Significant iOS Vulnerabilities Used Against Uyghur Muslims in China
On 29 August 2019, Google’s Project Zero security research team released the details of a major series of attacks against iOS using sophisticated, zero-day exploits on a scale unprecedented in the iOS world. (Wired has a less technical summary of the Project Zero report, which is aimed at security professionals.) This is the most significant iOS security incident we are aware of since the launch of the iPhone. And while it’s extremely unlikely that any TidBITS readers had their devices compromised, the news remains a concerning development.
In early 2019, Google Project Zero researchers discovered a series of exploits hosted on hacked Web sites. While most of the attacks worked only on older versions of iOS, one of them could compromise devices running the latest version of iOS and all its security patches. In the security world, that’s called a “zero-day” attack, and yes, that’s where Google’s security research team got its name.
Google reported the vulnerabilities to Apple in February 2019, and Apple patched them 6 days later with the release of iOS 12.1.4. At the time, iOS 12.1.4 seemed more important for its fix of a FaceTime bug that let a caller listen in on another FaceTime user while the device was ringing (see “Apple Re-Enables Group FaceTime with iOS 12.1.4 and macOS 10.14.3 Supplemental Update,” 7 February 2019). But if you look at the security notes for iOS 12.1.4, you’ll notice fixes for problems in Foundation and IOKit that acknowledge an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, and Ian Beer and Samuel Groß of Google Project Zero. (Beer and Groß wrote the Project Zero report as well.)
How Did the Attack Work?
Infection was easy: if a user visited one of the hacked Web sites using an iOS device, that device would be infected with implanted malware without any interaction from the user. That malware could monitor the infected device’s GPS location data in real time, up to once per minute. It could also steal files on the device, which allowed it to:
- Read the plain text of messages, just as the device’s owner sees it, in instant messaging apps whose communications are otherwise end-to-end encrypted (Messages, WhatsApp, Telegram, and Google Hangouts)
- Access the user’s email in apps like Gmail
- Download a complete copy of the user’s contacts database
- Extract copies of all the user’s photos
- Read login tokens that would allow accounts to be compromised in other ways
- Report the device ID back to command-and-control servers, and receive commands to read data from newly specified apps
The attack was not persistent, so restarting an infected device cleared the malware. However, most people don’t restart their iPhones often, so this probably didn’t help many of the victims.
As noted, these attacks didn’t target individuals but were aimed at anyone visiting certain Web sites. That’s what the security world calls a “watering hole” attack, since the attacker just waits for its prey to come to drink, much as a crocodile waits for a thirsty animal to get a little too close.
Although Google’s description did not identify the Web sites in question, it suggested that the attack type “indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.” Within a few days, sources familiar with the matter told TechCrunch’s Zack Whittaker that the Web site hacks were part of a state-backed attack—almost certainly the Chinese government—designed to target the Uyghur community in China’s Xinjiang state. This isn’t a stretch; Coda has documented numerous other ways that China surveils the Uyghurs of Xinjiang.
If it seems odd to you that the Chinese government would target only Uyghurs using iOS, you’re not alone. Anonymous sources have now told Thomas Brewster of Forbes that Android and Windows were also targeted. It’s unclear if Google’s researchers even realized that the sites were targeting other operating systems, and one source told Forbes that Project Zero had only seen iOS exploits being served from the hacked sites. No details about those attacks have been revealed yet, but the iOS attacks are more relevant to Apple users.
Am I at Risk?
Unless you’re part of or involved with the Uyghur community in Xinjiang, almost certainly not. First off, because Google reported all the exploits to Apple quickly, and Apple responded by patching them all in iOS within days, you’re protected from these particular attacks as long as you’re running an updated version of iOS. The implant malware could also be removed merely by restarting the iPhone.
Second, there’s no indication that these attacks were distributed beyond Uyghur-focused Web sites. Had these attacks been used to target users—particularly higher value government or corporate users—they would likely have been discovered much more quickly. These particular attacks weren’t subtle in how they transmitted data back to their command-and-control servers, not even encrypting it with HTTPS. Such unusual upload patterns would likely be detected by savvy network administrators.
Third, iOS remains the safest consumer computing platform available, especially on current devices that feature additional hardware defenses. There will always be exploits, but it’s worth noting that iOS exploits are the most expensive available from “digital arms dealers” on the underground market for security vulnerabilities. Thus, they’re most likely to be used by deep-pocketed governments (or their private contractors) for political and military purposes.
None of this should be interpreted as meaning that we’re safe from as-yet-undiscovered attacks. Of course, that’s always true.
What Should I Do?
We have to assume that attacks like this are still happening and will continue into the future. So what should everyday users do?
Unfortunately, apart from staying up to date with security fixes, there’s nothing we as users can do to protect ourselves from these and similar sorts of attacks. Stories like this show why sticking with an old version of an operating system can result in unanticipated problems. Using recent devices will also help, since Apple continually improves hardware defenses.
However, if you’re in a sensitive situation due to a government or corporate job, or due to your political activity, you should get security advice from professionals, not from articles you read on the Internet.
What Should Apple Do?
For the most part, Apple should continue to do what it has been doing for years. The company puts significant effort and resources into hardening its devices and operating systems, and the more secure Apple hardware and software products are, the less likely that Apple users will be vulnerable to attacks from hostile governments or organized crime. It’s unfortunate that increased security sometimes makes it harder to perform tasks that were once simple, but when Apple, a company known for emphasizing ease of use, makes those tradeoffs, there’s a good reason.
One improvement that Apple could make would be to develop an Administrator app that a security or other technology professional could install to gain insight into what their phone is doing by reading logs, showing running processes, reporting on open network connections, and so on—think of it as the iOS love child of the Mac’s Activity Monitor, Console, and Network Utility. Some researchers are calling for Apple to open iOS to certain categories of security tools, but that risks the bad guys exploiting such raw capabilities as they have on basically every other platform. Apple already has such monitoring running as internal processes—iOS is still Unix, after all—so creating a trusted, on-device-only tool could both help security professionals identify unusual activity indicative of a compromised device and help regular system administrators with common support tasks. It wouldn’t meet every research need, but it could be a valuable middle ground to provide professionals with better visibility into their devices.
In addition, Apple should keep paying bug bounties to researchers. Apple is currently expanding that program, and it offers some of the highest dollar payouts in the industry. That’s essential, given that Apple—like Google and Microsoft—is competing against the underground market for security vulnerabilities.
Apple should also continue to hold the line on strong encryption and device defenses. Creating backdoors for law enforcement of any nation, including the United States, will almost certainly lead to the company being forced to open access to other governments, or to leaks and compromises that will lead to the oppression of entire populations.
In the end, we hope we’ve conveyed the significance of what Google’s Project Zero revealed: a widespread attack targeting an entire population that both evolved and remained undetected for several years. It’s essential that we understand the level to which our phones can be used against us, which means that there will always be those who will try to convert them into tools for monitoring and control. Simultaneously, we hope you understand that most—perhaps all—TidBITS readers have nothing to worry about, either from these particular attacks or from similar watering hole attacks in the future. And note that this is yet another instance of the increasing tension between governments and the tech giants. How that story will continue to play out remains to be seen.
Security is difficult and that’s what we see here. China had a keen interest in iOS security holes and they probably spent a ton of money to find them and implement them. A bug bounty would not get the Chinese to reveal their find. Maybe it might encourage another user who found the same bug, but security holes like this are more likely to be state sponsored finds and immune from bug bounties.
Apple doesn’t appear to use automation tools that can find security holes during OS development, and they had been criticized before about this. It’s hard to say really. They aren’t designing an app, but an OS and that makes it more difficult. They also have their own development tools which make it harder to use already available tools.
I hope, if anything, this makes Apple a bit more self aware that almost a billion people depend upon their iPhone being secure and some of them are betting their lives on it. I hope this makes Apple a bit more vigilant with OS development.
I’ve deleted all the off-topic political commentary and will continue to do so.
The political/powerplay dynamics of this are vastly more interesting than the technical. We know that despite best efforts, weaknesses exist in most software. We know that black hat companies and white hat groups like TAG dedicate their resources to finding as many of these weaknesses as they can (either to sell them to govts or companies or to alert the vendors and help everyone).
What matters most is how efficiently these weaknesses, once found, make their way back to the vendor, how quickly the vendor fixes them, and how broadly and quickly the fix gets deployed to the devices in use. In this case we have no data on who originally found the 14 compromises (except it was probably a black hat actor). They clearly were held in secret for years without the black hat actors and their customers informing Apple. Once TAG informed Apple they took <7 days to fix all 14 and issue an update. The Apple ecosystem is such that updates promulgate to the vast majority of devices, old and new, very quickly.
It is highly relevant that this was apparently communicated to Apple back in Feb and fixed in Feb…but Google chose to release this information to the public ~1wk before Apple holds an event in which they are expected to release new hardware and software that greatly increases their already strong security value prop. Google is the company who created Android for the single purpose of vacuuming up every shred of data about a user and merging it with all the other data they acquire from other sources. Their privacy abuses are many, varied and nearly continuous and are having a huge negative impact on user behavior across multiple market segments. They have a strong vested interest in muddying the waters around Apple security and privacy and they appear to be assuming the Fear, Uncertainty and Doubt (FUD) role that Microsoft used to play.
How very tolerant and open-minded of you, Adam. Just when people might step outside of the world of State Department press releases.
May I ask you to be kind enough to send me what I wrote so I could publish it independently? It doesn’t show up in my history here. Thanks for all your hard work publishing TidBITS over the years. TidBITS has been a great help to me many times. I write that to acknowledge I do not walk in your shoes and do not know the burdens you carry.
My level of tolerance and open-mindedness is irrelevant when it comes to conversations here veering off-topic, and the fact that I deleted these posts shouldn’t be interpreted as me agreeing or disagreeing with their content. Feel free to discuss US and Chinese domestic and foreign policy elsewhere.
I appreciate the kind words, and anything you can do to support the mission of TidBITS, which is to help individuals better use Apple and Internet technologies, is welcome.
Apple has now posted a statement taking Google to task for releasing this information.
And that has prompted a certain amount of pushback from the media.
Google told The Verge that its post was focusing on technical issues (which, if you read the actual post, is true):
Looks like some of these iOS vulnerabilities (along with a bunch of Android vulnerabilities) are being used against other populations too:
And what about the NSA ordered vulnerabilities in processors and communication devices which mean that German chancellor’s personal telephone was being intercepted and monitored by US intelligence agencies? What’s good for the goose is good for the gander, Adam. There’s a great deal of hypocrisy in every breath an American takes to condemn another nation for running a surveillance state.
There might be a slight difference between intelligence gathering and suppression of an unliked minority…not quite the same thing.
African-Americans everywhere are laughing hollowly at that comment.