American iPhones Maybe Targeted In Spyware Attacks

Forbes

2 days ago

Were iPhones really attacked?
A new report from the team at iVerify warns that a 'previously unknown' vulnerability in iOS maybe enabled a highly targeted attack on iPhones in the U.S. as well as Europe. This flaw was not in the core messaging architecture itself, but in its nickname feature.
'Any increase in the size of a codebase is going to introduce attack opportunities,' iVerify told me. And that's the case here. When a user updates their profile, 'nickname, photo, or wallpaper,' this triggers "a 'Nickname Update' on a recipient's device."
Trivial though it might seem, that nickname update process is a data transmission from one device to another, it's implicitly trusted data and it's within the secure enclave. 'This vulnerability was present in iOS versions up to 18.1.1 and fixed in iOS 18.3.1.'
While there's no doubting the flaw and the fix, there is no concrete proof it was exploited in the wild. 'We analyzed crash data from nearly 50,000 devices," iVerify says, "and found that the imagent crashes related to Nickname Updates are exceedingly rare, comprising less than 0.001% of all crash logs collected.'
But those rare instances appeared only on 'devices belonging to individuals likely to be targeted by sophisticated threat actors.' Sometimes, Occam's Razor really does apply. Those high-risk individuals were affiliated with 'political campaigns, media organizations, tech companies, and governments in the EU and U.S.'
Delete All Texts On Your Phone That Look Like This
These are exactly the type of individuals Apple says should use its Lockdown Mode, which restricts a raft of iPhone features and is intended to shutdown attacks that might otherwise get through. It's unclear whether that would have mitigated this risk — and irrelevant now as it's patched. But it certainly makes an iPhone more secure.
'iOS remains a robust and secure operating system,' iVerify told me. 'iMessage is likely targeted not because it's insecure but instead because it's popular." That said, it's toeing a tricky line between feature-rich messenger and secure comms tool.
Signal is better, iVerify says, if you want to really secure your comms with a COTS platform. That said, as we've seen before, iMessage is on all iPhones and is almost never disabled, and so if there is a working zero-click attack, it will likely get through.
On that note, 'Signal is open source,' iVerify says, "which does have security advantages in the sense that it's transparent and therefore easier for researchers to examine. And it's a simple code base, which does reduce the potential attack surface.'
Google Confirms Most Gmail Users Must Upgrade Accounts
iVerify reports that forensic examination of one affected device "provided evidence suggesting exploitation: several directories related to SMS attachments and message metadata were modified and then emptied just 20 seconds after the imagent crash occurred. This pattern of deleting potential evidence mirrors techniques observed in confirmed spyware attacks where attackers 'clean up' after themselves."
But again, this is speculation ands there's no confirmation or attribution, as Apple will be keen to emphasize. While there's 'no smoking gun,' iVerify says, 'definitively proving exploitation exists, when taken together, this body of evidence gives us moderate confidence these crashes indicate targeted exploitation attempts.'
I have reached out to Apple for any comments on this report. iMessage has been exploited before and whether or not that's what has happened here, it will remain a target — as will WhatsApp and all other apps and platforms that run on most devices. Exploiting such a vulnerability is the easiest way to compromise an endpoint, as is especially relevant at the moment when it comes to encrypted data.
For most users though, your biggest iMessage risks remains texts with malicious lures and crafty links that trick you into clicking. These highly targeted attacks — real or not — should not be a concern. Unpaid tolls and undelivered packages, though…