Update your Apple devices now – new Stagefright-style hack discovered

How to make a contact group on iPhone
Remember Stagefright, that vulnerability in Google’s Android operating system that had security experts up in arms? Turns out Apple devices running older versions of iOS, WatchOS, tvOS, and OS X have a similar problem to worry about.

According to researcher Tyler Bohan at cybersecurity firm Cisco Talos, older versions of iOS and OS X contain an exploit that could theoretically allow a media file like a photo or video to defeat built-in software security measures and take over your device. The malformed media file could arrive as an email, iMessage, webpage, or other apps.

Luckily, protecting your Apple devices is relatively straightforward. As long as your iPhone, Apple TV, Apple Watch, and Mac are running the newest software, you’ve got nothing to worry about. Apple patched the exploits in the latest version of iOS 9.3.3, and says it’s working on a fix for OS X. Also rectified in the latest iOS version is a bug that permitted anyone on the same network as a FaceTime chat user to “intercept” the audio of ongoing conversations. Needless to say, it’s a critical patch, so download it now. It’s available for all iPhones from the iPhone 4S to the iPhone 6S/Plus.

How does the hack work?

For those who are curious, here’s a technical explanation of the hack. The problem lies in how older versions of Apple’s device software handle media. A malformed multimedia file, like a photo sent via email or text, could trigger one of several bugs in the software’s playback engine that subsequently cause it to “lose control of how it handles its memory space.” This happens when your device processes the image to create a thumbnail for you to view. From that point, unfortunately, the sky’s the limit. A hacker could take over your device and access your private information.

Typically, iOS prevents malicious code from operating outside of prescribed boundaries, but an attacker could potentially gain elevated privileges by applying secondary exploits. And Mac OS X, unlike iOS, imposes no such limitations, so an ill-meaning programmer could install unwanted apps on an infected computer, send personal information contained within it to a remote server, or commandeer it for a for a denial-of-service attack.

Perhaps most alarmingly, the malicious payloads can trigger clandestinely, without a user’s knowledge. Any app that displays images, like a messaging app, iMessage, an email client, or even a web browser, could put a device at risk of infection.

“An attack could deliver a payload … using a wide range of potential attack vectors,” Talos said. Applications that use Apple’s built-in rendering engine to display images could exploit the bugs “without user interaction,” Talos explained. Text messengers are particularly vulnerable, according to Bohan. “The receiver of an MMS cannot prevent exploitation and MMS is a store and deliver mechanism,” he told Forbes. “I can send the exploit today and you will receive it whenever your phone is online.”

According to Talos, the vulnerabilities lie in Apple’s Apple Core Graphics API, Scene Kit, and Image I/O — the components responsible for parsing and handling media files. As Talos explains, certain image file formats, like TIFF, can overwhelm the Image I/O API ways that allow “remote code execution.” Others, like OpenEXR and BMP, can exploit related bugs in the Core Graphics API, Image I/O, and Scene Kit to write malicious code within the image to the device’s internal memory. And still, others can misdirect Scene Kit to malicious files by parading them as legitimate.

“Image files are an excellent vector for attacks since they can be easily distributed over web or email traffic without raising the suspicion of the recipient,” said Talos. “These vulnerabilities are all the more dangerous because Apple Core Graphics API, Scene Kit and Image I/O are used widely by software on the Apple OS X platform.”

This is a very serious hack, mainly because if your device was affected, you wouldn’t even be able to tell. We recommend that you download the latest iOS software immediately to protect yourself. Go to Settings > General > Software update and install the iOS 9.3.3 update when it appears on the page.


Xiaomi Mi 9 will be one of the first phones with monster Snapdragon 855 chip

Xiaomi's next major smartphone release will be the Mi 9, and the company hasn't held back in giving us a good look at the phone, revealing the design, the camera, and a stunning color.

These are the must-have games that every Xbox One owner needs

More than four years into its life span, Microsoft's latest console is finally coming into its own. From Cuphead to Halo 5, the best Xbox One games offer something for players of every type.

Enjoy Windows on a Chromebook with these great tips and tricks

If you want to push the functionality of your new Chromebook to another level, and Linux isn't really your deal, you can try installing Windows on a Chromebook. Here's how to do so in case you're looking to nab some Windows-only software.

Take to the virtual skies with these free flight simulators

You don't have to spend the entirety of your paycheck to become a virtual ace, at least when it comes to flight simulation. Our list of the best free flight simulators will let you unleash your inner Maverick.

New rumors suggest the iPhone 2019 will continue to use Lightning over USB-C

While it's not been long since the last iPhones launched, rumors for the next iPhone are already surfacing. Apple's 2019 flagship could include a variety of upgrades ranging from a new design to enhanced features.

Galaxy Watch Active isn't official yet, but you can see it in Samsung's own app

Samsung may be about to resurrect its Sport line of smartwatches under a new name: The Galaxy Watch Sport Active. Leaks and rumors are building our picture of the device at the moment.

Focals succeed where Google Glass fumbled (but do we really need smartglasses?)

It’s been seven years since Google took the wraps off Google Glass. Now, we’re finally getting a modern-day equivalent we want to wear. North’s Focals combine subtle style with an intuitive interface to craft smartglasses you’ll…

Stop buying old tablets, says Samsung, buy the new Galaxy Tab S5e instead

Samsung has launched the Galaxy Tab S5e -- the E is for Essential -- a reasonably priced tablet that includes many of the features we like from the Tab A 10.5, and the Tab S4. Here's what you need to know.

Bag yourself a bargain with the best budget tablets under $200

The battle for your budget tablet affections is really ramping up. Which tablet, costing less than $200, should be commanding your attention? We take a look at some different options for the budget-conscious.

What is Wi-Fi 6? Here's a look at the next evolution of the wireless standard

We're exploring the new naming convention for wireless standards, how it affects the devices you buy, and what the upcoming Wi-Fi generation is changing for the better.
Home Theater

Samsung accidentally leaks its new Galaxy Buds ahead of launch

It's been all but certain that Samsung would launch a successor to its Gear IconX wireless earbuds soon, but a newly leaked photo and recent FCC certification document seems to indicate that the debut is very close.
Home Theater

Hi-res streaming audio service Qobuz arrives in U.S., threatens Tidal’s monopoly

For several years, Tidal enjoyed a monopoly on hi-res music streaming in the U.S. Now, French company Qobuz is here to offer some competition with a variety of monthly plans starting at $10 a month.

These 13 gadgets walk a fine line between ingenious and insane

The annual avalanche of devices and gadgets is astounding, but how many will succeed? A few are destined to spark new trends, while the majority fade deservedly into obscurity. We look at some gadgets on the border of brilliant and bonkers.

OnePlus 6T vs. Honor View 20: We compare the cameras in these ‘flagship killers’

For less than $600, you can buy either the OnePlus 6T or the Honor View 20, two extremely capable smartphones with plenty of exciting features. But which one has the best camera? We found out on a recent trip to France.