One week after Ivan Krstic, Apple’s head of security engineering and architecture, announced Apple’s first public bug bounty program at the Black Hat security conference in August 2016 – paying up to $200,000 per report, with a $50,000 tier for arbitrary code execution with kernel privileges – a set of previously unknown iOS vulnerabilities came to light, and Apple’s mobile operating system came under serious attack. These were zero-day vulnerabilities: flaws unknown to the vendor, for which no patch yet exists, being actively exploited against real targets.
This assault on a platform previously regarded as highly resistant to malware and other forms of cyber-attack came as a rude awakening, and it points to the ongoing difficulty device manufacturers and mobile operating system developers have in keeping pace with the ingenuity of well-funded attackers.
iOS Vulnerabilities – The Strange Case of Ahmed Mansoor
On August 10 and 11, 2016, Ahmed Mansoor, a human rights activist in the United Arab Emirates, received SMS text messages on his iPhone 6 (running iOS 9.3.3) containing a link that purported to lead to a website with evidence of torture and other rights abuses in UAE prisons.
Suspicious, Mansoor forwarded the message to the University of Toronto’s Citizen Lab, where researchers clicked on the suspect link from a test iPhone and observed an unsolicited software download from the destination site. They shared their findings with researchers at the mobile security firm Lookout.
Both teams soon came to the common conclusion that Mansoor had been targeted by a combined package of three zero-day exploits capable of taking control of his phone, and spying on his emails, text messages, calls, and contact lists – an assault which Lookout’s vice president of security research and response Mike Murray described as showing “an incredible level of sophistication and commitment.”
The Trident Payload
The attack – which Lookout researchers nicknamed “Trident” – chains three zero-day exploits together to produce a “one-click jailbreak” of an iOS device: the victim taps a link, and the phone is silently jailbroken and implanted with spyware. Any iPhone or iPad running an iOS version before 9.3.5 is susceptible.
Phase one is social engineering: the attacker sends the target a baited link by SMS or email, with a lure tailored to make them tap it. If the target does, the first zero-day, CVE-2016-4657, is triggered. This is a memory corruption bug in WebKit, the rendering engine behind Safari, and it lets the attacker run arbitrary code inside the browser process. To the victim, the only visible symptom is Safari closing unexpectedly a few seconds after the page loads.
Once it has code execution inside Safari, the stage-one payload fetches the next stage, which carries the two kernel exploits, from the attacker’s server.
Phase two uses CVE-2016-4655, a kernel information leak that discloses kernel memory to a user-space process. The leaked data lets the attacker calculate where the kernel has been loaded. This matters because iOS randomises the kernel’s load address at every boot (kernel ASLR): a kernel memory corruption bug is of little use if the attacker cannot reliably compute the addresses of the kernel structures and code they need to overwrite. Locating the kernel is therefore a prerequisite for the jailbreak that bypasses iOS’s native security controls and usage restrictions.
Phase three kicks in once the kernel has been located and exploits CVE-2016-4656, a kernel memory corruption bug present in both 32- and 64-bit iOS kernels. It gives the attacker arbitrary kernel read/write, which is used to jailbreak the device silently and install surveillance software capable of monitoring Apple’s own apps and third-party apps alike.
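The reason phase two has to precede phase three is easiest to see in code. The following is an added example, not code from Trident, Lookout or Citizen Lab: it models how a single leaked kernel pointer with a known link-time address recovers the KASLR “slide”, and how every other target address is then rebased onto the running kernel. All addresses, the symbol names, the 2 MiB slide granularity and the 512-entry slide range are constructed assumptions for illustration, not Trident’s real values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example: why a kernel information leak (phase two) matters.
 * iOS randomises the kernel's load address (KASLR), so a kernel memory-
 * corruption bug (phase three) is only useful once the attacker knows the
 * "slide" between the link-time addresses in the kernelcache and where the
 * kernel actually sits in memory. One leaked pointer whose unslid value is
 * known is enough to recover the slide and rebase every other target.
 *
 * Every address and constant below is constructed for illustration; the
 * slide granularity and range are assumptions, not Trident's real values.
 */
#define UNSLID_KERNEL_BASE 0xFFFFFFF007004000ULL
#define SLIDE_GRANULARITY  0x200000ULL                      /* assumed 2 MiB steps */
#define MAX_SLIDE          (0x1FFULL * SLIDE_GRANULARITY)   /* assumed 512 possible slides */

typedef struct {
    const char *name;
    uint64_t    unslid;   /* link-time address from a hypothetical kernelcache */
} ksym_t;

/* Hypothetical symbol table: names and addresses are made up for the example. */
static const ksym_t ksyms[] = {
    { "kernel_base",         UNSLID_KERNEL_BASE    },
    { "hypothetical_func",   0xFFFFFFF00712A3C0ULL },
    { "hypothetical_gadget", 0xFFFFFFF0073F0018ULL },
};

/* Number of load addresses an attacker would have to guess with no leak. */
uint64_t kaslr_candidates(void) {
    return MAX_SLIDE / SLIDE_GRANULARITY + 1;
}

/*
 * Recover the slide from one leaked kernel pointer whose unslid value we know.
 * Rejects leaks that cannot be a slid copy of that address (below the unslid
 * value, not on a slide boundary, or outside the assumed slide range), so a
 * garbage or userland pointer does not silently produce a bogus slide.
 */
bool kaslr_slide_from_leak(uint64_t leaked, uint64_t unslid, uint64_t *slide_out) {
    if (leaked < unslid) return false;
    uint64_t slide = leaked - unslid;
    if (slide % SLIDE_GRANULARITY != 0) return false;
    if (slide > MAX_SLIDE) return false;
    *slide_out = slide;
    return true;
}

/* Rebase a named symbol onto the running kernel; 0 if the name is unknown. */
uint64_t kaslr_resolve(const char *name, uint64_t slide) {
    for (size_t i = 0; i < sizeof ksyms / sizeof ksyms[0]; i++) {
        if (strcmp(ksyms[i].name, name) == 0) return ksyms[i].unslid + slide;
    }
    return 0;
}

int main(void) {
    /* Constructed leak: slid address of hypothetical_func when the slide is 0x13A00000. */
    uint64_t leaked = 0xFFFFFFF01AB2A3C0ULL, slide;
    if (!kaslr_slide_from_leak(leaked, 0xFFFFFFF00712A3C0ULL, &slide)) {
        puts("leak rejected");
        return 1;
    }
    printf("slide 0x%llx (1 of %llu candidates), kernel_base 0x%llx, gadget 0x%llx\n",
           (unsigned long long)slide, (unsigned long long)kaslr_candidates(),
           (unsigned long long)kaslr_resolve("kernel_base", slide),
           (unsigned long long)kaslr_resolve("hypothetical_gadget", slide));
    return 0;
}
```

The validation in kaslr_slide_from_leak is the part worth copying: an exploit chain that trusts an unverified leaked value and computes targets from it will corrupt the wrong memory and panic the device, which is exactly the kind of noisy failure a covert implant cannot afford.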
Lookout and Citizen Lab informed Apple of their findings on August 15, 2016, under a coordinated-disclosure practice that typically gives a vendor up to 90 days to patch a vulnerability before the researchers publish.
In fairness to Apple, its response was extremely rapid: patches for all three vulnerabilities shipped within ten days, on August 25, 2016, as iOS 9.3.5. All iPhone and iPad users are strongly advised to install it via Settings > General > Software Update.
But the researchers analysing Trident found a kernel mapping table in the malware with entries referring back to iOS 7 (first released in September 2013), suggesting that the exploit chain has been maintained and used in the wild for several years. And efforts to trace the exploit to its likely source suggest that it is only a small part of a thriving market for zero-day exploits made to order.
Pegasus For Sale
Citizen Lab investigators traced Trident to NSO Group Technologies Ltd., a surveillance software developer based in Israel (now owned by Francisco Partners, a US private equity firm). Trident is the exploit chain; the spyware it installs is NSO Group’s product, allegedly marketed under the trade name Pegasus. Buyers are alleged to include government clients and national intelligence agencies.
Pegasus is able to subvert operating system and application layer security to intercept voice calls and ambient audio, and to read messages from apps including Gmail, WhatsApp, Facebook, Viber, WeChat, and Telegram, as well as Apple’s built-in Mail and Messages apps.
Lookout estimates that the iOS exploit has been on the market for around two years, and NSO Group earnings reports suggest the zero-day kit could have been used against anywhere from 10,000 to 100,000 mobile devices worldwide. Similar products for Android and BlackBerry are likely available as well.
Besides upgrading to iOS 9.3.5, users suspecting a Trident/Pegasus infection have been advised to install the Lookout 4.4.8 app to check if their devices have already been compromised.
Meanwhile, Citizen Lab has already published some information concerning the NSO Group’s command-and-control and domain structures, with the suggestion that more data will be made public as it comes to light.
Other iOS Vulnerabilities
Researchers at North Carolina State University, TU Darmstadt in Germany and the University Politehnica of Bucharest are due to publish their findings on vulnerabilities in the iOS app “sandbox” at an upcoming security conference in Vienna. Their work identified multiple weaknesses that would allow a malicious third-party app to compromise an iOS device in various ways.
These include attacks that would let such an app bypass the iOS privacy setting for contacts, deny access to certain system resources, and read a user’s location search history.
A researcher working on the publication confirmed that these findings have been revealed to Apple, which is currently working to resolve the issues.