A crypto wallet maker’s warning about an iMessage bug seems like a false alarm

A crypto wallet maker said this week that hackers may be targeting people with an iMessage “zero-day” exploit, but all signs point to an exaggerated threat, if not an outright scam.

Trust Wallet’s official account on X (formerly Twitter) wrote that “we have credible information regarding a high-risk zero-day exploit targeting iMessage on the Dark Web. This can infiltrate your iPhone without clicking any links. High value targets are likely. Each use increases the risk of detection.”

The wallet maker advised iPhone users to turn off iMessage completely “until Apple fixes this,” even though no evidence shows “this” exists at all.

The tweet went viral and had been viewed over 3.6 million times at the time of our publication. Due to the attention the post received, Trust Wallet, which is owned by the cryptocurrency exchange Binance, wrote a follow-up post hours later. The wallet’s maker doubled down on its decision to make it public, saying it “actively communicates any potential threats and risks to the community.”

When reached by email, Trust Wallet’s John Broadley declined to provide TechCrunch with evidence of the company’s claim. Eve Lam, Chief Information Security Officer at Trust Wallet, reiterated the company’s advice to users, even without providing evidence to say there is an imminent threat.

Apple spokesman Scott Radcliffe declined to comment when reached Tuesday.

As it turns out, according to Trust Wallet CEO, Eowyn Chen, the “intelligence” is an advertisement on a shadowy website called CodeBreach Lab, where someone is offering the aforementioned alleged exploit for $2 million in bitcoin cryptocurrency. The announcement titled “iMessage Exploit” states that the vulnerability is a remote code execution exploit (or RCE) that requires no interaction from the target – commonly known as a “zero-click” exploit – and works on the latest version of iOS. Some bugs are called zero-days because the vendor has no time, or zero days, to patch the vulnerability. In this case, there is no evidence of an exploit to begin with.

A screenshot of the dark web ad claiming to sell an alleged iMessage exploit. Image credits: TechCrunch

RCEs are some of the most powerful exploits because they allow hackers to remotely take control of targeted devices over the Internet. An exploit like an RCE coupled with zero-click functionality is incredibly valuable because such attacks can be conducted stealthily without the device owner knowing. In fact, a company that acquires and resells zero-days is currently offering between $3 and $5 million for that kind of zero-click zero-day, which is also a sign of how difficult it is to find and develop this kind of exploit.

Contact us

Do you have any information on actual zero-days? Or about spyware vendors? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or e-mail. You can also contact TechCrunch via SecureDrop.

Given the circumstances of how and where this zero-day is being sold, it is very likely that this is just a scam, and that Trust Wallet has fallen for it, spreading what people in the cybersecurity industry would call FUD, or “fear, uncertainty and doubt.”

Zero-days exist, and they have been used by government hacking units for years. But in reality you probably won’t need to turn off iMessage unless you’re a high-risk user, such as a journalist or a dissident under an oppressive government.

It’s better advice to suggest people turn on Lockdown Mode, a special mode that disables some features and functionality of Apple devices with the aim of reducing the avenues hackers can use to attack iPhones and Macs.

According to Apple, there is no evidence that anyone has successfully hacked into anyone’s Apple device while using Lockdown Mode. Several cybersecurity experts, like Runa Sandvik and the researchers working at Citizen Lab, which has investigated dozens of iPhone hacking cases, recommend using Lockdown Mode.

For its part, CodeBreach Lab appears to be a new website with no track record. When we checked, a Google search returned only seven results, one of which was a post on a popular hacking forum asking if anyone had heard of CodeBreach Lab before.

On its misspelled homepage, CodeBreach Lab claims to offer several types of exploits beyond iMessage, but provides no further evidence.

The owners describe CodeBreach Lab as “the nexus of cyber disruption.” But it would probably be more appropriate to call it the nexus between bravado and naivety.

TechCrunch was unable to reach CodeBreach Lab for comment because there is no way to contact the alleged company. When we attempted to purchase the alleged exploit (why not?), the website asked for the buyer’s name and email address, and then to send $2 million in bitcoin to a specific wallet address on the public blockchain. When we checked, no one had done so.

In other words, if someone wants this supposed zero-day, they have to send $2 million to a wallet that, at this point, there is no way of knowing who it belongs to, nor – yet – any way to contact.

And there’s a very good chance that things will stay that way.

UPDATE, April 17, 8:35 a.m. ET: This story has been updated with comments from Trust Wallet.
