Apple

Apple iOS ‘Zero Interaction’ iPhone Vulnerabilities Discovered And Demoed By Google Security Researchers From Project Zero

Apple iOS, the default operating system for all the iPhones, contained six critical “Zero Interaction” vulnerabilities. Google’s elite ‘Project Zero’ team, which hunts for severe bugs and software flaws, discovered the same. Interestingly, Google’s security research team has also successfully replicated the actions that can be executed using the security flaws in the wild. These bugs can potentially allow any remote attacker to take administrative control of the Apple iPhone without the user having to do anything other than receive and open a message.

Apple iPhone operating system versions prior to iOS 12.4 were found to be susceptible to six “interactionless” security bugs, discovered Google. Two members of the Google Project Zero have published details and even successfully demonstrated Proof-of-Concept for five of the six vulnerabilities. The security flaws can be considered quite severe simply because they require the least amount of actions executed by the potential victim to compromise the iPhone’s security. The security vulnerability impacts the iOS operating system and can be exploited via the iMessage client.

Google Follows ‘Responsible Practices’ And Informs Apple About The Severe Security Flaws In iPhone iOS:

Google will reveal details about the security vulnerabilities in the Apple iPhone iOS at the Black Hat security conference in Las Vegas next week. However, the search giant maintained its responsible practice of alerting respective companies about security loopholes or backdoors, and first reported the issues to Apple to allow it to issue patches before the team revealed the details publicly.

Taking notice of the severe security bugs, Apple reportedly rushed to patch the bugs. However, it may not have completely succeeded. Details about one of the “interactionless” vulnerabilities have been kept private because Apple did not completely resolve the bug. The information about the same was offered by Natalie Silvanovich, one of the two Google Project Zero researchers who found and reported the bugs.

The researcher also noted that four of the six security bugs could lead to the execution of malicious code on a remote iOS device. What is even more concerning is the fact that these bugs needed no user interaction. The attackers merely have to send a specifically coded malformed message to a victim’s phone. The malicious code could then easily execute itself after the user opened the message to view the received item. The other two exploits could allow an attacker to leak data from a device’s memory and read files off a remote device. Surprisingly, even these bugs didn’t need user interaction.

Apple Could Successfully Patch Only Five Of The Six ‘Zero Interaction’ Security Vulnerabilities In iPhone iOS?

All six security flaws were supposed to have been successfully patched last week, on July 22, with Apple’s iOS 12.4 release. However, that doesn’t seem to be the case. The security researcher has noted that Apple only managed to fix five of the six security “Zero Interaction” vulnerabilities in the iPhone iOS. Still, details of the five bugs that were patched are available online. Google has offered the same through its bug reporting system.

The three bugs that allowed remote executing and granted administrative control of the victim’s iPhone are CVE-2019-8647CVE-2019-8660, and CVE-2019-8662. The linked bug reports contain not only technical details about each bug but also proof-of-concept code that can be used to craft exploits. As Apple hasn’t been able to successfully patch the fourth bug from this category, details of the same have been kept confidential. Google has tagged this security vulnerability as CVE-2019-8641.

Google has tagged the fifth and sixth bugs as CVE-2019-8624 and CVE-2019-8646. These security flaws could potentially allow an attacker to tap into the victim’s private information. These are particularly concerning because they can leak data from a device’s memory and read files off a remote device without needing any interaction from the victim.

With iOS 12.4, Apple may have successfully blocked any attempts to remotely control iPhones through the vulnerable iMessage platform. However, the existence and open availability of proof-of-concept code mean hackers or malicious coders could still exploit iPhones that haven’t been updated to the iOS 12.4. In other words, while it is always recommended to install security updates as soon as they become available, in this case it is critical to install the latest iOS update that Apple has released without any delay. Many hackers attempt to exploit vulnerabilities even after they have been patched or fixed. This is because they are well aware that there’s a high percentage of device owners who don’t update promptly or simply delay updating their devices.

Severe Security Flaws In iPhone iOS Are Quite Lucrative And Financially Rewarding On The Dark Web:

The six ”Zero Interaction” security vulnerabilities were discovered by Silvanovich and fellow Google Project Zero security researcher Samuel Groß. Silvanovich will be delivering a presentation about remote and “Interactionless” iPhone vulnerabilities at the Black Hat security conference scheduled to take place in Las Vegas next week.

Zero-interaction’ or ‘frictionless’ vulnerabilities are particularly dangerous and a cause of deep concern among security experts. A small snippet about the talk that Silvanovich will deliver at the conference highlights the concerns about such security flaws within iPhone iOS. “There have been rumors of remote vulnerabilities requiring no user interaction being used to attack the iPhone, but limited information is available about the technical aspects of these attacks on modern devices. This presentation explores the remote, interaction-less attack surface of iOS. It discusses the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. It also includes two examples of vulnerabilities discovered using these methods.”

The presentation is set to be one of the most popular at the convention primarily because no-user-interaction iOS bugs are very rare. Most iOS and macOS exploits rely on successfully tricking the victim into running an app or revealing their Apple ID credentials. A zero-interaction bug only requires opening a tainted message to launch the exploit. This significantly increases the chances of infection or security compromise. Most smartphone users have limited screen real estate and end up opening messages to check its contents. A cleverly crafted and well-worded message often exponentially increases the perceived authenticity, further pushing the chances of success.

Silvanovich mentioned such malicious messages could be sent via SMS, MMS, iMessage, Mail or even Visual Voicemail. They only needed to end up in the victim’s phone and be opened. “Such vulnerabilities are the holy grail of an attacker, allowing them to hack into victims’ devices undetected.” Incidentally, until today, such minimal or “Zero Interaction” security vulnerabilities were only found to be have been used by exploit vendors and makers of legal intercept tools and surveillance software. This simply means such highly sophisticated bugs that cause the least amount of suspicion are mainly discovered and traded by software vendors who operate on the Dark Web. Only state-sponsored and focused hacking groups typically have access to them. This is because vendors who get hold of such flaws sell them for huge sums of money.

According to a price chart published by Zerodium, such vulnerabilities sold on the Dark Web or the software black market could cost over $1 million each. This means Silvanovich may have published details of security exploits that illegal software vendors may have charged anywhere between $5 million and $10 million. Crowdfense, another platform that works with security information, claims the price could have easily been much higher. The platform basis its assumptions on the fact that these flaws were part of “no-click attack chain”. Moreover, the vulnerabilities worked on recent versions of iOS exploits. Combined with the fact that there were six of them, an exploit vendor could have easily made more than $20 million for the lot.


Leave a Reply

Your email address will not be published.

Close