Apple iPhones Hacked by Websites Exploiting Zero-Day Flaws
Watering-Hole Attack Analysis From Google Follows Apple's February Patches
Since at least 2016, hacked websites have targeted zero-day flaws in the latest versions of Apple iOS to surreptitiously hack iPhones, new research from Google shows.
The attack campaign has been revealed by Google's Project Zero team, which searches for zero-day flaws. It says the attack campaign was used to infect iOS devices with an implant - aka malware - that could steal private data, including photos and messages in Telegram, iMessages and Gmail, as well as send GPS data to a command-and-control server for tracking users in real time, provided they're online.
"Earlier this year Google's Threat Analysis Group discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day," Ian Beer of the Project Zero team says in a blog post published Thursday.
"There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," he says. "We estimate that these sites receive thousands of visitors per week."
Apple did not immediately respond to a request for comment.
Google reported two serious flaws - CVE-2019-7287 & CVE-2019-7286 - to Apple on Feb. 1, setting a seven-day deadline before releasing them publicly, since they were apparently still zero-day vulnerabilities as well as being used in active, in-the-wild attacks.
Apple patched the flaws via iOS 12.1.4, released on Feb. 7, together with a security alert.
Five Exploit Chains
Hacking modern operating systems - including iOS - typically requires chaining together exploits for multiple flaws. In the case of mobile operating systems, for example, attackers may require working exploits that allow them to initially access a device - typically via a WebKit-based browser - and then to escape sandboxes and jailbreak the device to install a malicious piece of code.
All told, Google says that it counted five exploit chains that made use of 14 vulnerabilities: "seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes."
The identified exploits could have been used to hack devices running iOS 10, which was released on Sept. 13, 2016, and nearly every newer version of iOS, through to the latest version of iOS 12.
"This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years," Beer says.
Attackers were able to infect iOS devices with malware without having to jailbreak the device by bypassing mandatory code signing, which restricts which apps a device can run. Instead, according to an exploit teardown written by Beer, the attackers were able to sneak a hash for their code into the iOS "root of trust," which then allowed their code to run.
"Since the attackers only wish to execute their implant binary and not disable code-signing system wide, it suffices to simply add the hash of their implant's code-signing blob to the kernel dynamic trust cache, which they do using the kernel task port," Beer says.
Implant Could Raid iOS Keychain
An analysis of the implant by Google Project Zero found that the malware could exfiltrate data from infected devices, including from apps such as Telegram, WhatsApp, Gmail, iMessage and others. Up to once per minute, the command-and-control server could also receive the GPS coordinates for any infected user who was online.
The implant could also steal passwords stored in the password manager built into iOS, called keychain. But it doesn't just include passwords for apps, sites and services.
"The keychain also contains the long-lived tokens used by services such as Google's iOS single-sign-on to enable Google apps to access the user's account," Beer says. "These will be uploaded to the attackers and can then be used to maintain access to the user's Google account, even once the implant is no longer running."
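The implant described above reported GPS coordinates to its command-and-control server up to once per minute, which from a network defender's side shows up as one client contacting one host at a near-constant interval. The following is an added example, not code from Google Project Zero or from the article, that flags such regular series in proxy logs. The log line format, the client addresses, the host names and the thresholds are all constructed assumptions for the example.

```python
"""Periodic-beacon detector over constructed proxy logs.

Added example, not code from Google Project Zero or the article. The log
format "<ISO timestamp> <client> <destination host> <bytes>", the hosts
(all under the reserved .invalid TLD) and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: one client talks to one host roughly every
# minute, another client browses normally.
SAMPLE_LOGS = """\
2019-08-29T10:00:03 10.0.0.5 updates.example-cdn.invalid 1820
2019-08-29T10:00:12 10.0.0.7 c2.example-bad.invalid 512
2019-08-29T10:01:11 10.0.0.7 c2.example-bad.invalid 520
2019-08-29T10:01:30 10.0.0.5 news.example.invalid 94210
2019-08-29T10:02:10 10.0.0.7 c2.example-bad.invalid 508
2019-08-29T10:03:12 10.0.0.7 c2.example-bad.invalid 515
2019-08-29T10:04:09 10.0.0.7 c2.example-bad.invalid 511
2019-08-29T10:05:11 10.0.0.7 c2.example-bad.invalid 519
2019-08-29T10:07:45 10.0.0.5 news.example.invalid 80311
2019-08-29T10:13:02 10.0.0.5 news.example.invalid 71002
"""


def parse_logs(text):
    """Group connection timestamps by (client, destination host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the run
        ts, client, host, _size = parts
        series[(client, host)].append(datetime.fromisoformat(ts))
    return series


def find_beacons(series, min_events=5, max_jitter=0.15):
    """Return (client, host, mean_interval_s) for regular connection series.

    A series is flagged when it has at least `min_events` connections and
    the coefficient of variation (population stdev / mean) of the gaps
    between them is below `max_jitter`. Both thresholds are assumptions;
    tune them against your own baseline traffic.
    """
    hits = []
    for (client, host), times in series.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((client, host, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for client, host, interval in find_beacons(parse_logs(SAMPLE_LOGS)):
        print(f"beacon-like traffic: {client} -> {host} every ~{interval}s")
```

On the constructed input the regular once-a-minute series is flagged while the ordinary browsing is not. Beacon detection is a prompt for investigation rather than proof of compromise, and because the stolen keychain tokens outlive the implant, a confirmed infection also calls for revoking sessions and tokens for the affected accounts, not only removing the implant.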
Identified Flaws Fixed
By February, all of the flaws that comprised exploit chains being used by the websites had been discovered and reported to Apple. That included a vulnerability used by 360 Security's @S0rryMybad to win $200,000 at the TianFu Cup PWN competition on Nov. 17, 2018.
Separately, Brandon Azad of Google Project Zero had discovered the flaw and reported it to Apple on Dec. 6, 2018, leading to Apple releasing its iOS 12.1.4 update on Jan. 22 that credited both @S0rryMyBad and Azad with having discovered and reported the vulnerability, designated CVE-2019-6225.
Subsequently, the bug bagged a Pwnie award at Black Hat 2019 for being the best privilege escalation flaw.
Experts Laud Researchers
Security experts have lauded Google's work, given the damage this campaign could have caused.
"Google sandbox nailed iPhone watering hole attacks - tear down and implants, this is significant man hours to develop & execute by attack - solid research, [Google Project Zero]," says Matthew Hickey (@hackerfantastic), co-founder of security firm Hacker House.
Experts such as Matthew Green, a professor of cryptography at Johns Hopkins University, say they would like to see more details, including precisely which sites were running these attacks, to help individuals know if they might have fallen victim.
"Project Zero has earned every drop of praise they get with this post," Green says via Twitter. "But the P0 post doesn’t say what the websites serving these exploits were, and what populations they were targeting. Anyone know?"
Walled Garden and Monoculture Risks
The attack campaign also highlights some upsides and downsides of Apple's approach to security. Apple tightly controls iOS development as well as the App Store, and restricts devices to installing only apps that it has first vetted and allowed onto the App Store, with some exceptions for enterprise apps.
The Android operating system, for example, is an open source project that numerous device manufacturers continue to customize. While Google uses a "vanilla" version of Android on its Pixel devices, almost every other OEM that uses Android first customizes it and then rolls it out on hardware that it has itself developed. The operating system may also be further customized by telecommunications companies before they sell or rent the smartphones to their customers.
Thus, while some flaws discovered in Android devices might affect the entire ecosystem, many are specific to certain versions of Android deployed on certain devices offered by specific telecommunications companies.
That stands in contrast to Apple devices, where one successful exploit chain may work against all current and recent iOS devices.
"iPhones are a monoculture, once you pop one, you’ve popped them all," says the operational security expert known as the Grugq on Twitter.
South Africa information security expert Haroon Meer, founder of applied security research company Thinkst, says the iOS watering-hole attacks suggest that the code that powers Apple's mobile operating system should come under greater scrutiny.
"iOS devices being owned en-masse (while being undetected) makes it clear that inspectability is an important part of security," Meer tweets.
Google's Beer, meanwhile, says the flaws reveal apparent problems with development and quality assurance practices at Apple, which mirror "overlooked" problems that are common across the industry, including "cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users." Over time, bad code can mount, giving attackers more potential ways to hack their way into the operating system.
In the case of Apple, Beer says that Google's discovery of websites that have used these five separate exploit chains suggests that there may still be other sites - and attackers - at work, hitting vulnerabilities in iOS that so far only those attackers know about.
"For this one campaign that we’ve seen, there are almost certainly others that are yet to be seen," he says.