Even though the security mechanisms Apple has implemented to protect iOS and keep hundreds of millions of devices secure have improved by leaps and bounds, hackers are still finding ways to skirt around Apple’s protective measures. By its very nature, mobile security is something of a game of cat-and-mouse, and Apple more often than not finds itself reacting to newly unearthed exploits put together by increasingly sophisticated hackers.
Recently, researchers from Google’s Project Zero — a team whose sole mission is to identify zero-day vulnerabilities — revealed that hackers in 2020 were taking advantage of seven 0-day exploits to compromise Android, Windows, and iOS devices. The exploits were delivered via a watering hole attack whereby the malicious code was inserted into dozens of websites likely to be visited by specific targets or groups of people.
Some of the code and strategies implemented by the hackers responsible left Google’s security team impressed:
All of the platforms employed obfuscation and anti-analysis checks, but each platform’s obfuscation was different. For example, iOS is the only platform whose exploits were encrypted with ephemeral keys, meaning that the exploits couldn’t be recovered from the packet dump alone, instead requiring an active MITM on our side to rewrite the exploit on-the-fly.
The vulnerabilities cover a fairly broad spectrum of issues – from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited. In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero. The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out.
Notably, the most recently discovered 0-days are believed to be the work of the same group of hackers responsible for similar attacks unearthed back in February of 2020. Even then, Project Zero researchers were taken aback by the level of sophistication employed by the hackers.
“These exploit chains are designed for efficiency & flexibility through their modularity,” the Project Zero team said via a blog post back in January. “They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains.”
While it remains unclear which websites were targeted and what the hackers were seeking to accomplish, watering hole attacks in the past have been used to target iPhones belonging to Uyghur Muslims in China. In one highly publicized attack, which was brought to light by Project Zero back in 2019, hackers used a number of 0-day exploits on websites frequented by Uyghur Muslims so that they could snoop on user photos, private messages, passwords, and even GPS location data.
The 2019 attack was believed to be the work of the Chinese government, and given the level of sophistication of the 2020 attacks, it stands to reason that they were state-sponsored as well. But again, there is not enough information at this point to speculate as to which country might be behind the current attacks.