
A crypto wallet maker’s warning about an iMessage bug sounds like a false alarm

A crypto wallet maker claimed this week that hackers could target people with a zero-day exploit on iMessage – but all signs point to an exaggerated threat, if not an outright scam.

Trust Wallet’s official account on X (formerly Twitter) wrote that “we have credible information regarding a high-risk zero-day exploit targeting iMessage on the Dark Web. It can infiltrate your iPhone without clicking any links. High value targets are likely. Each use increases the risk of detection.”

The wallet maker recommended that iPhone users turn off iMessage completely “until Apple fixes this issue,” even though there is no evidence that “this issue” exists.

The post went viral and had been viewed more than 3.6 million times at the time of publication. Given the attention it received, Trust Wallet published a follow-up a few hours later, doubling down on its decision to go public and saying it is “actively communicating all potential threats and risks to the community.”

Trust Wallet, which is owned by crypto exchange Binance, did not respond to TechCrunch’s request for comment. Apple spokesman Scott Radcliffe declined to comment when contacted Tuesday.

As it turns out, according to Trust Wallet CEO Éowyn Chen, the “intel” is an advertisement on a dark web site called CodeBreach Lab, where someone is offering the alleged exploit for $2 million in bitcoin. The listing, titled “iMessage Exploit,” claims the vulnerability is a remote code execution (RCE) exploit that requires no interaction from the target – commonly known as a “zero-click” exploit – and works on the latest version of iOS. Such bugs are called zero-days because the vendor has had zero days to patch the vulnerability before it is used. In this case, there is no evidence that the exploit exists at all.

A screenshot of the dark web advertisement claiming to sell an alleged iMessage exploit. Image credits: TechCrunch

RCEs are among the most powerful exploits because they allow hackers to take remote control of a target device over the internet. An RCE coupled with zero-click capability is especially valuable because the attack can be carried out invisibly, without any action by or knowledge of the device owner. In fact, one company that acquires and resells zero-days is currently offering $3 million to $5 million for this type of zero-click zero-day, which also shows how difficult it is to find and develop such exploits. An anonymous storefront asking less than what legitimate brokers pay is itself a warning sign.

Contact us

Do you have any information on actual zero-days? Or spyware providers? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email. You can also contact TechCrunch via SecureDrop.

Considering the circumstances in which, and the place where, this zero-day is being sold, it is very likely a scam that Trust Wallet has fallen for, spreading what people in the cybersecurity industry would call FUD, or “fear, uncertainty and doubt.”

Zero-days are real and have been used by government hacking units for years. But in practice, you probably don’t need to turn off iMessage unless you’re a high-risk user, such as a journalist or a dissident living under a repressive government.

A better suggestion is to enable Lockdown Mode, a setting that disables certain features and functionality of Apple devices to reduce the ways hackers can attack iPhones and Macs. Among other things, it blocks most iMessage attachment types and disables link previews, which removes much of the surface that zero-click message exploits have historically relied on.

According to Apple, there is no evidence that anyone has successfully hacked an Apple device with Lockdown Mode enabled. Several cybersecurity experts, including Runa Sandvik and the researchers at Citizen Lab, who have investigated dozens of iPhone hacking cases, recommend using Lockdown Mode.

For its part, CodeBreach Lab appears to be a new website with no history. When we checked, a Google search returned only seven results, including a post on a well-known hacking forum asking if anyone had ever heard of CodeBreach Lab.

On its home page – complete with typos – CodeBreach Lab claims to offer several other types of exploits besides the iMessage one, but provides no evidence for any of them.

The owners describe CodeBreach Lab as “the nexus of cyber disruption.” It would probably be more accurate to call it the nexus of bragging and naivety.

TechCrunch was unable to reach CodeBreach Lab for comment, as there is no way to contact the alleged company. When we attempted to purchase the alleged exploit – why not – the website asked for the buyer’s name and email address, then instructed us to send $2 million in bitcoin to a specific wallet address. Because the bitcoin blockchain is public, anyone can check whether that address has received funds; when we checked, no one had paid.

In other words, anyone who wants this so-called zero-day has to send $2 million to a wallet whose owner, at this point, cannot be identified and, once again, cannot be contacted.

And there is a very good chance that it will stay that way.
