Update your Apple devices now – new Stagefright-style hack discovered

How to make a contact group on iPhone
Remember Stagefright, that vulnerability in Google’s Android operating system that had security experts up in arms? Turns out Apple devices running older versions of iOS, WatchOS, tvOS, and OS X have a similar problem to worry about.

According to researcher Tyler Bohan at cybersecurity firm Cisco Talos, older versions of iOS and OS X contain an exploit that could theoretically allow a media file like a photo or video to defeat built-in software security measures and take over your device. The malformed media file could arrive as an email, iMessage, webpage, or other apps.

Luckily, protecting your Apple devices is relatively straightforward. As long as your iPhone, Apple TV, Apple Watch, and Mac are running the newest software, you’ve got nothing to worry about. Apple patched the exploits in the latest version of iOS 9.3.3, and says it’s working on a fix for OS X. Also rectified in the latest iOS version is a bug that permitted anyone on the same network as a FaceTime chat user to “intercept” the audio of ongoing conversations. Needless to say, it’s a critical patch, so download it now. It’s available for all iPhones from the iPhone 4S to the iPhone 6S/Plus.

How does the hack work?

For those who are curious, here’s a technical explanation of the hack. The problem lies in how older versions of Apple’s device software handle media. A malformed multimedia file, like a photo sent via email or text, could trigger one of several bugs in the software’s playback engine that subsequently cause it to “lose control of how it handles its memory space.” This happens when your device processes the image to create a thumbnail for you to view. From that point, unfortunately, the sky’s the limit. A hacker could take over your device and access your private information.

Typically, iOS prevents malicious code from operating outside of prescribed boundaries, but an attacker could potentially gain elevated privileges by applying secondary exploits. And Mac OS X, unlike iOS, imposes no such limitations, so an ill-meaning programmer could install unwanted apps on an infected computer, send personal information contained within it to a remote server, or commandeer it for a for a denial-of-service attack.

Perhaps most alarmingly, the malicious payloads can trigger clandestinely, without a user’s knowledge. Any app that displays images, like a messaging app, iMessage, an email client, or even a web browser, could put a device at risk of infection.

“An attack could deliver a payload … using a wide range of potential attack vectors,” Talos said. Applications that use Apple’s built-in rendering engine to display images could exploit the bugs “without user interaction,” Talos explained. Text messengers are particularly vulnerable, according to Bohan. “The receiver of an MMS cannot prevent exploitation and MMS is a store and deliver mechanism,” he told Forbes. “I can send the exploit today and you will receive it whenever your phone is online.”

According to Talos, the vulnerabilities lie in Apple’s Apple Core Graphics API, Scene Kit, and Image I/O — the components responsible for parsing and handling media files. As Talos explains, certain image file formats, like TIFF, can overwhelm the Image I/O API ways that allow “remote code execution.” Others, like OpenEXR and BMP, can exploit related bugs in the Core Graphics API, Image I/O, and Scene Kit to write malicious code within the image to the device’s internal memory. And still, others can misdirect Scene Kit to malicious files by parading them as legitimate.

“Image files are an excellent vector for attacks since they can be easily distributed over web or email traffic without raising the suspicion of the recipient,” said Talos. “These vulnerabilities are all the more dangerous because Apple Core Graphics API, Scene Kit and Image I/O are used widely by software on the Apple OS X platform.”

This is a very serious hack, mainly because if your device was affected, you wouldn’t even be able to tell. We recommend that you download the latest iOS software immediately to protect yourself. Go to Settings > General > Software update and install the iOS 9.3.3 update when it appears on the page.

Mobile

Updating to Apple’s iOS 12 will make your iPhone a whole lot smarter

iOS 12, the latest version of Apple’s iOS, is officially here. We took it for a spin to check out its new noteworthy features, and if it truly changes our smartphone habits for the better.
Mobile

Apple iPhone XS Max vs. Huawei P20 Pro: Clash of the titans

Anyone seeking a great new smartphone with plenty of money to spend has two amazing options, but which is better for you? We pit the Apple iPhone XS Max vs. Huawei P20 Pro in various categories to help you choose.
Computing

Newegg was cracked, customer data has leaked, and security is clearly scrambled

Online electronics retailer Newegg has found themselves at the heart of an online security breach as the company's payment system was breached, giving hackers of the notorious group, Magecart, potential access to confidential customer data…
Mobile

Google Maps is available on Apple CarPlay with iOS 12

After months of betas, the final version of iOS 12 is here to download. The new OS comes along with tons of new capabilities from grouped notifications to Siri Shortcuts, here are all the features you'll find in iOS 12.
Mobile

How to buy the iPhone XS, iPhone XS Max, and iPhone XR in the U.K.

The new iPhone range is here, and it consists of three models: The iPhone XS, the iPhone XS Max, and the iPhone XR. You can buy the iPhone XS and XS Max in the United Kingdom now, so here's our guide on where to buy one.
Mobile

Need a do-over? Here's how to factory reset an iPhone, from XS on down

Resetting an iPhone can alleviate all sorts of software woes, and wipe away personal data should you sell your device or give it to someone else. Here's how to factory reset an iPhone from within iOS or iTunes.
Product Review

Don't let the bigger iPhones woo you away: The XS is still a masterpiece

Apple’s next smartphone is here -- the iPhone XS. We think it’s the perfect size for an iPhone, and it manages to impress with astounding performance, and sizable camera improvements.
Mobile

Audio company Bragi is suing OnePlus over the word 'dash'

Despite taking steps to change to "Warp Charge," OnePlus is being sued by audio company Bragi over the phone manufacturer's continued use of the word "dash" in the Dash Charging used in OnePlus phones.
Mobile

The best weather apps for Android will keep you dry no matter where you go

You may not be able to change the weather, but you can at least be prepared for it. Check out our guide to the best weather apps for Android, so you'll always know what to expect when you step out the front door.
Mobile

Android 9.0 Pie is finally rolling out to the OnePlus 6

Android 9.0 Pie has been released. But is your phone getting Android 9.0 Pie, and if so, when? We've done the hard work and asked every device manufacturer to see when their devices would be getting the update.
Mobile

Keep the iPhone XS display crack-free with these screen protectors

Apple might have proclaimed the iPhone XS's glass as being its most durable ever, but that's not going to stop you from wincing if you drop your phone. Stay protected with the best iPhone XS screen protectors.
Product Review

With its epic screen, Apple's iPhone XS Max is a phone you can live inside

The iPhone XS Max is here. Should you get the massive 6.5-inch iPhone from Apple? Or should you pick the smaller iPhone XS? We’ve been putting the Max through its paces to find out in our review.
Mobile

Hateful software kills our enthusiasm for newcomer Realme’s $155 Android phone

Realme is a new smartphone brand with an interesting start to life, as it closely mirrors that of OnePlus, a brand we admire. The Realme 2 is its second phone, and we've given it a try to see if it's a winner.
Mobile

BlackBerry Key2 LE vs. BlackBerry Key2: Which productivity titan reigns supreme?

The Blackberry Key2 LE has many of the same features as its more expensive competitor, the BlackBerry Key2, yet comes in at $250 less. Which one should you choose? Here's how the BlackBerry Key2 LE and BlackBerry Key2 compare.