A Single iMessage Can Now Hack Your iPhone Or Mac
By Paul Liu
Thursday, March 2nd, 2017
Security experts have come across a serious security vulnerability which allows hackers to compromise the security of Apple devices by sending just a single iMessage. Discovered by Tyler Bohan, a senior security researcher working for Cisco; the vulnerability is found in both OS X as well as iOS and is capable of infecting almost every version of these two operating systems. Security experts are comparing the bug with Android’s StageFright vulnerability (which wreaked havoc last year) since both of them have similar modes of propagation.
As per the details published by Bohan, the vulnerability is associated with the ImageIO program. The program contains a set of libraries that are used by both OS X and iOS to handle operations related to images (including reading and writing of different types of image files such as images, videos, animated images and so on). The flaw make use of malicious TIF files (which is an image file format very similar to JPEG format used for capturing photographs) and is propagated via MMS to infect Apple devices. S you can guess, the TIF file sent by hackers is specially crafted to make use of the vulnerability present in the ImageIO program.
Once the iMessage arrives on the target device, it captures the information from the device without leaving any kind of footprints. The malicious code not only provides unrestricted access to internal storage of the device, it even leaks credentials stored on the device. As it can be imagined, this can severely compromise personal and sensitive information of the targeted user. What’s worse, the vulnerability can also be delivered via the Safari browser. Mac users just need to visit an infected website containing the malicious code and Safari browser would do the rest (such as capture email credentials of the user). However, it is not possible to gain complete control of an Apple device by exploiting this vulnerability.
The most dangerous aspect of the vulnerability is that it exploits the store and deliver mechanism of MMS messages. As such, target users can do next to nothing to prevent getting hacked by the vulnerability. The flaw can even infect your device if it is switched off for a number of days; your device would receive the infected message as soon as you switch it on. Apart from iOS and OS X, the vulnerability is also capable of infecting tvOS and watchOS; OS’ used in Apple TV and Apple Watch.
The good news is that Apple has already released patches to fix the security flaw. The company has released iOS 9.3.3 and El Capitan 10.11.6 to address the vulnerability. However, users would need to upgrade the OS of all of their Apple devices to remain safe from the bug. If you delay updating OS of any of your Apple device for one reason or the other, your devices would be at risk. Remember, you can do nothing to prevent the bug from infecting your device so updating your Apple OS is your only chance to remain safe from this critical security flaw.