Google researcher beefs up iMessage security by demonstrating clickless exploit

Written by

Software exploits that don’t require a victim to click a link to be compromised are an intriguing and growing area of research for white-hat hackers. So it is no surprise that Google’s elite team of hackers, Project Zero, has dug into this stealthy mode of attack in recent months.

On Thursday, Samuel Gross laid out how, armed with only a target’s Apple ID, he could remotely compromise an iPhone within minutes to steal passwords, text messages and emails, and activate the camera and microphone.

The attack, which exploited an iOS 12.4 vulnerability for which Apple issued a patch in last August, shows how “small design decisions can have significant security consequences,” Gross wrote in a blog post.

Gross poked holes in some conventional wisdom around security features used in the iPhone operating system. A data-randomizing security feature known as ASLR meant to guard against exploits “is not as strong in practice,” he said. It could be broken, in part, through a side communications channel set up by the attacker to interact with the victim device, he said. By abusing the “receipts” feature that lets users know their iMessages have been delivered, Gross demonstrated remote code execution.

Clickless exploits are anything but hypothetical. Last October, Facebook sued software surveillance company NSO Group for allegedly developing an exploit that infected about 1,400 mobile devices with WhatsApp. Users were reportedly infected if their phone was called — regardless of whether they answered the call. NSO Group denied involvement in the attack.

Gross, who presented his research at a hacking conference last month, said that he recommended new security measures to Apple based on his research.

“As much code as possible should be put behind user interaction, in particular when receiving messages from unknown senders,” he advised.

Implementing all the recommendations, some of which Apple already has, “should make similar exploits significantly harder in the future,” Gross argued.

That, of course, is the whole point of Project Zero, which aims to take as many zero-day exploits — or those unknown to vendors — as possible out of attackers’ hands.