A total of 14 iPhone vulnerabilities – including two that were zero-days when discovered — have been targeted by five exploit chains in a watering hole attack that has lasted years.
The watering holes deliver a spyware implant that can steal private data like iMessages, photos and GPS location in real time, according to Ian Beer with Google’s Project Zero team.
“There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” he wrote in a blog post on Friday. “We estimate that these sites receive thousands of visitors per week.”
Beer said there were seven bugs for the iPhone’s web browser, five for the kernel and two separate sandbox escapes used in the attack. Google was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12.
“Initial analysis indicated that at least one of the privilege escalation chains was still 0-day and unpatched at the time of discovery [in January] (CVE-2019-7287 & CVE-2019-7286),” he wrote.
He added that the scope of the versions targeted “indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.”
Google disclosed the issues to Apple in January, which resulted in the out-of-band release of iOS 12.1.4 in Feb 2019; the vulnerabilities were publicly disclosed at that point.
Implant Details
The malware payload used in the attack is a custom job, built for monitoring. It requests commands from a command and control server (C2) every 60 seconds, and is primarily focused on stealing files and uploading live location data. Beer’s analysis showed that it can be used to get around some of the protections that dissidents for example use to protect their privacy (and in many cases physical safety).
According to Beer, the attackers used the exploit chains to gain unsandboxed code execution as root on iPhones. From there, the attackers called “posix_spawn,” passing the path to their implant binary which they dropped in /tmp, which starts the implant running in the background as root.
“The implant runs completely in userspace, albeit unsandboxed and as root with entitlements chosen by the attacker to ensure they can still access all the private data they are interested in,” the researcher detailed. “Using jtool, we can view the entitlements the implant has…the attackers have complete control over these as they used the kernel exploit to add the hash of the implant binary’s code signature to the kernel trust cache.”
In his testing, Beer was able to use the malware to steal database files on an infected phone used by encrypted messaging apps like Whatsapp, Telegram and iMessage – meaning he could lift the unencrypted, plain-text of the messages sent and received.
That same technique could be used across the device.
“The implant can upload private files used by all apps on the device; [such as] the plaintext contents of emails sent via Gmail, which are uploaded to the attacker’s server,” Beer said.
The implant also takes copies of the user’s complete contacts database, including full names and numbers stored in the iPhone contacts, copies photos, and can upload the user’s location in real time, up to once per minute, if the device is online.
Then there’s the keychain, which the iPhone uses to store credentials and certificates, such as the SSIDs and passwords for all saved Wi-Fi access points.
“The keychain also contains the long-lived tokens used by services such as Google’s iOS Single-Sign-On to enable Google apps to access the user’s account,” Beer said. “These will be uploaded to the attackers and can then be used to maintain access to the user’s Google account, even once the implant is no longer running.”
The IP address of the server to upload content to is hardcoded in the implant binary.
“This function uses that address to make an HTTP POST request, passing the contents of the files provided in the files argument as a multipart/form-data payload (with the hardcoded boundary string “9ff7172192b7″ delimiting the fields in the body data),” Beer explained.
Also concerning is the fact that nothing is encrypted – everything is sent to the C2 via HTTP (not HTTPS), opening up the potential for the data to leak to others.
“If you’re connected to an unencrypted Wi-Fi network this information is being broadcast to everyone around you, to your network operator and any intermediate network hops to the command-and-control server,” Beer said. “This means that not only is the endpoint of the end-to-end encryption offered by messaging apps compromised; the attackers then send all the contents of the end-to-end encrypted messages in plain text over the network to their server.”
The malware is not persistent and is cleared if the iPhone is rebooted. However, “given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device,” Beer said.
For users, they wouldn’t know they’ve been infected, allowing the binary to keep tabs on them for as long as the user goes without rebooting.
“There is no visual indicator on the device that the implant is running. There’s no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system,” according to the researcher.
He said that the watering holes (no details on them were given) are clearly targeting certain cohorts of people. Though he didn’t explicitly say if they were political or demographic groups, Beer intimated the former.
“I hope to guide the general discussion around exploitation away from a focus on the million dollar dissident and towards discussion of the marginal cost for monitoring the n+1’th potential future dissident,” he said. “I shan’t get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time.”
He also said that the watering holes, zero-days and exploits that Google discovered are likely the tip of the iceberg: “For this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”
Interested in more on the internet of things (IoT)? Don’t miss our on-demand Threatpost webinar, IoT: Implementing Security in a 5G World. Join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to listen to the recorded webinar.
