
Stealthy iPhone Attacks That Apple Still Can’t Stop


It’s a striking revelation: The Bahraini government allegedly bought and deployed sophisticated malware against human rights activists, including spyware that required no interaction from the victim (no clicked link, no permissions granted) to take over their iPhones. But as disturbing as this week’s report from the Citizen Lab at the University of Toronto is, this kind of attack is becoming more and more common.

These “zero-click” attacks can occur on any platform, but a string of high-profile hacks shows that attackers have found vulnerabilities in Apple’s iMessage service to carry them out. Security researchers say the company’s efforts to fix the problem have failed, and that there are other steps the company can take to protect its most at-risk users.

Interactionless attacks are still very rare against current versions of iOS, and are used almost exclusively against a small population of high-profile targets around the world. In other words, the typical iPhone owner is very unlikely to encounter them. But the events in Bahrain show that Apple’s efforts to eliminate the dangers of iMessage for its most vulnerable users have not been entirely successful. Now the question is how far the company is willing to go to make its messaging platform less of a liability.

“It’s deceptive to think that this indelible app can still support anyone’s data and messages with iOS,” says Patrick Wardle, a longtime macOS and iOS security researcher. “… send it from anywhere in the world at any time and hit it.”

Apple made a big push to address iMessage zero-clicks comprehensively in iOS 14. The most notable of the new features, BlastDoor, is a kind of quarantine space for incoming iMessage communications that seeks to weed out potentially harmful components before they reach the iOS environment. But the interactionless attacks keep coming. Both this week’s Citizen Lab findings and research published by Amnesty International in July show specifically that it is possible to defeat BlastDoor with a zero-click attack.

Apple has not issued a fix for this particular vulnerability and the corresponding attack, which Amnesty International calls “Megalodon” and Citizen Lab calls “ForcedEntry.” An Apple spokesman told WIRED that the company intends to tighten iMessage security beyond BlastDoor, and that new defenses are coming with iOS 15, which is likely to come out next month. But it’s not clear what those protections will involve, and in the meantime there appears to be no defense against the BlastDoor-defeating hack that Amnesty International and Citizen Lab both observed.

“Attacks like the ones described are very sophisticated, cost millions of dollars to develop, are short-lived, and are used to target specific people,” said Ivan Krstić, Apple’s head of security engineering and architecture. “This means that there are no threats to the vast majority of our users. We are constantly working to defend all customers.”

Security researchers say it is difficult to defend the many functions and features of iMessage. Its “attack surface” is massive. Under the hood, a lot of code and machinery is needed for all of those green and blue bubbles (plus photos, videos, links, memos, app integrations, etc.) to work properly. Every feature, and every interconnection with another part of iOS, creates a new opportunity for attackers to find exploitable bugs. Since the rise of zero-click attacks on iMessage a few years ago, it has become increasingly clear that reducing the service’s vulnerabilities across the board would require an epic architectural overhaul, which seems unlikely.

Even without a full overhaul, however, Apple still has options for dealing with sophisticated iMessage hacks. The researchers suggest that the company could offer special settings so that at-risk users can choose to lock down the Messages app on their devices. These could include an option to completely block untrusted content such as images and links, and a setting that prompts the user before accepting messages from people who are not in their contacts.
