Software exploits that don’t require a victim to click a link to be compromised are an intriguing and growing area of research for white-hat hackers. So it is no surprise that Google’s elite team of hackers, Project Zero, has dug into this stealthy mode of attack in recent months.
On Thursday, Samuel Gross laid out how, armed with only a target’s Apple ID, he could remotely compromise an iPhone within minutes to steal passwords, text messages and emails, and activate the camera and microphone.
The attack, which exploited an iOS 12.4 vulnerability for which Apple issued a patch last August, shows how “small design decisions can have significant security consequences,” Gross wrote in a blog post.
Gross poked holes in some conventional wisdom around security features used in the iPhone operating system. ASLR, the address-randomizing mitigation meant to guard against memory-corruption exploits, “is not as strong in practice,” he said: it could be broken, in part, through a side channel the attacker sets up to interact with the victim device. By abusing the delivery “receipts” feature that lets users know their iMessages have arrived, Gross demonstrated remote code execution.
Clickless exploits are anything but hypothetical. Last October, Facebook sued software surveillance company NSO Group for allegedly developing an exploit that infected about 1,400 mobile devices that had WhatsApp installed. Users were reportedly infected if their phone was called — regardless of whether they answered the call. NSO Group denied involvement in the attack.
Gross, who presented his research at a hacking conference last month, said that he recommended new security measures to Apple based on his research.
“As much code as possible should be put behind user interaction, in particular when receiving messages from unknown senders,” he advised.
Implementing all the recommendations, some of which Apple already has, “should make similar exploits significantly harder in the future,” Gross argued.