[HN Gopher] Apple iMessage Zero-Click Hacks
___________________________________________________________________
Apple iMessage Zero-Click Hacks
Author : curmudgeon22
Score : 93 points
Date : 2021-09-06 18:53 UTC (4 hours ago)
(HTM) web link (www.wired.com)
(TXT) w3m dump (www.wired.com)
| sonthonax wrote:
| How do Zero click hacks work?
|
| Does iMessage accept arbitrary code that it can execute?
| dagmx wrote:
| Depends on the hack but the majority seem to be from parsers
| for various formats, from images, to unicode and text data
| etc...
|
| A message has to be able to display so many different types of
| content. A flaw in any one of those could be exploited. Combine
| a bunch of flaws together and you suddenly can do quite a bit.
| kevingadd wrote:
| Similarly to Android there have been attacks that involve
| exploiting bugs in the code that parses incoming messages, and
| then via the exploit you can get remote code execution
|
| For example (IIRC this was a real bug), if you exploit a bug in
| the text layout code, you could attack a device by getting a
| notification to appear on the lock screen - and SMS messages
| usually trigger a notification
| gjsman-1000 wrote:
| There was a developer who discovered a bug with the XML
| parser, and wrote a whole blog post about how he was able to
| cause iOS's security system to malfunction using a specially-
| crafted XML permissions file and allow his app to do anything
| he wanted, even escape the sandbox. He kept it secret for
| years for his private experimentation until Apple patched it
| by accident, by adding a 5th XML parser to the other 4 for
| some reason and using that one instead for the permissions.
| [deleted]
| saagarjha wrote:
| https://siguza.github.io/psychicpaper/
| andreasley wrote:
| Usually by exploiting holes in some code that does parsing,
| e.g. for images. Here [1] is a nice write-up.
|
| [1] https://googleprojectzero.blogspot.com/2020/04/fuzzing-image...
| heavyset_go wrote:
| Similarly, homebrew on the PSP exploited libjpeg or libtiff,
| so this is one of those vectors that we're still dealing with
| 16 years later.
| kylehotchkiss wrote:
| A small way to reduce attack surface - have iMessage just setup
| for your iCloud email address instead of phone number. Phone
| numbers are becoming increasingly useless.
|
| > In fact, Citizen Lab researchers and others suggest that Apple
| should simply provide an option to disable iMessage entirely.
|
| There's a checkbox in Settings > Messages that does exactly this?
| It seems strange they published this.
| sneak wrote:
| iCloud isn't end to end encrypted for the most part - anyone
| security conscious should be avoiding iCloud in the first
| place.
| kevingadd wrote:
| Maybe what they mean is that some or all of the iMessage code
| is still running on the device even if you disable it?
| judge2020 wrote:
| SMS will still enter through Messages.app if you have SMS
| enabled through your carrier and plan. But no, iMessage is
| not used when it's disabled.
| easton wrote:
| SMS is also exploitable though, right (Both types of messages
| go through Messages.app)? And you can't disable SMS entirely I
| don't think.
| gruez wrote:
| >SMS is also exploitable though, right
|
| it's less feature rich, so presumably there's less attack
| surface.
| codetrotter wrote:
| > you can't disable SMS entirely I don't think
|
| Buy a data-only subscription, and use Google Voice or some
| sort of PBX powered app to still be able to receive regular
| phone calls.
|
| Preferably I'd want a really basic voice only, open source
| PBX powered app for iOS that I could use. Then I could get me
| a data-only plan and SIM.
|
| Caveat: I still need Norwegian BankID to work with my SIM
| though. I dunno if any of the data-only plans available in
| Norway support BankID, or if you need a regular subscription
| like I have now in order to use that.
| p49k wrote:
| Data-only subscriptions can still receive SMS messages in
| my experience, you just can't send them.
| hexa22 wrote:
| And you still need them because some services only
| provide sms verification.
| vxNsr wrote:
| I know both TMobile and ATT frown upon this and have been
| known to shut down accounts that do this. Data only is for
| non-phone accounts in their eyes and anyone trying to
| circumvent that is committing some sorta fraud (in their
| eyes).
| CyberRage wrote:
| whatsapp doesn't rely on SMS protocols nor does it rely solely
| on phone numbers but is still being exploited quite often.
|
| Instant-Messaging = Worthy target for exploits.
|
| Just like web-browsers get exploited after years of patching.
| gjsman-1000 wrote:
| I wonder if Apple's devs are just going to say, screw it, we'll
| rewrite the whole thing in Rust with audits and formal analysis
| the whole way...
| raspasov wrote:
| Rust or Swift. I am not a security expert, but I'd bet that
| rewriting in either would reduce the amount of such embarrassing
| exploits at least 10x.
|
| From what I can tell, the combination of unsafe-by-default
| languages like C/C++/Obj-C and the way the human brain works is
| Not-A-Good-Combination(c). Too many opportunities for error.
| coldcode wrote:
| Some Apple devs still seem to love C and Obj-C (at least the
| ones my former employer worked with directly) and hate on
| Swift. Both Swift and Rust can be written to a much higher
| standard where the language protects you from stupidity, but
| only if you give up the past and use them. While you can
| write pretty good C-ish code (i.e. Linux), it's far too easy
| to slip up once and the language does nothing to save your
| ass.
|
| Some of Apple's OS code is pretty ancient. Switching to Swift
| or Rust is not necessarily a panacea if you call too many OS
| routines still in C-ish.
| raspasov wrote:
| I agree. Swift is a nice language, compared to the
| alternatives.
|
| I have a few months experience in it, and I can definitely
| agree that if you're writing Swift-only, it's very nice.
| The emphasis on values, and value semantics is definitely a
| differentiator from most other languages.
|
| However, anytime you have to use/interop with an older API
| designed for Obj-C (for example, AVFoundation), it's much
| more of a pain. Effectively, you're writing Obj-C in Swift.
|
| If someone is insisting on Obj-C instead of Swift in 2021,
| I would attribute it to a form of a Stockholm Syndrome.
| Many people form psychological bonds with whatever they are
| familiar with.
| setpatchaddress wrote:
| Yes, there are some people who simply prefer Objective-C,
| but you need to also realize that Swift is still not
| ready for system-level programming. Analysis tools aren't
| ready; debugging basically means you go to printing
| variables to stderr and praying. The standard library
| defaults to crashing at runtime for simple float <->
| integer conversion bounds errors which you'd think would
| be caught statically with more thoughtful design. Still a
| lot of rough edges.
|
| SwiftUI in particular is excellent and if you can use it
| you should. But you can't say Swift in general is ready
| to replace Objective-C. It's not.
| saagarjha wrote:
| Swift is not ready, but it's not for those reasons. The
| real problem is that Swift needs a hefty runtime and is
| fairly slow due to excessive ARC traffic, plus it has no
| way of recovering from memory exhaustion. So you can't
| really use it in the kernel, but it's perfectly fine for
| writing system frameworks and daemons.
| brobinson wrote:
| Apple had job postings last year looking for Rust developers to
| rewrite a service that was written in C so it's not without
| precedent.
|
| Job posting links are dead now, but there was a reddit thread
| about it:
| https://old.reddit.com/r/rust/comments/fkngza/apple_hiring_r...
| est31 wrote:
| A more fresh job posting from Apple:
| https://old.reddit.com/r/rust/comments/ou5szr/official_rrust...
|
| Also: https://jobs.apple.com/en-us/search?search=rust&sort=relevan...
| CyberRage wrote:
| Well I would dare to say iMessage isn't the biggest target to
| convert to Rust.
|
| At the end of the day, it is still an app with app level
| permissions, sandbox etc.
|
| Kernel/kernel modules are far more likely to be written as they
| allow for vastly more access than an app.
| dylan604 wrote:
| Unless someone applies the squeaky wheel rule. The thing
| causing everyone to look at you gets pushed to the top of the
| list.
| saagarjha wrote:
| It's a great target considering that a lot of other exploits
| go through the kernel just to get access to your iMessages.
| raspasov wrote:
| Is it a fair assumption that any code written in C / C++ /
| Objective-C has a high likelihood of allowing zero-click hacks?
| tyingq wrote:
| Aren't these making it past BlastDoor, written in Swift?
| Pulcinella wrote:
| Swift has e.g. UnsafePointer if you want to work more
| directly with memory. Presumably if BlastDoor uses them to
| work directly with memory then it could still be vulnerable,
| though I am not sure because I am not very familiar with
| them. If I was excited about pointers I wouldn't be using
| Swift...
| saagarjha wrote:
| It is highly unlikely BlastDoor is using much of those,
| except when interacting with system frameworks.
| azinman2 wrote:
| Objective-c has bounds checks and lengths built into NSData,
| NSArray, and NSString... so many of the buffer overflow
| techniques likely won't work against it. However, images and
| video seem to hit C++ code and from all of the past CVEs it
| seems this is a giant attack surface over and over again.
|
| I'm surprised this code isn't being rewritten in something like
| Rust, but perhaps there are more things going on at play, like
| the plist serialization attacks that end up coding for esoteric
| classes that contained various bugs.
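The two comments above (dagmx's point that most of these bugs live in format parsers, and azinman2's point that C/C++ media code lacks the built-in lengths of NSData and friends) come down to one recurring defect: a length field supplied by the sender is trusted when copying or indexing. The following is an added example written for this page, not code from Apple, iMessage, BlastDoor, or any commenter. The chunk format is a constructed toy (1-byte tag, 2-byte big-endian length, payload) that merely has the same shape as real image and font containers; the function names and sample inputs are likewise made up for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy container: a sequence of chunks, each a 1-byte tag,
 * a 2-byte big-endian payload length, then `length` bytes of payload.
 * As in real media formats, the sender controls both the length field
 * and the bytes it claims to describe. */

struct chunk {
    uint8_t tag;
    uint16_t len;
    const uint8_t *payload;   /* points into the input buffer */
};

/* Walk the chunk list. Returns the number of chunks found, or -1 if the
 * input is malformed. Fills at most max_out entries of `out`. */
int parse_chunks(const uint8_t *buf, size_t buflen,
                 struct chunk *out, size_t max_out)
{
    size_t pos = 0;
    int count = 0;

    while (pos < buflen) {
        /* Three header bytes must exist before they are read. */
        if (buflen - pos < 3)
            return -1;
        uint8_t tag = buf[pos];
        uint16_t len = (uint16_t)((buf[pos + 1] << 8) | buf[pos + 2]);
        pos += 3;

        /* The check that the classic vulnerable pattern omits: the declared
         * length must fit in the bytes that actually remain. Without it the
         * payload pointer/length pair describes memory past the end of `buf`. */
        if (len > buflen - pos)
            return -1;
        if ((size_t)count >= max_out)
            return -1;

        out[count].tag = tag;
        out[count].len = len;
        out[count].payload = buf + pos;
        count++;
        pos += len;
    }
    return count;
}

/* Copy one payload into a caller-supplied buffer. The length was validated
 * against the *source* during parsing; it must also be validated against
 * the *destination*, or a fixed-size stack/heap buffer is overrun. */
int copy_payload(const struct chunk *c, uint8_t *dst, size_t dstlen)
{
    if (c->len > dstlen)
        return -1;
    memcpy(dst, c->payload, c->len);
    return (int)c->len;
}

/* --- constructed inputs exercising the checks --- */

/* Two well-formed chunks: tag 1 with 2 bytes, tag 2 with 1 byte. */
int demo_well_formed(void)
{
    static const uint8_t in[] = {0x01, 0x00, 0x02, 0xAA, 0xBB,
                                 0x02, 0x00, 0x01, 0xCC};
    struct chunk out[4];
    return parse_chunks(in, sizeof in, out, 4);   /* 2 */
}

/* Declared length 0xFFFF with only two payload bytes present. */
int demo_overlong_length(void)
{
    static const uint8_t in[] = {0x01, 0xFF, 0xFF, 0xAA, 0xBB};
    struct chunk out[4];
    return parse_chunks(in, sizeof in, out, 4);   /* -1 */
}

/* Input ends in the middle of a chunk header. */
int demo_truncated_header(void)
{
    static const uint8_t in[] = {0x01, 0x00};
    struct chunk out[4];
    return parse_chunks(in, sizeof in, out, 4);   /* -1 */
}

/* A valid 2-byte chunk copied into a 1-byte destination must be refused. */
int demo_copy_too_big(void)
{
    static const uint8_t in[] = {0x01, 0x00, 0x02, 0xAA, 0xBB};
    struct chunk out[1];
    uint8_t dst[1];
    if (parse_chunks(in, sizeof in, out, 1) != 1)
        return -2;
    return copy_payload(&out[0], dst, sizeof dst);   /* -1 */
}

int main(void)
{
    printf("well-formed: %d chunks\n", demo_well_formed());
    printf("overlong length rejected: %d\n", demo_overlong_length());
    printf("truncated header rejected: %d\n", demo_truncated_header());
    printf("oversized copy rejected: %d\n", demo_copy_too_big());
    return 0;
}
```

The two checks are deliberately separate because they guard different buffers: the one in parse_chunks bounds the read against the input, the one in copy_payload bounds the write against the destination. Dropping either reproduces the out-of-bounds read or write that the thread is talking about, which is exactly what a fuzzer feeds a parser to find.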
| thenewwazoo wrote:
| As a certified member of the Rewrite It In Rust (RIIR)
| Reaction Force, let me answer this by saying that it's very,
| very hard to get the software right, even the second time,
| and RIIR trades one set of unknowns for another. There are
| also a _huge_ number of people who are convinced that Rust is
| a fad, or that C is good enough, or whatever. The same people
| who swore they could outbrake ABS decades ago. They do not
| want to learn a new, hard thing, and Rust can be hard at
| first.
| raspasov wrote:
| Haha, love the ABS analogy!
| saagarjha wrote:
| Objective-C can run into other issues, though: NSSecureCoding
| exists for a reason ;)
| SalimoS wrote:
| Wouldn't not parsing incoming media unless it's from someone in
| your contacts be a first step that could largely reduce the threat?
|
| So it will stay the same for people in your contact list but a
| new touch to load for message from unknown person
| CyberRage wrote:
| That might sound good in theory but in practice it's unlikely to
| go well (by default).
|
| Many services from banks to healthcare utilize SMS as a main
| way of communicating with end-users. Many rely on dynamic
| numbers.
|
| Moreover, spoofing SMS messages is not that hard.
|
| Messaging apps whether it is SMS or alternatives like whatsapp,
| telegram etc. will always offer a powerful vector to infect
| devices.
| lostmsu wrote:
| I think banks don't use inline media in their messages too
| often.
| est31 wrote:
| https://en.wikipedia.org/wiki/Dancing_pigs
| YLYvYkHeB2NRNT wrote:
| NMP.
|
| Ditched them and shelved all my iShit. I'm done.
|
| Edit > sorry for the LQP - But, it's how I feel. And, my
| therapist said I should tell others how I really feel.
|
| And since you iCucks are downvoting me, to hell with HEIC.
| eyeball wrote:
| I turned off iMessage.
|
| I seem to be under attack lately.
|
| 3-4 times a day random links sent from gmail addresses or unknown
| phone numbers to imsg with sketchy looking links in them.
| cyckl wrote:
| I'm also getting these--no idea what the exploits actually are
| or how they work. Am I theoretically already exploited?
| gruez wrote:
| Not really.
|
| 1. There's no reason why a threat actor would have to send
| you 3-4 messages per day. Of the exploits I've seen, they
| only need to send one. Sending 3-4 messages per day just
| unnecessarily increases the risk of getting caught (i.e. the
| target getting suspicious and asking on Hacker News whether
| they're getting hacked)
|
| 2. There's no reason why the message has to contain sketchy
| links. They could very well disguise messages as
| ads/notifications for well known businesses, political
| organizations, or from random people who got the wrong phone
| number.
|
| 3. There's no reason why the attacker can't erase any trace
| of the initial message after your device is infected, so
| unless you're staring at your phone 24/7 it's very easy to
| miss the message.
| dylan604 wrote:
| Can you war-dial attack with these? Seems like it would be
| super easy for a script kiddie to just start at 111-111-1111,
| send message, increment by 1, repeat. Maybe narrow it down to
| valid area codes and what not, but seems like a super low
| budget thing to do.
| zsmi wrote:
| Sure.
|
| https://calleridreputation.com/blog/robotexts-are-replacing-...
|
| "Robotext spammers are also targeting group messages by using
| automated programs to send thousands, even millions of group
| texts to random phone numbers with the hopes that somebody
| will take the prey and respond."
|
| Also, some users give random apps access to their address
| book for whatever reason then there is a whole list of known
| good emails and numbers to spam.
| rmorey wrote:
| Well, send from what? Every iMessage comes from an account
| with an Apple ID, so I presume stolen credentials would be
| the only way to really do this, adding to the cost.
___________________________________________________________________
(page generated 2021-09-06 23:00 UTC)