It's a shocking revelation: The Bahraini government allegedly purchased and deployed sophisticated malware against human rights activists, including spyware that required no interaction from the victim (no clicked links, no permissions granted) to take hold on their iPhones. But as disturbing as this week's report from the University of Toronto's Citizen Lab may be, it's also increasingly familiar. These “zero-click” attacks can happen on any platform, but a string of high-profile hacks show that attackers have homed in on weaknesses in Apple's iMessage service to execute them. Security researchers say the company's efforts to resolve the issue haven't been working, and that there are other steps the company could take to protect its most at-risk users.

Interactionless attacks against current versions of iOS are still extremely rare, and almost exclusively used against a small population of high-profile targets around the world. In other words, the average iPhone owner is very unlikely to encounter them. But the Bahrain incident shows that Apple's efforts to defuse iMessage risks for its most vulnerable users have not fully succeeded. The question now is how far the company is willing to go to make its messaging platform less of a liability.

Absent a total overhaul, though, Apple still has options for dealing with sophisticated iMessage hacks. The company could offer special settings, researchers suggest, so at-risk users can choose to lock down the Messages app on their devices. That could include an option to block untrusted content like images and links altogether, and a setting to prompt the user before accepting messages from people not already in their contacts. It's true that those options wouldn't have much appeal or make much sense for most people. You want to get the text notification that your prescription is ready for pickup even though you don't have your drug store's auto-alert number in your contacts. And you want to see photos and article links from the person you just swapped numbers with at a bar. But making those more extreme features opt-in could go a long way toward protecting the minority of users who may be valuable targets to attackers.

In fact, Citizen Lab researchers and others suggest that Apple should simply provide an option to disable iMessage entirely. Apple has always been reluctant to let users remove its own apps, and in many ways Messages is one of the company's most important flagships. But iOS already lets you delete apps like FaceTime and disable other core services like Safari. (Under Settings, head to Screen Time, toggle on Content & Privacy Restrictions, and then tap Allowed Apps to do so.)

Citizen Lab itself acknowledges that there are tradeoffs to this approach. Zero-click attacks crop up in other communication apps like WhatsApp as well, so eliminating iMessage wouldn't completely solve the problem. And pushing users to rely on SMS text messages rather than Apple's end-to-end encrypted messaging would be a security downgrade overall. Still, offering some sort of “secure mode” for iMessage could be a simple way for Apple to make a real and meaningful gesture to those who rely on iOS when the stakes are extremely high.