Hacking Apple devices with just a Message exploiting the CVE-2016-4631

Pierluigi Paganini July 20, 2016

This critical flaw, CVE-2016-4631, resides in ImageIO and could be exploited by a remote attacker to steal sensitive information from Apple devices.

Apple fans, I have bad news for you: just one specially crafted message can expose your personal information, including the authentication credentials stored in the memory of your Apple device.

This means that your Wi-Fi passwords, login credentials, and email logins could easily be compromised in the attack.

The CVE-2016-4631 flaw reminds us of the dreaded Stagefright vulnerabilities that affected the Android OS; in that case too, the attacker was able to spy on victims by using a specially crafted text message.

This critical vulnerability (CVE-2016-4631) resides in ImageIO, the API used to handle image data in almost every Apple operating system, including Mac OS X, watchOS, and tvOS. The CVE-2016-4631 vulnerability in ImageIO was reported by the Cisco Talos senior security researcher Tyler Bohan.

The attack scenario is as simple as it is effective: the attacker just needs to send the malicious exploit code to the victim's device via a multimedia message (MMS) or iMessage, inside a Tagged Image File Format (TIFF) image.

When the victim receives the malicious message, the exploit is executed.

The exploit code could also be delivered through Safari; in this attack scenario the victim has to visit a website containing the malicious code, which is then handled by the browser and executed.

In both attack scenarios, no explicit user interaction is required, because applications automatically process images as soon as they are received by the targeted device.
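Because the delivery vector described above is an image processed automatically on receipt, a defender's practical lever while devices are still being patched is to identify TIFF payloads at a gateway by their content rather than by file name or declared type. The following is an added example, not code from the article, from Cisco Talos or from Apple: it recognises the classic TIFF header (byte-order mark, magic number 42, offset of the first image file directory), reports attachments whose name disagrees with their content, and flags a header whose first IFD offset points outside the file. It assumes a hypothetical gateway that can hand the attachment bytes and file name to a Python function; all sample attachments are constructed inline.

```python
"""Flag TIFF payloads in incoming attachments by content, not by file name or MIME type.

Added illustration (not from the article): a gateway-side check that recognises the
classic TIFF header (byte-order mark, magic 42, offset of the first IFD) and reports
attachments that are TIFF regardless of what their name claims, plus TIFFs whose first
IFD offset lies outside the file. All sample attachments below are constructed.
"""
import struct

TIFF_LITTLE = b"II*\x00"   # "II" followed by 42 in little-endian order
TIFF_BIG = b"MM\x00*"      # "MM" followed by 42 in big-endian order
HEADER_LEN = 8


def tiff_header(data: bytes):
    """Return (struct byte-order char, first IFD offset) for a classic TIFF, else None.

    BigTIFF (magic 43) is deliberately not matched; this check targets the classic
    32-bit format the article refers to.
    """
    if len(data) < HEADER_LEN:
        return None
    if data[:4] == TIFF_LITTLE:
        order = "<"
    elif data[:4] == TIFF_BIG:
        order = ">"
    else:
        return None
    (ifd_offset,) = struct.unpack(order + "I", data[4:8])
    return order, ifd_offset


def first_ifd_entry_count(data: bytes, order: str, ifd_offset: int):
    """Entry count of the first IFD, or None when the offset lies outside the data."""
    if ifd_offset < HEADER_LEN or ifd_offset + 2 > len(data):
        return None
    (count,) = struct.unpack(order + "H", data[ifd_offset:ifd_offset + 2])
    return count


def classify_attachment(name: str, data: bytes) -> dict:
    """Describe one attachment: TIFF by content?, does the name agree?, is the header sane?"""
    declared_tiff = name.lower().endswith((".tif", ".tiff"))
    header = tiff_header(data)
    if header is None:
        return {"name": name, "is_tiff": False, "name_mismatch": declared_tiff,
                "malformed": False}
    order, ifd_offset = header
    count = first_ifd_entry_count(data, order, ifd_offset)
    return {"name": name, "is_tiff": True, "name_mismatch": not declared_tiff,
            "byte_order": "little" if order == "<" else "big",
            "ifd_offset": ifd_offset, "ifd_entries": count, "malformed": count is None}


def attachments_to_hold(items) -> list:
    """Names a gateway should hold: every TIFF by content, plus anything whose name
    claims TIFF but is not one (either way the declared name cannot be trusted)."""
    held = []
    for name, data in items:
        info = classify_attachment(name, data)
        if info["is_tiff"] or info["name_mismatch"]:
            held.append(name)
    return held


# Constructed samples: a minimal valid little-endian TIFF (empty IFD at offset 8),
# the same bytes renamed to look like a JPEG, a big-endian TIFF whose IFD offset is
# out of bounds, and a JPEG-looking blob.
MINIMAL_TIFF = TIFF_LITTLE + struct.pack("<I", 8) + struct.pack("<H", 0) + struct.pack("<I", 0)
BAD_OFFSET_TIFF = TIFF_BIG + struct.pack(">I", 0xFFFFFFF0)
JPEG_LIKE = b"\xff\xd8\xff\xe0" + b"\x00" * 12

SAMPLES = [
    ("scan.tiff", MINIMAL_TIFF),
    ("holiday.jpg", MINIMAL_TIFF),
    ("photo.tif", BAD_OFFSET_TIFF),
    ("selfie.jpg", JPEG_LIKE),
]

if __name__ == "__main__":
    for sample_name, sample_data in SAMPLES:
        print(classify_attachment(sample_name, sample_data))
    print("hold:", attachments_to_hold(SAMPLES))
```

The hold list is intentionally coarse: it treats any TIFF as worth holding for devices that have not yet received the fixed release the article names, and it does not try to decide whether a given TIFF is malicious, which is exactly the judgement a gateway cannot make reliably for a parser bug of this kind.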


The bad news is that this kind of attack is very difficult for the victim to detect.

Bohan told Forbes that the issue is “an extremely critical bug, comparable to the Android Stagefright as far as exposure goes.” “The receiver of an MMS cannot prevent exploitation and MMS is a store and deliver mechanism, so I can send the exploit today and you will receive it whenever your phone is online,” he explained.

We have to make a further distinction: the attack works differently on iOS and on Mac OS X because of the presence of sandbox protection.

On iOS, the sandbox mechanism contains the exploit code, so an attacker needs a further iOS jailbreak or root exploit to take complete control of the mobile device.

On Mac OS X the attack is easier because the OS does not use sandbox protection.

According to the latest Apple advisory, the critical flaw has already been fixed in the latest iOS version, 9.3.3.

Now that you know the flaw allows hacking Apple devices, don't waste time: patch your device to avoid ugly surprises.

Crooks will not take long to find a way to exploit the CVE-2016-4631 vulnerability in the wild.

“Exploitation wise, Talos estimates there is about a two-week effort to get from the information we disclosed publicly to a fully working exploit with a decent amount of reliability,” Bohan added.


(Security Affairs – hacking Apple devices, CVE-2016-4631)
