iOS flaw lets hackers access iPhones using an iMessage

Users urged to update their iPhone, iPad, Mac, Apple TV and Apple Watch to prevent attackers taking over devices with malicious images

A flaw in the way Apple software handles images allows hackers to take over an iPhone, iPad, Apple Watch, Mac or Apple TV with a simple iMessage or email.

The vulnerability in Apple’s picture-handling Image I/O API means that a malicious Tagged Image File Format (TIFF) file can force a so-called buffer overflow, which allows a hacker to break through Apple’s security and run their own code on a device.

Tyler Bohan from security firm Cisco Talos said: “This vulnerability is especially concerning as it can be triggered in any application that makes use of the Apple Image I/O API when rendering tiled TIFF images.”

Most apps on an iPhone, for instance, use the Image I/O API to render pictures, including Messages, MMS, Safari, Mail and others, leaving them all vulnerable to this attack.

“Depending on the delivery method chosen by an attacker, this vulnerability is potentially exploitable through methods that do not require explicit user interaction since many applications (ie iMessage) automatically attempt to render images when they are received in their default configurations,” said Bohan.

Should the image be viewed automatically or manually, the attacker could then gain full control of the device, steal passwords and other information, all potentially without the user knowing.

Apple released iOS 9.3.3, OS X 10.11.6, tvOS 9.2.2 and watchOS 2.2.2 software updates to address the bug and several others on Monday, but those who have not updated either through the Settings app on their iOS device, iTunes or the Mac App Store are still vulnerable to attack.

The iOS 9.3.3 update is not available for the iPhone 4 and older models, which are still at risk. There are 1bn iOS devices around the globe, all of which will be affected by this security hole unless updated.

Google’s Android faced two similar security holes known as Stagefright and Stagefright 2, which affected almost a billion devices, but the updates required to fix the hole were slow in their release from various smartphone manufacturers and mobile phone networks.

Contributor

Samuel Gibbs

The GuardianTramp

Related Content

Article image
Your iPhone's password demands aren't just annoying. They're a security flaw
A developer has warned it is possible to create a phishing attack based on a fake sign-in request for Apple ID credentials

Alex Hern

12, Oct, 2017 @11:17 AM

Article image
WWDC 2018 keynote: Apple to stop Facebook tracking on iOS 12 – as it happened
Tim Cook and friends kick off ‘dubdub’ in California, with new Apple Watch features, Siri Shortcuts, new Animoji, group FaceTime, ARKit and more

Alex Hern

04, Jun, 2018 @8:37 PM

Article image
WWDC 2019: Apple unveils new iOS, iPad OS, macOS and Mac Pro
The iTunes app is dead, your iPhone will be faster and the $5,999 Mac Pro becomes firm’s most expensive computer

Samuel Gibbs

03, Jun, 2019 @7:45 PM

Article image
iPhones vulnerable to hacking tool for months, researchers say
NSO Group’s Pegasus spyware could allegedly track locations and access passwords

Alex Hern

20, Dec, 2020 @8:05 PM

Article image
iPhone text message bug can crash Apple Watch, iPad and Mac too
Bug in Apple’s Messages that allows anyone to crash someone’s iPhone with a text can also nuke an Apple Watch, iPad or Mac

Samuel Gibbs

28, May, 2015 @10:22 AM

Article image
iPhone 6S security hole lets attackers access contacts and photos without passcode
Security hole allows attackers to quickly access personal information on a locked iPhone 6S or 6S Plus using Siri, Twitter and 3D Touch

Samuel Gibbs

05, Apr, 2016 @10:02 AM

Article image
Apple fixes HomeKit bug that allowed remote unlocking of users' doors
Security flaw in latest iPhone and iPad iOS 11.2 software meant hackers could potentially gain remote control of lights, cameras and locks in smart homes

Samuel Gibbs

08, Dec, 2017 @10:41 AM

Article image
'Jailbreak' for iPhones wins $1m bounty
Computer exploit merchant Zerodium says it paid research team that worked out how to ‘jailbreak’ latest version of Apple’s mobile operating system, iOS 9.1.

Alex Hern

03, Nov, 2015 @4:13 PM

Article image
Apple accidentally reopens security flaw in latest iOS version
Vulnerability could be exploited to gain control of iPhone, users are warned

Alex Hern

20, Aug, 2019 @2:41 PM

Article image
Apple: expect a radical iPhone redesign for its 10th anniversary
On 12 September Tim Cook’s company will hold its first event at the new Steve Jobs Theater in Cupertino, California. Here’s what they will (probably) talk about

Samuel Gibbs

01, Sep, 2017 @11:42 AM