Skip to main content
  1. Home
  2. Mobile
  3. News

Update your Apple devices now – new Stagefright-style hack discovered

Kyle Wiggers
By

How to make a contact group on iPhone
Image used with permission by copyright holder
Remember Stagefright, that vulnerability in Google’s Android operating system that had security experts up in arms? Turns out Apple devices running older versions of iOS, WatchOS, tvOS, and OS X have a similar problem to worry about.

According to researcher Tyler Bohan at cybersecurity firm Cisco Talos, older versions of iOS and OS X contain an exploit that could theoretically allow a media file like a photo or video to defeat built-in software security measures and take over your device. The malformed media file could arrive as an email, iMessage, webpage, or other apps.

Recommended Videos

Luckily, protecting your Apple devices is relatively straightforward. As long as your iPhone, Apple TV, Apple Watch, and Mac are running the newest software, you’ve got nothing to worry about. Apple patched the exploits in the latest version of iOS 9.3.3, and says it’s working on a fix for OS X. Also rectified in the latest iOS version is a bug that permitted anyone on the same network as a FaceTime chat user to “intercept” the audio of ongoing conversations. Needless to say, it’s a critical patch, so download it now. It’s available for all iPhones from the iPhone 4S to the iPhone 6S/Plus.

Related

How does the hack work?

For those who are curious, here’s a technical explanation of the hack. The problem lies in how older versions of Apple’s device software handle media. A malformed multimedia file, like a photo sent via email or text, could trigger one of several bugs in the software’s playback engine that subsequently cause it to “lose control of how it handles its memory space.” This happens when your device processes the image to create a thumbnail for you to view. From that point, unfortunately, the sky’s the limit. A hacker could take over your device and access your private information.

Typically, iOS prevents malicious code from operating outside of prescribed boundaries, but an attacker could potentially gain elevated privileges by applying secondary exploits. And Mac OS X, unlike iOS, imposes no such limitations, so an ill-meaning programmer could install unwanted apps on an infected computer, send personal information contained within it to a remote server, or commandeer it for a for a denial-of-service attack.

Perhaps most alarmingly, the malicious payloads can trigger clandestinely, without a user’s knowledge. Any app that displays images, like a messaging app, iMessage, an email client, or even a web browser, could put a device at risk of infection.

“An attack could deliver a payload … using a wide range of potential attack vectors,” Talos said. Applications that use Apple’s built-in rendering engine to display images could exploit the bugs “without user interaction,” Talos explained. Text messengers are particularly vulnerable, according to Bohan. “The receiver of an MMS cannot prevent exploitation and MMS is a store and deliver mechanism,” he told Forbes. “I can send the exploit today and you will receive it whenever your phone is online.”

According to Talos, the vulnerabilities lie in Apple’s Apple Core Graphics API, Scene Kit, and Image I/O — the components responsible for parsing and handling media files. As Talos explains, certain image file formats, like TIFF, can overwhelm the Image I/O API ways that allow “remote code execution.” Others, like OpenEXR and BMP, can exploit related bugs in the Core Graphics API, Image I/O, and Scene Kit to write malicious code within the image to the device’s internal memory. And still, others can misdirect Scene Kit to malicious files by parading them as legitimate.

“Image files are an excellent vector for attacks since they can be easily distributed over web or email traffic without raising the suspicion of the recipient,” said Talos. “These vulnerabilities are all the more dangerous because Apple Core Graphics API, Scene Kit and Image I/O are used widely by software on the Apple OS X platform.”

This is a very serious hack, mainly because if your device was affected, you wouldn’t even be able to tell. We recommend that you download the latest iOS software immediately to protect yourself. Go to Settings > General > Software update and install the iOS 9.3.3 update when it appears on the page.

Editors' Recommendations

Topics
Kyle Wiggers
Kyle Wiggers
Former Digital Trends Contributor
Kyle Wiggers is a writer, Web designer, and podcaster with an acute interest in all things tech. When not reviewing gadgets…
Apple just released iOS 17.4. Here’s how it’s going to change your iPhone
The Apple iPhone 15 Pro Max and iPhone 14 Pro showing the screens.

Apple iPhone 14 Pro (left) and iPhone 15 Pro Max Andy Boxall / Digital Trends

If you have an iPhone, you'll want to check it right now for a big update. The iOS 17.4 update is officially rolling out right now and it includes some fairly significant new features.

Read more
No, the Journal app on your iPhone isn’t spying on you
Apple Journal app on an iPhone 15 Pro.

If you've spent any time on Facebook, TikTok, or any other social media site over the last couple of days, there's a chance you've seen people claiming that your iPhone is spying on you — specifically, with a feature called "Journaling Suggestions."

One post I stumbled across on Facebook made it sound rather frightening, warning me that the feature shares my FULL NAME and EXACTLY where I'm located to anyone nearby. The post told me to go and toggle the setting off immediately because it was "Very scary stuff!!"

Read more
The 6 best ways Macs work with your other Apple devices
A person holds an iPhone in front of a MacBook.

One of the best things about using more than one Apple device is the way they interact with each other. Apple has built all kinds of clever features into its famous ecosystem, and it means your devices all work together in a way that you just don’t get from any other manufacturer.

AirDrop might be the ultimate expression of this, though that's fairly well-known. Here, we’ve picked out six other great ways your Mac works with other Apple products. Most require you to have Bluetooth and Wi-Fi enabled, as well as for you to be using the same Apple ID on all your devices. Check the System Settings app on your devices to make sure the specific features are enabled, although most should be by default.

Read more