Apple recently announced that it will pay up to $1 million as rewards to hackers for discovering vulnerabilities in its products. The tech giant's move was likely prompted by the fact that such vulnerabilities can cause significantly more harm to end-users.
Security researcher Ian Beer had revealed 30 distinct iOS vulnerabilities while working for Google's Project Zero about a year ago. Now, the Project Zero has made a sensational revelation with its new report, prepared by researcher Natalie Silvanovich and fellow Project Zero researcher Samuel Groß, that flags 10 new ways the iPhone can be compromised by hackers without even touching it. The shortcomings were revealed last week at the Black Hat hacking and security conference in Las Vegas. Project Zero is Google’s team of elite hackers, tasked with finding vulnerabilities in competitors’ and Google products.
iMessage, the default messaging app on iPhone and Mac devices, suffered from the highest number of vulnerabilities and high-impact bugs. Some vulnerabilities allow hackers to covertly plant malicious code on a user's device through text messages. Silvanovich says that the complexity of iMessage and its interdependence on numerous other services, apps and libraries increases the risk that such attacks would bypass the scrutiny of the broader iOS defence system.
Referring to remote flaws as "zero click" vulnerabilities as they don't require physical interaction, the Project Zero team found that such flaws constitute the largest share of flaws inflicting the iMessage. Such vulnerabilities are often sought after by state actors as the target remains oblivious to the fact that any attack has even occurred.
The researchers say that six of the other vulnerabilities have already been patched but still several of them are still lingering on and many more are yet to be revealed. The researchers say they dug deeper to hunt for more zero-click vulnerabilities. Recently, a WhatsApp vulnerability highlighted how iPhone users could have spyware installed on their phones and calls listened in on without any indication whatsoever the end user had been compromised.
Earlier, Project Zero researchers had found a severe iMessage bug that could target the iPhone and wipe out its data completely by a remote attacker using zero action. Some bugs even allowed for the covert siphoning of user data from a target device.
"There have been rumours of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices," the report proclaimed.