It's a shocking revelation: The Bahraini government allegedly purchased and deployed sophisticated malware against human rights activists, including spyware that required no interaction from the victim—no clicked links, no permissions granted—to take hold on their iPhones. But as disturbing as this week's report from the University of Toronto's Citizen Lab may be, it's also increasingly familiar.
These “zero-click” attacks can happen on any platform, but a string of high-profile hacks show that attackers have homed in on weaknesses in Apple's iMessage service to execute them. Security researchers say the company's efforts to resolve the issue haven't been working—and that there are other steps the company could take to protect its most at-risk users.
Interactionless attacks against current versions of iOS are still extremely rare, and almost exclusively used against a small population of high-profile targets around the world. In other words, the average iPhone owner is very unlikely to encounter them. But the Bahrain incident shows that Apple's efforts to defuse iMessage risks for its most vulnerable users have not fully succeeded. The question now is how far the company is willing to go to make its messaging platform less of a liability.
“It's frustrating to think that there is still this un-deletable app on iOS that can accept data and messages from anyone," says longtime macOS and iOS security researcher Patrick Wardle. "If somebody has a zero-click iMessage exploit, they can just send it from anywhere in the world at any time and hit you.”
Apple did make a major push to comprehensively address iMessage zero-clicks in iOS 14. The most prominent of those new features, BlastDoor, is a sort of quarantine ward for incoming iMessage communications that's meant to weed out potentially malicious components before they hit the full iOS environment. But the interactionless attacks keep coming. This week's Citizen Lab findings and research published in July by Amnesty International both specifically show that it's possible for a zero-click attack to defeat BlastDoor.
Apple hasn't issued a fix for this particular vulnerability and corresponding attack, dubbed “Megalodon” by Amnesty International and “ForcedEntry” by Citizen Lab. An Apple spokesperson told WIRED that it intends to harden iMessage security beyond BlastDoor, and that new defenses are coming with iOS 15, which will likely come out next month. But it's unclear what those further protections will entail, and there's meanwhile seemingly no defense against the BlastDoor-defeating hack that Amnesty International and Citizen Lab both observed.
“Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Apple's head of security engineering and architecture, Ivan Krstić, said in a statement. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers.”
iMessage's many functions and features make it difficult to defend, security researchers say. Its “attack surface” is massive. Under the hood, it takes a lot of code and jerry-rigging to get all those green and blue bubbles—plus photos, videos, links, Memojis, app integrations, and more—working smoothly. Each feature and interconnection with another part of iOS creates a fresh opportunity for attackers to find flaws that could be exploitable. Since the rise of iMessage zero-clicks a few years ago, it's become increasingly clear that comprehensively reducing the service's vulnerabilities would take some epic rearchitecting—which seems unlikely at best.
Absent a total overhaul, though, Apple still has options for dealing with sophisticated iMessage hacks. The company could offer special settings, researchers suggest, so at-risk users can choose to lock down the Messages app on their devices. That could include an option to block untrusted content like images and links altogether, and a setting to prompt the user before accepting messages from people not already in their contacts.
It's true that those options wouldn't have much appeal or make much sense for most people. You want to get the text notification that your prescription is ready for pickup even though you don't have your drug store's auto-alert number in your contacts. And you want to see photos and article links from the person you just swapped numbers with at a bar. But making those more extreme features opt-in could go a long way toward protecting the minority of users who may be valuable targets to attackers.
In fact, Citizen Lab researchers and others suggest that Apple should simply provide an option to disable iMessage entirely. Apple has always been reluctant to let users remove its own apps, and in many ways Messages is one of the company's most important flagships. But iOS already lets you delete apps like FaceTime and disable other core services like Safari. (Under Settings, head to Screen Time, toggle on Content & Privacy Restrictions, and then tap Allowed Apps to do so.)
Citizen Lab itself acknowledges that there are tradeoffs to this approach. Zero-click attacks crop up in other communication apps like WhatsApp as well, so eliminating iMessage wouldn't completely solve the problem. And pushing users to rely on SMS text messages rather than Apple's end-to-end encrypted messaging would be a security downgrade overall.
Still, offering some sort of “secure mode" for iMessage could be a simple way for Apple to make a real and meaningful gesture to those who rely on iOS when the stakes are extremely high.
“If Apple could make a way to disable iMessage completely that would be lovely,” Wardle says. “Protections like BlastDoor can be added on top, but it’s kind of like buttressing a sandcastle.”
It all comes down to how far Apple is willing to go to address iMessage zero-clicks, and with which strategy.
“It's complicated—I would not call all these iMessage zero-clicks a failure,” says Will Strafach, a longtime iOS researcher and creator of the Guardian Firewall app for iOS. “This is a mainstream consumer device, not a specialized, high-assurance device. But my hope is that research like this can increase the sense of urgency internally at Apple and get their security teams the resources they need to better harden common attack vectors like iMessage.”
iOS 15 should reveal more about Apple's proposed solutions. But the limitations of the company's previous attempts, combined with the lack of a short-term fix for this most recent iMessage zero-click, indicate both the challenge of addressing the issue and the ever-greater need to do so.