Skip to main content
  1. Home
  2. Phones
  3. Apple
  4. Computing
  5. Mobile
  6. Photography
  7. Web
  8. News

Update your Apple devices now – new Stagefright-style hack discovered

Add as a preferred source on Google

Remember Stagefright, that vulnerability in Google’s Android operating system that had security experts up in arms? Turns out Apple devices running older versions of iOS, WatchOS, tvOS, and OS X have a similar problem to worry about.

According to researcher Tyler Bohan at cybersecurity firm Cisco Talos, older versions of iOS and OS X contain an exploit that could theoretically allow a media file like a photo or video to defeat built-in software security measures and take over your device. The malformed media file could arrive as an email, iMessage, webpage, or other apps.

Recommended Videos

Luckily, protecting your Apple devices is relatively straightforward. As long as your iPhone, Apple TV, Apple Watch, and Mac are running the newest software, you’ve got nothing to worry about. Apple patched the exploits in the latest version of iOS 9.3.3, and says it’s working on a fix for OS X. Also rectified in the latest iOS version is a bug that permitted anyone on the same network as a FaceTime chat user to “intercept” the audio of ongoing conversations. Needless to say, it’s a critical patch, so download it now. It’s available for all iPhones from the iPhone 4S to the iPhone 6S/Plus.

How does the hack work?

For those who are curious, here’s a technical explanation of the hack. The problem lies in how older versions of Apple’s device software handle media. A malformed multimedia file, like a photo sent via email or text, could trigger one of several bugs in the software’s playback engine that subsequently cause it to “lose control of how it handles its memory space.” This happens when your device processes the image to create a thumbnail for you to view. From that point, unfortunately, the sky’s the limit. A hacker could take over your device and access your private information.

Typically, iOS prevents malicious code from operating outside of prescribed boundaries, but an attacker could potentially gain elevated privileges by applying secondary exploits. And Mac OS X, unlike iOS, imposes no such limitations, so an ill-meaning programmer could install unwanted apps on an infected computer, send personal information contained within it to a remote server, or commandeer it for a for a denial-of-service attack.

Perhaps most alarmingly, the malicious payloads can trigger clandestinely, without a user’s knowledge. Any app that displays images, like a messaging app, iMessage, an email client, or even a web browser, could put a device at risk of infection.

“An attack could deliver a payload … using a wide range of potential attack vectors,” Talos said. Applications that use Apple’s built-in rendering engine to display images could exploit the bugs “without user interaction,” Talos explained. Text messengers are particularly vulnerable, according to Bohan. “The receiver of an MMS cannot prevent exploitation and MMS is a store and deliver mechanism,” he told Forbes. “I can send the exploit today and you will receive it whenever your phone is online.”

According to Talos, the vulnerabilities lie in Apple’s Apple Core Graphics API, Scene Kit, and Image I/O — the components responsible for parsing and handling media files. As Talos explains, certain image file formats, like TIFF, can overwhelm the Image I/O API ways that allow “remote code execution.” Others, like OpenEXR and BMP, can exploit related bugs in the Core Graphics API, Image I/O, and Scene Kit to write malicious code within the image to the device’s internal memory. And still, others can misdirect Scene Kit to malicious files by parading them as legitimate.

“Image files are an excellent vector for attacks since they can be easily distributed over web or email traffic without raising the suspicion of the recipient,” said Talos. “These vulnerabilities are all the more dangerous because Apple Core Graphics API, Scene Kit and Image I/O are used widely by software on the Apple OS X platform.”

This is a very serious hack, mainly because if your device was affected, you wouldn’t even be able to tell. We recommend that you download the latest iOS software immediately to protect yourself. Go to Settings > General > Software update and install the iOS 9.3.3 update when it appears on the page.

Kyle Wiggers
Kyle Wiggers is a writer, Web designer, and podcaster with an acute interest in all things tech. When not reviewing gadgets…
Google just beat its own Prime Day Pixel 10 Pro deal, and the Pixel 11 may explain why
The 128GB Obsidian model has dropped to $699 as stock starts thinning ahead of Google’s next phone launch
Rear shell of Google Pixel 10 Pro.

Google has cut the 128GB Pixel 10 Pro in Obsidian to $699, knocking $300 off its usual price and beating its Prime Day offer by another $50.

There’s an unusually specific catch. The deepest discount only applies to one color and one storage option, while other unlocked Pixel 10 Pro and Pro XL models remain $250 off.

Read more
Acer’s new Android phone lets you take better selfies with a rear display
A tiny rear display steals the spotlight, but there's more to Acer's latest phone than meets the eye.
Acer Sospiro A15

After a brief hiatus, Acer has broken that silence, and it did so without any fanfare. Acer Mobile LATAM has quietly listed the Acer Sospiro A15, a phone with a dual-display design, Android 16, and a 64MP rear camera. Here’s everything you need to know about the phone. 

The second screen on the back is doing the heavy lifting

Read more
Forget folding twice. Samsung’s next big-screen phone may simply slide open
Samsung’s next wild Galaxy could stretch into a tablet before TriFold 2 lands
Samsung Galaxy TriFold folding, TriFold Phone

Samsung’s first Galaxy Z TriFold turned a regular-looking phone into a 10-inch tablet using two hinges. Now, its next big-screen experiment may achieve a similar transformation by simply stretching sideways. A new leak claims Samsung's rumored Galaxy Z TriFold 2 has slipped past its original release schedule because of unspecified cost-related problems.

But the same source has revealed that a long-rumored slidable Galaxy phone might make an introduction ahead of the delayed trifold sequel.

Read more