In a series of extensive blog posts yesterday, Google’s Project Zero team, which investigates cybersecurity vulnerabilities, outlined exploits it had discovered against Apple’s iOS operating system over the last couple of years, spanning iOS 10 through 12. The team found that simply visiting certain websites was enough to compromise a device and give the attackers access to sensitive information. Google disclosed its findings to Apple this past February and the exploits have since been patched, so if you don’t already have the latest version of iOS, it’s probably worth installing.
The robust security of iOS is frequently touted as one of its selling points. Unlike Android, Google’s own operating system, iOS runs only on a very limited set of hardware configurations and only allows applications that have been approved through Apple’s App Store. These properties combine to make iOS harder for attackers to exploit, which is what makes the disclosure all the more concerning. According to those who discovered the vulnerabilities, “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.”
“Working with TAG [Threat Analysis Group], we discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes,” Project Zero member and iOS security expert Ian Beer writes. “Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery.” The “kernel” is the core of the iOS operating system, and a “sandbox escape” is a way of defeating “sandboxing,” the practice of isolating one part of a computer system from another so that compromising one part does not automatically compromise the rest.
The capabilities of the “implant” that researchers discovered are extensive. Perhaps most concerning is the implant’s ability to access unencrypted messages from platforms like WhatsApp and Apple’s own iMessage service (the messages are encrypted when sent between devices, but unencrypted on the device so that they can be, you know, read). The implant could then upload those unencrypted contents to the hacker’s server.
But wait, there’s more! The implant can access and upload the Contacts database of iOS, the photos on the device, unique identifiers like the IDs for the SIM card and the serial number, and “can also upload the user’s location in real time, up to once per minute, if the device is online.”
It somehow gets worse? The implant also gives hackers access to the iOS device keychain, the database that stores a user’s login credentials for a number of things, from websites to Wi-Fi networks. Certain types of credentials accessed by the implant — long-lived tokens — let hackers maintain access to a user’s account even after the malware has been wiped from the device.
The slight bit of good news is that anyone who visited a malicious website that deployed the implant can prevent it from running by rebooting their device (and further prevent it by upgrading their version of iOS to the latest available). One detail that stands out, however, is that Google’s team found the implant running in plain sight. On desktop operating systems and on Android, users can access a list of processes running on the device in programs like Task Manager (Windows) and Activity Monitor (macOS). However, iOS has no such function.
The implant runs “in the background as root. There is no visual indicator on the device that the implant is running,” Beer writes. “There’s no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system.” In short, Apple’s attempt to hide the nitty-gritty of computer maintenance and cybersecurity from users made it next to impossible for anyone other than Apple to discover the exploits. Luckily, someone did.