Last week the InfoSec community was informed about 14 vulnerabilities found in Apple’s iOS. Further, it was stated that these vulnerabilities had been actively exploited in the wild since September 2016. Google’s Project Zero, working in conjunction with Google’s Threat Analysis Group (TAG), published the results of over seven months of research detailing how the vulnerabilities were exploited. The attackers used the vulnerabilities in at least five exploit chains, and Project Zero published its research on each of the five chains. The reports can be read here, beginning with the first exploit chain. It goes without saying that the information in the reports is technical and won’t be covered in much depth in this article, but for the technically minded the reading will be interesting.
From the several reports published by Project Zero, there are more than a few key takeaways. Briefly, the most important of them will be covered below. One of the first striking facts about the discovered vulnerabilities, other than the number of them and that they had been exploited in the wild for nearly two years, was that the attackers didn’t target specific iOS users. Rather, the attacks were conducted indiscriminately. The operation came to light when TAG discovered the compromised websites earlier this year. Upon further investigation, five distinct exploit chains were discovered, with the compromised websites each receiving thousands of visits a week. Worryingly, the exploit chains allow for the targeting of devices running everything from iOS 10 through to iOS 12.
Upon initial investigation, it was soon discovered that one of the exploit chains leveraged a zero-day exploit which was unpatched at the time of discovery. CVE-2019-7287 and CVE-2019-7286 were reported to Apple with a 7-day deadline on February 1, 2019, which resulted in the out-of-band release of iOS 12.1.4 on February 1, 2019, with Apple also releasing details on the flaws the same day the update was released. With some of the exploit chains, unsuspecting users were infected just by visiting one of the compromised websites. This means that users did not have to download a malicious attachment or click on a malicious link.
This infection vector, while not new, is incredibly dangerous. Given that the websites saw thousands of visitors a week, thousands of iOS users could be infected by merely visiting a compromised website. If the device visiting the website passes certain tests, namely if it runs one of the iOS versions targeted by the exploit chain, the infection process begins. Once the device is infected, the malware installed is capable of accessing location data as well as information stored in apps such as iMessage and WhatsApp. It can gain access to information that is normally encrypted, like WhatsApp messages, because the malware can read data normally locked behind the keychain. The information accessed can be stolen and sent to a command and control server. Stolen information can further include passwords, Wi-Fi passwords, photos, and other potentially sensitive data.
According to an analysis done by Malwarebytes, which was also verified by researchers in both TAG and Project Zero, the malware implanted on the device is removed upon restarting the device. This small mercy of the attackers being unable to maintain boot persistence drastically reduces the amount of time the malicious implant remains active on a device. That does not mean that the exploit chains are not dangerous. Once a device is infected, it does not take long to exfiltrate sensitive data. Added to this, if the victim has not installed the latest iOS patch they will be infected again upon visiting one of the compromised websites. It is advised that iOS users ensure the latest patch has been installed to mitigate further exploitation of the vulnerabilities.
iOS and Security
When it comes to Apple products and cybersecurity, numerous myths pervade the market. At PC Risk we have covered many emergences of Mac malware and vulnerabilities affecting iOS devices, as well as publishing guides for the removal of Mac-targeted malware. A quick search will reveal that iOS users are not as inherently safe as they are led to believe. True, they are targeted less, as most malware authors focus on Android malware for mobiles and Windows for desktops due to their greater share of the market, but they are still targeted, as seen above. It is hoped that this latest bombshell helps destroy some of these myths. That is the hope, but in reality it may not be the case.
At the time of writing there had been no official response from Apple regarding the flaws discovered by Google’s two teams. All news relating to Apple seems to be focused on the release of the iPhone 11 and iOS 13 rather than the scope of the attack users had been experiencing for the last two years. Some within the InfoSec community are asking whether users can trust Apple and its products. The arguments may seem a knee-jerk reaction, but it’s hard to argue with some of them. Even though the vulnerabilities were patched, Apple’s silence is almost deafening given the amount of data, and the nature of the data, that could be accessed by attackers. Also, the details as to the scope of the attacks and those impacted by them are hazy, again because of Apple’s silence on the matter. The general public has no idea whether they are a victim or not. Should they be stopping bank cards and changing passwords? In light of the distinct lack of response from Apple, maybe they should, just to be safe.