iPhone users warned about iMessage exploit, but it could be fake

Apple iPhone users have been warned of a supposed zero-day, zero-click vulnerability in iMessage that attackers could exploit to gain remote access to a device. The warning came from Trust Wallet, a decentralized crypto wallet owned by Binance, which described the flaw as exploitable without any user interaction. There are no reports of the exploit actually being used against anyone, however, which casts doubt on whether the threat is real. It may well be a fake exploit.

Crypto wallet maker warns iPhone users about an iMessage exploit

Trust Wallet reported the vulnerability via X, formerly Twitter. “We have credible intel regarding a high-risk zero-day exploit targeting iMessage on the Dark Web. This can infiltrate your iPhone without clicking any link,” the firm said. It added that high-net-worth individuals are at greater risk, because attackers can extract more profit from fewer compromises, and every additional use of an exploit raises the chance that it is detected and patched.

The crypto wallet maker urged iPhone users to disable iMessage until Apple patches the vulnerability. To do that, go to Settings > Messages and toggle iMessage off. Given the risk such a flaw would pose if genuine, it is no surprise that many users have already disabled iMessage. However, the threat may be exaggerated. That is not to say the flaw does not exist, but Trust Wallet may have overblown it.

In a follow-up post, the firm revealed that the “intel” it was referring to was nothing more than an advertisement for an alleged iMessage exploit on a dark web site calling itself CodeBreach Lab. An unknown individual or group offered to sell the exploit for $2 million in Bitcoin. The listing claims it is a remote code execution (RCE) exploit that requires no user interaction, works on iOS 17, and gives full control over the compromised iPhone.

Trust Wallet CEO Eowyn Chen also shared a screenshot of the listing. However, TechCrunch believes it is not a genuine exploit. Zero-day, zero-click exploits are extremely hard to develop, and exploits of this type reportedly sell for as much as $5 million. The listing is more likely a scam aimed at would-be buyers. “Trust Wallet fell for it, spreading what people in the cybersecurity industry would call FUD, or fear uncertainty and doubt,” the publication states.

You may not need to disable iMessage

TechCrunch continued its investigation and found more signs pointing toward a fake exploit. Firstly, CodeBreach Lab has no track record. Its website has a typo-ridden homepage and offers no evidence to support its claims, and the group lists no contact information. When TechCrunch attempted to buy the exploit, the site asked for the buyer’s name and email address and then instructed it to send $2 million in Bitcoin to a specific wallet address.

Because Bitcoin transactions are recorded on a public blockchain, anyone can check what an address has received. Nobody had sent $2 million to the address, indicating that no one had purchased the alleged exploit at the asking price. For a genuine zero-day, zero-click iMessage exploit, that would be extremely unusual given how valuable such exploits are. Long story short, it appears to be a fake ad for a non-existent iMessage exploit. The absence of any evidence of the exploit being used in the wild further hints at a scam.

So, do you need to disable iMessage? TechCrunch doesn’t think so, “unless you are a high-risk user, such as a journalist or dissident under an oppressive government.” There is no way to be certain the listing is fake, but for users who are worried, Apple’s Lockdown Mode (Settings > Privacy & Security > Lockdown Mode) should be enough to safeguard the iPhone. It disables certain features and functionalities, including some iMessage attachment types and link previews, to reduce the avenues attackers can use to compromise the device. There are no publicly known cases of an iPhone running Lockdown Mode being successfully compromised.