Major Watering Hole Attack on iOS Shows Massive Challenge of Mobile Device Security


This article originally appeared in CPO Magazine on September 9, 2019.

iOS devices are widely considered to be more secure than their Android counterparts; Apple has even run recent ad campaigns with this as the central premise. Part of that is owed to Apple’s “walled garden” approach, which tightly controls what software can run on the device and how much of the platform is documented, and part is simply that Android has far more market share and so draws more attacker attention. Those factors have been effective in slowing down cyber criminals, but the mistake is in thinking that they will stop them entirely. A recent iOS watering hole attack – discovered by none other than Apple’s chief rival Google – should prompt consumers to reconsider their preconceptions about mobile device security.

The iOS watering hole vulnerability

Google’s “Project Zero” team of security experts proactively searches out previously unknown vulnerabilities. The team has been responsible for the discovery and investigation of some high-profile vulnerabilities, such as the Spectre and Meltdown CPU flaws.

Google’s Threat Analysis Group discovered a small collection of hacked websites in early 2019 that were serving previously unknown iOS exploits. The sites attacked any iOS device that visited, with no user interaction beyond loading the page, using five exploit chains that together covered iOS 10 through iOS 12. Given the range of versions covered, the researchers estimated the sites had been quietly compromising visitors with Apple devices for at least two years.

Google’s researchers privately notified Apple on February 1 and gave it a seven-day deadline to patch the vulnerabilities, which Apple met: the fixes shipped on February 7 as iOS 12.1.4. Apple’s advisory for that update did not describe how the bugs had been found or that they were being actively exploited. Project Zero’s series of blog posts on August 29 was the first public indication that these bugs had been used in a watering hole attack, one that compromised a device merely because its owner visited an infected site.

The present state of iOS mobile device security

Though Apple patched the vulnerabilities on February 7, iOS users who visited an infected site before updating may have unknowingly had nearly all of their sensitive personal data compromised. Neither Apple nor Google has named the sites that were serving these exploit chains.

The final payload was a monitoring implant that ran with root privileges on the device. It uploaded the device’s keychain, which holds users’ account logins, including those for banking and cloud storage services, along with photos, location data and the on-device message databases of apps such as iMessage and WhatsApp. Because messages are decrypted on the handset, end-to-end encryption offers no protection once the device itself is compromised.

The implant did not survive a reboot, but once the keychain had been uploaded the attackers held those credentials for future use regardless. While the implant was running they could also have pushed additional, more persistent malware onto the device. Stolen data was also transmitted back to the attackers over plain, unencrypted HTTP, which means that anyone sharing a network with a compromised device, such as a public WiFi hotspot, could have read it in transit.
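The plaintext exfiltration described above is something a network defender can look for even without knowing the implant’s specific indicators, which this article does not give. The following is an added example, not code from the article, Google or Apple: a generic heuristic in Python that scans constructed, proxy-style access log lines and flags large POST requests over plain http:// to bare IP addresses from iOS user agents. The log format, the addresses, the user agents and the size threshold are all assumptions made for illustration.

```python
"""Flag plaintext HTTP uploads to bare-IP hosts in proxy-style access logs.

Generic network-side heuristic for an implant exfiltrating over unencrypted
HTTP. It is NOT an indicator set for the implant in the article: the article
names no URLs, IPs or request shapes, so everything here is constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed proxy-style log lines (not real traffic), one request per line:
# client_ip method url bytes_sent "user_agent"
SAMPLE_LOG = """\
10.0.0.12 POST http://203.0.113.7/upload 184320 "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15"
10.0.0.12 GET http://news.example.com/story 512 "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15"
10.0.0.33 POST https://api.example.com/sync 90210 "ExampleApp/3.2 (iPhone)"
10.0.0.12 POST http://203.0.113.7/upload 240100 "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15"
10.0.0.45 POST http://198.51.100.9/api 120000 "Mozilla/5.0 (Linux; Android 9)"
10.0.0.45 POST http://198.51.100.9/api 300 "Mozilla/5.0 (Linux; Android 9)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)"$')


@dataclass(frozen=True)
class Finding:
    client: str
    host: str
    bytes_sent: int
    user_agent: str


def _is_bare_ip(host: str) -> bool:
    """True if the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def find_plaintext_uploads(log_text: str, min_bytes: int = 64_000,
                           ios_only: bool = True) -> list[Finding]:
    """Return POSTs over plain http:// to a bare IP carrying at least
    min_bytes of request body. With ios_only, keep only iPhone/iPad agents."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the batch
        client, method, url, size, ua = m.groups()
        parts = urlsplit(url)
        host = parts.hostname
        if method != "POST" or parts.scheme != "http" or host is None:
            continue  # only unencrypted uploads are of interest here
        if not _is_bare_ip(host) or int(size) < min_bytes:
            continue  # named hosts and small bodies are too noisy to flag
        if ios_only and not ("iPhone" in ua or "iPad" in ua):
            continue
        findings.append(Finding(client, host, int(size), ua))
    return findings


def bytes_per_client(findings: list[Finding]) -> dict[str, int]:
    """Total flagged upload volume per internal client, for triage ordering."""
    totals: dict[str, int] = {}
    for f in findings:
        totals[f.client] = totals.get(f.client, 0) + f.bytes_sent
    return totals


if __name__ == "__main__":
    hits = find_plaintext_uploads(SAMPLE_LOG)
    for h in hits:
        print(f"{h.client} -> {h.host}: {h.bytes_sent} bytes over plain HTTP")
    print(bytes_per_client(hits))
```

On the constructed sample this flags the two large uploads from 10.0.0.12 to 203.0.113.7 and ignores the HTTPS sync, the small GET and the small Android POST; dropping the iOS filter adds the large Android upload. Treat hits as triage leads rather than verdicts: a different implant could use TLS or a registered domain, so an empty result proves nothing.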

All of this means that the full extent of the breach and the number of compromised devices is impossible to know. Users running a patched iOS version are no longer exposed to these particular chains, but it is unclear how many had personal information exposed before the window was closed earlier this year, or how many may still carry other malware that was planted while the implant had access.

Beenu Arora, Founder & CEO at Cyble, noted that, “Attackers have been on the lookout for software vulnerabilities to target organisations and consumers and achieve their goals (such as financial gains, cyber espionage). Cyble has seen a number of similar attacks where attackers have exploited the software supply chain, and such attacks are not slowing down. We strongly recommend consumers to keep their apps and phone up-to-date, and stay vigilant about unexpected SMSs and emails with web links.”

Securing mobile devices: A massive challenge

The first and most important lesson to take from this incident is to not assume that mobile device security is adequate based on a brand name or advertising. It’s true that some products are more resilient than others, but any device can (and eventually will) be hit with exploits.

Usman Rahim, Digital Security and Operations Manager for The Media Trust, expanded on this idea:

“The identification of these exploits targeting iOS devices proves that even products designed from the ground up to protect your privacy aren’t 100% secure. The notion that only you can access your device is far from the truth. Your device and the apps that run on it are supported by many third-parties who can potentially access your behavioral and personal information, from how many steps you’ve taken this morning to where you bought your coffee to which article you read on which online publication. That’s just three of the many things you did this morning; it doesn’t include your location even with your GPS off, the credit card balance you paid off, and what pictures you IM’d to whom. This is today’s surveillance economy made possible by the digital ecosystem’s growing presence—with our unmindful consent—in our daily lives. And in this economy, the only way we can restore our privacy is for manufacturers, developers, online publishers, adtech/martech, data management providers, and everyone else in between, to work together on setting higher privacy and security standards that should include knowing who all their digital third parties are, what these third parties are doing and for what purpose, and uprooting these third parties from the digital ecosystem when they violate digital policies.”

As Rahim points out, even a fully secure device is passing information to all sorts of services that may not be nearly as secure. Third-party breaches are also not the only concern; businesses trusted with this information could potentially be distributing it to parties that have bad intentions.

The very nature of the market exacerbates these mobile device security issues. Phones and tablets essentially serve as a computer for people who do not have the time or inclination to learn how to use computers. The standard end user wants to be able to push buttons and have things handled for them automatically. That puts the onus of security almost entirely on the creators of the operating system, their various software developers and whoever the end user chooses to interact with online. Developers all along this chain have to anticipate an end user who will do nothing to proactively protect themselves and will be easily fooled by malicious actors.

Ori Sasson, CEO at Blackscore has this advice:

“The key measure users can take to protect themselves is to avoid clicking unknown links and avoid installing unknown apps. For Android users it is also important to avoid installing apps from unauthorised app marketplaces. In addition, it is important to keep apps and device operating system updated to the latest release. This may not help for unknown exploit chains but would prevent being vulnerable to known attacks such as the one discovered by Google. A good practice would be to periodically change passwords, and periodically reboot or restart devices to remove non persistent attacks.”

Even a savvy end user with an up-to-date, encrypted device is not immune to an exploit like the one seen here, however. Apple devices tend to be more secure in part because the cost of developing reliable exploits for iOS restricts them to private markets, where they are bought by nation-states and brokers (or, through Apple’s bug bounty program, by Apple itself) for sums that can reach seven figures. This particular operation used 14 distinct vulnerabilities across five separate exploit chains, each pairing a Safari browser bug with an escalation to kernel privileges; some of those bugs were still unpatched when Google found them. An iOS exploitation campaign this extensive had never been observed in the wild before, and its discovery raises the question of how many similar chains are out there quietly stealing data in the background.

iPhone users are also heavily relying on Apple for their mobile device security. Though no one would seriously argue that Android is better for keeping data safe even in the wake of this news, this breach demonstrates how Apple’s uniformity and walled garden approach can invert and become a liability when the company’s core software is compromised.

Unfortunately, there is no perfect answer to this inherent mobile device security problem other than keeping sensitive data entirely off the devices. That is unrealistic for most people’s personal and business lives, so the best harm reduction strategy is to rigorously keep on top of security updates, as John Aisien (CEO of Blue Cedar) points out:

“Mobile device security has historically been a slow-moving and often frustrating undertaking, but the result has created spikes in mobile device weaponization like the news we saw today. This raises profound concern about the security of the devices we carry around on an everyday basis, and which we increasingly use to access and process both personal and corporate data. By hacking into popular mobile apps like WhatsApp and iMessage, cybercriminals can gain access to sensitive information like encrypted messages, personal health information, location data, and in extreme cases, things like industrial plans or sovereign policies like we saw with the recent Huawei news in Africa. This type of attack will come as a shock to some, as it goes against the security promised by these types of applications. But the security software likely isn’t the culprit here – it’s possible this breach is the result of a lapse in the security update integration time. Companies should be responsible for immunizing their applications to prevent potential devastation, as ineffective mobile device and data security is something that will continue to generate concerns in the coming years.”