The vulnerabilities were actively used by threat actors who also used compromised websites to carry out watering hole attacks against iPhone users. Almost all versions between iOS 10 and iOS 12 were affected. The websites used in these attacks were visited thousands of times on a weekly basis.
“Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day,” wrote Ian Beer of Google Project Zero.
Were the attacks targeted? It appears that they were not, as simply visiting one of these hacked sites was enough for an attack to be launched. In the case of a successful exploit, the attack ended with a piece of spyware dropped on the compromised device.
Google’s Threat Analysis researchers were able to “collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years”.
iOS Exploit Chains: Details
The researchers discovered exploits for fourteen vulnerabilities across five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes. One of the privilege escalation chains was considered a zero-day as it was unpatched at the time of discovery (CVE-2019-7287 & CVE-2019-7286).
The researchers suspect that all the exploit chains were written contemporaneously with their supported iOS versions. In other words, the exploit techniques used in each chain suggest that it was created around the time its target version was current; the first exploit, for example, was likely written around the time of iOS 10.
The first exploit chain leverages only one kernel vulnerability that was directly reachable from the Safari sandbox.
The second exploit chain targets iOS 10.3 through 10.3.3. Ian Beer independently discovered and reported the bug to Apple, and it was patched in iOS 11.2.
The third chain targeted the versions between iOS 11 and 11.4.1, spanning almost 10 months. This is the first chain the researchers observed having a separate sandbox escape exploit:
The sandbox escape vulnerability was a severe security regression in libxpc, where refactoring led to a < bounds check becoming a != comparison against the boundary value. The value being checked was read directly from an IPC message, and used to index an array to fetch a function pointer.
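The regression described above, as an added C illustration that is not Project Zero's or libxpc's own code: all names are hypothetical, and the point is which index values each form of the check lets through to a function-pointer table indexed by an untrusted message field.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed illustration of the bug class described above: a handler
 * table indexed by a value taken directly from an IPC message.
 * All names are hypothetical; this is not libxpc code. */

#define HANDLER_COUNT 4

typedef int (*handler_fn)(void);

static int handler_a(void) { return 1; }
static int handler_b(void) { return 2; }
static int handler_c(void) { return 3; }
static int handler_d(void) { return 4; }

static handler_fn handler_table[HANDLER_COUNT] = {
    handler_a, handler_b, handler_c, handler_d
};

/* Regressed check: only the boundary value itself is rejected. Any index
 * above it (or, with a signed type, below zero) is accepted and would
 * select a "function pointer" from memory outside the table. */
bool index_accepted_regressed(int64_t idx) {
    return idx != HANDLER_COUNT;
}

/* Correct check: reject every value outside [0, HANDLER_COUNT). Comparing
 * as unsigned folds the negative case into the too-large case. */
bool index_accepted_fixed(int64_t idx) {
    return (uint64_t)idx < HANDLER_COUNT;
}

/* Dispatch guarded by the fixed check. Returns -1 for any rejected index
 * instead of reading past the end of handler_table. */
int dispatch(int64_t idx_from_message) {
    if (!index_accepted_fixed(idx_from_message)) {
        return -1;
    }
    return handler_table[idx_from_message]();
}
```

The regressed predicate is kept as a pure boolean so the out-of-bounds indices it accepts can be observed without actually dereferencing past the table.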
The fourth exploit chain was created for versions iOS 12-12.1. It should be mentioned that the two vulnerabilities were unpatched when they were discovered in the wild. “It was these two vulnerabilities which we reported to Apple with a 7-day deadline, leading to the release of iOS 12.1.4,” Beer explained.
The fifth exploit chain is “a three way collision between this attacker group, Brandon Azad from Project Zero, and @S0rryMybad from 360 security”:
On November 17th 2018, @S0rryMybad used this vulnerability to win $200,000 USD at the TianFu Cup PWN competition. Brandon Azad independently discovered and reported the same issue to Apple on December 6th, 2018. Apple patched this issue on January 22, 2019, with both @S0rryMyBad and Brandon credited in the release notes for iOS 12.1.4 (CVE-2019-6225). It even won a Pwnie at Black Hat 2019 for best privilege escalation bug!
The victims in these attacks were infected shortly after visiting one of the hacked websites, with spyware being dropped and launched on the compromised iPhones.