Google's Project Zero Finds Six 'Interactionless' iOS Vulnerabilities in iMessage App

We may earn a commission from links on this page.
An Apple Store in NYC, 2018.
An Apple Store in NYC, 2018.
Photo: Mark Lennihan (AP)

Apple released bug fixes for five major security issues in iOS that can be exploited via its iMessage client app last week after they were discovered by researchers for competitor Google’s exploit-hunting Project Zero, though an additional issue was reported and not totally resolved in the iOS 12.4 update, according to the BBC.

All of them were remote and interactionless, meaning that an attacker could exploit them without requiring the owner of the targeted device to do anything. Of the vulnerabilities that have been resolved, one was so serious that it could only be solved by wiping a device with the loss of all data, while another could be used to siphon data off a device, the BBC wrote. The sixth bug that was not resolved in iOS 12.4 and can still be exploited appears to be serious, the BBC wrote, but Project Zero researcher Natalie Silvanovich tweeted that they were withholding details until a bug-fix deadline has passed:

Apple’s own notes about iOS 12.4 indicate that the unfixed flaw could give hackers a means to crash an app or execute commands of their own on recent iPhones, iPads and iPod Touches if they were able to discover it.

Apple has not commented on this specific issue, but has urged users to install the new version of iOS, which addresses Google’s other discoveries as well as a further range of glitches and threats.

“Keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security,” it said in a statement.


Per ZDNet, it’s possible that if Silvanovich and fellow Project Zero researcher Samuel Groß had sold the five no-user-interaction vulnerabilities on the black market or to an exploit vendor, they would have easily been worth at least one million dollars apiece—because they offer hackers the capability to infiltrate a target device undetected. Crowdfense, an exploit vendor, told the site that since they required no clicks to set up an attack and affected recent versions of iOS, they could have been worth $2-4 million each for a total haul of $20-24 million.

So it’s rather fortunate these were discovered by Project Zero rather than someone looking to cash in on them. According to ZDNet, Silvanovich has a scheduled talk about remote, interactionless iPhone vulnerabilities at next week’s Black Hat cybersecurity conference next week, with a synopsis for the talk saying it “discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components.”


The five bugs that have been resolved are listed as CVE-2019-8624, CVE-2019-8646, CVE-2019-8647, CVE-2019-8660, and CVE-2019-8662.


Correction: A previous version of this article misstated the version number of the iOS update as 2.4. The last update to iOS 2 was version 2.2.1 in 2009. The latest update to iOS is obviously version 12.4, and the author encourages you to mock him in the comments below.