All iOS versions below iOS 12.4 are severely vulnerable.

As of August 1, only 9.6% of enterprise devices have been updated.

Google’s Project Zero has uncovered six bugs in iOS that can be remotely exploited without any user interaction via the iMessage client. Apple has fully patched five of the six flaws with the 12.4 iOS update.

The scariest of these bugs (CVE-2019-8624 and CVE-2019-8646) allow an attacker to read files off an iOS device remotely, without any interaction from the victim. The exploit initiates a dump of the victim’s iMessage database and compromises the iOS sandbox putting files on the device at risk.

The code to exploit these vulnerabilities is now publicly available and is very easy for any bad actors to execute. Unlike the recent WhatsApp vulnerability, anyone with intermediate to advanced computing skills can use this code to hack any iPhone which hasn’t been updated.

Over 90% of iPhone users are still vulnerable. We urge all iPhone users to update immediately.

“I don’t need security software because iOS is so secure” – Wrong

This vulnerability calls into question the integrity of iOS sandboxing which is one of the most significant fundamentals of the entire iOS security model. There is a general mentality that iOS devices are secure so security software is not required, but the reality is, the sandbox that is built into iOS can be defeated.

Sandboxing is designed to safeguard apps and sensitive data by ensuring each app runs in its own private space, but this defense can be compromised in the unlikely event an iOS device is jailbroken. This iMessage exploit has similar implications to a jailbreak in that the weakness in iMessage exposes the file space on the device, which could include pictures, videos, notes, pdfs, etc.

In our testing (demonstrated in below video), the results of the exploit varied and the spoils of the data dump depended on the state of the victim’s device. For a persistent, malicious actor who knows the iOS file system well, and knows what they’re looking for, it is likely they could gain access to sensitive files outside of iMessage due to the sandbox compromise.

We haven’t seen such a severe vulnerability affecting iOS devices since Pegasus. This attack is similar to Pegasus in that it is remotely executed and it doesn’t require the victim to click on anything for the attack to work. Also in that it affects Apple’s native messaging app which is installed on every single iPhone, making the pool of potential victims immense.

Any app developer could release a poorly coded messaging app that can be exploited, but this is Apple’s messaging app we’re talking about so every iPhone user that hasn’t updated their software is at risk.Dan Cuddeford, Senior Director of Systems Engineering at Wandera.

“If it’s such a big deal, I would have been notified of the patch” – Wrong

The patch for iOS was rolled out on July 22nd in 12.4. But there was no notification within iOS to notify users that it was available. This highlights the inefficiency of Apple’s security patching methods.

Despite Google’s platform fragmentation, security patches are released in a more efficient way, separately to feature releases. Android feature releases can sometimes be slowed down by hardware providers and carriers, but its security patches are released as separate updates and pushed out by Google to patch devices automatically without the user needing to take action.

Apple works in a different way. Apple’s feature updates and security patches are rolled into software updates together and rely on the user to take action.

iOS users might see a new feature in an iOS update that they don’t want, so they might choose not to update their device and move on without an important security patch that was listed in that same update.Dan Cuddeford, Senior Director of Systems Engineering at Wandera.

“I’ve seen iOS vulnerabilities before but hackers won’t target me” – Wrong

The way the vulnerability disclosure was handled reminds us of the difference between the two platforms and how they handle security patches and responsible disclosure. Google researchers gave Apple adequate time (90 days) to roll out a patch before disclosing the vulnerability publicly. But they also published the code needed to run the exploit.

According to the data in our network of enterprise devices, only 9.6% of devices have been updated to iOS 12.4, as of August 1st – 10 days after the patch was released on July 22nd and three days after the vulnerability was disclosed to the public on July 29th.

Maybe it’s the summer holidays, maybe it’s Apple’s weirdly quiet 12.4 release, or maybe it’s because people think these exploits are not accessible. This one is, so I’m shocked we haven’t seen a faster uptake of iOS 12.4.Dan Cuddeford, Senior Director of Systems Engineering at Wandera.

With the exploit script publicly available for download, all you need is a MacOS device and the phone number or iMessage account details of a victim in order to carry out the attack.

Security leaders need to work together to ensure patches are in place before easily executable exploits are made available to the public.

What should I do now?

Enterprises – to protect your employees’ local files on their devices, which could potentially contain business sensitive data as well as personal data, you should urge/enforce all your iPhone users to update to 12.4.

Wandera customers – log in to RADAR and go to Security > Threat View and click on Outdated OS to understand your risk exposure and manage your response.
iPhone users – you should make sure you are up to date with iOS 12.4 to ensure the security patches are in place.

For more insight speak to a Wandera mobile security expert and check out Threatpost and ZDNet for articles on this vulnerability.