It’s a shock revelation: The Bahraini government allegedly bought and deployed sophisticated malware against human rights activists, including spyware that required no interaction from the victim – no links clicked, no permission granted – to take over their iPhones. But as worrying as this week’s report from the Citizen Lab at the University of Toronto is, it’s also increasingly familiar.
Those “zero-click” attacks can happen on any platform, but a series of high-profile hacks shows attackers focused on weaknesses in Apple’s iMessage service to execute them. Security researchers say the company’s efforts to fix the problem have not worked and that there are other steps the company could take to protect its most-at-risk users.
Zero-click attacks against current versions of iOS are still extremely rare and almost exclusively used against a small population of high-profile targets around the world. In other words, the average iPhone owner is highly unlikely to encounter them. But the Bahrain incident shows that Apple’s efforts to defuse iMessage’s risks for its most vulnerable users have not been fully successful. The question now is how far the company is willing to go to make its messaging platform less of a liability.
“It’s frustrating to think that there is still this non-removable app on iOS that can accept data and messages from anyone,” says Patrick Wardle, longtime macOS and iOS security researcher. “If someone has a clickless iMessage exploit, they can just send it from anywhere in the world anytime and hit you.”
Apple made a major effort to comprehensively address iMessage zero-clicks in iOS 14. The most important of these new features, BlastDoor, is a sort of quarantine room for inbound iMessage communications, intended to strip out potentially malicious components before they reach the full iOS environment. But zero-click attacks keep coming. This week’s findings from Citizen Lab and research published in July by Amnesty International both specifically show that it is possible for a zero-click attack to defeat BlastDoor.
Apple has not released a patch for this particular vulnerability and the corresponding attack, dubbed “Megalodon” by Amnesty International and “ForcedEntry” by Citizen Lab. An Apple spokesperson told WIRED that it intends to tighten the security of iMessage beyond BlastDoor, and that new defenses are coming with iOS 15, which will likely be released next month. But it’s unclear what those extra protections will entail, and there is apparently no defense yet against the BlastDoor bypass that both Amnesty International and Citizen Lab have observed.
“Attacks like the ones described are very sophisticated, cost millions of dollars to develop, often have a short lifespan, and are used to target specific individuals,” said Ivan Krstić, head of Apple Security Engineering and Architecture, in a statement. “While this means that they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all of our customers.”
The many features and functions of iMessage make it difficult to defend, according to security researchers. Its “attack surface” is huge. Under the hood, it takes a lot of code and manipulation to get all those green and blue bubbles to work, along with photos, videos, links, Memojis, app integrations, and more. Every feature, and every interconnection with another part of iOS, creates a new opportunity for attackers to find flaws that could be exploitable. Since the zero-click boom in iMessage a few years ago, it has become increasingly clear that reducing the service’s overall vulnerability would require an epic re-architecture, which seems unlikely at best.
In the absence of a complete overhaul, Apple still has options to deal with sophisticated iMessage hacks. The company could offer special settings, the researchers suggest, so that at-risk users can choose to lock down the Messages app on their devices. This could include an option to completely block untrusted content like images and links, and a setting to prompt the user before accepting messages from people who are not already in their contacts.