
Security researchers detail a 4 year ongoing exploit of iPhone and all Apple Devices

WillyW

Summary

Kaspersky Labs detailed an attack chain that affected Apple devices, mostly iPhones, which was ongoing for four years before it was shut down by patches, but jailbroken iOS devices remain vulnerable. The alleged originator of this is the NSA, as per the Russian Gov't, without supporting evidence. One of the vulnerabilities, CVE-2023-41990, was a vulnerability in Apple's implementation of the TrueType font which had existed since the 90s. The detail of how the attack chain achieves infection is presented in the video and is quite complicated and sophisticated, but in brief it takes advantage of several previously undocumented features/vulnerabilities and attempts to hide itself from detection by sophisticated means, and is quite long and complicated. Once infected, the malware extracts users' data including pictures, but in order to reduce bandwidth it makes use of the Apple Silicon's own machine learning features to perform image recognition on photos. The initial attack vector is undetectable by the user, and requires only the phone number of the victim.

 

Quotes

Quote

 “This is no ordinary vulnerability,” Larin said in a press release that coincided with a presentation he made at the 37th Chaos Communication Congress in Hamburg, Germany. “Due to the closed nature of the iOS ecosystem, the discovery process was both challenging and time-consuming, requiring a comprehensive understanding of both hardware and software architectures. What this discovery teaches us once again is that even advanced hardware-based protections can be rendered ineffective in the face of a sophisticated attacker, particularly when there are hardware features allowing to bypass these protections.”

 

My thoughts

This is a report from Kaspersky, which is a Russian security research agency with alleged Russian gov't connections, but regardless it is well documented. With all the advertising from Apple about how secure and privacy focused their devices are, you have to wonder if they know they have a culture problem. The four vulnerabilities have previously been reported and patched (CVE-2023-32434, CVE-2023-32435, CVE-2023-38606, CVE-2023-41990), but what is new here is a detailed account of what they did and who they were targeting. The article mentions "Besides affecting iPhones, these critical zero-days and the secret hardware function resided in Macs, iPods, iPads, Apple TVs, and Apple Watches." What this brings home is a number of things: first, when you are in a closed ecosystem you make yourself more vulnerable to hacks that work on all devices, and you really should not be using devices that are no longer supported. It is likely that if this was the NSA they have other ways in, and have already moved on, but now that the vulnerabilities and the attack method are detailed, it becomes that much easier for others to exploit these vulnerabilities. Also, the fact that users do not notice hacks occurring does not mean that they are secure from them or that they haven't already been compromised; as mentioned in the Q&A portion of the video below, there is no way for the user to know they are or have been infected without taking deliberate steps to determine it, i.e. checking logs or taking a backup and analyzing it with a tool. At my work we train users monthly on threats, and despite all this we still have users clicking on things they shouldn't, and despite our training we still have people trying to hide when they have.

 

Sources

https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/

 


1 minute ago, WillyW said:

This is a report from Kaspersky which is a Russian based security research agency with alleged Russia gov't connections,

I mean... sounds like a pretty solid source for unveiling a security flaw in a US based manufacturer with alleged US gov't connections?

 

They probably have some motivations to make this vulnerability seem like some major government ploy, but I honestly don't care about how the security hole got there, I just care about it getting fixed.


5 hours ago, manikyath said:

I mean... sounds like a pretty solid source for unveiling a security flaw in a US based manufacturer with alleged US gov't connections?

 

They probably have some motivations to make this vulnerability seem like some major government ploy, but I honestly don't care about how the security hole got there, I just care about it getting fixed.

Kaspersky had a lot of flak and even a ban from US agencies for discovering NSA contractors with hacking tools that were spotted by Kaspersky's KSN network (the protective cloud system in Kaspersky Antivirus; most antiviruses these days have similar systems built in to collect unknown/suspicious binaries, send them to their labs and analyze them). Also, saying Kaspersky has connections with the Russian government is a bit weird. Of course they do, they are a security company; they work with the Russian police and FSB the same way Norton or McAfee researchers work with American police and the FBI/CIA. Or Avast's researchers with Czech police and security services. Or AVIRA with German police and their agencies. They work with national agencies on large scale attacks/hacks. Always have, always will. Also Eugene Kaspersky, the founder of Kaspersky, is highly respected in security circles.


That's a genuinely impressive backdoor! Difficult to find yet grants unlimited access to those who know about it.


On 12/29/2023 at 1:27 AM, manikyath said:

I mean... sounds like a pretty solid source for unveiling a security flaw in a US based manufacturer with alleged US gov't connections?

The Russian government isn't really a solid source for anything and, if anything, the Russian government claiming something is often indicative of the opposite being true.

 

With that said, Kaspersky is not the Russian government, even though they may have ties to it, and as far as I know they have a fairly solid reputation in the field.

 

And this shows when you look at which claims come from where:

Quote

A separate alert from the FSB, Russia's Federal Security Service, alleged Apple cooperated with the NSA in the campaign. An Apple representative has denied the claim. Kaspersky researchers, meanwhile, have said they have no evidence corroborating the claim of involvement by either the NSA or Apple.

It was the FSB that claimed the NSA was involved, likely with absolutely no evidence. Kaspersky has not made these claims. @WillyW I would suggest updating your post to reflect that NSA involvement is not "likely" but merely "alleged with no evidence by adversary agencies".

 

-

 

Looking at the article the thing that pops out to me is the initial attack vector:

Quote
  • Attackers send a malicious iMessage attachment, which is processed by the application without showing any signs to the user
  • This attachment exploits vulnerability CVE-2023-41990 in the undocumented, Apple-only TrueType font instruction ADJUST for a remote code execution. This instruction existed since the early 90’s and the patch removed it.

The TrueType vulnerability is whatever (although I suppose that's what you get for adding your own proprietary and undocumented instructions to a common format), but the fact that iMessage processes attachments automatically seems absolutely insane to me. It's pretty much begging for a no-click exploit like this.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*

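The quoted attack vector above hinges on a font instruction the public TrueType spec never documented. As an added example (not code from the thread, Kaspersky or Apple), here is a small triage routine that walks a TrueType instruction stream (a glyph program, or the fpgm or prep table) and reports opcodes outside the published instruction set, skipping the inline data of push instructions so that data bytes are not misread as opcodes. The documented-opcode table and the sample byte strings are this example's own assumptions.

```python
# Added example, not code from the thread, Kaspersky or Apple: a triage helper that walks
# a TrueType instruction stream (glyph program, fpgm or prep table) and reports opcodes
# outside the published TrueType instruction set.
from typing import List, Tuple

# Inclusive opcode ranges defined in the public TrueType instruction set, plus Apple's
# later GETVARIATION (0x91) and GETDATA (0x92). This table is an assumption of the
# example; check it against the current spec before relying on it.
DOCUMENTED_RANGES = [
    (0x00, 0x27), (0x29, 0x7A), (0x7C, 0x82), (0x85, 0x8E),
    (0x91, 0x92), (0xB0, 0xFF),
]


def is_documented(opcode: int) -> bool:
    """True if the opcode falls inside a documented range."""
    return any(lo <= opcode <= hi for lo, hi in DOCUMENTED_RANGES)


def scan_instructions(code: bytes) -> List[Tuple[int, int]]:
    """Return (offset, opcode) pairs for every undocumented opcode in `code`.

    Push instructions carry inline data; those bytes are skipped so that a data
    byte that happens to equal an undocumented opcode is not reported.
    Raises ValueError if a push runs past the end of the stream.
    """
    findings: List[Tuple[int, int]] = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if not is_documented(op):
            findings.append((i, op))
        if op == 0x40:                        # NPUSHB: count byte, then that many bytes
            if i + 1 >= n:
                raise ValueError(f"truncated NPUSHB at offset {i}")
            i += 2 + code[i + 1]
        elif op == 0x41:                      # NPUSHW: count byte, then that many words
            if i + 1 >= n:
                raise ValueError(f"truncated NPUSHW at offset {i}")
            i += 2 + 2 * code[i + 1]
        elif 0xB0 <= op <= 0xB7:              # PUSHB[n]: n+1 inline bytes
            i += 1 + (op - 0xB0 + 1)
        elif 0xB8 <= op <= 0xBF:              # PUSHW[n]: n+1 inline words
            i += 1 + 2 * (op - 0xB8 + 1)
        else:
            i += 1
        if i > n:
            raise ValueError(f"push data runs past end of stream (length {n})")
    return findings
```

Run it over the fpgm, prep and glyf instruction streams pulled from a font before that font reaches any parser that processes attachments automatically; a non-empty result is a reason to quarantine the file for manual review, not proof of exploitation.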

3 hours ago, Sauron said:

It was the FSB that claimed the NSA was involved, likely with absolutely no evidence. Kaspersky has not made these claims. @WillyW I would suggest updating your post to reflect that NSA involvement is not "likely" but merely "alleged with no evidence by adversary agencies".

While not necessarily the NSA, the way the exploit was crafted really suggests it would be some nation state.

 

Given the nature of the attacks as well, and the people whose phones were infected, personally, it would seem that there are only 2 likely candidates for this... with the NSA being at the top of the list.

 

The thing is, there won't ever really be "evidence" unless there is some form of leak by the US... even Stuxnet, while pretty much everyone knows it's the US, wasn't really confirmed until Snowden. (There was of course leftover evidence in the file when it was being decompiled, but generally not really evidence).

 

That's the general issue with these kinds of things, you know it's likely a nation state but the question becomes which one.

 

Although the concern about the NSA working with Apple is something that, whether or not it was true, I think also deserves a discussion; as EternalBlue felt very much like MS either had their arm twisted or, more likely, was paid to not originally patch it (until it was actively used). We are, I think, reaching an age where there are almost going to be multiple standards due to issues like Chinese companies not being allowed access to Android (because of export bans), or similar kinds of technology that other nation states share because they either fear weaponization or similar with it.

3735928559 - Beware of the dead beef


1 hour ago, wanderingfool2 said:

The thing is, there won't ever really be "evidence" unless there is some form of leak by the US... even Stuxnet, while pretty much everyone knows it's the US, wasn't really confirmed until Snowden. (There was of course leftover evidence in the file when it was being decompiled, but generally not really evidence).

There could be ways of getting at least a hint as to who is behind it. It's possible further investigation will also offer clues... who had access to detailed descriptions of this undocumented hardware? Where did the attack messages originate? As far as I can tell we don't really know exactly who was affected, we just know people at Kaspersky were - and they would be among the few who were specifically looking for something like this.

1 hour ago, wanderingfool2 said:

Although the concern about the NSA working with Apple is something that, whether or not it was true, I think also deserves a discussion

Apple is certainly not above scrutiny, but again since there is no evidence either way I wouldn't point the finger just yet. You can generally assume that if the US government really wants access to your phone, they can have it... with or without Apple's cooperation.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*
