Flaw in iPhone, iPads may have allowed hackers to steal data for years

AlexJ

Агенство Интернет-исследований
Beginner User
Joined
Mar 21, 2014
Messages
807
Reaction score
749
Location
NYC/NJ
A new flaw was published which allows people to gain remote access to iPhones and iPads and gain access to any information; this supposedly existed for years. It is not patched yet, though Apple is aware of it and will most likely patch it in a future update.

This is just another example of why nobody should store or transfer sensitive data through smartphones or tablets. It does not matter if they are Android devices or iOS devices - do not use them to store and send your nudes, any other kind of illegal nudes, login info in plain text, or documents such as confidential information or things like research and development documents.
 

jdong

Advanced User
Premium Member
Joined
Jun 5, 2013
Messages
7,232
Reaction score
10,748
This is just another example of why nobody should store or transfer sensitive data through smartphones or tablets. It does not matter if they are Android devices or iOS devices - do not use them to store and send your nudes, any other kind of illegal nudes, login info, or documents such as confidential information or things like research and development documents.
Is it? Security exploits have existed on basically every computing platform out there. What exactly is a safe platform, and what makes smartphones worse?

This is more a cautionary tale to keep all of your devices updated and to stop using devices that no longer get software updates. And it's a reminder of the harm that some folks are causing by spreading scareware articles about how the latest update has some esoteric bug and telling people to avoid installing updates :(
 

AlexJ

Агенство Интернет-исследований
Beginner User
Joined
Mar 21, 2014
Messages
807
Reaction score
749
Location
NYC/NJ
what makes smartphones worse?
Well, for one, the fact that they are "always connected" in a way that is different from most PCs and especially laptops, so there is a higher chance of your phone being exploited through a vulnerability than, say, a PC or laptop which you only turn on when you are using it ;-) How many people turn their smartphones off even at night, considering the fact that they use very little electricity and have no moving parts which can wear out or produce noise? I don't turn my smartphone off, and I do turn off my PCs and laptops when I do not use them, or let them sleep in a way where they cannot accept any incoming data when they are not being used. You can also just unplug the ethernet cable from your PC or laptop or Mac if you want to keep it offline for specific reasons, and you can technically remove the Wi-Fi card from your laptop (unless it is soldered on the motherboard, but even then you can easily disconnect the antennas without permanent damage). It is much less convenient to remove the SIM card from your smartphone, and it is IMPOSSIBLE if you have eSIM activated; the same goes for Wi-Fi. And yes, you can turn on Airplane mode, but who said the malware cannot turn this software setting back on if it is already running on your mobile device? ;-)

Another is the fact that there are multiple antimalware programs available on PC or even on Mac which can do a very good job at catching exploits BEFORE the OS manufacturer patches the vulnerability ;-) As far as I know, Apple does not allow proper low-level access for antimalware apps on iOS, making them nearly useless even though they do exist. And regardless of the level of access, I prefer not to use any redundant apps, including antimalware, on mobile devices because, well, the space and RAM on a smartphone are not very upgradeable, so it is very easy to bump into the RAM limit or storage limit on a smartphone with no expandable microSD card (I have done it), so saving even a few megabytes helps. The same goes for battery life - antimalware apps may not use a lot of battery, but even a tiny bit matters if you, for example, become stuck at a place where charging is not available for several hours.
Another one is that you have a HUGE variety of mail clients which you, for example, can use on PC or even on Mac, and many users on PC or Mac check their email through various browsers (I do) because it is very easy to do on larger displays, yet the vast majority of iOS users and many Android users just use the stock email client. So if a vulnerability is found in the stock client (Apple Mail, or Gmail on Android), it will affect many more users of that specific mobile platform, be it iOS or Android.


This is more a cautionary tale to keep all of your devices updated.
Yes, but if there are no updates available OR if the exploit is not yet published (and I am sure there are many more existing exploits which are being used by private companies who sell access to any smartphone's data for a specific fee without letting anyone else use the exploit), this advice is useless ;)
 

Arcome

PSL +5
Intermediate User
Lifetime Premium Member
Joined
Mar 28, 2018
Messages
257
Reaction score
398
Well, for one, the fact that they are "always connected" in a way that is different from most PCs and especially laptops, so there is a higher chance of your phone being exploited through a vulnerability than, say, a PC or laptop which you only turn on when you are using it ;-) How many people turn their smartphones off even at night, considering the fact that they use very little electricity and have no moving parts which can wear out or produce noise? I don't turn my smartphone off, and I do turn off my PCs and laptops when I do not use them, or let them sleep in a way where they cannot accept any incoming data when they are not being used. You can also just unplug the ethernet cable from your PC or laptop or Mac if you want to keep it offline for specific reasons, and you can technically remove the Wi-Fi card from your laptop (unless it is soldered on the motherboard, but even then you can easily disconnect the antennas without permanent damage). It is much less convenient to remove the SIM card from your smartphone, and it is IMPOSSIBLE if you have eSIM activated; the same goes for Wi-Fi. And yes, you can turn on Airplane mode, but who said the malware cannot turn this software setting back on if it is already running on your mobile device? ;-)

Another is the fact that there are multiple antimalware programs available on PC or even on Mac which can do a very good job at catching exploits BEFORE the OS manufacturer patches the vulnerability ;-) As far as I know, Apple does not allow proper low-level access for antimalware apps on iOS, making them nearly useless even though they do exist. And regardless of the level of access, I prefer not to use any redundant apps, including antimalware, on mobile devices because, well, the space and RAM on a smartphone are not very upgradeable, so it is very easy to bump into the RAM limit or storage limit on a smartphone with no expandable microSD card (I have done it), so saving even a few megabytes helps. The same goes for battery life - antimalware apps may not use a lot of battery, but even a tiny bit matters if you, for example, become stuck at a place where charging is not available for several hours.
Another one is that you have a HUGE variety of mail clients which you, for example, can use on PC or even on Mac, and many users on PC or Mac check their email through various browsers (I do) because it is very easy to do on larger displays, yet the vast majority of iOS users and many Android users just use the stock email client. So if a vulnerability is found in the stock client (Apple Mail, or Gmail on Android), it will affect many more users of that specific mobile platform, be it iOS or Android.

Yes, but if there are no updates available OR if the exploit is not yet published (and I am sure there are many more existing exploits which are being used by private companies who sell access to any smartphone's data for a specific fee without letting anyone else use the exploit), this advice is useless ;)
Rule #1: treat every device as if it is compromised.


Posted from my iPhone using the RDF Mobile App!
 

jdong

Advanced User
Premium Member
Joined
Jun 5, 2013
Messages
7,232
Reaction score
10,748
Airgapping is at this point a borderline irrelevant concept. Most of the ransomware that I've analyzed is more than capable of waiting for a network connection to start communicating, and most is good enough to have a delayed time fuse to stay inactive upon initial infection anyway.

Building security into the OS from the ground up is arguably the most important thing, and mobile phones and especially iOS devices have the advantage of having one of the best Secure Boot implementations on the market, that covers every piece of firmware loaded on the device.


Every Apple chip has tons of built in security features, with new ones added every generation to proactively address security trends. For example, when the 'checkm8' ROM exploit came out, it did not work on the last two generations of the SoC. That is due to proactive security changes, years before the exploit was released.

Unfortunately there will always be ways to defeat these systems. Right now the chain of exploits required to persistently compromise one of these devices takes hours to explain to even a technically proficient person (it's usually 5 or more exploits chained together). They are also traded on the black market on the order of millions of dollars a piece, and they know if Apple catches wind of it, it will get promptly fixed.

I don't want to see this as a way to scaremonger people into choosing less secure platforms. Please think through your infosec choices. For the average person, unless you plan on permanently airgapping devices, it makes almost no difference to partially airgap them.

For attacks like this,
  1. Don't click links, view emails, or open documents from people you don't trust. For the most part "drive by" exploits like the one described here are extremely rare -- we go years between having one on iOS platforms. This isn't Internet Explorer 6 and Windows XP anymore. But any time you open something in a web browser, email client, PDF viewer, etc., you are taking a risk.
  2. Don't grant apps permissions that you don't feel comfortable with. For example, when you grant access to an app to take and save photos, you are also giving it permission to view your camera roll. Many apps have been busted doing unscrupulous things with your photo library -- either uploading them or running AI on them to inventory your picture collection.
  3. Don't be a target of a rogue government. That's sort of a joke, but seriously, nobody is burning $10-100 million of exploits to look at your penis. Unless you're Jeff Bezos? *shrug*. Either way, the vast majority of these serious zero day exploits are noticed when analyzing devices of politically persecuted and other targeted high-value individuals.
  4. WHEN there's an update available with security content (which is almost all of them), apply it ASAP. There are frequently high risk exploits that responsible vendors do not disclose as part of the security update other than to say it "contains security updates". But with that said, from an update, it's pretty easy to reverse engineer the nature of the vulnerability using popular tools.

Even if you do all of these things, there will be periods of time once in a blue moon where a highly publicized exploit happens where you are vulnerable. It's not a great feeling, but it's a sobering reminder that there are almost certainly high-value exploits that government agencies and other actors are holding onto that exist in a lot of the products and software that we use daily.

And I say this as a person with significant input into and who's spent a lot of time working on security, as well as being involved in dissecting many of these attacks.

I can tell you FOR A FACT that your computer is not more secure than your phone. The modern computer has so many components that run unsigned or unverified firmware that it's a lot easier to achieve persistent malware on a computer than it is on a properly secured smartphone device. It's one of the prices that PCs and computers pay for their backwards compatibility and their role as a general purpose computing platform.
 

jdong

Advanced User
Premium Member
Joined
Jun 5, 2013
Messages
7,232
Reaction score
10,748
FYI now that a formal statement is out: https://9to5mac.com/2020/04/24/iphone-mail-vulnerabilities/

The fundamental buffer overflow and heap overflow exploits pointed out are in existence. However, that particular daemon is sandboxed and non-root and literally just has access to fetch mail and calendar events. To achieve the greater persistent exploit, you need to break out of that sandbox, escalate from that user to root, escalate from root to kernel (iOS, unlike every desktop OS in existence, has additional privilege separation where root is less powerful than kernel), and then compromise secure boot to achieve reboot persistence.

The researchers presented only speculation that the other 5 steps are possible but there is no evidence that it has happened.

Furthermore, the researchers speculate that the heap exploit is being used to get the mail fetching daemon to be able to delete your mail. This would be extremely difficult to pull off. In addition to address layout randomization and heap randomization and compiler/toolchain hardening (which are common security features), the heap cannot be used to introduce code on iOS (executable page mappings must go through the kernel, and the kernel requires said executable pages to be in a hash whitelist of signed code). This only leaves ROP and JOP based techniques, and if you have an A11 or newer Apple chip, every pointer and return address is signed with a randomly generated key that is programmed by the ROM and bootloader and then architecturally inaccessible to an attacker with full code access. So, it is virtually impossible to execute a control flow attack using those techniques.

So all in all, the impact that is not argued is that if your mail provider allows receiving an email of this size, it can result in the mail daemon crashing and refusing to fetch further mail. Most public mail providers do not permit this. Most mail applications fail to open such a message as well, crashing because they hit the maximum memory limit attempting to render it.

Of the security features I described above, the latter half are not just unique to Apple iOS, but they are silicon features that are simply not available in any Intel or even non-Apple ARM chip currently in production. Though ARM has defined in their spec how ROP and JOP protection works, these features are still unsupported by Linux and FreeBSD's entire stack, Windows for ARM, and gcc.

All in all, this is not a reason to avoid such devices or to make an incorrect assumption that a walled garden embedded device is worse than your computer for security. It's absolutely not. There are two possibilities here:
  1. A security researcher group is scaremongering by creating an imaginary scenario to highlight the worst case outcome of this bug.
  2. An extremely sophisticated (probably government backed) attacker has put together such an attack and covered their tracks so well that we can only find highly circumstantial evidence that something like this is possible.
Either way, this is likely a reminder that no matter how advanced you make security features, there is a possible way to defeat them. Security will always be a cat and mouse game. Maybe instead you should ask why the rest of the industry is quite literally decades behind the state-of-the-art in layered proactive security?


P.S. Antivirus software is a whole separate debate, but factually speaking, this is neither the type of attack that a virus scanner could catch nor is it the kind that a network IPS could reasonably defend against.
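The pointer-signing defence described in the post above (return addresses signed with a key generated at boot and unreadable to software, so a corrupted return address fails authentication and the process faults rather than returning), modelled in Python as an added example; this is not code from the thread or from Apple. It assumes a 39-bit address space, the stack pointer as the signing context, and HMAC-SHA256 standing in for the hardware QARMA cipher.

```python
import hashlib, hmac, os

# Constructed model of ARMv8.3 pointer authentication (PAC), the mechanism the post
# refers to: a keyed MAC over (pointer, context) is stored in the unused upper bits
# of a 64-bit pointer. Real hardware uses the QARMA cipher with keys held in registers
# that user code cannot read; HMAC-SHA256 stands in for QARMA here (assumption).
VA_BITS = 39              # assumption: the low 39 bits are the virtual address
PAC_BITS = 64 - VA_BITS   # the remaining upper bits carry the authentication code
PAC_MASK = (1 << PAC_BITS) - 1
VA_MASK = (1 << VA_BITS) - 1


class PACModel:
    """One key domain, e.g. the instruction key used for return addresses."""

    def __init__(self, key=None):
        # Generated at boot by ROM/bootloader and never readable by software afterwards.
        self._key = key if key is not None else os.urandom(16)

    def _code(self, ptr, context):
        msg = ptr.to_bytes(8, "little") + context.to_bytes(8, "little")
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:8], "little") & PAC_MASK

    def sign(self, ptr, context):
        # Like PACIA: the pointer must be canonical (upper bits clear) before signing.
        if ptr & ~VA_MASK:
            raise ValueError("pointer is not canonical")
        return ptr | (self._code(ptr, context) << VA_BITS)

    def authenticate(self, signed, context):
        # Like AUTIA: strip the code, recompute it, and fail closed on mismatch.
        ptr = signed & VA_MASK
        if (signed >> VA_BITS) != self._code(ptr, context):
            raise PermissionError("pointer authentication failed")
        return ptr


def return_target(pac, sp, ret_addr, corrupt_with=None):
    """Model a function prologue/epilogue: the return address is signed with the
    stack pointer as context on entry, an overflow may overwrite the saved slot,
    and the epilogue authenticates before branching. Returns the address the
    function would return to, or None where the CPU would fault instead."""
    saved = pac.sign(ret_addr, sp)
    if corrupt_with is not None:
        saved = corrupt_with  # attacker-controlled write into the saved frame
    try:
        return pac.authenticate(saved, sp)
    except PermissionError:
        return None
```

With 25 code bits a single guessed return address verifies with probability 2^-25 and every failed check faults the process, which is why the post calls these techniques virtually impossible rather than impossible.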
 
