Imagine that an iPhone could be turned into a surveillance tool capable of sending hackers a record of its owner’s entire digital life, including their location in real time, all their emails, chats, contacts, photos and saved passwords.
A showstopper of a compromise, and yet according to Google Project Zero researcher Ian Beer this is exactly what’s been happening to thousands of iPhone users, for more than two years.
It’s a revelation that had some commentators cracking open the hyperbole emergency glass, so let’s cover the important facts of the story before jumping to any alarming conclusions.
The story starts with a discovery by Google’s Threat Analysis Group (TAG):
… [we] discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.
The first hint that something was up came on 7 February when Apple released an urgent out-of-band update that took iOS to version 12.1.4.
At the time, the main flaw patched by this appeared to be the FaceTime app call snooping bug (CVE-2019-6223). However, further down the same advisory two other flaws (CVE-2019-7287 and CVE-2019-7286) that attackers could use to gain elevated and/or kernel privileges were briefly described.
Kernel panic
In a blog this week Beer has offered the more alarming backstory to their discovery and its potential threat.
Several months of analysis later and it seems these flaws were part of a haul of fourteen vulnerabilities abused by the group behind the attacks discovered by Google.
Affecting iOS 10.x, 11.x, and 12.x, seven related to the Safari browser, five the iOS kernel, plus two sandbox escapes. Most of these had been patched over time but the two reported to Apple above were zero days, hence the company’s rush to get 12.1.4 out only days after Google told them about the issue.
Google isolated five unique exploit chains – campaigns run over time using different combinations of flaws – one of which dated back to late 2016.
The exploit chains were used against visitors to a small group of websites hacked as part of a ‘watering hole’ campaign (where sites frequented by target individuals are hacked to serve exploits).
Writes Beer:
There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.
Although this group of campaigns has been disrupted, Beer thinks there are “almost certainly others that are yet to be seen.”
What this means
Victims’ iPhones would have had malware installed in the form of a powerful monitoring implant capable of stealing chat messages (including WhatsApp, Telegram and iMessage), photos, tracking users’ locations in real time, and even accessing the Keychain password store.
If you set out to design a compromise of a mobile device, it’d be hard to imagine a more complete one than this, excepting that this campaign was eventually detected.
Two caveats to hold on to for encouragement – for attackers to take control of iPhones they still had to tempt victims to specific websites. The malware installed on the phones via the exploit chains stopped working when users rebooted their iPhones, in which case the attackers would have to start infection over again.
Beer’s write-up hints that the attack may be the work of a nation state group trying to gather intel on specific groups of people for political reasons. We can’t verify if that’s true but if it is, it wouldn’t be the first.
Even if the average iPhone user wasn’t the target of the campaigns described by Google, that’s little comfort. We don’t know what other campaigns the group behind them may have been running or who else knew about these exploits.
However, one major strength of Apple’s platform is that the process of deploying updates is very smooth – a big difference from Android where updates aren’t available for some handsets and can take months to become available for others.
iOS has been secure against the exploit chains used in these attacks since version 12.1.4. To check what version you’re using, go to Settings > General > Software Update. This will tell you what version of iOS you’re using and if a newer version is available.
Anonymous
Non-IT person here, love the way you guys break in down to clarify whether or not a panic is needed. Quick couple of questions…
1. Is a reboot like a hard reset? Or wiping the phone and starting over at factory reset?
2. Is there a way to tell if we have been compromised?
3. If we were compromised and have since updated the phone to the most current iOS, is our data safe now at least?
Thanks so much for the calm, collected response to this information!
Paul Ducklin
1. A reboot basically means the age-old IT advice of ‘turning it off and on again’. (Hold down the power button until [slide to power off] appears and drag the slider across. Once the phone is off, press the power button again and let the phone restart.)
2. No. Not easily, anyway.
3. Yes, as far as I can tell. An iOS update always includes a reboot. After the 12.1.4 update arrived, none of the zero-days noted here would have worked any more. So even if you were infected (very unlikely), the reboot would flush the ‘implant’ code out of memory and, as Google notes, reinfection would require you going back to a booby-trapped website at some future time, but would fail anyway because the exploits woud no longer work.
Anonymous
I’m sure it was a small sites like facebook, twitter, and dating sites. Sites no average user would visit on a daily basis. Nothing to worry about.
Paul Ducklin
Google’s reports suggest that the booby trapped sites may have had “thousands of visitors a week”, so you can be sure it was definitely *not* a site like Facebook or Twitter.