Remember Stagefright, that vulnerability in Google’s Android operating system that had security experts up in arms? Turns out Apple devices running older versions of iOS, WatchOS, tvOS, and OS X aren’t immune. According to researcher Tyler Bohan at cybersecurity firm Cisco Talos, older versions of iOS and OS X contain an exploit that could theoretically allow a media file like a photo or video to defeat built-in software security measures and take over your device. The malformed media file could arrive as an email, iMessage, webpage, or other apps.
Luckily, protecting your Apple devices is relatively straightforward. As long as your iPhone, Apple TV, Apple Watch, and Mac are running the newest software, you’ve got nothing to worry about. Apple patched the exploits in the latest version of iOS 9.3.3, and says it’s working on a fix for OS X. Also rectified in the latest iOS version is a bug that permitted anyone on the same network as a FaceTime chat user to “intercept” the audio of ongoing conversations. Needless to say, it’s a critical patch, so download it now. It’s available for all iPhones from the iPhone 4S to the iPhone 6S/Plus.
How does the hack work?
For those who are curious, here’s a technical explanation of the hack. The problem lies in how older versions of Apple’s device software handle media. A malformed multimedia file, like a photo sent via email or text, could trigger one of several bugs in the software’s playback engine that subsequently cause it to “lose control of how it handles its memory space.” This happens when your device processes the image to create a thumbnail for you to view. From that point, unfortunately, the sky’s the limit. A hacker could take over your device and access your private information.
Typically, iOS prevents malicious code from operating outside of prescribed boundaries, but an attacker could potentially gain elevated privileges by applying secondary exploits. And Mac OS X, unlike iOS, imposes no such limitations, so an ill-meaning programmer could install unwanted apps on an infected computer, send personal information contained within it to a remote server, or commandeer it for a for a denial-of-service attack.
Perhaps most alarmingly, the malicious payloads can trigger clandestinely, without a user’s knowledge. Any app that displays images, like a messaging app, iMessage, an email client, or even a web browser, could put a device at risk of infection.
“An attack could deliver a payload … using a wide range of potential attack vectors,” Talos said. Applications that use Apple’s built-in rendering engine to display images could exploit the bugs “without user interaction,” Talos explained. Text messengers are particularly vulnerable, according to Bohan. “The receiver of an MMS cannot prevent exploitation and MMS is a store and deliver mechanism,” he told Forbes. “I can send the exploit today and you will receive it whenever your phone is online.”
According to Talos, the vulnerabilities lie in Apple’s Apple Core Graphics API, Scene Kit, and Image I/O — the components responsible for parsing and handling media files. As Talos explains, certain image file formats, like TIFF, can overwhelm the Image I/O API ways that allow “remote code execution.” Others, like OpenEXR and BMP, can exploit related bugs in the Core Graphics API, Image I/O, and Scene Kit to write copy malicious code within the image to the device’s internal memory. And still, others can misdirect Scene Kit to malicious files by parading them as legitimate.
“Image files are an excellent vector for attacks since they can be easily distributed over web or email traffic without raising the suspicion of the recipient,” said Talos. “These vulnerabilities are all the more dangerous because Apple Core Graphics API, Scene Kit and Image I/O are used widely by software on the Apple OS X platform.”
This is a very serious hack, mainly because if your device was affected, you wouldn’t even be able to tell. We recommend that you download the latest iOS software immediately to protect yourself. Go to Settings > General > Software update and install the iOS 9.3.3 update when it appears on the page.