Security researchers at Google's Project Zero have discovered six bugs in iOS that can enable attackers to execute code remotely on an iPhone without any user interaction. Apple addressed five of these vulnerabilities with iOS 12.4; however, one remains to be fixed.
These "interactionless" or "zero interaction" bugs resulted in the remote execution of malicious code on an iOS device. Since no user interaction was required, an attacker only needed to send a specially crafted message to the target's phone to execute code remotely once the user opened the received message.
These latest bug discoveries are critical since there isn't enough information about the interactionless iOS attack surface. The vulnerabilities are tracked under CVE-2019-8641, CVE-2019-8647, CVE-2019-8660, CVE-2019-8662, CVE-2019-8624, and CVE-2019-8646.
Google researcher to present "Look, No Hands! The Remote, Interaction-less Attack Surface of the iPhone [iOS]" at Black Hat
On August 7, Google Project Zero security researcher Natalie Silvanovich (who discovered these bugs along with fellow researcher Samuel Groß) will present a talk on these no-interaction remote vulnerabilities at next week's Black Hat USA 2019 conference. An abstract of the talk reads:
There have been rumors of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices. This presentation explores the remote, interaction-less attack surface of iOS. It discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. It also includes two examples of vulnerabilities discovered using these methods.
We always recommend that users install security updates as soon as they are released; however, it is critically important to do so when the proof of concept has been released to the public.
Note: no details have been shared about the sixth bug since Apple has yet to issue a fix for it.
News Source: ZDNet