A collection of fourteen vulnerabilities affecting almost every iOS versions from iOS 10 to iOS 12 enabled a number of hacked websites to gain control of their visitors devices and steal a wealth of private data aver at least two years, Google Threat Analysis Group (TAG) engineer Ian Beer wrote. These vulnerabilities are not new. What is new is the discovery of their active exploit in the wild for at least two years.
UPDATE (9/9/2019): After this article went online, Apple released an officlal statement concerning the exploits affecting its devices in the wild, According to Apple, the idea that those were broadly targeted exploits "en masse" is misleading, since no more that a dozen websites were hacked. Furthermore, those websites all focused on content related to the Uighur community, so Apple also rejected the idea that the community of iPhone users might have been subject to the attack at large. Another statement from Google's in-depth analysis Apple took issue with concerns the alleged duration of those attacks. While confirming to have patched all involved vulnerabilities promptly, as InfoQ correctly highlighted in its first reporting, Apple shrinks the duration of the attacks from a period of two years, as Google implied, down to "roughly two months". On a related note, it also became known that Android and Microsoft Windows users were also targeted through the same websites used to attack iPhone users. This also hints at a broad effort that went well beyond hacking iPhone users only.
Seven of the vulnerabilities affected the iOS browser, five were kernel vulnerabilities, and two were sandbox escapes. Collectively they were used to create five exploit chains each leading from initially hacking into a device, typically exploiting a browser vulnerability, to getting access to private data by escalating the attack to higher privilege levels. According to Beer, most of those vulnerabilities were caused by poor QA or blatant errors that should have never made it into shippable software. For example, one kernel vulnerability was associated to a heap overflow in a C++ method in the embedded GPU driver. The method parsed user-provided data without doing the required bound-checking.
Another kernel vulnerability was caused by a code refactoring the replaced a <
bound check with !=
, whereby the value being checked against was read directly from an IPC message. A similar case of unfiltered usage of user-provided data was the culprit of a different kernel vulnerability in a IOKit public method that performed a memmove
with a user-provided length argument. Another really hard-to-justify vulnerability was linked to some "unfinished" code that Apple added in 2014 to implement a "vouchers" feature and that would have caused a kernel panic if called with expected arguments in any kind of test or attempt of use. According to Beer, many of those bugs should have been detected by unit testing, code review, or fuzzing.
Beer, in his analysis of the exploits, went so far as to set up his own command and control server to investigate what kind of data attackers had access to after gaining unsandboxed code execution privilege as root. Specifically, he found out all major apps, including Whatsapp, Telegram, iMessage, Gmail, Contacts, and many others, all leaked unencrypted data, and attackers had access to almost all personal information available on the device. Beer notes that although Google identified a number of hacked websites that had been exploiting those vulnerability chains, that does not mean that they were the only ones doing it.
Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.
Possibly the most important takeaway from this story is that no system can be considered safe, not even one as highly-regarded in this respect as the iPhone, and users should be aware of that.
Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted.
To make things worse, being targeted is not just a matter of being individually targeted, says Beer. Instead, attacks are often carried through against mass targets, where the simple fact of belonging to a target group, either on a geographic or ethnic base, is enough to provoke it.
Ian Beer's series of articles provides extensive details, in which he digs ito the detail of all vulnerabilities and how they could be chained together to make the exploits possible.