
Critical MMS Vulnerability in Apple and Android Devices Allows Remote Execution via Hotspot
A critical vulnerability has been reported in Apple and Android devices that allows attackers to send MMS messages from a target user's phone without leaving any trace. The attack is carried out by connecting to the target device's hotspot, which enables remote execution. The vulnerability was reported to both Apple and Google approximately four months ago, with video proof, yet both companies have decided not to address the issue. The reporter plans to disclose the vulnerability publicly in a month if no action is taken.
Technically, this vulnerability involves the MMS protocol and the way devices handle hotspot connections. The ability to send messages remotely without leaving traces poses significant risks, including potential misuse for spreading misinformation, phishing attacks, or sending malicious content. The attack vector requires proximity to the target device, as it involves connecting to the device's hotspot.
The decision by Apple and Google not to fix this vulnerability raises questions about their risk assessment processes. From a cybersecurity perspective, this vulnerability is critical due to its potential for remote execution, which can lead to complete device compromise.
The planned public disclosure of the vulnerability highlights the delicate balance between responsible disclosure and the need for timely patches. Expert insights suggest that companies should prioritize vulnerabilities that allow remote execution, given their potential for severe impact. Organizations and individuals should be aware of this potential risk and consider mitigations, such as disabling hotspot functionality when not in use or monitoring for unusual MMS activity.
In conclusion, this vulnerability underscores the importance of robust vulnerability management processes and the need for timely patches. It also highlights the ongoing challenges in balancing disclosure timelines with the need for security fixes.