Skip to main content

New iPhone Attack Seems Very Familiar: Watch Out For MMS

By July 27, 2016May 25th, 2021Blog, Cybersecurity

NewXIphoneXAttackXSeemsXVeryXFamiliarLast July, Android users got a nasty surprise. The surprise came in the form of a new type of attack directed against smartphones. Dubbed “Stagefright,” it allowed a hacker to assume total control over the target device, simply by sending a properly encoded multimedia message to it.

The bug that allowed this type of attack was deemed to be critical, and Google was quick to provide a patch, but as with most new attack vectors, the fear is that there may be other weaknesses in the Android OS that would allow hackers to launch similar attacks.

Apple users breathed a sigh of relief, but as of now, that sense of relief seems to have been premature. A virtually identical bug has now been used on Apple devices, allowing hackers to take control (but not total control) over certain Apple products by sending specially coded multimedia messages. Apple has already assigned the bug a case number: CVE-2016-4631, although no patch has been issued to correct the problem.

The issue centers around Image IO, which is an API that handles all image data, and is found across a broad spectrum of Apple’s OSs, including Mac OS X, tvOS, and watchOS. Any of these devices are vulnerable until the patch is issued.

All a hacker would need to do is to create an exploit for the bug, craft an appropriate multimedia message and send it via MMS (multimedia message) or TIFF (Tagged Image File Format), and gain access to the target’s device.

Where the new Apple exploit differs from Stagefright though, is that the Apple exploit doesn’t give the hacker quite the same level of control as it did over targeted Android devices. In order to gain total control like Stagefright allowed, it would require an additional iOS jailbreak or root exploit. This is because iOS enjoys sandbox protection, which prevents hackers from exploiting one part of the OS and winding up in control of the whole thing.

Even so, this has been dubbed as a critical exploit, and Apple is currently working on a patch to eliminate it. Understand that there is no viable defense against this sort of attack, so the only thing you can do, really, is to install Apple’s patch when it is released.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.