[HN Gopher] Apple iMessage Zero-Click Hacks
___________________________________________________________________
Author : curmudgeon22
Score  : 93 points
Date   : 2021-09-06 18:53 UTC
Link   : www.wired.com

| sonthonax wrote:
| How do zero-click hacks work?
|
| Does iMessage accept arbitrary code that it can execute?

| dagmx wrote:
| Depends on the hack, but the majority seem to be from parsers for various formats, from images to unicode and text data etc...
|
| A message has to be able to display so many different types of content. A flaw in any one of those could be exploited. Combine a bunch of flaws together and you suddenly can do quite a bit.

| kevingadd wrote:
| Similarly to Android, there have been attacks that involve exploiting bugs in the code that parses incoming messages, and then via the exploit you can get remote code execution.
|
| For example (IIRC this was a real bug), if you exploit a bug in the text layout code, you could attack a device by getting a notification to appear on the lock screen - and SMS messages usually trigger a notification.

| gjsman-1000 wrote:
| There was a developer who discovered a bug with the XML parser, and wrote a whole blog post about how he was able to cause iOS's security system to malfunction using a specially-crafted XML permissions file and allow his app to do anything he wanted, even escape the sandbox. He kept it secret for years for his private experimentation until Apple patched it by accident, by adding a 5th XML parser to the other 4 for some reason and using that one instead for the permissions.

| [deleted]

| saagarjha wrote:
| https://siguza.github.io/psychicpaper/

| andreasley wrote:
| Usually by exploiting holes in some code that does parsing, e.g. for images. Here [1] is a nice write-up.
|
| [1] https://googleprojectzero.blogspot.com/2020/04/fuzzing-image...
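The parser bugs dagmx, kevingadd and andreasley describe above mostly have the same shape: a length or count read out of the message is trusted before it is checked against the bytes that are actually present. The C below is an added example written for this page, not Apple's code and not taken from any of the linked write-ups. It parses a made-up PNG-style chunked container (the format and the sample buffers are constructed for the example) and shows the checks that separate a hardened parser from one that reads or writes out of bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not Apple's code): a tiny chunked container in the
 * style of PNG, i.e. [4-byte type][4-byte big-endian length][payload].
 * The format and the sample buffers below are constructed for this example. */

#define MAX_PAYLOAD 64

struct chunk {
    char     type[5];             /* NUL-terminated 4-char tag */
    uint32_t len;                 /* payload length actually copied */
    uint8_t  payload[MAX_PAYLOAD];
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk all chunks in buf[0..n). Returns the number of chunks parsed, or -1
 * if the input is malformed. Every attacker-controlled number is validated
 * against what is actually present before it is used for a memcpy or an
 * offset update. An unchecked parser would memcpy the declared length and
 * overflow out[].payload (stack/heap write) or read past buf (info leak). */
int parse_chunks(const uint8_t *buf, size_t n, struct chunk *out, int max_out)
{
    size_t off = 0;
    int count = 0;

    while (off < n) {
        if (n - off < 8)
            return -1;                      /* truncated header */

        uint32_t len = be32(buf + off + 4);
        size_t remaining = n - off - 8;     /* bytes after this header */

        if (len > remaining)
            return -1;                      /* declared length > input: would read past buf */
        if (len > MAX_PAYLOAD)
            return -1;                      /* would overflow the fixed payload field */
        if (count >= max_out)
            return -1;                      /* caller's array is full */

        memcpy(out[count].type, buf + off, 4);
        out[count].type[4] = '\0';
        out[count].len = len;
        memcpy(out[count].payload, buf + off + 8, len);
        count++;

        off += 8 + (size_t)len;             /* cannot overflow: len <= remaining */
    }
    return count;
}

/* Constructed sample inputs. */
static const uint8_t GOOD[] = {
    'I','H','D','R', 0,0,0,4, 1,2,3,4,      /* 4-byte payload */
    'T','E','X','T', 0,0,0,2, 'h','i'       /* 2-byte payload */
};
static const uint8_t HUGE_LEN[] = {         /* claims 4 GiB, 4 bytes present */
    'I','D','A','T', 0xFF,0xFF,0xFF,0xFF, 1,2,3,4
};
static const uint8_t TRUNCATED[] = {        /* claims 8 bytes, 3 present */
    'I','D','A','T', 0,0,0,8, 1,2,3
};

int demo_good(void)      { struct chunk c[4]; return parse_chunks(GOOD, sizeof GOOD, c, 4); }
int demo_huge_len(void)  { struct chunk c[4]; return parse_chunks(HUGE_LEN, sizeof HUGE_LEN, c, 4); }
int demo_truncated(void) { struct chunk c[4]; return parse_chunks(TRUNCATED, sizeof TRUNCATED, c, 4); }

/* A payload that is fully present in the input but larger than the fixed
 * field: rejected by the MAX_PAYLOAD check, not by the remaining-bytes check. */
int demo_too_big_for_field(void)
{
    uint8_t buf[8 + 80] = { 'T','E','X','T', 0,0,0,80 };   /* rest zero-filled */
    struct chunk c[1];
    return parse_chunks(buf, sizeof buf, c, 1);
}

int main(void)
{
    printf("good=%d huge=%d truncated=%d too_big=%d\n",
           demo_good(), demo_huge_len(), demo_truncated(), demo_too_big_for_field());
    return 0;
}
```

Note the order of the checks: the header size is confirmed before `n - off - 8` is computed, and `len` is compared against that remainder rather than written as `if (off + 8 + len > n)`. The latter form is the one that silently wraps when `len` is near `UINT32_MAX` on a 32-bit target, which is exactly how a "checked" parser still ends up copying with the attacker's length.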
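The psychic paper write-up linked by saagarjha concerns several plist parsers on iOS that disagreed about where a comment ends, so the component that checked an app's entitlements and the component that later acted on them could read different values from the same file. The C below is an added toy illustration of that parser-differential class, written for this page; it is not the write-up's code and not the real plist grammar. The "lax" comment rule and both input strings are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from the psychic paper write-up: two scanners
 * for a toy XML-ish fragment that agree on well-formed input but disagree on
 * where a comment ends. The "strict" rule ends a comment at "-->"; the "lax"
 * rule (an assumed, deliberately sloppy parser) ends it at the first '>'.
 * Returns 1 for <true/>, 0 for <false/>, -1 if no boolean is found. */
static int first_bool(const char *s, int lax)
{
    const char *p = s;
    while (*p) {
        if (strncmp(p, "<!--", 4) == 0) {
            const char *end = lax ? strchr(p + 4, '>') : strstr(p + 4, "-->");
            if (!end)
                return -1;                         /* unterminated comment */
            p = end + (lax ? 1 : 3);               /* skip past the comment */
            continue;
        }
        if (strncmp(p, "<true/>", 7) == 0)
            return 1;
        if (strncmp(p, "<false/>", 8) == 0)
            return 0;
        p++;
    }
    return -1;
}

/* Model: one component validates a flag with the strict parser, another
 * component later acts on it with the lax parser. */
int checker_sees(const char *s)     { return first_bool(s, 0); }
int consumer_sees(const char *s)    { return first_bool(s, 1); }
int parsers_disagree(const char *s) { return checker_sees(s) != consumer_sees(s); }

/* Constructed inputs. In CRAFTED the strict parser treats everything up to
 * "-->" as a comment and sees <false/>; the lax parser stops the comment at
 * the first '>' and sees <true/>. BENIGN is read the same way by both. */
static const char CRAFTED[] = "<key>allow-all</key><!-- > <true/> --> <false/>";
static const char BENIGN[]  = "<key>allow-all</key><!-- note --><false/>";

int demo_crafted_checker(void)  { return checker_sees(CRAFTED); }
int demo_crafted_consumer(void) { return consumer_sees(CRAFTED); }
int demo_crafted_disagree(void) { return parsers_disagree(CRAFTED); }
int demo_benign_disagree(void)  { return parsers_disagree(BENIGN); }

int main(void)
{
    printf("crafted: checker=%d consumer=%d\n",
           demo_crafted_checker(), demo_crafted_consumer());
    printf("benign:  disagree=%d\n", demo_benign_disagree());
    return 0;
}
```

The practical defence is to never let two parsers look at the same security-relevant document: parse it once and pass the parsed structure down, or, where that is impossible, reject any input on which the parsers disagree, as `parsers_disagree()` does here.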
| heavyset_go wrote:
| Similarly, homebrew on the PSP exploited libjpeg or libtiff, so this is one of those vectors that we're still dealing with 16 years later.

| kylehotchkiss wrote:
| A small way to reduce attack surface - have iMessage just set up for your iCloud email address instead of phone number. Phone numbers are becoming increasingly useless.
|
| > In fact, Citizen Lab researchers and others suggest that Apple should simply provide an option to disable iMessage entirely.
|
| There's a checkbox in Settings > Messages that does exactly this? It seems strange they published this.

| sneak wrote:
| iCloud isn't end to end encrypted for the most part - anyone security conscious should be avoiding iCloud in the first place.

| kevingadd wrote:
| Maybe what they mean is that some or all of the iMessage code is still running on the device even if you disable it?

| judge2020 wrote:
| SMS will still enter through Messages.app if you have SMS enabled through your carrier and plan. But no, iMessage is not used when it's disabled.

| easton wrote:
| SMS is also exploitable though, right (both types of messages go through Messages.app)? And you can't disable SMS entirely, I don't think.

| gruez wrote:
| > SMS is also exploitable though, right
|
| It's less feature rich, so presumably there's less attack surface.

| codetrotter wrote:
| > you can't disable SMS entirely I don't think
|
| Buy a data-only subscription, and use Google Voice or some sort of PBX powered app to still be able to receive regular phone calls.
|
| Preferably I'd want a really basic voice only, open source PBX powered app for iOS that I could use. Then I could get me a data-only plan and SIM.
|
| Caveat: I still need Norwegian BankID to work with my SIM though. I dunno if any of the data-only plans available in Norway support BankID, or if you need a regular subscription like I have now in order to use that.
| p49k wrote:
| Data-only subscriptions can still receive SMS messages in my experience, you just can't send them.

| hexa22 wrote:
| And you still need them because some services only provide SMS verification.

| vxNsr wrote:
| I know both T-Mobile and AT&T frown upon this and have been known to shut down accounts that do this. Data only is for non-phone accounts in their eyes and anyone trying to circumvent that is committing some sorta fraud (in their eyes).

| CyberRage wrote:
| WhatsApp doesn't rely on SMS protocols nor does it rely solely on phone numbers but is still being exploited quite often.
|
| Instant-Messaging = Worthy target for exploits.
|
| Just like web-browsers get exploited after years of patching.

| gjsman-1000 wrote:
| I wonder if Apple's devs are just going to say, screw it, we'll rewrite the whole thing in Rust with audits and formal analysis the whole way...

| raspasov wrote:
| Rust or Swift. I am not a security expert, but I'd bet that rewriting in either would reduce the amount of such embarrassing exploits at least 10x.
|
| From what I can tell, the combination of unsafe-by-default languages like C/C++/Obj-C and the way the human brain works is Not-A-Good-Combination(c). Too many opportunities for error.

| coldcode wrote:
| Some Apple devs still seem to love C and Obj-C (at least the ones my former employer worked with directly) and hate on Swift. Both Swift and Rust can be written to a much higher standard where the language protects you from stupidity, but only if you give up the past and use them. While you can write pretty good C-ish code (i.e. Linux), it's far too easy to slip up once and the language does nothing to save your ass.
|
| Some of Apple's OS code is pretty ancient. Switching to Swift or Rust is not necessarily a panacea if you call too many OS routines still in C-ish.

| raspasov wrote:
| I agree. Swift is a nice language, compared to the alternatives.
|
| I have a few months' experience in it, and I can definitely agree that if you're writing Swift-only, it's very nice. The emphasis on values, and value semantics, is definitely a differentiator from most other languages.
|
| However, anytime you have to use/interop with an older API designed for Obj-C (for example, AVFoundation), it's much more of a pain. Effectively, you're writing Obj-C in Swift.
|
| If someone is insisting on Obj-C instead of Swift in 2021, I would attribute it to a form of Stockholm Syndrome. Many people form psychological bonds with whatever they are familiar with.

| setpatchaddress wrote:
| Yes, there are some people who simply prefer Objective-C, but you need to also realize that Swift is still not ready for system-level programming. Analysis tools aren't ready; debugging basically means you go to printing variables to stderr and praying. The standard library defaults to crashing at runtime for simple float <-> integer conversion bounds errors which you'd think would be caught statically with more thoughtful design. Still a lot of rough edges.
|
| SwiftUI in particular is excellent and if you can use it you should. But you can't say Swift in general is ready to replace Objective-C. It's not.

| saagarjha wrote:
| Swift is not ready, but it's not for those reasons. The real problem is that Swift needs a hefty runtime and is fairly slow due to excessive ARC traffic, plus it has no way of recovering from memory exhaustion. So you can't really use it in the kernel, but it's perfectly fine for writing system frameworks and daemons.

| brobinson wrote:
| Apple had job postings last year looking for Rust developers to rewrite a service that was written in C, so it's not without precedent.
|
| Job posting links are dead now, but there was a reddit thread about it: https://old.reddit.com/r/rust/comments/fkngza/apple_hiring_r...
| est31 wrote:
| A more fresh job posting from Apple: https://old.reddit.com/r/rust/comments/ou5szr/official_rrust...
|
| Also: https://jobs.apple.com/en-us/search?search=rust&sort=relevan...

| CyberRage wrote:
| Well, I would dare to say iMessage isn't the biggest target to convert to Rust.
|
| At the end of the day, it is still an app with app level permissions, sandbox etc.
|
| Kernel/kernel modules are far more likely to be written as they allow for vastly more access than an app.

| dylan604 wrote:
| Unless someone applies the squeaky wheel rule. The thing causing everyone to look at you gets pushed to the top of the list.

| saagarjha wrote:
| It's a great target considering that a lot of other exploits go through the kernel just to get access to your iMessages.

| raspasov wrote:
| Is it a fair assumption that any code written in C / C++ / Objective-C has a high likelihood of allowing zero-click hacks?

| tyingq wrote:
| Aren't these making it past BlastDoor, written in Swift?

| Pulcinella wrote:
| Swift has e.g. UnsafePointer if you want to work more directly with memory. Presumably if BlastDoor uses them to work directly with memory then it could still be vulnerable, though I am not sure because I am not very familiar with them. If I was excited about pointers I wouldn't be using Swift...

| saagarjha wrote:
| It is highly unlikely BlastDoor is using much of those, except when interacting with system frameworks.

| azinman2 wrote:
| Objective-C has bounds checks and lengths built into NSData, NSArray, and NSString... so many of the buffer overflow techniques likely won't work against it. However, images and video seem to hit C++ code and from all of the past CVEs it seems this is a giant attack surface over and over again.
|
| I'm surprised this code isn't being rewritten in something like Rust, but perhaps there are more things going on at play, like the plist serialization attacks that end up coding for esoteric classes that contained various bugs.

| thenewwazoo wrote:
| As a certified member of the Rewrite It In Rust (RIIR) Reaction Force, let me answer this by saying that it's very, very hard to get the software right, even the second time, and RIIR trades one set of unknowns for another. There are also a _huge_ number of people who are convinced that Rust is a fad, or that C is good enough, or whatever. The same people who swore they could outbrake ABS decades ago. They do not want to learn a new, hard thing, and Rust can be hard at first.

| raspasov wrote:
| Haha, love the ABS analogy!

| saagarjha wrote:
| Objective-C can run into other issues, though: NSSecureCoding exists for a reason ;)

| SalimoS wrote:
| Wouldn't not parsing incoming media unless it's from someone in your contacts be a first step that could largely reduce the threat?
|
| So it will stay the same for people in your contact list but require a touch to load messages from an unknown person.

| CyberRage wrote:
| That might sound good in theory but in practice it's unlikely to go well (by default).
|
| Many services from banks to healthcare utilize SMS as a main way of communicating with end-users. Many rely on dynamic numbers.
|
| Moreover, spoofing SMS messages is not that hard.
|
| Messaging apps, whether it is SMS or alternatives like WhatsApp, Telegram etc., will always offer a powerful vector to infect devices.

| lostmsu wrote:
| I think banks don't use inline media in their messages too often.

| est31 wrote:
| https://en.wikipedia.org/wiki/Dancing_pigs

| YLYvYkHeB2NRNT wrote:
| NMP.
|
| Ditched them and shelved all my iShit. I'm done.
|
| Edit > sorry for the LQP - But, it's how I feel. And, my therapist said I should tell others how I really feel.
|
| And since you iCucks are downvoting me, to hell with HEIC.

| eyeball wrote:
| I turned off iMessage.
|
| I seem to be under attack lately.
|
| 3-4 times a day random links sent from gmail addresses or unknown phone numbers to imsg with sketchy looking links in them.

| cyckl wrote:
| I'm also getting these--no idea what the exploits actually are or how they work. Am I theoretically already exploited?

| gruez wrote:
| Not really.
|
| 1. There's no reason why a threat actor would have to send you 3-4 messages per day. Of the exploits I've seen, they only need to send one. Sending 3-4 messages per day just unnecessarily increases the risk of getting caught (i.e. the target getting suspicious and asking on Hacker News whether they're getting hacked).
|
| 2. There's no reason why the message has to contain sketchy links. They could very well disguise messages as ads/notifications for well known businesses, political organizations, or from random people who got the wrong phone number.
|
| 3. There's no reason why the attacker can't erase any trace of the initial message after your device is infected, so unless you're staring at your phone 24/7 it's very easy to miss the message.

| dylan604 wrote:
| Can you war-dial attack with these? Seems like it would be super easy for a script kiddie to just start at 111-111-1111, send message, increment by 1, repeat. Maybe narrow it down to valid area codes and what not, but seems like a super low budget thing to do.

| zsmi wrote:
| Sure.
|
| https://calleridreputation.com/blog/robotexts-are-replacing-...
|
| "Robotech spammers are also targeting group messages by using automated programs to send thousands, even millions of group texts to random phone numbers with the hopes that somebody will take the prey and respond."
|
| Also, some users give random apps access to their address book for whatever reason, then there is a whole list of known good emails and numbers to spam.
| rmorey wrote:
| Well, send from what? Every iMessage comes from an account with an Apple ID, so I presume stolen credentials would be the only way to really do this, adding to the cost.
___________________________________________________________________
(page generated 2021-09-06 23:00 UTC)