Google found a way to remotely attack Apple iOS devices by sending a boobytrapped iMessage

Graham Cluley
@gcluley

I do hope that owners of iPhones and iPads updated their devices to iOS 12.4 when it was released last week.

Details weren’t shared at the time, but we now know that the iOS security update addressed critical vulnerabilities discovered by Google security researchers Samuel Groß and Natalie Silvanovich that could allow a remote attacker to attack an iPhone just by sending a maliciously-crafted iMessage.

Thankfully the vulnerabilities, which could most likely have been sold to an intelligence agency for millions of dollars, were responsibly disclosed to Apple in May so that they could be addressed and fixed within the 90-day disclosure deadline imposed by Google.


The vulnerabilities are said to allow a remote attacker to run malicious code on an iOS device without requiring any action by the targeted user, opening up opportunities for iPhones and iPads to be spied upon without the knowledge of their owners and without the snooper requiring any physical access to the device.

Google security engineer Natalie Silvanovich is scheduled to give a talk at Black Hat in Las Vegas next week, entitled “Look, No Hands! – The Remote, Interaction-less Attack Surface of the iPhone”.

iPhone and iPad users often have their devices configured to automatically install updates like iOS 12.4, but – if you want to make sure that you are protected – follow these instructions:

Click on Settings > General > Software Update, and choose Download and Install.

To hear further discussion about this issue, be sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #139: 'Capital One hacked, iMessage flaws, and anonymity my ass!'




Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
