Next week in Las Vegas at the Black Hat security conference, Google Project Zero researcher Natalie Silvanovich is set to give a presentation about interactionless iPhone vulnerabilities that can be exploited without the victim taking any action at all. The talk will come on the heels of Silvanovich and a Google Project Zero colleague, Samuel Groß, discovering half a dozen iOS vulnerabilities that can be exploited via iMessage, although five of those flaws, according to ZDNet, were fixed with last week’s iOS 12.4 update.
However, as of this writing, Apple has apparently not yet completely fixed the final bug. The iOS 12.4 release actually patched all six flaws, but according to Silvanovich, the release didn’t fully resolve the sixth flaw, which is consequently being kept under wraps for now.
It should go without saying: if you’re not yet running the latest iOS release, stop what you’re doing and update right now. Details about flaws like these are so sought-after by hackers that they can fetch more than $1 million each on the black market. That means the vulnerabilities the Google researchers told Apple about could easily have been worth more than $5 million, with a more optimistic estimate of their value being as high as almost $10 million.
A quick note about the flaws themselves: It seems that the not-yet-fully-fixed sixth flaw, along with three others, presents itself after a hacker sends someone an iMessage containing code that can attack a phone that’s not running the latest iOS software. The other two flaws utilize a memory exploit.
These kinds of interactionless vulnerabilities are frequently described as “holy grails” for attackers, and ZDNet’s report even cites one estimate that Google’s researchers could have stood to make as much as $24 million if they’d sold them to shady actors. Needless to say, Silvanovich’s talk scheduled for next week has already attracted significant interest.