Apple Refutes Claims of Multiple iOS Zero-days
Written by Karolis Liucveikis on
While Apple was gearing up to the much-anticipated launch of its affordable smartphone, the iPhone SE, it was facing a far more different public relations battle. While the SE was receiving praise across the board a security firm published a report detailing two separate zero-day vulnerabilities recently discovered. Broadly speaking, zero-day vulnerabilities are discovered flaws in software or harder that have not been patched by the manufacturer. As they are not patched they pose a unique and heightened threat level to users. Flaws discovered could allow for remote code execution, allowing hackers to install malware from a remote location without it been detected by security software.
The report published by ZecOps detailed the flaws according to the firm. The flaws if exploited correctly allowed for remote code execution with malware being capable of being sent via email that would be able to consume significant amounts of the device’s memory. The vulnerability, in turn, allowed for the exhaustion of device resources which in turn could be done remotely. Vulnerabilities found affecting both iOS 12 and iOS 13, with the latter flaws being able to execute on a no-click scenario which opened the mail server client in the background.
Successful hacks involve the attacker being able to crash the device, on restarting the device a backdoor to the device is created. What’s more is that according to the security firm, both vulnerabilities were exploited in the wild.
The firm believes it found evidence of the flaws been used against a number of high profile potential targets which include:
- Individuals from a Fortune 500 organization in North America
- An executive from a carrier in Japan
- A VIP from Germany
- MSSPs from Saudi Arabia and Israel
- A Journalist in Europe
- An executive from a Swiss enterprise, this target is currently only suspected of being targeted according to the report.
Investigations by researchers started when suspicious events, including known indicators previously used by hackers such as code strings, were detected.
Further, emails that were sent and processed by the devices were later deleted from the mail server in what researchers believe is an attempt for the attacks to remain under the radar. The firm believes the attacks were carried out by either a nation-state actor or the exploit was purchased by a nation-state actor from a third party. The firm refrained from naming the perpetrators as it was discovered that in one incident a hacker-for-hire was seen selling exploits that leverage email addresses as the main identifier according to the report.
Apple’s Response
At the time of the report, Apple’s response was minimal, merely saying that it was investigating the claims made by ZecOps. A few days after the original statement, Apple made another statement saying that it could not come to the same conclusion as the security firm. Apple’s full statement read as follows,
“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”
A number of security researchers took to Twitter to lend support to Apple’s findings. With most saying that the evidence provided was not persuasive with many pointing out that while the emails were deleted the attacker would have also deleted the logs which seem to have remained intact. This belief is founded on the assumption that if the attackers were capable of deleting the emails they would be more than capable of deleting the logs as well. The InfoSec community does believe that there is or there is strong evidence to suggest that a bug exists that is triggered by specific emails, however, others have questioned whether an advanced exploit would cause a crash in the first place. In an interview with Ars Technica, HD Moore, vice president of research and development at Atredis Partners, stated,
“It looks like ZecOps identified a crash report, found a way to reproduce the crashes, and based on circumstantial evidence assumed this was being used for malicious purposes. It sounds like after he reported it to Apple, Apple investigated, found out these were just crash bugs, and that shuts the door on this being actually in-the-wild-exploitation of a new iOS zero-day. It could be Apple is wrong, but given their sensitivity to this stuff, they probably did a decent job of investigating it. Through the grapevine I heard that the internal security team that handled this investigation at Apple was pissed off about it, since ZecOps went straight to press before they had a chance to review.”
Similar attitudes were expressed by Rich Mogul stating,
“Looks like you have a real vuln but the evidence of exploitation looks weak… and no info in your post on post-exploitation chaining to lead to info disclosure or code execution. Any update you can share? Pretty big claim of a no-click mail 0-day being used.”
Further Tweets by Sinan Eren, Jann Horn, and Dino A. Dai Zovi raised further questions as to the seriousness of the flaw, often questioning the evidence provided in the ZecOps report. In response to criticisms received on Twitter ZecOps stood by their report, stating,
“According to ZecOps data, there were triggers in-the-wild for this vulnerability on a few organizations. We want to thank Apple for working on a patch, and we’re looking forward to updating our devices once it’s available. ZecOps will release more information and POCs once a patch is available.”
To the best of the writer’s knowledge, neither Apple nor ZecOps has published definitive evidence to prove their stances beyond a shadow of a doubt. Unfortunately, incidents like this, are commonplace in an era of tech giants defending their reputation and products, while security researchers look to protect users from threats around the globe. At times these duties appear at odds with security researchers seeming to punch holes invaluable technology while tech giants would not admit to anything that would do the brand harm.
Text-bomb Bug
The above dispute comes as reports of another bug emerges which crash an iOS device on receipt of an app notification. Reports suggest that the device, whether an iPhone or iPad running the latest version of Apple's mobile OS, iOS 13.4.1, will crash by merely receiving a notification that appears to be written in the Sindhi language with Italian flags. Bugs such as this are commonly referred to as “text-bombs” and are capable to cause widespread problems for iOS users because the crash can be triggered by a notification from any app, including Messages, WhatsApp, and also social-media apps like Twitter, which means it can affect thousands of users simultaneously.
While the original message contained Italian flags, other reports have emerged that confirm that they are not necessary to take advantage of the bug. The exploitation of the bug is currently most likely the work of a prankster. The whole scenario is reminiscent of a similar bug known as “Effective Power” which made the rounds in 2015. The main difference between the two is that “Effective Power” was spread via Apple’s Messages App and was caused by a string of Arabic characters. It is important to note that the bug does not affect iOS 13.4.5, however, that version is still in Beta, and not widely available until its official release in a few weeks’ time.
Currently, the only mitigation strategy available to users is to turn off notifications for affected apps. While not a convenient solution it will prevent the text-bomb from crashing the device. For those that do receive a notification and their device does subsequently crash do not panic. The device can be rebooted after the crash. This can be done safely and does not appear to cause any lasting damage.
While the text-bomb bug and the ZecOps flaws do not appear to be related, they do highlight the need for security researchers to hunt out flaws in even our most beloved products. Modern product development and manufacturing happen at relatively fast paces and the public demands more and more with each release. Flaws and bugs are inevitable. It is just hoped zero-day flaws are detected by the good guys so remediation can be done without incident.
▼ Show Discussion