The device has been at the center of political furores, celebrity scandal and dangerous consumer obsession. Thanks to its almost gravitational power, it’s also caught the attention of hackers of every ilk, from seedy government contractors to white hats hoping to help Apple fix its mistakes.
To celebrate (and despair?) on the device’s tenth birthday (Jan 9), in no particular order, here are the 10 most significant iPhone hacks ever.
The San Bernadino shooter
It’s been little over a year since Syed Rizwan Farook walked into his ex-employer’s offices at the Inland Regional Center in San Bernardino, California, and killed 14 people. Out of that tragedy came one of the most significant narratives in the history of technological privacy, as the FBI sought to force Apple into opening Farook’s iPhone 5C to retrieve possible evidence. When Apple declined in early 2016, a protracted legal tussle between James Comey’s agency and Tim Cook’s Cupertino giant ensued. Apple gained supporters from Silicon Valley rivals like Amazon and Google, whilst the FBI received backing from Republican candidate Donald Trump, at that point an apparent no-hoper in the race for President, amongst other hardliners.
Comey eventually caved, when it emerged that despite the many times the FBI said it couldn’t get into the device, a contractor stepped forward with a working hack. We still don’t know who eventually helped the FBI crack the device. Just this weekend, the government’s response to a Freedom of Information request returned 100 heavily-redacted pages revealing next to nothing, other than to note three companies other than the successful party had offered assistance. Whoever broke the phone walked away with upwards of $1.3 million, according to comments from Comey. It’s assumed iPhones remain vulnerable to whatever hack was deployed.
Israeli spy contractor’s ‘Trident’
In August 2016, researchers from the University of Toronto’s Citizen Lab uncovered malware on an iPhone belonging to noted UAE activist Ahmed Mansoor. On investigation, the infection turned out to be something considerably more startling that a run-of-the-mill hack: it required three iOS vulnerabilities chained together to work. That was unprecedented.
Also unprecedented was Apple’s speed to respond. It took just 10 days from Citizen Lab’s disclosure to the company for it to patch all three flaws.
The malware itself was also significant: it was created, the researchers said, by a government spyware creator based in Israel, NSO Group, that sold its Pegasus lawful intercept software for as much as $500,000. A FORBES profile on the firm also revealed it was part of a larger group, Francisco Partners, which owned at least one other Israeli surveillance supplier, Circles. A later report revealed Francisco Partners portfolio company Procera Networks was accused of helping Turkey spy on its citizens. With those three under its wing, the group was said have acquired NSA-grade hacking power.
The $1m exploit
If it wasn’t already apparent from the aforementioned cases, iPhone exploits have come to be worth a lot. And there’s an open market for iOS vulnerabilities, as evidenced by so-called zero-day merchant Zerodium. In October 2015, it announced a bounty for an iOS 9 exploit, offering $1 million for successful researchers. A month later, an unnamed party claimed the prize.
What happened to Zerodium’s acquisition then? “The iOS exploit that was acquired in 2015 was sold to one unique party as part of an exclusive agreement,” company chief Chaouki Bekrar told me. “The details of the exploits and deal will not be revealed as they are under a perpetual non-disclosure agreement.”
More have been purchased, Bekrar claimed. “We’ve acquired a few other million plus exploits since the first million dollar bug bounty but we cannot disclose or discuss the financial nor technical details of such acquisitions.”
As in the San Bernardino case, it’s believed iPhones remain vulnerable to whatever exploits were used.
Fingerprint faking
Researchers have repeatedly shown how to create a fake fingerprint to bypass Apple’s TouchID. It’s something cops could use in earnest too.
Last year, Dr. Anil Jain of Michigan State University was approached by local law enforcement to create a fake finger that would unlock a Samsung device. Using technology and materials that cost just $500, Jain and his team succeeded. Once they’d given the unlocked phone back to the feds, they tried it on an iPhone 6. It worked.
In the meantime, police are pushing through warrants allowing them to force people (in some cases anyone suspected of having a TouchID device inside a specified building) to open iPhones with their fingers. In December, FORBES revealed numerous warrants had been signed off in 2016 for just that. At the same time, a Florida judge ruled a man suspected of taking pictures up women’s skirts should be compelled to hand over his passcode. Fifth Amendment protections against self-incrimination, he ruled, did not stand.
The original jailbreak
The jailbreaking scene, where hackers strip away Apple’s control over the iPhone, is alive and well. But where did it all start?
According to noted iOS security expert Jonathan Zdziarski, it was a community effort that he was part of that resulted in the “Dropbear” hack in 2007. Here he is, pseudonym NerveGas, posting about it on a hacker forum 10 years ago:
The jailbreak involved “a sort of shell game” in which their own files would be swapped in for Apple’s official ones, Zdziarski told me. It eventually granted the iPhone owner root control via a secure shell (SSH) — i.e. they could add and remove software as they pleased.
“It was a total team effort,” Zdziarski added. “Of course back then we all feared lawsuits from Apple so nobody used their identities.”
Jailbreakme
The hacker noms de guerre lived on not as anonymizers, but signifiers of a scene, as jailbreaking exploded in the early years of the iPhone. As hackers young and old broke down Apple’s security measures designed to keep devices under its control, a perpetual cat and mouse game emerged.
One of the more significant jailbreaks of during those heady days was Jailbreakme, created by then-teenager and future Apple employee Nicholas Allegra, then known only by his handle Comex. The first came in 2007, followed by sequels in 2010 and 2011. When FORBES spoke with Allegra in 2011, shortly after the third iteration, he described his iPhone as “totally insecure.”
To many in the community, Apple has improved a great deal since then, but jailbreaks continue to rain down, as global research teams seek to peal away the added layers of security.
The Charlie Miller show
Also in 2011, a former NSA analyst Charlie Miller revealed an iPhone exploit that allowed him to bypass the code-signing protections in iOS designed to allow only Apple-approved software to run. He even managed to get his proof-of-concept malware on the App Store. It could steal photos, data and make the device vibrate… or much worse if he had malicious intent.
Apple wasn’t happy. Miller was swiftly barred from the Apple developer program. It didn’t stop him carrying out somewhat risky hacks, as he went on to break Jeep’s security and remotely control cars as they hurtled down highways.
One-text crash
Here was a hack anyone could carry out. In May 2015, it emerged a single string in a text could crash an iPhone. The iMessage “Effective Power” bug (or “Unicode of Death”) would cause any iPhone in lock mode to repeatedly crash. The message simply read: “effective. Power لُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ 冗”.
Apple couldn’t issue a software fix right away, so chose instead to offer a temporary fix before a full patch later in the summer. Given the number of users venting their annoyance across Reddit and Twitter, it may have been one of the most widely exploited iOS vulnerabilities ever.
One-text hack
In another one-text hack, in July 2016, Cisco Talos researcher Tyler Bohan found a critical bug in ImageIO, used by iOS to handle image data. Though it was patched before it became a nuisance, the connotations were serious: the exploit would run silently as soon as a multimedia message was received and would hand over authentication information to the hacker.
Bohan described it as “an extremely critical bug, comparable to the Android Stagefright as far as exposure goes.” Given how frequently Google Android bugs are uncovered, this was a shot in the arm for anyone complacent about iPhone security.
XcodeGhost
The iPhone has, fortunately, remained relatively malware free. But there have been notable scares, and the outbreak of XcodeGhost was one of them.
The perpetrators found a sneaky way of getting their malicious code into official apps on the App Store in September 2015, as they sought to pilfer iCloud login details. They infected the Xcode developer tool hosted on the Baidu cloud file sharing service, knowing it was popular amongst Chinese coders.
Apple was concerned enough about the issue, releasing a list of the top 25 most popular affected apps. Though the problem first emerged in September, XcodeGhost continued to haunt iPhones until the end of 2015, when it faded into a bad, distant memory.
No comments:
Post a Comment