11 Answers to the Latest Apple iOS Exploits

On August 29th 2019, the British security researcher Ian Beer (@i41nbeer) from Project Zero at Google published multiple blog posts about a series of iOS exploits. According to their findings, those exploits have been used to completely take over iOS devices. This article provides focused answers to eleven questions about this series of events.

What is the overall impact of this attack?

If

  • you used an iOS device (iPhone, iPad, …) in the last two years and
  • visited a certain hacked site (more on that later)

your device could have potentially been overtaken by the attacker.

Overtaken means?

Complete access to all your data, including

  • All messages (even encrypted ones, even from WhatsApp and iMessage – of course also unencrypted texts)
  • Contacts
  • Passwords (iOS Keychain)
  • Emails
  • Third-Party Application Data (Facebook, Telegram, Skype, …)
  • Locations (via GPS)

What was the attackers’ goal?

This is still open to speculation. The researchers suggest that the attackers may have wanted to target members of a certain community over a long period of time.

iOS exploits are very costly (e.g., Zerodium would pay anyone up to $ 2,000,000 for a zero click remote jailbreak for iOS [3]). Since it seems that the attacker had no financial motives, one might be tempted to suggest a political agenda behind the attacks.

Which iOS versions were affected?

iOS 10 through to iOS 12.1.4 (which was released in February 2019) [1].

Version Affected?
10.0.x yes
10.1.x yes
10.2.x unclear (according to [1], no exploit chain existed for this version)
10.3.x yes
11.0.x yes
11.1.x yes
11.2.x yes
11.3.x yes
11.4.x yes
12.0.x yes
12.1.1 – 12.1.3 yes
12.1.4 no
12.2 no
12.3.x no
12.4 no
12.4.1 no

When did the attack start?

Probably in September 2016 [2] with the launch of iOS 10.

Are iOS devices still endangered?

With today’s knowledge, iOS devices running at least iOS 12.1.4 are no longer affected by this exploit.

It is unclear whether infected devices remain affected after an update, but the researchers suggest that the infection does not survive a reboot [1].

Why are different exploit chains used?

After the initial attack’s launch, some vulnerabilities were patched by Apple. The attackers then reacted to those patches by finding new exploits.

A total of five chains were identified, using a total of fourteen vulnerabilities [1].

Why are encrypted messages also affected?

Many apps offer end-to-end encryption (e.g. Whatsapp and Telegram).

While this encryption is completely secure and not the target of this exploit, it does not help in this case. Once an attacker has root access on a device, they can simply grab the decrypted version of the messages from the application’s local SQLite database.

Could the attacker track my location?

Yes. The installed software was configured to automatically report your current GPS location up to once per minute [1].

No evidence currently indicates that past GPS locations could be fetched unless they had been stored by a third party application.

How could the attackers control infected devices?

The researchers published [1] a list of supported commands which were executed by the infected devices.

systemmail upload email from the default Mail.app
device upload device identifiers (IMEI, phone number, serial number etc)
locate upload location from CoreLocation
contact upload contacts database
callhistory upload phone call history
message upload iMessage/SMSes
notes upload notes made in Notes.app
applist upload a list of installed non-Apple apps
keychain upload passwords and certificates stored in the keychain
recordings upload voice memos made using the built-in voice memos app
msgattach upload SMS and iMessage attachments
priorapps upload app-container directories from hardcoded list of third-party apps if installed (appPriorLists)
photo upload photos from the camera roll
allapp upload container directories of all apps
app upload container directories of particular apps by bundle ID

They also reconstructed a list of third-party apps. The data of each app on this list is always uploaded to the attacker:

com.yahoo.Aerogram Yahoo Mail
com.microsoft.Office.Outlook Microsoft Outlook
com.netease.mailmaster NetEase Mail Master
com.rebelvox.voxer-lite Voxer Talkie-Walkie
com.viber Viber
com.google.Gmail Gmail
ph.telegra.Telegraph Telegram
com.tencent.qqmail QQMail
com.atebits.Tweetie2 Tweetie2
net.whatsapp.WhatsApp WhatsApp
com.skype.skype Skype
com.facebook.Facebook Facebook
com.tencent.xin Tencent QQ

It should be noticed that this list includes applications that are very popular in the Asian market (Tencent QQ, QQMail).

Is there any way to check if I was affected?

It turns out, there is. The attackers made a mistake and did not use HTTPS to encrypt their network traffic. Therefore, if you happen to have access to your network traffic logs, you can scan for the string /list/suc?name= in your past GET requests. Positive matches may hint that a communication to the attackers’ servers occurred.

References

  1. https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html
  2. https://www.heise.de/mac-and-i/meldung/Google-Project-Zero-iPhone-Nutzer-ueber-Jahre-mit-boesartigen-Implants-infiziert-4510434.html
  3. https://zerodium.com/program.html