Google on Thursday published detailed information on five iOS exploit chains, one of which has been used to remotely hack iPhones for at least two years.
The exploits were found in early 2019 on a series of compromised websites used in watering hole attacks against all of their visitors. According to Google, the websites are estimated to receive thousands of visitors per week.
The attacks did not appear to focus on specific targets. Instead, anyone accessing the hacked websites from an iOS device was attacked, in an attempt to install a monitoring implant.
The five exploit chains collected, Google Project Zero security researcher Ian Beer explains, target iOS platform iterations ranging from iOS 10 through to the latest version of iOS 12.
“This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years,” Beer notes.
The security researchers investigating these attacks discovered a total of fourteen vulnerabilities that the five exploit chains targeted in an attempt to compromise devices. Of these, seven were in the iPhone’s web browser and five in the kernel, while the last two were separate sandbox escapes.
Two of the vulnerabilities (part of a privilege escalation chain) were zero-days at the time of discovery. Tracked as CVE-2019-7287 and CVE-2019-7286 and impacting IOKit and the Foundation component, the security flaws were reported to Apple in early February and were addressed with an out-of-band security update on February 7.
Six months after the patches were released, Google’s researchers say they are finally ready to reveal “insights into the real-world workings of a campaign exploiting iPhones en masse.” They detailed both the exploits and the malware implant used in these attacks.
The exploit chains
The first of the exploit chains includes techniques suggesting it was written around the same time iOS 10 was released, which suggests that the group “had a capability against a fully patched iPhone for at least two years,” Beer notes.
The exploit chain targets one kernel vulnerability that was directly reachable from the Safari sandbox, Google reveals. Impacting iOS 10.0.1 to 10.1.1, the exploit is believed to have been active since September 2016.
The second chain targets a vulnerability that was discovered independently of this campaign. Impacting iOS 10.3 through 10.3.3, the security bug was addressed in iOS 11.2, released in December 2017.
The third exploit chain targets iOS 11 to 11.4.1, spanning almost 10 months, and was the first chain observed to include a separate sandbox escape exploit, a severe security regression in libxpc, addressed in July 2019.
Targeting iOS 12 to 12.1, the fourth exploit chain included the two vulnerabilities (privilege escalation and code execution) that were unpatched at the time of discovery. The sandbox escape vulnerability in this chain involves XPC as well.
The fifth exploit chain, Beer reveals, was independently discovered by Brandon Azad from Project Zero and @S0rryMybad from 360 security in late 2018, and was patched on January 22, 2019. Even so, the attackers switched to it instead of chain 4, which included two zero-days, likely because it was more stable and included only one flaw instead of a collection of them.
The attackers targeted a code that Apple introduced with iOS 8 in 2014, and which included a syscall that apparently never worked. Attempts to call the syscall with the expected arguments would have resulted in a crash, but the attackers managed to find a way to exploit the issue reliably.
As part of the attacks, WebKit exploits were used to gain an initial foothold onto the iOS device and make the necessary preparations for privilege escalation. The exploits, Google says, achieve “shellcode execution inside the sandboxed renderer process (WebContent) on iOS.”
According to Beer, it is unclear how the attackers came in the possession of these exploits, whether they were 0-days or 1-days at the time of attacks. The researcher also notes that information on some flaws could have been extracted from a public source code repository before the fix has been shipped to users.
The implant used in this campaign was mainly focused on stealing files from the victims’ devices and on sending to the attackers live location data. The code was designed to request commands from the command and control (C&C) server every 60 seconds.
Analysis revealed that the implant could access all the database files used by popular end-to-end encryption apps like WhatsApp, Telegram and iMessage, thus allowing attackers to snoop into the victims’ communications. Google Hangouts and Gmail conversations aren’t safe either.
“Various implant commands enable the attackers to steal the container directories of third-party apps. The implant contains a hardcoded list of apps which will always have their container directories uploaded when the implant starts up,” Google notes.
The malware can also steal the user’s contacts list and their photos, and can upload the user’s location in real time, up to once per minute, as long as the device is online.
“The implant uploads the device’s keychain, which contains a huge number of credentials and certificates used on and by the device,” Beer explains.
Tokens used by services such as Google’s iOS Single-Sign-On are also in the keychain, and the attacker can leverage them to maintain access to the user’s Google account even after the implant is no longer active.
This implant, Google’s researchers have discovered, has access to almost all of the personal information available on the device and can exfiltrate all of it to the attacker’s server. The malware lacks persistence and can’t survive device reboots, but the amount of stolen data likely allows attackers to maintain persistent access to various accounts and services.
“I shan’t get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time,” Beer concludes.