Look, No Hands! -- The Remote, Interaction-less Attack Surface of the iPhone

Conference:  BlackHat USA 2019



Fully remote iPhone bugs exist and the attack surface is especially dangerous
  • Found about ten fully remote iPhone bugs
  • Attack surface includes SMS, MMS, Visual Voicemail, Mail, and iMessage
  • Bugs found in Mail and iMessage
  • Design problems with iMessage serialization make it especially prone to attacks
  • Securing a class in the face of NSKeyedArchiver is an intractable problem
  • Small changes to low-risk components can have unexpected consequences
  • Demo of bug that allows for remote files to be fetched
  • Demo of exploit using an unfixed bug
  • imagent (the iMessage daemon) can be used as a crash oracle to break ASLR
The speaker demonstrated a bug that allowed remote files to be fetched, and an exploit that used imagent, the iMessage daemon, as a crash oracle to break ASLR. The attack surface is especially dangerous because it requires neither proximity to the victim nor interception of network traffic: anyone, from anywhere, can attack anyone.
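As an added illustration of the NSKeyedArchiver point above (example code written for this page, not code from the talk or from Apple): a minimal NSSecureCoding class, a legacy decode that instantiates whatever class the archive names, and a secure decode with an allowlist. The class names Greeting and LoggingGreeting are hypothetical. The part to watch is that the allowlist admits subclasses of the listed classes, so the initWithCoder: of every class in that hierarchy still runs on attacker-controlled bytes before the caller sees anything; that is the shape of the problem the talk calls intractable.

```objc
#import <Foundation/Foundation.h>

// Constructed example for this page (not code from the talk). Class names are hypothetical.

// A well-behaved NSSecureCoding class: every decode is typed.
@interface Greeting : NSObject <NSSecureCoding>
@property (nonatomic, copy) NSString *text;
@end

@implementation Greeting
+ (BOOL)supportsSecureCoding { return YES; }
- (void)encodeWithCoder:(NSCoder *)coder {
    [coder encodeObject:self.text forKey:@"text"];
}
- (instancetype)initWithCoder:(NSCoder *)coder {
    if ((self = [super init])) {
        _text = [coder decodeObjectOfClass:[NSString class] forKey:@"text"];
    }
    return self;
}
@end

// A subclass with a side effect in initWithCoder:. Merely decoding an archive that
// names this class runs the side effect; the caller never has to touch the result.
@interface LoggingGreeting : Greeting
@end

@implementation LoggingGreeting
+ (BOOL)supportsSecureCoding { return YES; }
- (instancetype)initWithCoder:(NSCoder *)coder {
    NSLog(@"LoggingGreeting initWithCoder: ran while decoding untrusted data");
    return [super initWithCoder:coder];
}
@end

// Legacy decode: no class restriction at all. Any NSCoding class linked into the
// process can be instantiated by naming it in the archive.
static id decodeLegacy(NSData *archive) {
    return [NSKeyedUnarchiver unarchiveObjectWithData:archive];
}

// Secure decode: the root must be an allowed class, and every decoded class must
// conform to NSSecureCoding. The allowlist also admits subclasses of the listed
// classes, so LoggingGreeting passes even though it is never named here.
static Greeting *decodeSecure(NSData *archive, NSError **error) {
    NSSet *allowed = [NSSet setWithObjects:[Greeting class], [NSString class], nil];
    return [NSKeyedUnarchiver unarchivedObjectOfClasses:allowed fromData:archive error:error];
}

static NSData *archiveOf(id root) {
    NSError *err = nil;
    NSData *data = [NSKeyedArchiver archivedDataWithRootObject:root
                                         requiringSecureCoding:YES
                                                         error:&err];
    if (!data) NSLog(@"archive failed: %@", err);
    return data;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // 1. Archive whose root is a subclass of an allowed class: accepted, and the
        //    subclass's initWithCoder: has already run by the time we get the object.
        LoggingGreeting *lg = [LoggingGreeting new];
        lg.text = @"hi";
        NSError *err = nil;
        Greeting *g = decodeSecure(archiveOf(lg), &err);
        NSLog(@"secure decode of subclass -> %@", [g class]);

        // 2. Archive whose root is off the allowlist: secure decode refuses it,
        //    legacy decode instantiates it without complaint.
        NSData *dictArchive = archiveOf(@{@"k": @"v"});
        err = nil;
        Greeting *rejected = decodeSecure(dictArchive, &err);
        NSLog(@"secure decode of NSDictionary -> %@, error: %@", rejected, err.localizedDescription);
        NSLog(@"legacy decode of NSDictionary -> %@", [decodeLegacy(dictArchive) class]);
    }
    return 0;
}
```

Build on macOS with `clang -fobjc-arc -framework Foundation example.m -o example`. The practical takeaway is the same as the talk's: an allowlist limits which classes are reachable from untrusted input, but it does not make the reachable classes' initWithCoder: code safe, and any subclass of an allowed class, including ones the reviewer never considered, is reachable too.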


There have been rumors of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices. This presentation explores the remote, interaction-less attack surface of iOS. It discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. It also includes two examples of vulnerabilities discovered using these methods.