Google researcher beefs up iMessage security by demonstrating clickless exploit

Google's Samuel Gross poked holes in some conventional wisdom around iOS.
(Flickr / Wiyre Media)

Software exploits that don’t require a victim to click a link to be compromised are an intriguing and growing area of research for white-hat hackers. So it is no surprise that Google’s elite team of hackers, Project Zero, has dug into this stealthy mode of attack in recent months.

On Thursday, Samuel Gross laid out how, armed with only a target’s Apple ID, he could remotely compromise an iPhone within minutes to steal passwords, text messages and emails, and activate the camera and microphone.

The attack, which exploited an iOS 12.4 vulnerability for which Apple issued a patch last August, shows how “small design decisions can have significant security consequences,” Gross wrote in a blog post.

Gross poked holes in some conventional wisdom around security features used in the iPhone operating system. Address space layout randomization (ASLR), a memory-layout-randomizing feature meant to guard against exploits, “is not as strong in practice,” he said. It could be broken, in part, through a side channel that the attacker sets up to interact with the victim device, he said. By abusing the “receipts” feature that lets users know their iMessages have been delivered, Gross demonstrated remote code execution.

Clickless exploits are anything but hypothetical. Last October, Facebook sued software surveillance company NSO Group for allegedly developing an exploit that infected about 1,400 mobile devices that had WhatsApp installed. Users were reportedly infected if their phone was called — regardless of whether they answered the call. NSO Group denied involvement in the attack.

Gross, who presented his research at a hacking conference last month, said that he recommended new security measures to Apple based on his research.

“As much code as possible should be put behind user interaction, in particular when receiving messages from unknown senders,” he advised.

Implementing all the recommendations, some of which Apple already has, “should make similar exploits significantly harder in the future,” Gross argued.
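To make the recommendation quoted above concrete, here is an added illustration, not code from the article, from Apple, or from Project Zero. It sketches a toy message-receiving pipeline in which the large, complex parsers (attachments, rich text, link previews) never run on a message from an unknown sender until the user explicitly opts in; a plain-text message from a stranger gets only a bounded, lossy text decode. All class and function names (`Inbox`, `Message`, `parse_full`, `parse_plain`, `user_accepts`) and the sample traffic are hypothetical and constructed for the example.

```python
"""Added example (not from the article or from Apple/Project Zero): a toy
message-receiving pipeline that keeps the large, risky parsers (attachments,
rich text, link previews) behind explicit user interaction when the sender
is unknown. All names here are hypothetical."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PROCESS_FULL = "process_full"        # run every parser, as for a known contact
    PLAIN_TEXT_ONLY = "plain_text_only"  # decode plain text, touch nothing else
    HOLD_FOR_USER = "hold_for_user"      # parse nothing until the user opts in


@dataclass
class Message:
    sender: str
    body: bytes
    attachments: list = field(default_factory=list)  # filenames (constructed)
    rich: bool = False  # carries a rich-text / link-preview payload


def parse_plain(msg: Message) -> dict:
    """Minimal attack surface: a bounded, lossy UTF-8 decode and nothing more."""
    return {"sender": msg.sender, "text": msg.body[:4096].decode("utf-8", "replace")}


def parse_full(msg: Message) -> dict:
    """Stand-in for the attachment, rich-text and preview parsers: the code
    that in a real client is large and complex and should not see untrusted
    input without user interaction."""
    out = parse_plain(msg)
    out["attachments"] = list(msg.attachments)
    out["rich"] = msg.rich
    return out


@dataclass
class Inbox:
    contacts: set
    accepted: set = field(default_factory=set)   # senders the user opted in to
    held: dict = field(default_factory=dict)      # sender -> unparsed messages
    processed: list = field(default_factory=list)

    def triage(self, msg: Message) -> Action:
        if msg.sender in self.contacts or msg.sender in self.accepted:
            return Action.PROCESS_FULL
        if not msg.attachments and not msg.rich:
            return Action.PLAIN_TEXT_ONLY
        return Action.HOLD_FOR_USER

    def receive(self, msg: Message) -> Action:
        action = self.triage(msg)
        if action is Action.PROCESS_FULL:
            self.processed.append(parse_full(msg))
        elif action is Action.PLAIN_TEXT_ONLY:
            self.processed.append(parse_plain(msg))
        else:
            # Unknown sender with risky content: store the raw bytes, parse nothing.
            self.held.setdefault(msg.sender, []).append(msg)
        return action

    def user_accepts(self, sender: str) -> int:
        """The user interaction: only now do held messages reach parse_full."""
        self.accepted.add(sender)
        pending = self.held.pop(sender, [])
        for msg in pending:
            self.processed.append(parse_full(msg))
        return len(pending)


def demo() -> list:
    """Constructed traffic: one known contact, one unknown sender."""
    inbox = Inbox(contacts={"alice@example.com"})
    return [
        inbox.receive(Message("alice@example.com", b"photo", ["a.png"], rich=True)),
        inbox.receive(Message("unknown@example.com", b"hello")),
        inbox.receive(Message("unknown@example.com", b"see attached", ["doc.pdf"])),
    ]


if __name__ == "__main__":
    for action in demo():
        print(action.value)
```

The design choice worth noting is that `triage` decides on sender identity and message shape before any content is decoded, so a malformed attachment or rich payload from a stranger sits unparsed in `held` until `user_accepts` runs; the risky code path is reachable only after a deliberate user action, which is exactly what the quoted recommendation asks for.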

That, of course, is the whole point of Project Zero, which aims to take as many zero-day exploits — or those unknown to vendors — as possible out of attackers’ hands.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.