“Zero-click” mobile phone attacks – and how to avoid them
2020-04-30 18:08

Any developer currently using image importers or other image handling libraries should read this document to see how to use the Image I/O framework instead. In other words, instead of laboriously adding support for dozens of different image formats to your app by writing code for each new filetype one-by-one, you can just use ImageIO functions and let the operating system take care of figuring out what image type it is, whether it's supported, and how to read it in.

You don't need to worry, or even care, whether it's JPEG, GIF, PNG, BMP, TIFF or even a file format you've never heard of such as KTX. So the drawcard here for a security researcher is the juxtaposition of the word fuzzing, which means going all-out to find weirdly-corrupted files that reveal bugs in the underlying code, and the word ImageIO, which refers to the core code that gets triggered pretty much any time any iPhone app encounters an image file.

In his article, Google's Stefan Groß describes how he enumerated a list of image file formats that ImageIO supports, and then how he set about "fuzzing" the code in the ImageIO libraries.

One tricky problem with image handling bugs, especially on mobile devices, is that there are numerous apps in which you expect to see images automatically, without having to click anything first.

In so-called zero-click image attacks, it's not your eyes that have to deal with a nasty image in order to protect your eyes from it, but the code that handles images, which on iPhones almost certainly means ImageIO. So even messages that you yourself would delete without opening, because you can see they're going to be risky, could crash your phone or worse.


News URL

https://nakedsecurity.sophos.com/2020/04/30/zero-click-mobile-phone-attacks-and-how-to-avoid-them/