It’s a shocking revelation: The Bahraini government allegedly purchased and deployed sophisticated malware against human rights activists, including spyware that required no interaction from the victim—no clicked links, no permissions granted—to take hold on their iPhones. But as disturbing as this week’s report from the University of Toronto’s Citizen Lab may be, it’s also increasingly familiar.
These “zero-click” attacks can happen on any platform, but a string of high-profile hacks show that attackers have homed in on weaknesses in Apple’s iMessage service to execute them. Security researchers say the company’s efforts to resolve the issue haven’t been working—and that there are other steps the company could take to protect its most at-risk users.
Interactionless attacks against current versions of iOS are still extremely rare, and almost exclusively used against a small population of high-profile targets around the world. In other words, the average iPhone owner is very unlikely to encounter them. But the Bahrain incident shows that Apple’s efforts to defuse iMessage risks for its most vulnerable users have not fully succeeded. The question now is how far the company is willing to go to make its messaging platform less of a liability.
“It’s frustrating to think that there is still this un-deletable app on iOS that can accept data and messages from anyone,” says longtime macOS and iOS security researcher Patrick Wardle. “If somebody has a zero-click iMessage exploit, they can just send it from anywhere in the world at any time and hit you.”
Apple did make a major push to comprehensively address iMessage zero-clicks in iOS 14. The most prominent of those new features, BlastDoor, is a sort of quarantine ward for incoming iMessage communications that’s meant to weed out potentially malicious components before they hit the full iOS environment. But the interactionless attacks keep coming. This week’s Citizen Lab findings and research published in July by Amnesty International both specifically show that it’s possible for a zero-click attack to defeat BlastDoor.
Apple hasn’t issued a fix for this particular vulnerability and corresponding attack, dubbed “Megalodon” by Amnesty International and “ForcedEntry” by Citizen Lab. An Apple spokesperson told WIRED that it intends to harden iMessage security beyond BlastDoor, and that new defenses are coming with iOS 15, which will likely come out next month. But it’s unclear what those further protections will entail, and there’s meanwhile seemingly no defense against the BlastDoor-defeating hack that Amnesty International and Citizen Lab both observed.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Apple’s head of security engineering and architecture Ivan Krstić said in a statement. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers.”
iMessage’s many functions and features make it difficult to defend, security researchers say. Its “attack surface” is massive. Under the hood, it takes a lot of code and jerry-rigging to get all those green and blue bubbles—plus photos, videos, links, Memojis, app integrations, and more—working smoothly. Each feature and interconnection with another part of iOS creates a fresh opportunity for attackers to find flaws that could be exploitable. Since the rise of iMessage zero-clicks a few years ago, it’s become increasingly clear that comprehensively reducing the service’s vulnerabilities would take some epic rearchitecting—which seems unlikely at best.
Absent a total overhaul, though, Apple still has options for dealing with sophisticated iMessage hacks. The company could offer special settings, researchers suggest, so at-risk users can choose to lock down the Messages app on their devices. That could include an option to block untrusted content like images and links altogether, and a setting to prompt the user before accepting messages from people not already in their contacts.
