The Programmer’s Misstep: MATLAB Also Falls Victim!
1. The Novice Theater
Novice: (looking at the iPad screen, shocked) Wow, Brother Da Dong, look! This movie is so cool!
Da Dong: (sipping tea, glancing over) Oh, watching “The Matrix” again?
Novice: Yes! It just showed Neo being implanted with a program, that feeling of “being invaded without doing anything” is just so on point!
Da Dong: Hahaha, you’re really into the movie. But in reality, things like this are much scarier than what’s portrayed in films.
Novice: How so? In movies, there are agents and hackers; how could ordinary people like us be targeted?
Da Dong: Don’t underestimate hackers’ “skills”. What happens in movies is fiction, but just a few days ago, Apple had a major incident that is exactly like what you described as “being invaded without doing anything”.
Novice: No way? Apple is so secure, how could that happen? Don’t scare me.
Da Dong: It’s true. And this time it’s not a movie; it’s a super dangerous zero-day vulnerability in the real world.
Novice: Zero-day? Does that mean it was discovered on the first day?
Da Dong: Exactly. Apple didn’t even know about it, but hackers had already exploited it to launch attacks.
Novice: Really? My iPad is on the latest system; could it still be affected?
Da Dong: Theoretically, as long as your device is on a version prior to iOS 16.6.1, it’s at risk. This is no joke.
Novice: Oh my! What’s going on? I need to check my system version!
Da Dong: Don’t rush; let me explain it to you properly. This involves a lot of security knowledge, which you’ve always been curious about, right?
Novice: Yes, yes! Brother Da Dong, hurry up; this is even more exciting than a movie!
2. About the Incident
Da Dong: Alright. Let’s talk about the vulnerabilities this time. There are two: one is the Image I/O vulnerability, and the other is the Wallet vulnerability.
Novice: Two? That sounds so professional. Can you explain it in simpler terms?
Da Dong: No problem. Don’t you often use iMessage to send and receive pictures?
Novice: Yes, I use it every day. Emojis, scenic pictures, I send all kinds.
Da Dong: Well, the problem lies here. Hackers can exploit the first vulnerability to send you a malicious image via iMessage.
Novice: And then? If I open the image, does my phone get controlled?
Da Dong: That’s the scariest part of this vulnerability. You don’t even need to open the image!
Novice: Huh? What do you mean by not opening it?
Da Dong: Exactly. As long as you receive that iMessage, the malicious code will execute automatically. This process is called a zero-click attack.
Novice: Zero-click… isn’t that what you said about “doing nothing”? That’s terrifying! What will happen to my phone?
Da Dong: Once the attack is successful, hackers can execute any code they want on your phone. For example, they can install spyware.
Novice: Spyware? Doesn’t that put my chat records, photos, and bank passwords at risk?
Da Dong: Not just that. Hackers can remotely monitor your camera and microphone, and even copy all the data from your phone.
Novice: Oh my! What about the second vulnerability, the one called Wallet?
Da Dong: The second vulnerability is related to your Apple Pay and Apple Wallet.
Novice: Oh no, my bank card and transit card are in there!
Da Dong: Yes, hackers can exploit this vulnerability to perform malicious operations within Apple Wallet. Although the specific details haven’t been fully disclosed, it’s easy to imagine that this could affect your payment security.
Novice: This is like opening my digital wallet for others to see!
Da Dong: Therefore, the combination of these two vulnerabilities poses a comprehensive threat to users. From privacy data to financial security, nothing is spared.
Novice: How did Apple discover this? How many people have been attacked?
Da Dong: This incident was discovered by a group called Citizen Lab. They found traces of hacker attacks on the device of a member of a non-governmental organization.
Novice: Luckily they found it; otherwise, we wouldn’t know how many people were attacked.
Da Dong: Right. After Citizen Lab discovered the attack, they immediately notified Apple. Apple confirmed the existence of the vulnerability and released an emergency update.
Novice: So as long as I update the system, I’ll be fine, right?
Da Dong: Yes, as long as you update your system to iOS 16.6.1 or a higher version, the vulnerability will be fixed. So make sure to update promptly.
3. The Conclusion
Da Dong: Novice, you just asked me if this kind of thing is rare in reality. In fact, in the world of digital security, similar zero-click attacks have happened many times.
Novice: Really? I feel like I haven’t heard much about it.
Da Dong: That’s because these attacks are often targeted at specific groups, such as journalists, dissidents, and government officials.
Novice: Oh, I see. So the news we ordinary people encounter is relatively less.
Da Dong: Exactly. But this time, Apple’s vulnerability has a very wide impact. Behind this is a very important trend in the digital security era.
Novice: Trend? What trend?
Da Dong: Attacks are becoming more precise and more covert. Moreover, attackers are starting to use AI technology to find and exploit vulnerabilities.
Novice: AI hackers? That sounds so sci-fi.
Da Dong: Not at all sci-fi. AI can scan the internet on a large scale, looking for weak points in software, and even automate the generation of attack code.
Novice: So how can ordinary people defend themselves?
Da Dong: Let’s talk about a few similar historical events, and you’ll know how to defend yourself.
Novice: Okay, go ahead!
Da Dong:The first event is the “Pegasus” spyware. It also exploited zero-click vulnerabilities to invade phones by sending malicious messages through WhatsApp, iMessage, etc.
Novice: Pegasus? Sounds like a horse from a mythological story.
Da Dong: It was developed by the Israeli company NSO, specifically sold to various governments. When it was exposed, it caused a huge uproar.
Da Dong:The second event occurred in 2016, when hackers exploited a vulnerability in iMessage to invade the iPhone of a human rights activist from the UAE.
Novice: Another one involving iMessage? Is Apple’s service particularly easy to exploit?
Da Dong: As part of a closed ecosystem, iMessage is indeed a key target for hackers because it handles a lot of data and is end-to-end encrypted.
Novice: So once hackers break in, it’s like they have the golden key.
Da Dong: Exactly. The third event involved Google’s Project Zero team, which specializes in finding zero-day vulnerabilities in software. In 2021, they exposed multiple zero-day vulnerabilities in both Android and iOS devices.
Novice: It’s like the “Sherlock Holmes” of the security world.
Da Dong: You could say that. The fourth event was the “Sandworm” hacker group, which used malware to infiltrate Ukraine’s power grid in 2017, causing widespread blackouts.
Novice: Blackouts? Isn’t that just like a scene from a movie?
Da Dong: Yes. These events show us that cyberattacks threaten not only individuals but also critical infrastructure.
Novice: Are there more? Tell me a few more.
Da Dong:The fifth event was the Log4j vulnerability. It erupted in 2021 and had an unimaginable wide-ranging impact, putting many websites and servers at risk.
Novice: Like an infectious disease.
Da Dong: Exactly. The sixth event was the SolarWinds supply chain attack, where hackers infiltrated SolarWinds software and then implanted malicious code into the networks of thousands of companies and government departments worldwide through software updates.
Novice: That’s like pulling the rug out from under them!
Da Dong:The seventh event was the WannaCry ransomware, which erupted in 2017 and exploited a vulnerability in Windows, leading to attacks on hospitals, businesses, and government departments in over a hundred countries.
Novice: I’ve heard of that! Many computer screens turned red.
Da Dong: Exactly. All these events share a common point: they exploit zero-day vulnerabilities to attack and have a wide-ranging impact.
Novice: So how do we prevent this? Besides updating the system promptly.
Da Dong: There are many preventive measures. Let me summarize a few for you.
Novice: Okay! I’ll take notes.
Da Dong:First, update software promptly. This is the most important point. Once software vendors discover vulnerabilities, they will release patches.
Novice: It’s like giving our phones a vaccine.
Da Dong: Exactly. Second, do not click on unknown links casually. Even if it’s sent by a friend, be cautious.
Novice: Okay, I usually pay attention to this.
Da Dong:Third, use strong passwords and multi-factor authentication (MFA). This way, even if your password is stolen, hackers cannot log into your account.
Novice: Passwords should be complex, and we should use fingerprint or facial recognition.
Da Dong: Exactly. Fourth, regularly back up important data. In case of a ransomware attack, at least you have backups.
Novice: Yes, this is very important. Otherwise, all the data will be lost.
Da Dong:Fifth, use reliable security software. For example, antivirus software, firewalls, etc.
Novice: Okay, I’ll remember all these. I feel like this knowledge is even more exciting than watching a movie.
Da Dong: Movies are fictional, but security issues are very real. In the age of AI and digital technology, understanding these is essential for protecting yourself.
4. The Novice’s Inner Thoughts
Novice: Sigh, after talking with Brother Da Dong today, I feel like I’ve been splashed with cold water. I used to think that cybersecurity was far from me, just a game for hacker elites. But after hearing all this, I realize that every app I use and every message I send could become an entry point for attacks. That zero-click vulnerability really sends chills down my spine. I thought that as long as I didn’t click on links or download software randomly, my phone would be safe. But it turns out that just receiving an iMessage could mean I’m at risk of being invaded. This silent threat is even scarier than the overt attacks in movies. In this era, not understanding security is like being unarmed in a jungle, where you could be targeted by beasts at any moment.