Contrary to the article, blocking ALL media besides plain text from random senders who aren't in your contacts is exactly what most people would want and should be the default. I don't see any downsides to that approach.
Perhaps this idea could be extended to treating content differently for all messages from unverified identities. Getting people to verify identities in an end to end encryption system is a huge problem. This could provide a conceptual hook that would mean that unverified contacts were untrustworthy contacts. This would be a state, rather than something that you get nagged about from time to time.
Otherwise an attacker will usually be able to figure out a way to fake a message from someone already in your contact list.
Of course iMessage doesn't do identity verification which is why it does not have effective end to end encryption in the first place. So they would have to solve that, perhaps larger problem, first.
A small way to reduce attack surface: have iMessage just set up for your iCloud email address instead of your phone number. Phone numbers are becoming increasingly useless.
> In fact, Citizen Lab researchers and others suggest that Apple should simply provide an option to disable iMessage entirely.
There's a checkbox in Settings > Messages that does exactly this? It seems strange they published this.
> Phone numbers are becoming increasingly useless.
Not really, there's a ton of government services that require you to have a phone number (depending on where you live). I don't see any real suggestion for an alternative to having a phone number. If nothing else, to receive notifications. You can't really rely on iMessage, WhatsApp, Signal and similar services; you need one system that you're sure will cover 98% of all people. Third parties can't even integrate into many of these services.
You could use email, but I don't really see how that's any better, and many seniors will use SMS, but not email to any great extent.
SMS is still the only unified messaging service you can be sure that all your friends and family will have.
Nope, when I'm on the go, I certainly have a way better communication using phone calls than whatever VOIP du jour.
Phone numbers, like emails, are very robust and reliable, interoperable, not centralized to one entity, and the quality of service vs cost ratio is excellent.
Not to mention text messages:
- they work no matter if the person is using whatsapp, telegram, signal or the new hype stuff
- no GAFAM is collecting my text history to sell me ads
- they require no internet connection
There are 3 things that we must absolutely cherish and preserve in this race for tech: cash, emails and phone numbers.
They are a beacon of stability in this sea of ever moving innovation greed.
And I say that while I'm thinking about setting up an IPFS website, compiling the Python 3.10 beta to test it and buying a secondary e-ink screen for my laptop. I'm not technophobic.
"... Citizen Lab researchers and others suggest that Apple should simply provide an option to disable iMessage entirely."
You can do this already. If you "manage" your iPhone with Apple Configurator you have fine-grained control over every little thing it does. You can disable iMessage (and many other things like the App Store, etc.)
Can you war-dial attack with these? Seems like it would be super easy for a script kiddie to just start at 111-111-1111, send message, increment by 1, repeat. Maybe narrow it down to valid area codes and what not, but seems like a super low budget thing to do.
I got corrected last time this topic came up. I originally thought Messages was part of the OS and not a pre-installed userspace app. However, if it's in userspace, why is it such a vulnerable vector for compromising the phone? Is there some privilege-escalation component to this that I haven't read about?
iMessage is one of few apps that have broad permissions to execute code in response to notifications.
For other apps like Telegram, the server can send a predefined notification message.
For iMessage, when you get something even from someone outside your contacts, its daemon invokes specific code to handle the message and its attachments.
Whilst this doesn't help if someone opens the app, it does at least change this from a zero-click attack to a one-click attack.
(This is also another example of Apple not following its own app store rules. It has privileged access to frameworks.)
Objective-C has bounds checks and lengths built into NSData, NSArray, and NSString, so many of the buffer overflow techniques likely won't work against it. However, images and video seem to hit C++ code, and from all of the past CVEs it seems this is a giant attack surface over and over again.
I’m surprised this code isn’t being rewritten in something like Rust, but perhaps there are more things going on at play, like the plist serialization attacks that end up coding for esoteric classes that contained various bugs.
You are talking about the same company that shoved their proprietary WiFi protocol full of holes straight into the kernel. Judging from the kind of messages it emits, the latter is a true masterpiece by the way.
Does this mean that iMessage evaluates messages as code for some reason? Why on earth would that be the case? It's a foundational security principle to not do that.
And even if they did then why is that so hard to fix?
Why aren't lightweight hypervisors used more outside the public cloud? It seems that would go a long way in protecting the rest of the device from poorly written C code parsing user input.
Getting an application that's running in a hypervisor to seamlessly, for example, accept deep-link clicks is more complicated for the same reason that they're more secure. That extra boundary is another wall, another interface. And of course that means more complexity for app developers, and more compute cost/battery utilization.
Similarly to Android, there have been attacks that involve exploiting bugs in the code that parses incoming messages, and then via the exploit you can get remote code execution.
For example (IIRC this was a real bug), if you exploit a bug in the text layout code, you could attack a device by getting a notification to appear on the lock screen, and SMS messages usually trigger a notification.
Depends on the hack but the majority seem to be from parsers for various formats, from images, to unicode and text data etc...
A message has to be able to display so many different types of content. A flaw in any one of those could be exploited. Combine a bunch of flaws together and you suddenly can do quite a bit.
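The two points made in the comments above, that the receive daemon parses attachments on arrival (zero-click versus one-click) and that Objective-C containers carry bounds checks while the C/C++ image and video code does not, are easier to see in code. What follows is an added example written for this page; it is not Apple's or iMessage's code and not code posted by any commenter. The "AT" attachment format, the function names, the contact list and the sample phone numbers and addresses are all constructed for illustration.

```c
/* Added example, not Apple's or iMessage's code. A constructed toy format
 * ("AT" magic, 4-byte little-endian payload length, payload) shows the
 * length-trusting bug typical of C/C++ media parsers next to its fix, plus
 * a sender-trust gate that keeps the parser from running on receipt at all
 * when the sender is not a contact. Format, names and samples are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATT_HDR_LEN     6
#define ATT_MAX_PAYLOAD 64

enum parse_status { PARSE_OK, PARSE_BAD_MAGIC, PARSE_TRUNCATED,
                    PARSE_TOO_LARGE, PARSE_SKIPPED };
enum action { ACT_RENDER_NOW, ACT_QUARANTINE };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The bug class: the attacker-chosen declared length drives memcpy. A header
 * claiming more than 64 bytes overflows `out`; one claiming more than was
 * received reads past `blob`. Shown for contrast; never call it on untrusted input. */
int parse_attachment_vulnerable(const uint8_t *blob, size_t avail,
                                uint8_t out[ATT_MAX_PAYLOAD]) {
    if (avail < ATT_HDR_LEN || memcmp(blob, "AT", 2) != 0) return -1;
    uint32_t declared = rd_le32(blob + 2);
    memcpy(out, blob + ATT_HDR_LEN, declared);   /* no bounds check */
    return (int)declared;
}

/* Hardened: the declared length is checked against the destination capacity
 * and against the bytes actually received before anything is copied. */
enum parse_status parse_attachment_hardened(const uint8_t *blob, size_t avail,
                                            uint8_t out[ATT_MAX_PAYLOAD],
                                            size_t *out_len) {
    *out_len = 0;
    if (avail < ATT_HDR_LEN || memcmp(blob, "AT", 2) != 0) return PARSE_BAD_MAGIC;
    uint32_t declared = rd_le32(blob + 2);
    if (declared > ATT_MAX_PAYLOAD) return PARSE_TOO_LARGE;
    if (declared > avail - ATT_HDR_LEN) return PARSE_TRUNCATED;
    memcpy(out, blob + ATT_HDR_LEN, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* Trust gate: a sender outside the contact list is quarantined, so the bytes
 * stay opaque until the user opens them (one-click) instead of being parsed
 * by the receive daemon (zero-click). */
enum action gate_for_sender(const char *sender,
                            const char *const *contacts, size_t n_contacts) {
    for (size_t i = 0; i < n_contacts; i++)
        if (strcmp(sender, contacts[i]) == 0) return ACT_RENDER_NOW;
    return ACT_QUARANTINE;
}

enum parse_status receive_message(const char *sender, const uint8_t *blob,
                                  size_t avail, const char *const *contacts,
                                  size_t n_contacts, uint8_t out[ATT_MAX_PAYLOAD],
                                  size_t *out_len) {
    *out_len = 0;
    if (gate_for_sender(sender, contacts, n_contacts) == ACT_QUARANTINE)
        return PARSE_SKIPPED;            /* the parser never sees the bytes */
    return parse_attachment_hardened(blob, avail, out, out_len);
}

/* Constructed input: a blob whose header may lie about its payload length. */
static size_t make_blob(uint32_t declared, const uint8_t *payload,
                        size_t payload_len, uint8_t *buf, size_t buf_cap) {
    if (ATT_HDR_LEN + payload_len > buf_cap) return 0;
    memcpy(buf, "AT", 2);
    buf[2] = (uint8_t)declared;         buf[3] = (uint8_t)(declared >> 8);
    buf[4] = (uint8_t)(declared >> 16); buf[5] = (uint8_t)(declared >> 24);
    memcpy(buf + ATT_HDR_LEN, payload, payload_len);
    return ATT_HDR_LEN + payload_len;
}

static const uint8_t SAMPLE[] = "hello,world!";   /* 12 payload bytes */
static const char *const CONTACTS[] = { "+15555550100", "alice@example.com" };

/* Hardened parser on the 12-byte payload with a header claiming `declared`. */
enum parse_status demo_hardened(uint32_t declared) {
    uint8_t blob[32], out[ATT_MAX_PAYLOAD]; size_t out_len;
    size_t n = make_blob(declared, SAMPLE, sizeof SAMPLE - 1, blob, sizeof blob);
    return parse_attachment_hardened(blob, n, out, &out_len);
}

/* Receive path for `sender`; `hostile` makes the header claim 100000 bytes. */
enum parse_status demo_receive(const char *sender, int hostile) {
    uint8_t blob[32], out[ATT_MAX_PAYLOAD]; size_t out_len;
    size_t n = make_blob(hostile ? 100000u : 12u, SAMPLE, sizeof SAMPLE - 1,
                         blob, sizeof blob);
    return receive_message(sender, blob, n, CONTACTS, 2, out, &out_len);
}

int main(void) {
    printf("honest: %d  oversized: %d  truncated: %d  unknown sender: %d\n",
           demo_hardened(12u), demo_hardened(100000u), demo_hardened(40u),
           demo_receive("+15555550199", 1));
    return 0;
}
```

Compile with any C compiler and run. The hardened parser rejects a header that claims more bytes than the output buffer holds (PARSE_TOO_LARGE) or than were actually received (PARSE_TRUNCATED), and the receive path returns PARSE_SKIPPED for the unknown sender before any parser touches the bytes; a contact sending the same hostile blob still only reaches the hardened parser. The vulnerable variant is kept only to show which checks are missing and is never called on the hostile input.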
johnthuss | 4 years ago
bb123 | 4 years ago
* I ask a seller on FB marketplace to send me some pictures of an item
* I need to send pictures of some documents to my solicitor
* A new friend I've just met in a bar tries to send me her contact card
* My mechanic tries to send me a PDF of the invoice for his work
Sure, there are ways around all of these, but it makes iMessage (or any messaging service) a lot less useful.
upofadown | 4 years ago
webinvest | 4 years ago
kylehotchkiss | 4 years ago
mrweasel | 4 years ago
BiteCode_dev | 4 years ago
easton | 4 years ago
SV_BubbleTime | 4 years ago
Fantastic way to not have people send you messages anymore.
Phone numbers are technically becoming useless. They are practically still the by far dominant choice when someone goes to send you a new message.
We’ve had decades of texting phone numbers to reinforce this.
CyberRage | 4 years ago
Instant-Messaging = Worthy target for exploits.
Just like web-browsers get exploited after years of patching.
rsync | 4 years ago
kevingadd | 4 years ago
sneak | 4 years ago
SalimoS | 4 years ago
So it will stay the same for people in your contact list, but a new touch to load for messages from an unknown person.
est31 | 4 years ago
eyeball | 4 years ago
I seem to be under attack lately.
3-4 times a day, random links sent from Gmail addresses or unknown phone numbers to imsg with sketchy-looking links in them.
dylan604 | 4 years ago
cyckl | 4 years ago
WelcomeShorty | 4 years ago
fencepost | 4 years ago
kossTKR | 4 years ago
That's completely insane, isn't it? Have Apple just given up, or am I missing the scope of this vulnerability?
Also how can Apple not have better security with such an incredible amount of money in the bank?
dannyw | 4 years ago
eloisius | 4 years ago
dannyw | 4 years ago
saagarjha | 4 years ago
raspasov | 4 years ago
azinman2 | 4 years ago
tyingq | 4 years ago
FounderBurr | 4 years ago
gjsman-1000 | 4 years ago
brobinson | 4 years ago
Job posting links are dead now, but there was a reddit thread about it: https://old.reddit.com/r/rust/comments/fkngza/apple_hiring_r...
raspasov | 4 years ago
From what I can tell, the combination of unsafe-by-default languages like C/C++/Obj-C and the way the human brain works is Not-A-Good-Combination© . Too many opportunities for error.
stefan_ | 4 years ago
CyberRage | 4 years ago
At the end of the day, it is still an app with app level permissions, sandbox etc.
Kernel/kernel modules are far more likely to be written as they allow for vastly more access than an app.
iamnotwhoiam | 4 years ago
ec109685 | 4 years ago
thehappypm | 4 years ago
saagarjha | 4 years ago
yokoprime | 4 years ago
bumbledraven | 4 years ago
iamnotwhoiam | 4 years ago
sonthonax | 4 years ago
Does iMessage accept arbitrary code that it can execute?
andreasley | 4 years ago
[1] https://googleprojectzero.blogspot.com/2020/04/fuzzing-image...
kevingadd | 4 years ago
dagmx | 4 years ago
rasz | 4 years ago
webinvest | 4 years ago