Update your Apple devices now – new Stagefright-style hack discovered

Remember Stagefright, that vulnerability in Google’s Android operating system that had security experts up in arms? Turns out Apple devices running older versions of iOS, WatchOS, tvOS, and OS X have a similar problem to worry about.

According to researcher Tyler Bohan at cybersecurity firm Cisco Talos, older versions of iOS and OS X contain a vulnerability that could theoretically allow a media file like a photo or video to defeat built-in software security measures and take over your device. The malformed media file could arrive via email, iMessage, a webpage, or other apps.

Luckily, protecting your Apple devices is relatively straightforward. As long as your iPhone, Apple TV, Apple Watch, and Mac are running the newest software, you’ve got nothing to worry about. Apple patched the vulnerabilities in the latest version of iOS, 9.3.3, and says it’s working on a fix for OS X. Also rectified in the latest iOS version is a bug that permitted anyone on the same network as a FaceTime chat user to “intercept” the audio of ongoing conversations. Needless to say, it’s a critical patch, so download it now. It’s available for all iPhones from the iPhone 4S to the iPhone 6S/Plus.

How does the hack work?

For those who are curious, here’s a technical explanation of the hack. The problem lies in how older versions of Apple’s device software handle media. A malformed multimedia file, like a photo sent via email or text, could trigger one of several bugs in the software’s playback engine that subsequently cause it to “lose control of how it handles its memory space.” This happens when your device processes the image to create a thumbnail for you to view. From that point, unfortunately, the sky’s the limit. A hacker could take over your device and access your private information.

Typically, iOS prevents malicious code from operating outside of prescribed boundaries, but an attacker could potentially gain elevated privileges by applying secondary exploits. And Mac OS X, unlike iOS, imposes no such limitations, so an ill-meaning programmer could install unwanted apps on an infected computer, send personal information contained within it to a remote server, or commandeer it for a denial-of-service attack.

Perhaps most alarmingly, the malicious payloads can trigger clandestinely, without a user’s knowledge. Any app that displays images, like a messaging app, iMessage, an email client, or even a web browser, could put a device at risk of infection.

“An attack could deliver a payload … using a wide range of potential attack vectors,” Talos said. In applications that use Apple’s built-in rendering engine to display images, the bugs could be exploited “without user interaction,” Talos explained. Text messengers are particularly vulnerable, according to Bohan. “The receiver of an MMS cannot prevent exploitation and MMS is a store and deliver mechanism,” he told Forbes. “I can send the exploit today and you will receive it whenever your phone is online.”

According to Talos, the vulnerabilities lie in Apple’s Core Graphics API, Scene Kit, and Image I/O — the components responsible for parsing and handling media files. As Talos explains, certain image file formats, like TIFF, can overwhelm the Image I/O API in ways that allow “remote code execution.” Others, like OpenEXR and BMP, can exploit related bugs in the Core Graphics API, Image I/O, and Scene Kit to write malicious code within the image to the device’s internal memory. Still others can misdirect Scene Kit to malicious files by parading them as legitimate.
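For administrators who cannot update every device at once, one stopgap is to hold attachments in the formats Talos names before they reach a vulnerable parser. The sketch below is an added example, not code from Talos or Apple; the `triage` helper, the extension table, and the sample bytes are assumptions constructed for illustration.

```python
import os

# Leading magic bytes for the image formats named in the Talos report.
MAGIC = {
    "TIFF": (b"II*\x00", b"MM\x00*"),   # little- and big-endian classic TIFF
    "BMP": (b"BM",),                    # 2 bytes only, so it over-matches
    "OpenEXR": (b"\x76\x2f\x31\x01",),
}
# Usual file extensions per format (assumption made for this example).
EXTENSIONS = {
    "TIFF": {".tif", ".tiff"},
    "BMP": {".bmp", ".dib"},
    "OpenEXR": {".exr"},
}

def sniff_format(data):
    """Identify the format from content; the file name is never trusted."""
    for fmt, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return None

def triage(filename, data):
    """Decide whether to hold an attachment until devices are patched."""
    fmt = sniff_format(data)
    ext = os.path.splitext(filename)[1].lower()
    return {
        "file": filename,
        "format": fmt,
        "hold": fmt is not None,
        # Content in a held format hiding behind another extension.
        "disguised": fmt is not None and ext not in EXTENSIONS[fmt],
    }

def held(samples):
    """Names of all attachments the rule would hold."""
    return [name for name, data in samples if triage(name, data)["hold"]]

# Constructed sample attachments (headers only, not real images).
SAMPLES = [
    ("scan.tiff", b"II*\x00\x08\x00\x00\x00"),
    ("holiday.jpg", b"MM\x00*\x00\x00\x00\x08"),      # TIFF bytes, JPEG name
    ("render.exr", b"\x76\x2f\x31\x01\x02\x00\x00\x00"),
    ("logo.bmp", b"BM\x46\x00\x00\x00"),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),   # real JPEG header
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(triage(name, data))
```

Because the BMP signature is only two bytes long, the rule errs toward holding too much, which is the safe direction for a temporary filter.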

“Image files are an excellent vector for attacks since they can be easily distributed over web or email traffic without raising the suspicion of the recipient,” said Talos. “These vulnerabilities are all the more dangerous because Apple Core Graphics API, Scene Kit and Image I/O are used widely by software on the Apple OS X platform.”

This is a very serious hack, mainly because if your device was affected, you wouldn’t even be able to tell. We recommend that you download the latest iOS software immediately to protect yourself. Go to Settings > General > Software Update and install the iOS 9.3.3 update when it appears on the page.

Kyle Wiggers
Former Digital Trends Contributor
Kyle Wiggers is a writer, Web designer, and podcaster with an acute interest in all things tech. When not reviewing gadgets…