Trust Wallet claims iMessage may be vulnerable

by admin
Can grant full access via a message.

Trust Wallet, which has 70 million users, believes that iMessage is exposed to a vulnerability. It recommends that users with valuables and important information turn off the service.

Stein Jarle Olsen / Tek.no

The short version

  • Crypto tool Trust Wallet, owned by Binance, warns of a potential vulnerability with Apple’s iMessage.
  • They claim an attacker can send a message and run any app or code they want on the phone.
  • Trust Wallet encourages people to turn off iMessage until Apple fixes the bug, but it’s unclear how real the threat is.
  • CodeBreach Lab is demanding $2 million in cryptocurrency for the information.
  • TechCrunch and Trust Wallet assess the threat as most relevant for so-called high-value targets. Safe mode or disabling iMessage can ward off any danger.

The crypto tool Trust Wallet is owned by the massive Binance (one of the world's largest crypto exchanges, where you can buy, sell and trade cryptocurrency; 150 million registered users in August 2023), and now warns that Apple’s iMessage may be insecure. They claim a vulnerability allows anyone to send a message to the phone and run any app or code they want.

Trust Wallet’s advice is to turn off iMessage until Apple updates the solution, TechCrunch reports.

At the same time, it is very unclear how real the threat is, since the starting point is an advertisement from a new player that is trying to sell access to the vulnerability.

No documentation has been shown to substantiate the threat, nor has it been confirmed by Apple.

Critical if real

The vulnerability is said to let third-party actors run apps and code on your phone without any action on your part: a so-called “remote code execution” (RCE).

This type of attack is among the most dangerous out there, as it can give full access to both your stored data and the hardware.

The vulnerability is, if it is real, a so-called “zero day”. The term is used for vulnerabilities that are so recent and little known that there are no updates against them or easy ways to combat them.

By their nature, such vulnerabilities are also quite short-lived, since the effort to plug the holes they exploit begins the moment someone actually uses them and the use is discovered.

Asking $2 million

The sellers of the vulnerability are calling themselves CodeBreach Lab, and are demanding $2 million in cryptocurrency for the insight needed to attack Apple’s messaging system.

The price is not unheard of. The company Crowdfense has commercialized the hunt for vulnerabilities for government actors, paying up to $9 million for previously undocumented “zero day” vulnerabilities.

For vulnerabilities that affect iOS and iMessage in particular, they set the price at around 3.5 million.

One can therefore ask whether it would not have been just as easy for CodeBreach Lab to sell directly to an actor such as Crowdfense, which is in the market for the very “product” they have. If it is real.

Consider enabling “safe mode”

Where TechCrunch and Trust Wallet agree is that this is probably most important for so-called high-value targets. In other words, those who store a lot of value on their phone, be it access to money, information or “access”.

Part of the reason is precisely that zero-day vulnerabilities are so short-lived, and that the job of closing them starts as soon as they are put into use. Thus, criminals who have paid dearly for the opportunity are unlikely to start with the regular iPhone user.

Since there is great uncertainty about how serious the threat actually is, TechCrunch recommends that instead of turning off iMessage, you activate so-called “Security Mode” on your phone. Then all locks are turned on, and the phone is extra hardened against attacks.

After the original post received over 3 million readers, Trust Wallet has updated with additional tweets and continues to say that the threat is real and serious.
