Security researchers at Google have found six critical flaws with iMessage. These vulnerabilities fall into the “interactionless” category. The researchers highlight that these vulnerabilities have the potential to compromise the user’s phone without even interacting with the device. While six critical vulnerabilities have been revealed, Apple has already fixed five of them with iOS 12.4 update. Out of the six vulnerabilities, four of them require the attacker to send an executable code on iMessage.
Six vulnerabilities found in iMessage by Google Project Zero team
Once the victim opens the message, the malicious code will run. The other two vulnerabilities are memory exploits. Five of these vulnerabilities have already been fixed while the last one remains a mystery. Apple might patch it with the release of iOS 12 or when iOS 13 becomes officially available in September. If you have an iPhone then it is highly recommended that you get the iOS 12.4 update right away. These interactionless security bug were detailed by Google’s Project Zero team, an elite bug-hunting team.
According to ZDNet, one of the vulnerability has been kept private since iOS 12.4 did not completely resolve it. The four bugs are CVE-2019-8641, CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662. Details about CVE-2019-8641 has been kept private. The fifth and sixth bugs are CVE-2019-8624 and CVE-2019-8646 that allow an attacker to leak data from a device’s memory. The bug also allows the attacker to read files off a remote device, with no user interaction.
The bugs discovered by Natalie Silvanovich and fellow Google Project Zero security researcher Samuel Groß show that even iOS is not secure. Silvanovich will be holding a presentation about remote and interaction iPhone exploits at the Black Hat security conference. A price chart by Zerodium suggests that these vulnerabilities would be worth well over $5 million. Crowdfence, on the other hand, values these vulnerability between $2 million and $4 million each.