might pop on your phone — whether they’re sent via text message or appear as an in-browser pop-up ad — the odds of your device becoming infected with malware is slim to none.
That notwithstanding, security researchers from Google’s Project Zero team recently divulged a sophisticated exploit that would allow a malicious actor to take control of a targeted device with no interaction required from the device owner at all. As Google researcher Natalie Silvanovich detailed during a presentation at the Black Hat security conference this week, there are a handful of iOS 12 exploits — which have since been patched by Apple with iOS 12.4 — that can let a third-party gain full control of a device simply by sending over a text message.
“These can be turned into the sort of bugs that will execute code and be able to eventually be used for weaponized things like accessing your data,” Silvanovich said in remarks picked up by Wired. “So the worst-case scenario is that these bugs are used to harm users.
Interestingly, Silvanovich noted that she didn’t find any similar exploits involving regular SMS, MMS, and visual voicemail. iMessage, however, yielded a surprising number of exploits, a fact which can perhaps be attributable to how feature-rich the application is.
Wired notes:
This may be because iMessage is such a complex platform that offers an array of communication options and features. It encompasses Animojis, rendering files like photos and videos, and integration with other apps—everything from Apple Pay and iTunes to Fandango and Airbnb. All of these extensions and interconnections increase the likelihood of mistakes and weaknesses.
On the open market, an interaction-less iOS bug like the ones discovered by Silvanovich and her Project Zero partner Samuel Groß can easily be sold for millions of dollars. In other words, it’s fortuitous that the iOS 12 exploits were unearthed by Google’s Project Zero team as opposed to anyone else.
To this point, you may recall that a Dubai-based startup last year began offering hackers upwards of $3 million for zero-day iOS exploits. Previously, you may recall that a firm called Zerodium paid out $1 million to a group of hackers who came up with a way to remotely jailbreak an iPhone.
Silvanovich’s presentation deck can be viewed in its entirety over here.