Google Says Hackers Have Put 'Monitoring Implants' in iPhones For Years (theguardian.com)
An unprecedented iPhone hacking operation, which attacked "thousands of users a week" until it was disrupted in January, has been revealed by researchers at Google's external security team. From a report: The operation, which lasted two and a half years, used a small collection of hacked websites to deliver malware onto the iPhones of visitors. Users were compromised simply by visiting the sites: no interaction was necessary, and some of the methods used by the hackers affected even fully up-to-date phones.
Once hacked, the user's deepest secrets were exposed to the attackers. Their location was uploaded every minute; their device's keychain, containing all their passwords, was uploaded, as were their chat histories on popular apps including WhatsApp, Telegram and iMessage, their address book, and their Gmail database. The one silver lining is that the implant was not persistent: when the phone was restarted, it was cleared from memory unless the user revisited a compromised site. However, according to Ian Beer, a security researcher at Google: "Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device."
Some else did a full (Score:1)
Re "The one silver lining is that the implant was not persistent"
They got the voice print they needed. That's not a "silver lining".
Shitty iOS design? (Score:1)
Re:Shitty iOS design? (Score:5, Informative)
> How the fuck is it possible to receive malware on such scale by just visiting a website?
Chained exploits, usually. A small compromise in X, Y, & Z gets you the whole deal.
People tend to dismiss local privilege escalation exploits, because the one exploit isn't "that bad" without a remote exploit, but then as soon as there's a remote exploit, they chain together - sometimes nine or ten other exploits - and get local root.
It's usually a result of bad memory management which is endemic in C/C++ programming. Rust isn't a magic bullet, but watch for somebody to enter the market with a Rust-based smartphone OS and start to gain traction.
It might be possible to do a secure smartphone with C/C++ using only the top 1% of programmers, but the other 99% seem to want jobs too. Empirically, the status quo makes it impossible to build a secure OS.
Zerodium will pay you $2M to shut up about your exploit stack so they can sell it to spooks, so there are plenty of people spending their days looking for these exploits.
The take home message: your phone is vulnerable, even if you have all the patches installed. Don't trust it for secure computing. Engage in evasive measures frequently when you have to violate that rule to make money, and don't use biometrics for authentication ever.
Re:Shitty iOS design? (Score:2)
What is a "Rust-based smartphone OS" and are you suggesting that only Rust considers memory management?
How much "C/C++" is required for a "smartphone OS" to be C/C++-based?
If applications run in virtual machines and use memory-safe development techniques, how much does it matter that unrelated code is written in "C/C++"?
Isn't it important that the code being attacked actually have vulnerabilities? Would that not be the browser in this case? Do you think that making a Rust-based OS spontaneously fixes browser vulnerabilities?
It would appear that you know enough to drop some buzzwords and post some terrifying conclusions but not enough to actually make much sense.
Re:Shitty iOS design? (Score:0)
"use memory-safe development techniques"
Only a small number of developers are capable of creating hardened memory-safe applications. But even the top 1% of programmers cannot create 100% memory-safe applications.
"how much does it matter that unrelated code is written in "C/C++"" It matters because the number of developers with this particular skillset is shrinking. The majority of programmers work with Java, .NET, and all the various client side scripting packages. The majority are not building the various engines and interpreters that they reference when building their applications.
Re:Shitty iOS design? (Score:2)
> How the fuck is it possible to receive malware on such scale by just visiting a website?
Chained exploits, usually.
Yeah but we are not talking running apps, we're talking about websites, containing pics, html, css and javascript. Would be interesting to know more about the exact method of hacking.
Re:Shitty iOS design? (Score:2)
Same as jailbreakme. The starting vector is a browser sandbox escape. Usually it's not an "infected website" as such (too loud). Targeted attacks tend to be far more subtle, such as a link shortener posted by a somewhat popular, innocent (but compromised) user on twitter. This is greatly aided by things like link autoshortening on twitter - thus no suspicion is raised when the adversary injects their own url on the same shortener.
When other twitter users click such a thing, the link points to attacker controlled redirect which selectively 302s to correct target for everyone - except the target user (time of day, user agent, ISP). Using subtle attacks like this is crucial to keeping the weaponized 0day alive for some time.
Re: Shitty iOS design? (Score:2)
It's really funny how exploits against JavaScript engines (in web browsers) bring out the people saying "this wouldn't happen if only they used a memory-managed language..." as though JS gives access to raw pointers or something. What makes some people think their managed runtime of choice is going to be less vulnerable to memory corruption exploits than all the other managed language runtimes out there? Java (applets) and Flash were also both supposed to be managed-code runtimes that made it safe to run untrusted code, and we all know where that went...
Yes, if the runtime is itself written in a memory-managed language then exploitation gets harder - you now need to find an additional vulnerability at the same time - but as GP (correctly) points out, it's quite common for multiple exploits to be chained together. That's not to say it's not a good idea anyhow, but it's not a panacea, and it has serious costs. Not just the usual concerns about performance and code size - although those matter, especially for mobile devices - but the simple fact that rewriting an entire OS, or even just half of an OS (the kernel and core user-mode functionality, or the user interface, application stack, and in-box applications), in *any* language is a major undertaking. Android and iOS (and for that matter, Maemo and Windows Phone and most other smartphone or PDA operating systems) were built on existing kernels and re-use a ton of existing code. Even the platforms that use purpose-built kernels have been revising those kernels for years, rather than throwing them out and building a new one (and everything on top of it) from scratch.
At the end of the day, the code needs to run on the CPU, and the CPU doesn't understand high-level languages or managed memory. It understands loads and stores, branches and jumps (and maybe calls and returns, in a sufficiently CISC architecture), registers and offsets, page tables and system calls. No matter how safe the language you write the code in, the compiler / JIT / interpreter is going to have to translate that safe language into the fundamentally unsafe language that the CPU speaks, and that translation can have bugs.
Untrusted apps, run them in C?! (Score:2)
You are comparing apples to oranges. Are you saying that it would be a good idea to run untrusted apps in C?!!
If the browser itself was written in Java then there would be far fewer exploits. And it might run 10% slower, who cares.
The idiot thing is to run untrusted apps at all. On every single web site. You cannot see content without running their code.
And HTML itself is an over engineered mess.
It is not surprising that there are security flaws. What is surprising is that there are not many more of them.
What is needed is Secure HTML. A small subset that one could have some confidence in being safe.
Re:Untrusted apps, run them in C?! (Score:1)
There are almost zero exploits in HTML itself. Most of them are a combination of JavaScript and CSS features that only incidentally leverage HTML. Without the JavaScript and CSS there would be almost no attack surface whatsoever on HTML. You would only need to remove from HTML a couple style-related tags and properties that are mostly deprecated now anyway.
Re:Shitty iOS design? (Score:2)
Don't trust it for secure computing.
Yeah, but with phones the issue isn't secure computing, but secure living. According to the article, with this hack in place the hacker had access to: all your location data, all your private communications, address books, photos, etc. Phones aren't for computing; they're for living. If you carry your phone around with you, as most people do, your complete location history is available to the hacker. Just imagine what people could learn about you that way.
Re:Shitty iOS design? (Score:2)
It's usually a result of bad memory management which is endemic in C/C++ programming.
It might be possible to do a secure smartphone with C/C++ using only the top 1% of programmers, but the other 99% seem to want jobs too.
As soon as you write "C/C++" as a single word then you've already lost the argument.
C and C++ are totally separate languages.
In C++ this can throw an exception:
std::vectormyArray(100);
myArray[101] = 0;
(and this is the default behavior in most modern C++ development systems, eg. Microsoft Visual Studio)
Re:Shitty iOS design? (Score:2)
Oh, looks like slashdot eats angle brackets, should be:
std::vector<int> myArray(100);
myArray[101] = 0;
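As an added illustration of the bounds-check point raised in this sub-thread (example code, not the commenter's): the same off-by-one written against std::vector's checked accessor at(), which throws std::out_of_range, wrapped in a helper that turns the exception into a return value. The function names are my own.

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>

// Write value at index, reporting success instead of crashing or corrupting
// memory. std::vector::at() is the accessor the standard requires to bounds
// check (it throws std::out_of_range); operator[] carries no such requirement,
// so an out-of-range write through it is undefined behaviour in standard C++
// (some toolchains add a debug-build assertion, which is not an exception).
bool checked_write(std::vector<int>& v, std::size_t index, int value) {
    try {
        v.at(index) = value;
        return true;
    } catch (const std::out_of_range&) {
        return false;
    }
}

// The off-by-one from the comment above, run through the checked helper.
// A 100-element vector has valid indices 0..99, so 100 and 101 must both fail.
bool comment_example_is_caught() {
    std::vector<int> myArray(100);
    bool last_valid  = checked_write(myArray, 99, 0);
    bool one_past    = checked_write(myArray, 100, 0);
    bool as_written  = checked_write(myArray, 101, 0);
    return last_valid && !one_past && !as_written;
}
```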
Re:Shitty iOS design? (Score:1)
2. Set the internet task for someone.
3. Global results.
If the NSA and GCHQ could do cyber for years why can't other people/nations/groups/faiths/brands find equally smart people?
PRISM worked and nobody noticed/reported much.
Unbelievable (Score:1)
Re:Unbelievable (Score:3)
I agree. A website was able to download someone's "Gmail database"? That seems improbable.
Also important from the article:
Google said it had reported the security issues to Apple on 1 February. Apple then released an operating system update which fixed the flaws on 7 February.
Re:Unbelievable (Score:2)
After reading the original source linked from here, I retract my previous statement. Improbable, but possible, and fascinating.
Re:Unbelievable (Score:1)
here [slashdot.org]
Re:Unbelievable (Score:3)
Security is an art not a science. You protect against everything you can think of, and hope somebody thinks through the new features and updates added afterwards. The attackers then check behind you to see if you thought of everything...
Re:Unbelievable (Score:2)
TFA says that it was able to get the user's keychain, which contains all their saved passwords and is likely enough to log in to Gmail in many cases. Or maybe they just got it through the browser, or stole the Mail app's database and the journalist put "Gmail" for some reason.
While it's nice they fixed it, it was out there for years before they did. Who knows how many victims there were. Maybe all those celebrities who got hacked?
Re:Unbelievable (Score:3)
Who knows how many victims there were.
I do - everyone that has a smart-phone. All of them, mine too, are used half way for you, and half way for $others. Our information is bought and sold every day, and without this portion of society, the money market would fold so much that the economy would probably collapse. Not to mention how many people would be out of a job.
I find it odd that every time I read about another hack "...by simply going to a website..." they never tell us which website(s). When an app(s) is/are found to have been riddled with back-doors, they never tell us which app(s).
Ridiculously Complex HTML & JavaScript (Score:2)
That is what is unbelievable.
That anyone could think that it was possible to implement a secure browser with so many points of attack.
Nobody really understands all of HTML/JavaScript etc.
Re:Unbelievable (Score:2)
I agree. A website was able to download someone's "Gmail database"? That seems improbable.
Improbable how? Do you not understand how these things work? Once you can grab the service access tokens you can go and pull down all the content just the same as an authenticated user can.
What's "improbable" about it?
Re: Unbelievable (Score:1)
Form a circle, fingers in the ears. Begin chanting....
Re:Unbelievable (Score:1)
The US and UK have a global monopoly on networked computers?
If they could stay hidden? Not noticed? Not detected? Not considered? Not looked for? Not reported?
What websites? (Score:5, Interesting)
Re:What websites? (Score:1)
I was wondering which sites too; seems like that would be good info to know.
Apple secretive (Score:1)
You would have thought mentioning it to the Apple users who had their privacy ripped from them.
What websites? (Score:1)
Lol victim blaming for Apple's browser and its insecurity. No wonder Apple doesn't sell as many phones as they used to, if their customers get called perverts.
Re:What websites? (Score:2)
Apparently this release has been blasted for omitting this and some other critical info as well...
The sites were specifically targeting Uyghur Muslims in the Xinjiang region of China. (i.e. State sponsored hacking against Chinese minorities).
The specific iPhone exploits have apparently been patched (iOS 12.1.4).
These sites also targeted and exploited Windows and Android devices (funny how Google neglected to mention this).
A lot more info here: https://www.volexity.com/blog/... [volexity.com]
Re:Original Source (Score:2)
I enjoyed these videos [liveoverflow.com] to learn about getting arbitrary read/write access to memory through javascript using the addrof and fakeobj primitives.
Conflict of interest? (Score:2)
Given that Google creates Android and is also creating these reports, there does seem to be a possible conflict of interest? How often do these Google security reports document issues on Android devices?
Re:Conflict of interest? (Score:5, Interesting)
Apple wants a reputation of keeping this from happening entirely. They want to withhold the tools and knowledge from the general public that are necessary to check for and to fix these issues (and potentially exploit them as well).
Frankly, as an iPhone user, I am grateful that Google is creating these reports.
Re:Conflict of interest? (Score:1)
And if they do, are they giving only 7 days response time as quoted in the Project Zero blog post for this?
Re:Conflict of interest? (Score:3)
It says Apple fixed it in 7 days, not that Google only gave Apple 7 days to fix it.
I hate Apple with a passion, but the fact Apple fixed it so rapidly on being notified is actually a good point in its favor, despite the fact the bug shouldn't have existed in the first place.
Re:Conflict of interest? (Score:1)
With security and privacy becoming increasingly valuable to consumers, I'm sure we'll see vulnerability reports used strategically by competitors in the future. A data breach or knowledge of a zero-day exploit can easily be used to steer people away from a product/service. Wouldn't even be surprised if companies start "buying" their competitors' unreleased bug/exploits from researchers to use for marketing purposes.
Re:Conflict of interest? (Score:2)
With security and privacy becoming increasingly valuable to consumers,
From your lips to God's ears.
Obligatory windmill tilting (Score:2)
Remember the old saying "Don't put all your eggs in one basket?"
s/eggs/credentials/; s/basket/place/;
Good from Google for once (Score:1)
I am not a big fan of Google but it is nice for them to be putting efforts into Project Zero. This is the kind of thing that would be nice for government entities to be researching and addressing. Instead of only looking for ways to spy on everyone, at least look for the commonly used exploits and hacks targeting people, and address those. But no. Unless it is them, of course..
Re:Where are the websites - (Score:2)
About 6 months after disclosure to the company that makes said device?
Pretty standard public notice cycle TBH
Caveat Lector (Score:2)
This is pretty much a statement of the nature of "our competitor's product sucks". Without convincing evidence that both their claim is correct and that their own product does not have the problem, this statement is completely worthless.
Re:Caveat Lector (Score:2)
The 'convincing evidence' you require is right there in the article, as quoted in this comment: https://apple.slashdot.org/com... [slashdot.org] - that Apple released a patch *less than a week* after being notified by Google.
Do you think that Apple would have done that if Google had identified a minor or theoretical issue?
Re:Caveat Lector (Score:2)
The 'convincing evidence' you require is right there - that Apple released a patch *less than a week* after being notified by Google.
Do you think that Apple would have done that if Google had identified a minor or theoretical issue?
Not convincing in the least. Apple could have prioritized this exactly because they expected a grande marketing claim by Google. And look, Google is making one.
Re:Caveat Lector (Score:0)
I do understand your desire for evidence of these claims (apparently you have to read the article for that, though - and This Is Slashdot so, well...) but I don't understand why you think the worth of the statement is dependent on the lack of such an exploit in other products.
Like, if I say an apple is red, but I sell oranges, then apples aren't red? I don't get that logic. It just sounds like typical Apple fetishism and apologism.
So it was persistent (Score:3)
How many people restart their phones? Since I don't have one of these "smart" phones, do updates require a restart? What other conditions would force the phone to restart?
What about wiping your browser history and cache? Oh wait, people don't do that either.
Re:So it was persistent (Score:2)
Many users don't even close open applications. Browsers with open tabs will remain open and consuming data until their user gets their monthly bill, and if they are on a strict data plan they might not even do anything about the browser then.
Re:So it was persistent (Score:2)
As noted, updates require a restart. As a daily user of a smartphone, I also find that something will start acting wonky at least once a week (without rhyme or reason, sometimes even on consecutive days), and I will force quit all apps and reboot the phone.
Even when I had a dumb phone, the carriers sometimes requested a restart due to updated carrier settings, etc.
Re:So it was persistent (Score:1)
Would a restart be part of a "repair" "fix" guide?
Smart phone not as "quick", as responsive? Try a restart as the easy advice, then bring the smartphone in to an expert for more support?
An interesting way to have the implant not be found if the user was about to seek advice by looking for a deeper problem?
Start looking for an issue and the implant is gone.
iPhones.... (Score:1)
It's like a prison cell you are locked in. You have no freedom, but thugs from the street still walk in and beat you up.
"But we are TRUSTWORTHY(R)(TM)(Pat. Pending)! We are your king and thus smarter and better than you!"
Not reported to users (Score:1)
Which users have had this exploit? Don't you want to know if it was you who had their privacy included, and not just by Apple contractors this time?
Re: The Issue Has Already Been Fixed (Score:1)
And since the most recent version of iOS 12 is 12.4, I'd say almost no one with reasonably running Apple mobile Devices would be affected.
Competition (Score:2)
Google doesn't like the competition. That's their data!
Competition (Score:1)
Kind of an ironic post after Apple got caught again with its lie for privacy after letting third parties listen to Apple users have sex and make drug deals.
Implant? (Score:2)
You keep using that word, I don't think it means what you think it means.
Safari a problem (Score:1)
Really, is nobody thinking that having Safari do the core rendering is a problem on iOS? I love Android because I can use Firefox.
Apple being monopolistic is a problem not just for developers and content providers, but for its users too.
Re: Safari a problem (Score:2)
Apple doesn't insist upon Safari; it insists upon WebKit. And the reason is simple: Apple doesn't want to vet every single minor release of a dozen (or even a few) Web Stacks.
Does WebKit have Exploits? Of course! But it would be all the worse with multiple libraries to keep track of.
Don't like it? Then feel free to choose that other Platform; you know, the one with thousands of known exploits and nefarious apps, rather than the one that has 95% of the application envelope, but has only had a small handful of known vulnerabilities and nefarious apps over essentially the same period of time...
Google is just jealous ... (Score:2)
... that someone else is collecting all that valuable data and they're not.