There are gaping security holes in Apple’s operating systems that can be exploited through its default messaging, web browsing, or email software. For instance, hackers could grab your passwords just by sending you an infected iMessage—and all they’d need is your phone number.
The security gaps were discovered by Tyler Bohan, a researcher with Cisco Talos, a unit of Cisco that works on security. Forbes was the first to report on the findings. The hacks strike at the heart of Apple’s mobile and desktop operating systems, exploiting the way they deal with importing and exporting images.
Here’s how the attack works: A hacker creates malware that’s formatted as a TIFF file, which is just another image format like JPG or GIF. The hacker then sends it to a target using iMessage. This is especially effective because the messaging app automatically renders images on its default settings.
Once the infected file is received, malicious code can be executed on the target device, giving an attacker access to the device’s memory and stored passwords. The victim wouldn’t even have had a chance to prevent it. The same attack can be delivered by email, or by making the user visit a website that contains the infected image, using Apple’s Safari browser.
It gets worse. Bohan found that the security hole is present in all versions of iOS and OS X except for the very latest ones, which were published on July 18. Bohan had shared his discoveries with Apple ahead of time, and the latest versions of its OS address the vulnerabilities. That means the safe version of iOS is 9.3.3 and for OS X it’s El Capitan 10.11.6.
There’s another quick fix, as security research firm Sophos points out: Turn off iMessage on your iPhone, and also disable MMS messaging. This means you’ll be limited to receiving text messages only. Image files won’t be received.
The scale of the vulnerability is staggering. According to Apple, about 14% of iOS devices run iOS 8 or earlier. There are over 690 million active iOS devices, according to one estimate, which means at least 97 million devices running Apple’s mobile operating system are vulnerable to the hack. That’s not even accounting for the mobile devices that aren’t running the absolutely newest version of iOS 9, or Macs that aren’t up to date. Apple has said it has over 1 billion active devices worldwide, but doesn’t break down that figure in detail.
This Apple security problem has been likened to a flaw in Android, Google’s mobile operating system, called Stagefright that was discovered last year. That security hole also relied on texting infected images, and some 950 million Android devices were exposed. It was discovered by a researcher at Zimperium zLabs in April 2015 who shared his findings with Google, which then issued an update fixing the problems.