Remote Exploit: Apple iPhone Not as Secure as You Thought



For 12 years iOS was regarded as the most secure consumer mobile operating system, but in the age of mass surveillance everything has changed. For a period of more than two years, gaping holes in core components of iOS security allowed attackers to remotely hack every version of iOS from at least 2016 until recently.


Google's white-hat hackers at Project Zero reported that attackers were able to remotely take over fully patched and updated iPhones and iPads without any user interaction. They weaponized a total of 14 zero-day vulnerabilities in Apple's mobile operating system into 5 sophisticated exploit chains.


Their targets were chosen indiscriminately, in what appears to be part of a large mass surveillance campaign by a reportedly state-sponsored adversary. Infected users would immediately have all of the data on their device uploaded to remote servers, with updates sent every 60 seconds. The data collected included location, device model, keychain, name, serial number, phone number, contacts, messages, attachments, the list of installed apps, recordings, photos, files, call history, passwords and the container directories of every app on the device.


The implant had a hard-coded list of apps from which it always uploaded plaintext data to the attacker-controlled servers.

Among the selected apps were Gmail, Facebook, Skype, Telegram, WhatsApp and others, and the scariest part is that the attackers were able to bypass end-to-end encryption in popular messaging apps like WhatsApp, iMessage and Telegram. Because the exploit gave the attackers full privileges on iOS, they could access and read chat messages in real time before they were encrypted by the apps.


Although a simple reboot would kill the exploit, unless a user rebooted immediately after infection, troves of personal and sensitive data would by then be in the hands of the adversaries. What is odd is that all of the collected data was transmitted over a plain HTTP connection, with no encryption to hide the activity, meaning anyone analyzing the victims' network traffic would see the data in plain text.
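The behaviour described above, a fixed 60-second upload cadence to the same server over unencrypted HTTP, is exactly the kind of pattern a network defender can hunt for. The following is an added example written for this article, not code from the original post or from Project Zero: it parses a constructed connection log (the format and all addresses are made up for the illustration) and flags source/destination/port triples whose inter-connection intervals cluster tightly around an expected period.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log (not real traffic). Format per line:
# timestamp src dst dport proto bytes. One host, 10.0.0.5, posts large
# payloads to the same plaintext HTTP server roughly every 60 seconds.
SAMPLE_LOG = """\
2019-02-01T10:00:00 10.0.0.5 198.51.100.7 80 tcp 48213
2019-02-01T10:00:12 10.0.0.9 203.0.113.2 443 tcp 1820
2019-02-01T10:01:01 10.0.0.5 198.51.100.7 80 tcp 51007
2019-02-01T10:01:59 10.0.0.5 198.51.100.7 80 tcp 49960
2019-02-01T10:02:30 10.0.0.9 203.0.113.9 443 tcp 2210
2019-02-01T10:03:00 10.0.0.5 198.51.100.7 80 tcp 50115
2019-02-01T10:04:02 10.0.0.5 198.51.100.7 80 tcp 48877
2019-02-01T10:04:45 10.0.0.9 203.0.113.2 443 tcp 1650
"""


def parse_log(text):
    """Parse 'timestamp src dst dport proto bytes' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "proto": proto,
            "bytes": int(nbytes),
        })
    return records


def find_beacons(records, min_count=4, expected_period=60.0, tolerance=0.15):
    """Return (src, dst, dport, count, mean_gap_seconds, mean_bytes) for every
    flow with at least min_count connections whose gaps all lie within
    tolerance (a fraction) of expected_period."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r)

    hits = []
    for (src, dst, dport), rs in flows.items():
        if len(rs) < min_count:
            continue
        rs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        # Every gap must sit within the tolerance band; a jittered C2 channel
        # would need a looser check, but the article describes a fixed cadence.
        if all(abs(g - expected_period) <= expected_period * tolerance for g in gaps):
            hits.append((src, dst, dport, len(rs), statistics.mean(gaps),
                         statistics.mean(r["bytes"] for r in rs)))
    return hits


def beacons_in_sample():
    """Run the detector over the constructed log."""
    return find_beacons(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, dst, dport, n, gap, avg in beacons_in_sample():
        print(f"{src} -> {dst}:{dport}  {n} connections, "
              f"mean gap {gap:.1f}s, mean {avg:.0f} bytes")
```

On the constructed log only the 10.0.0.5 flow to port 80 is reported; the HTTPS flows from 10.0.0.9 are too few and too irregular. In practice the same logic runs over proxy or NetFlow exports, and the destination port and upload volume of a hit are the fields worth pivoting on next.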



Some researchers speculate that the attackers were either inexperienced in their craft or simply did not care whether they got caught; nonetheless, they succeeded in running the hacking campaign undetected for over 2 years. All of the exploits chained were 0-day and 0-click, which means the attackers found holes in iOS that the developers had not patched, and users did not have to interact with the malware in any way. Simply visiting an infected website would automatically install the implant on their device.

Zero-day (0-day): An unpatched software vulnerability unknown to the developer.

Zero-click (0-click): A malware infection requiring no user interaction to succeed; interactionless.


Project Zero reported in August that the attackers had compromised a small selection of websites with thousands of visitors per week. Google, which had access to both the infected websites and the IP addresses of the servers controlled by the attackers, disclosed neither those websites nor those IP addresses.

This information could help attribute the attackers, and it would let affected website owners warn their visitors. On the other side, Apple did not inform the infected iOS users and stayed silent about the exploits until Project Zero published its report, even though Google had privately informed Apple about this on February 1st of this year, more than six months before going public about it.


Google gave Apple 7 days to patch and fix the vulnerabilities immediately.


Apple did so with the release of iOS 12.1.4 on February 7th, but this is far from the end of the story. More and more investigations and stories were coming to the surface, questioning the traditional premise that iOS security is unmatched and can only be broken through by expensive and highly targeted campaigns.


These exploit chains, alongside many other instances of embarrassing holes in iOS security, suggest however that Apple's closed-source, locked-down ecosystem is open to mass surveillance at a much lower cost than previously thought.


On Sept 19, 2019, Apple responded in an official statement in which it took offence at Google for its Project Zero report. Apple claimed the attacks were only narrowly targeted at the Uyghur community, accused Google of fear-mongering to all iOS users, and stated that all evidence showed the attacks lasted only two months.


Apple accepted no responsibility for failing to guard against wide-scale vulnerabilities and gave no response to Google's main criticism that the vulnerabilities would not have been missed if Apple's developers had followed standard code review processes. What is missing from the statement is any mention of China, where the majority of Uyghurs reside. There is no sympathy for the Uyghurs, who face decades-long persecution, mass surveillance and human rights abuses by the Chinese government.


There were no apologies to the victims, no guidance on what to do with infected devices and no explanation of how Apple plans to mitigate such attacks in the future.


How Does Apple Hold Up Against These Accusations?

Let's dissect this story, starting with the first question: how narrow really were these iOS exploits?


Forbes and TechCrunch independently reported that the attacks seemed to have targeted websites serving Uyghur content, and what may seem narrow to a trillion-dollar behemoth is a never-ending nightmare of ethnic persecution for the Uyghur minority living in the Xinjiang region in north-west China.


There are 10 million Uyghurs living in China's largest region, the majority of them Sunni Muslims. The Chinese government has put over 1 million Uyghurs into detention camps and subjected the rest of the population to massive hacking campaigns, of which the iOS exploits might well be a part. With thousands of iOS users getting infected each week over the span of several months or years, the evidence indicates we need to count the victims in the hundreds of thousands, even though Uyghurs might constitute only a small share of Apple's iOS users.

This was nowhere near a narrowly targeted operation but rather a mass surveillance campaign focused on a geographical location and an ethnicity, and the Uyghurs are not the only ones in danger of being hacked.

Any use of an exploit in the wild poses a risk, should it fall into the wrong hands.

US military commanders have publicly acknowledged that their adversaries and targets can reverse-engineer the tools used against them or against someone else.


How a Chinese APT Got a US Hacking Tool


A Chinese hacking group once acquired an exploit that had been weaponized by the NSA and used for surveillance. The Chinese were able to see the exploit in use by analyzing the network traffic of one of the NSA's targets and re-engineered it for their own purposes. This is the nature of cyber operations: the more exploits government agencies weaponize, the less secure the whole cyber environment is for everybody.


Ironically, the mere existence of the National Security Agency is a security vulnerability. The iOS exploits had been in the wild for too long, at least 2 years, and that is long enough for many malicious actors to spot them, especially since they were used indiscriminately over unencrypted connections.

Many more state-sponsored adversaries have likely used these exploits around the world. Knowing this, Apple should have launched a deep investigation into these tools and begun warning users who could have been affected. Instead, Apple's argument is that the websites were affected for only two months and not 2 years, without showing any evidence for it.


Even if that were true, we know that the exploits had been in use in some way since at least 2016, and the attackers were maintaining their exploit chains from at least iOS 10.0.1 until 12.1.4. Arguing that this was nothing more than a limited campaign puts millions of iOS users at great risk.


Apple Remained Silent on the Main Critique That Their Development Processes Were Inefficient in Safeguarding iOS Security, and Google Had a Lot to Say About This


The exploit chains were written contemporaneously with the supported iOS versions; thus the attackers were able to move on to a new exploit chain before the vulnerabilities in the previous one were patched.

Google's analysis shows that at least two vulnerabilities used in the exploit chains were still unpatched at the time of discovery in January 2019. Of the 14 vulnerabilities discovered, 7 were in the Safari web browser, 5 were in the iOS kernel and two were separate sandbox escapes. While the first two exploit chains only lasted through iOS 10, Google argues that at least three of the 5 exploit chains could have been avoided.


The third exploit chain stemmed from a bug that Project Zero says could have been discovered by a simple unit test or a code review. Ironically, the vulnerability was found in Apple's IPC mechanism, XPC, which Apple had presented as a security boundary that would pose little to no harm if exploited. As it turns out, exploiting XPC bugs allows attackers to target any process which uses it, and XPC is riddled with those bugs.


The Fourth Exploit Chain

The fourth exploit chain also weaponised an XPC sandbox escape and a kernel bug, both of which the report argues were just as easy to find and exploit. These two vulnerabilities were still unpatched at the time of discovery in 2019. The final vulnerability, in exploit chain 5, was introduced back in 2014 when Apple implemented vouchers, a new and unfinished feature that Google says never even worked.


Any attempt to use this feature would cause a kernel panic and the phone would immediately crash. This means the feature was never exercised during testing, code review, development or production. The bug had been publicly known since November 17, 2018, when a hacker named "Sorrymybad" used it to win a $200,000 bug bounty competition; another researcher, Brandon Azad, independently discovered and reported the issue to Apple on December 6th, 2018.


It still took Apple over 2 months to finally patch it, on January 22nd, 2019, and it wasn't until the iOS 12.1.4 release on February 7th that the fix finally reached users.


Part 2: Remote Exploit: Apple iPhone Not as Secure as You Thought - How Devastating the Apple Exploit Was



