Home / Tech News / Apple zero-days mark a new era of mobile hacking

Apple zero-days mark a new era of mobile hacking

Apple’s head of security engineering and architecture, Ivan Krstic, told a rapt audience at the Black Hat security conference earlier this month that his notoriously secretive company was ready to open up its vulnerability reporting process to researchers.

Krstic announced that Apple was launching a bug bounty program, offering $50,000 for zero-day vulnerabilities that allow malicious code exploits in the kernel, among other rewards.

The thinking behind the bug bounty, according to Apple, is that discovering zero-day vulnerabilities — security problems that are unknown by a company but exploited by an attacker — has become more difficult as iOS security has advanced. Outside researchers could provide valuable assistance in discovering zero-days, and Apple wanted to start compensating them for their time.

On August 12, a week after Krstic’s announcement, Apple’s fears about an unknown vulnerability came true.

Ahmed Mansoor, an activist based in the United Arab Emirates, showed strange text messages he’d received to the human rights and technology organization Citizen Lab. The text messages contained a suspicious link, and analysis by Citizen Lab and the security firm Lookout determined that the link delivered a highly sophisticated packet of three zero-days that could take total control of Mansoor’s phone and spy on his calls, emails, text messages and contact lists.

The vulnerabilities show that hackers are increasingly turning their focus to mobile devices, and Apple’s increased focus on detecting zero-days shows that companies are striving to keep up. Mobile phones — particularly the iPhone — are often thought to be more secure than desktop computers and network infrastructure, so vulnerability research and hacking have been focused on those weaker devices. But the revelation of zero-days for Apple’s robust iOS security system marks a new era, in which the focus is heavily on mobile.

“To see three vulnerabilities, not just three vulnerabilities but three zero-days chained together to gain a one-click jailbreak is unprecedented,” Lookout’s vice president of security research and response Mike Murray told TechCrunch.

“A lot of people think mobile is a solved problem,” Murray added. “If I had said five years ago that committed attackers are attacking phones, you would have looked at me like I was crazy. The era of the highly-resourced attacker going after phones instead of network or desktop infrastructure has arrived.”

Our mobile phones now hold a wealth of information — and that information is drawing the attention of resourceful and sophisticated attackers.

‘An incredible level of sophistication’

Because of the three-pronged nature of the iOS exploit used to target Mansoor, Lookout researchers nicknamed it Trident. The exploit begins as a simple phishing attack, in which the hacker sends the target a link and entices him to click it. (In Mansoor’s case, the link came in a text message that offered him information about the torture of detainees.) The first zero-day was found in the iPhone’s default browser, Safari, where a memory corruption vulnerability allowed an attacker to run arbitrary code.

The texts sent to Mansoor.

The texts sent to Mansoor.

Two kernel exploits are then downloaded to the device — the second and third zero-days of the set. The only indication of compromise that Mansoor would have received, had he clicked the link, is that Safari would have quit unexpectedly.

The first kernel exploit takes advantage of an information leak, allowing the attacker to locate the kernel in the device’s memory. In an iPhone, the kernel is a core component of the secure boot process — a security feature on which Apple prides itself. “Apple has done a good job of obfuscating where the kernel lives in memory,” Lookout’s Murray said. “For a jailbreak, you have to find the kernel.”

With the kernel located, the third zero-day is executed, giving the attacker read/write privileges. At this stage in the attack, the phone is jailbroken, and an attacker can add surveillance software to the device to collect information from Apple’s own apps and third-party apps.

Murray said the attack demonstrates “an incredible level of sophistication and commitment.”

“I don’t remember seeing many attackers at that level of professionalism and sophistication,” he added.

Murray’s team notified Apple of its findings on August 15. In the 10 days since Apple was notified of the security problems, it issued patches for all three. It’s a remarkably swift turnaround time for the security industry — many researchers will allow companies 90 days to patch a vulnerability before going public with their findings.

“We were made aware of this vulnerability and immediately fixed it with iOS 9.3.5,” an Apple spokesperson said. “We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits.”

iOS users can download the patches by going to Settings > General > Software Update on their iPhones or iPads.

The NSO Group

Now that the sophisticated malware has been exposed, it’s natural to wonder who created it.

According to Citizen Lab’s analysis, the newly revealed vulnerabilities are the work of the Israel-based surveillance software developer NSO Group. The NSO Group appears to have marketed the vulnerabilities as a product called Pegasus. The company likely offers similar exploits for Android and Blackberry, and Lookout estimates that the iOS exploit has been available for purchase for roughly two years.

Source link

About admin

Check Also

Meet Projector, collaborative design software for the Instagram age

Mark Suster of Upfront Ventures bonded with Trevor O’Brien in prison. The pair, Suster was ...

Leave a Reply

Your email address will not be published. Required fields are marked *