Researcher releases source code for three unpatched iPhone exploits
Image: Thomas Trutschel / Photothek via Getty Images
Piracy. Disinformation. Monitoring. CYBER is Motherboard’s podcast and feature story on the dark underbelly of the Internet.
A security researcher has released details of three vulnerabilities affecting up-to-date iPhones, which could be used by a malicious application to collect personal information.
The researcher, who calls himself Illusionofchaos, published details in a blog post Thursday, and he also released the source code for exploits that take advantage of these vulnerabilities on GitHub.
The blog post and source code give other security researchers, as well as malicious hackers, the ability to reproduce the unpatched vulnerabilities and exploit them, according to other researchers who analyzed the disclosed bugs .
Illusiononofchaos wrote that he has decided to go public with his “frustrating experience of participating in the Apple Security Bounty”.
“I reported four zero-day vulnerabilities this year between March 10 and May 4, so far three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them they apologized, assured me it was due to a processing issue, and promised to list on the next update’s security content page, ”they wrote in the blog post.“ There have been three releases since then and they’ve broken their promise every time. Ten days ago, I asked for an explanation and then warned that I would make my research public if I did not receive an explanation. My request was ignored so I am doing what I said I would do. “
Apple did not respond to multiple requests for comment. Illusionofchaos could not be reached for comment.
Wojciech Reguła, head of mobile security at cybersecurity company SecuRing, told Motherboard it took him around 30 minutes to reproduce all the vulnerabilities.
Are you looking for vulnerabilities and exploits for iPhones? We would love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wire / Wickr @lorenzofb, or by email at [email protected]
It is very rare for researchers to release the full source code of exploits, especially for iOS. Research teams like Google Project Zero sometimes do this, but only after the bugs have been fixed. In addition, GitHub recently changed its policy on posting such code, which prohibits users from posting code that could be used to attack users’ devices.
GitHub did not immediately respond to a request for comment.
The good news is that these bugs cannot, used alone, be used to hack an iPhone remotely, according to Reguła.
“On the other hand, they do actually violate sandbox restrictions (like getting an Apple ID, the ability to list all installed apps, access to contacts),” he said in a statement. live chat. “[A] a malicious attacker can of course use these exploits, but it requires the installation of a malicious application on the victim’s device. And it’s not really easy. “
“Generally, the world will not die because of these three zero days,” he added.
Getting malware from the Apple App Store is extremely difficult, and there have been very few instances where this has happened. This case, however, shows once again that security researchers are not happy with the way Apple is handling their reports.
Last week, The Washington Post published an article based on interviews with several security researchers who said they were frustrated with Apple for being slow to fix the bugs they reported and for not paying what they thought the bugs were worth.
These frustrations are not new. In 2017, Motherboard reported that several security researchers who were invited to the Apple bug bounty program while behind closed doors thought it just wasn’t worth reporting the bugs to the company. This was because they said vulnerabilities were worth a lot more if they were sold to zero-day brokers who then sold them to governments. The other big reason, they said, was that some bugs are needed in order to be able to continue researching iPhones, given that you need several unpatched vulnerabilities to inspect the iOS code.
Subscribe to our CYBER cybersecurity podcast, here.