by Traubenfuchs 1114 days ago
tl;dr - malicious state and private threat actors can at any time completely take over your iPhone (root access) with an invisible iMessage, without you having a practical chance to detect it besides scanning your iPhone backup.

Should add that this can only occur if you haven't updated your phone in over a year.
They said it can infect iOS 15.7. I just looked and it appears 15.7.1 was released 10/27/22. And the malware apparently quietly blocks OS updates and can survive full hardware resets.

If you were fully updated to the latest iOS last October and got infected, it would keep you infected. They also said they found the malware has been deployed in the wild since at least 2019 and this is the first discovery of it. And it appears to be a fully remote, stealth infection against all iPhones.

I'm no expert on security (or iOS) but it sounds pretty much like worst case to me.

Or if you were infected over a year ago by malware that blocks updates and doesn't notify you of them.
God knows what other government spyware is already available and in use that can do more than this.

Only the tip of the iceberg is visible to the public, if that.

It still blows my mind that this is not a known fact by most people for as long as phones have existed? Or maybe it is?
How is this generally possible? In my simplified understanding, a text message is a hunk of data, but I know it's more complex than that... it must be able to connect to all kinds of services and trigger all kinds of code running, right? Can't it be sanity checked sufficiently?
Even if it were a simple text message (which it's not for iPhone), it triggers a text parser at minimum. That parser can have various bugs in it, e.g. if the parser checks phone contacts to highlight a phone number in the text as a known contact, identifies some web link, etc.

To sum it up: to make it as fancy as possible for users, it checks various things and needs permissions for that. Enough 0-days in the chain and you can do whatever you need.

This is the problem with closed systems: you have to trust the manufacturer 100%; there is no independent audit possible. And if you've ever done any serious coding before, you know by heart that any code has bugs: in the code, in the platform/VM it runs on, in APIs, etc.
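The comment above describes the kind of "enrichment" parsing a messaging client does on incoming text (spotting phone numbers to match against contacts, spotting links) and notes that every such feature is parsing surface that can carry bugs. The following is an added example, not code from the thread or from any Apple component: a small, constructed enrichment parser in Python that applies the sanity checks the earlier question asks about (a hard input-size cap, a narrow accepted grammar, a canonical contact-lookup key) and a fuzz loop that checks the parser only ever fails in the documented ways. The size limit, regexes and contact list are all hypothetical placeholders.

```python
import random
import re
import string

# Hypothetical size cap for one message; not a real iOS or iMessage limit.
MAX_MESSAGE_BYTES = 4096

# Narrow grammars: only these shapes are ever highlighted. Anything else
# is left as plain text rather than handed to further processing.
PHONE_RE = re.compile(r"\+?\d[\d\-\s]{6,14}\d")
LINK_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# Constructed contact list used for the "known contact" lookup.
CONTACTS = {"+15555550100": "Alice", "+15555550199": "Bob"}


def normalize_phone(raw):
    """Reduce a matched number to digits plus an optional leading '+',
    so the contact lookup uses one canonical key per number."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return ("+" if raw.startswith("+") else "") + digits


def enrich(message):
    """Return a list of (kind, text, label) spans found in the message.

    Input that fails the up-front checks is rejected with ValueError or
    TypeError; the parser never tries to 'do its best' on oversize or
    non-string input, which keeps the failure modes enumerable.
    """
    if not isinstance(message, str):
        raise TypeError("message must be str")
    if len(message.encode("utf-8", "surrogatepass")) > MAX_MESSAGE_BYTES:
        raise ValueError("message too large")

    spans = []
    for m in PHONE_RE.finditer(message):
        key = normalize_phone(m.group())
        spans.append(("phone", m.group(), CONTACTS.get(key)))
    for m in LINK_RE.finditer(message):
        spans.append(("link", m.group(), None))
    return spans


def fuzz(rounds=2000, seed=1):
    """Feed random strings (including control characters, a bidi override
    and a lone surrogate) to enrich(). Any exception other than the
    documented ValueError propagates and fails the run. Returns the number
    of inputs that parsed to a span list."""
    rng = random.Random(seed)
    alphabet = string.printable + "\u202e\u0000\ud800"
    parsed = 0
    for _ in range(rounds):
        n = rng.randint(0, 300)
        s = "".join(rng.choice(alphabet) for _ in range(n))
        try:
            enrich(s)
            parsed += 1
        except ValueError:
            pass
    return parsed


if __name__ == "__main__":
    print(enrich("call +15555550100 or see https://example.com/x?q=1"))
    print("fuzz inputs parsed:", fuzz())
```

The design point is the one the thread makes: the feature itself (highlighting numbers and links) is cheap, but each accepted grammar is attack surface, so the accepted language is kept as small as possible, input is bounded before any regex runs, and the parser is fuzzed so that its only failure modes are the ones it declares.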

Apparently, it uses iMessage's proprietary messaging format, not standard text messages. I don't use iOS but my understanding is users can't replace iMessage with another messaging app.
> my understanding is users can't replace iMessage with another messaging app.

To be precise, there is one "Messages" app that automagically uses iMessage (blue bubbles) instead of SMS (green bubbles) whenever possible. One can turn off iMessage in the settings, which will probably lead to your iPhone rejecting iMessages, making other iPhones only send SMS to you and also making your iPhone only send SMS. Whether that toggle prevents the receiving and processing of malicious, invisible iMessages is an entirely different question.