This iPhone Hack Let Google Access iOS Device Files



An Apple iMessage security vulnerability meant that researchers from Google's Project Zero team could remotely access files on a victim's iPhone. Here's how they did it.

The iMessage vulnerability

iPhone users were alerted back in July that an iMessage security vulnerability had been uncovered and a proof-of-concept exploit developed. That vulnerability armed an attacker with the ability to remotely read files from an iPhone, with no physical access required. The proof-of-concept exploit showed how, by sending a specially constructed "hack" iMessage to an iPhone, it was possible to reveal leaked bytes of memory from SpringBoard, the application that manages the iOS home screen, in the output of the attacking server. Google Project Zero researcher Natalie Silvanovich, who earlier in the year had shown how an iMessage text attack could effectively "brick" an iPhone, disclosed the vulnerability and explained how it could also be used to read files remotely from an iPhone.

Silvanovich first disclosed the vulnerability (CVE-2019-8646) to Apple in May and produced the proof-of-concept exploit in June. As is the case with all such Google Project Zero vulnerability finds, Apple was given a 90-day deadline to make a patch available before public disclosure. Apple did, indeed, respond commendably quickly by making a fix available as part of the iOS 12.4 update. Now Silvanovich has published a deep-dive technical post to the Project Zero blog that precisely reveals how an attacker could have exploited the vulnerability.

Exploiting the iPhone iMessage vulnerability

Before reading the deep-dive post, Silvanovich recommends that readers familiarize themselves with the "fully remote attack surface of the iPhone" first. This provides a still technical, but perhaps slightly more accessible, overview of the "several attack surfaces of the iPhone." If you survive that relatively intact, then head for the deep-dive.

Alternatively, the tl;dr is that Silvanovich found a particular class could be "deserialized by iMessage in a remote context," which opened the possibility of a process accessing a file without authorization.
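The chain summarized above, untrusted deserialization in a remote context leading to an unauthorized file read, modelled as an added Python example. This is not Project Zero's exploit, Apple's code or iMessage's real wire format; the class names `Text` and `FileBackedBlob`, the JSON payload and the "private" file it reads are all constructed for the example. It places a decoder that builds whatever class a message names beside one that only admits an allowlist for the remote context, which is the check a defender wants at the decoding boundary.

```python
# Added illustrative model, not Project Zero's exploit or Apple's code.
# It shows the bug class the article summarizes: a decoder that instantiates
# whatever class an untrusted message names, and a class in the process that
# reads a file when it is used. Class names, the JSON wire format and the
# "private" file are all constructed for this example.
import json
import tempfile
from pathlib import Path


class Text:
    """Harmless payload type: holds a string."""
    def __init__(self, value):
        self.value = value

    def materialize(self):
        return self.value


class FileBackedBlob:
    """Hypothetical class that defers reading a local file until it is used.
    Legitimate inside the process; dangerous if a remote message may name it."""
    def __init__(self, path):
        self.path = path

    def materialize(self):
        return Path(self.path).read_text()


# Every class the decoder knows how to build, keyed by its wire name.
REGISTRY = {"Text": Text, "FileBackedBlob": FileBackedBlob}

# The subset that is safe to build from a remote, unauthenticated message.
REMOTE_ALLOWLIST = frozenset({"Text"})


class DisallowedClass(ValueError):
    """Raised when a message names a class outside the allowlist."""


def decode_unsafe(payload: str):
    """Weak decoder: trusts the class name carried in the message."""
    obj = json.loads(payload)
    return REGISTRY[obj["class"]](obj["arg"])


def decode_allowlisted(payload: str, allowed=REMOTE_ALLOWLIST):
    """Hardened decoder: refuses any class not explicitly allowed for this context."""
    obj = json.loads(payload)
    name = obj["class"]
    if name not in allowed:
        raise DisallowedClass(f"class {name!r} not permitted in remote context")
    return REGISTRY[name](obj["arg"])


def run_demo():
    """Create a constructed 'private' file, then decode a message naming it
    with each decoder. Returns (text the weak decoder leaked, name of the
    exception the hardened decoder raised)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "photo.txt"
        secret.write_text("constructed private file contents")
        message = json.dumps({"class": "FileBackedBlob", "arg": str(secret)})

        # The weak decoder happily builds the file-backed object; using it
        # reads the file and hands its contents back to the message source.
        leaked = decode_unsafe(message).materialize()

        # The hardened decoder rejects the class name before any object exists.
        try:
            decode_allowlisted(message)
            blocked = None
        except DisallowedClass as exc:
            blocked = type(exc).__name__
        return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = run_demo()
    print("weak decoder returned:", leaked)
    print("hardened decoder raised:", blocked)
```

The point of the allowlist is that it is enforced before a constructor runs: a class that is perfectly reasonable for local use never becomes reachable from a message an attacker controls, which is the separation of contexts that the vulnerability lacked.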

Having explored all the possible options to exploit this vulnerability, Silvanovich was able to remotely read a file, a photo in this case, from an iPhone's memory. You can watch the exploit in action in this video produced by Google Project Zero:



Lessons learned from the iMessage vulnerability

"There were three small bugs that contributed to this bug's capabilities," Silvanovich said, adding that it shows the security benefit of both avoiding and fixing bugs even if they don't seem to have any discernible impact on security. "Alone, none of these bugs, including the vulnerability, were that serious," she concludes, "but together they allow a user's data to be accessed remotely."

That's good advice for the programmers and developers out there, but what about the average iPhone user? What lessons should they take from all of this? I think the advice given by Carl Gottlieb, data protection officer at Hudl and Duolingo, whom I contacted when writing the original iMessage vulnerability report, is worth repeating.

"This iMessage issue is a good reminder that iOS devices can be vulnerable too," Gottlieb said, adding that the good news is that Apple does at least release fixes promptly. "Whether it be on an Apple device, Windows or any other form of computer," Gottlieb concludes, "the boring security advice usually saves the day: Install the system updates ASAP and be extremely careful opening messages from anyone you don't know."
