On 29 August 2019, Google’s Project Zero security research team released the details of a major series of attacks against iOS using sophisticated, zero-day exploits on a scale unprecedented in the iOS world. (The Project Zero report is aimed at security professionals; Wired has a less technical summary.) This is the most significant iOS security incident we are aware of since the launch of the iPhone. And while it’s extremely unlikely that any TidBITS readers had their devices compromised, the news remains a concerning development.
In early 2019, Google Project Zero researchers discovered a series of exploits hosted on hacked Web sites. While most of the attacks worked only on older versions of iOS, one of them could compromise devices running the latest version of iOS and all its security patches. In the security world, that’s called a “zero-day” attack, and yes, that’s where Google’s security research team got its name.
Google reported the vulnerabilities to Apple in February 2019, and Apple patched them 6 days later with the release of iOS 12.1.4. At the time, iOS 12.1.4 seemed more important for its fix of a FaceTime bug that let a caller listen in on another FaceTime user while the device was ringing (see “Apple Re-Enables Group FaceTime with iOS 12.1.4 and macOS 10.14.3 Supplemental Update,” 7 February 2019). But if you look at the security notes for iOS 12.1.4, you’ll notice fixes for problems in Foundation and IOKit that acknowledge an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, and Ian Beer and Samuel Groß of Google Project Zero. (Beer and Groß wrote the Project Zero report as well.)
How Did the Attack Work?
Infection was easy: if a user visited one of the hacked Web sites using an iOS device, that device would be infected with implanted malware without any interaction from the user. That malware could monitor the infected device’s GPS location data in real time, as often as once per minute. It could also steal files on the device, which allowed it to:
- Read messages in plain text, just as the device’s owner sees them, from instant messaging apps whose communications are otherwise end-to-end encrypted (Messages, WhatsApp, Telegram, and Google Hangouts)
- Access the user’s email in apps like Gmail
- Download a complete copy of the user’s contacts database
- Extract copies of all the user’s photos
- Read login tokens that would allow accounts to be compromised in other ways
- Report the device ID back to command-and-control servers, and receive commands to read data from newly specified apps
The attack was not persistent, so restarting an infected device cleared the malware. However, most people don’t restart their iPhones often, so this probably didn’t help many of the victims.
As noted, these attacks didn’t target individuals but were aimed at anyone visiting certain Web sites. That’s what the security world calls a “watering hole” attack, since the attacker just waits for its prey to come to drink, much as a crocodile waits for a thirsty animal to get a little too close.
Although Google’s description did not identify the Web sites in question, it suggested that the attack type “indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.” Within a few days, sources familiar with the matter told TechCrunch’s Zach Whittaker that the Web site hacks were part of a state-backed attack—almost certainly the Chinese government—designed to target the Uyghur community in China’s Xinjiang state. This isn’t a stretch; Coda has documented numerous other ways that China surveils the Uyghurs of Xinjiang.
If it seems odd to you that the Chinese government would target only Uyghurs using iOS, you’re not alone. Anonymous sources have now told Thomas Brewster of Forbes that Android and Windows were also targeted. It’s unclear if Google’s researchers even realized that the sites were targeting other operating systems, and one source told Forbes that Project Zero had only seen iOS exploits being served from the hacked sites. No details about those attacks have been revealed yet, but the iOS attacks are more relevant to Apple users.
Am I at Risk?
Unless you’re part of or involved with the Uyghur community in Xinjiang, almost certainly not. First off, because Google reported all the exploits to Apple quickly, and Apple responded by patching them all in iOS within days, you’re protected from these particular attacks as long as you’re running an updated version of iOS. The implant malware could also be removed merely by restarting the iPhone.
Second, there’s no indication that these attacks were distributed beyond Uyghur-focused Web sites. Had these attacks been aimed at a broader set of users—particularly higher-value government or corporate users—they would likely have been discovered much more quickly. These particular attacks weren’t subtle in how they transmitted data back to their command-and-control servers, not even encrypting it with HTTPS. Such unusual upload patterns would likely be detected by savvy network administrators.
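As an added illustration (not from the original article or the Project Zero report), this is the kind of check a network administrator could run over proxy logs to spot the traffic pattern described above: a device repeatedly POSTing large amounts of data over plain HTTP to one host at near-regular intervals. The log format, the hosts and addresses, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (hypothetical format): time client method url bytes_out.
# 10.0.0.5 shows the suspicious pattern; 10.0.0.7 is ordinary traffic.
SAMPLE_LOG = """\
2019-02-01T10:00:00 10.0.0.5 GET http://news.example/index.html 412
2019-02-01T10:00:03 10.0.0.5 GET https://mail.example/inbox 900
2019-02-01T10:01:00 10.0.0.5 POST http://203.0.113.9/upload 48213
2019-02-01T10:02:00 10.0.0.5 POST http://203.0.113.9/upload 51990
2019-02-01T10:03:01 10.0.0.5 POST http://203.0.113.9/upload 47700
2019-02-01T10:04:00 10.0.0.5 POST http://203.0.113.9/upload 50002
2019-02-01T10:00:10 10.0.0.7 POST https://photos.example/api 8000000
2019-02-01T10:05:00 10.0.0.7 POST http://cdn.example/form 1200
"""

def parse(line):
    """Split one log line into (timestamp, client, method, scheme, host, bytes_out)."""
    ts, client, method, url, nbytes = line.split()
    scheme, rest = url.split("://", 1)
    host = rest.split("/", 1)[0]
    return datetime.fromisoformat(ts), client, method, scheme, host, int(nbytes)

def find_plaintext_beacons(log_text, min_posts=3, max_jitter_s=5, min_bytes=100_000):
    """Return (client, host) flows of repeated plain-HTTP POSTs with regular timing
    and a large cumulative upload volume. Thresholds are illustrative."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, scheme, host, nbytes = parse(line)
        if method == "POST" and scheme == "http":      # unencrypted uploads only
            flows[(client, host)].append((ts, nbytes))
    findings = []
    for (client, host), events in flows.items():
        if len(events) < min_posts:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        jitter = max(gaps) - min(gaps)                  # how regular the beacon is
        total = sum(n for _, n in events)
        if jitter <= max_jitter_s and total >= min_bytes:
            findings.append({"client": client, "host": host, "posts": len(events),
                             "bytes_out": total, "interval_s": round(sum(gaps) / len(gaps))})
    return findings

if __name__ == "__main__":
    for f in find_plaintext_beacons(SAMPLE_LOG):
        print(f)
```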
Third, iOS remains the safest consumer computing platform available, especially on current devices that feature additional hardware defenses. There will always be exploits, but it’s worth noting that iOS exploits are the most expensive available from “digital arms dealers” on the underground market for security vulnerabilities. Thus, they’re most likely to be used by deep-pocketed governments (or their private contractors) for political and military purposes.
None of this should be interpreted as meaning that we’re safe from as-yet-undiscovered attacks. Of course, that’s always true.
What Should I Do?
We have to assume that attacks like this are still happening and will continue into the future. So what should everyday users do?
Unfortunately, apart from staying up to date with security fixes, there’s nothing we as users can do to protect ourselves from these and similar sorts of attacks. Stories like this show why sticking with an old version of an operating system can result in unanticipated problems. Using recent devices will also help, since Apple continually improves hardware defenses.
However, if you’re in a sensitive situation due to a government or corporate job, or due to your political activity, you should get security advice from professionals, not from articles you read on the Internet.
What Should Apple Do?
For the most part, Apple should continue to do what it has been doing for years. The company puts significant effort and resources into hardening its devices and operating systems, and the more secure Apple hardware and software products are, the less likely that Apple users will be vulnerable to attacks from hostile governments or organized crime. It’s unfortunate that increased security sometimes makes it harder to perform tasks that were once simple, but when Apple, a company known for emphasizing ease of use, makes those tradeoffs, there’s a good reason.
One improvement that Apple could make would be to develop an Administrator app that a security or other technology professional could install to gain insight into what their phone is doing by reading logs, showing running processes, reporting on open network connections, and so on—think of it as the iOS love child of the Mac’s Activity Monitor, Console, and Network Utility. Some researchers are calling for Apple to open iOS to certain categories of security tools, but that risks the bad guys exploiting such raw capabilities as they have on basically every other platform. Apple already has such monitoring running as internal processes—iOS is still Unix, after all—so creating a trusted, on-device-only tool could both help security professionals identify unusual activity indicative of a compromised device and help regular system administrators with common support tasks. It wouldn’t meet every research need, but it could be a valuable middle ground to provide professionals with better visibility into their devices.
In addition, Apple should keep paying bug bounties to researchers. Apple is currently expanding that program, and it offers some of the highest dollar payouts in the industry. That’s essential, given that Apple—like Google and Microsoft—is competing against the underground market for security vulnerabilities.
Apple should also continue to hold the line on strong encryption and device defenses. Creating backdoors for law enforcement of any nation, including the United States, will almost certainly lead to the company being forced to open access to other governments, or to leaks and compromises that will lead to the oppression of entire populations.
In the end, we hope we’ve conveyed the significance of what Google’s Project Zero revealed: a widespread attack targeting an entire population that both evolved and remained undetected for several years. It’s essential that we understand how thoroughly our phones can be used against us, and that there will always be those who will try to convert them into tools for monitoring and control. Simultaneously, we hope you understand that most—perhaps all—TidBITS readers have nothing to worry about, either from these particular attacks or from similar watering hole attacks in the future. And note that this is yet another instance of the increasing tension between governments and the tech giants. How that story will continue to play out remains to be seen.