Operation Triangulation: iOS devices targeted with previously unknown malware (securelist.com)
150 points by fortran77 on June 2, 2023 | hide | past | favorite | 31 comments



Interesting that this exploit has continued to work through 15.7. Apple’s earlier BlastDoor system (introduced with iOS 14) clearly hasn’t done enough to stop future zero-click iMessage exploits, so I wonder what attack surface these bugs are found in. Does anyone have a more complete understanding of why the BlastDoor mitigation has been so insufficient?


AIUI they put a lot of the message parsing into its own tightly sandboxed process. That surely makes exploitation harder, but ultimately that process will have to communicate the results of parsing to other processes, and considering the huge diversity of things iMessage messages can do, there must still be a lot of vulnerable surface area?


Lockdown Mode blocks all SMS attachments. It's a bit annoying but a wonderful feature.


“The malicious toolset does not support persistence, most likely due to the limitations of the OS”

This is an interesting way of phrasing “the OS is secure enough that even with full RCE and launching a separate binary, the attack cannot make itself survive a reboot”


Or maybe it was a deliberate tactic. If you can reinfect at will with RCE, persistence is just a bonus which may not be worth any compromise in, say, detectability.


Persistence beyond rethrowing your RCE is generally desirable not only because it limits the chain's exposure (each time you throw it, you're risking your $>1MM chain being captured and patched!) but because it allows you to use less reliable bugs and one-clicks, both of which are substantially cheaper and easier to find and develop. Fully interactionless bugs are really hard to come by and are not something you'd typically want to risk burning every single time a target's phone runs out of battery. If you can get a persistence bug, you're in a much better spot because then you only risk a few bugs (persistence + kernel chain) which, while still very high value, are more easily replaced.


Depends on how confident you are in your exploit catalog and your ability to find new exploits. Quantifying the value of the collected data is almost impossible because it can quite literally be priceless. Imagine you can understand the geopolitical strategy of a major adversary before they execute it...

Being non-persistent also reduces your exposure on secondary payloads though. If I was a nation state with nearly unlimited resources, I would also monitor the mobile networks, which could give you a good idea when the jig is up.


Recent and related. Others?

Scan iPhone backups for traces of compromise by “Operation Triangulation” - https://news.ycombinator.com/item?id=36164340 - June 2023 (129 comments)

Targeted attack on our management with the Triangulation Trojan - https://news.ycombinator.com/item?id=36161392 - June 2023 (105 comments)

“Clickless” iOS exploits infect Kaspersky iPhones with never-before-seen malware - https://news.ycombinator.com/item?id=36154455 - June 2023 (38 comments)

Kaspersky Blog: “Triangulation” Attack on iOS - https://news.ycombinator.com/item?id=36154166 - June 2023 (4 comments)


>“Clickless” iOS exploits infect Kaspersky iPhones with never-before-seen malware

https://news.ycombinator.com/item?id=36154455


Added to the above. Thanks!


> The malicious toolset does not support persistence, most likely due to the limitations of the OS.

This is a reminder to reboot your device if you haven't in a while. I have an app called iVerify, from Trail of Bits, which sends me periodic notifications reminding me to reboot or upgrade my OS.


I mean, they can just instantly reinfect your phone, so it won't help.


Would be interested to know if by 15.7 they mean that it's currently a zero-day for 15.7.X devices, or if it's since been patched in security updates. Also not clear if any 16.X software is vulnerable.

Obviously not a good thing either way, but the most important part of this from the user perspective is whether or not up-to-date devices are vulnerable.


IMO it's a persistent zero-day for 15.7.X devices. Even the latest WebKit vulnerability was fixed for iOS 16, but not iOS 15[1].

Additionally, I know this latest update did not happen on iOS 15 because (1) my phone did not receive an update, and (2) I am still seeing the sudden shutdown and reboot activity when my battery is between 20-30% (described in the WebKit vulnerability reports as an indication of an exploit).

However, according to Apple, iOS 16 is on 81% of all iPhones[2]. So I guess that means only 20% of mobile device users are "targetable"? Lucky me...

Also, I will suggest that US Government officials NOT have older iPhones which do not support iOS 16. Seriously.

[1] https://securityaffairs.com/146411/security/apple-3-new-zero...

[2] https://news.ycombinator.com/item?id=36156233


Is this a PDF exploit?

> Data usage information of the services com.apple.WebKit.WebContent, powerd/com.apple.datausage.diagnostics, lockdownd/com.apple.datausage.security


You really can't tell from the details in the article. WebContent is responsible for everything from DOM, to JS, to media decoding, etc.


Does iOS lockdown mode mitigate this vulnerability?


The article says the most recent version of iOS targeted is 15.7, which doesn't have Lockdown Mode (it was introduced in iOS 16). There aren't any details on how the exploit works yet, so it's hard to say.


It kicks off from a dodgy attachment received in iMessage. Lockdown mode disables attachments so in theory it should prevent this.


Thank you, I missed that detail.


Is there anything to suggest who conducted this attack?

It's a bit baffling why you'd go after an antivirus company.


“We are quite confident that Kaspersky was not the main target of this cyberattack,” Eugene Kaspersky, founder of the company, wrote in a post published on Thursday. “The coming days will bring more clarity and further details on the worldwide proliferation of the spyware.”

According to officials inside the Russian National Coordination Centre for Computer Incidents, the attacks were part of a broader campaign by the US National Security Agency that infected several thousand iPhones belonging to people inside diplomatic missions and embassies in Russia, specifically from those located in NATO countries, post-Soviet nations, Israel, and China. A separate alert from the FSB, Russia's Federal Security Service, alleged Apple cooperated with the NSA in the campaign. An Apple representative denied the claim.

https://arstechnica.com/information-technology/2023/06/click...


> infected several thousand iPhones belonging to people inside diplomatic missions and embassies in Russia

I'm surprised they use iPhones in those contexts. Specifically: I'm surprised that they allow usage of iPhones in such a context. Given how Russian intelligence perceives the US as its enemy, I would have guessed that using Apple devices would be banned entirely.


Can iMessage be disabled by MDM / Apple Configurator policy?


> Can iMessage be disabled by MDM / Apple Configurator policy?

Yes to both.

Don't forget iOS 16 lockdown mode as well as a third option.


Why do these attacks ever use WiFi? Or plaintext DNS?


I think that link is just a bit off; the report and details are here:

https://securelist.com/operation-triangulation/109842/


Belatedly changed from https://securelist.com/trng-2023/. Thanks!


So light on details that it's useless. Apparently, the actual IoCs and details are here https://securelist.com/operation-triangulation/109842/


Belatedly changed from https://securelist.com/trng-2023/. Thanks!


> The target iOS device receives a message via the iMessage service, with an attachment containing an exploit. Without any user interaction, the message triggers a vulnerability that leads to code execution

Ah but I'm glad Apple is at least focusing on the real issues, like blocking xhr and fetch requests over HTTP. facepalm



