Apple Patching, zero day exploits and zero click infections using SMS
Updated: Sep 24, 2020
Apple recently released an emergency patch for the iOS system, designed to resolve three zero day vulnerabilities. The fact that Apple actually released this patch in between their regular updates demonstrates just how serious the threat is.
The most interesting of these vulnerabilities is the CVE-2016-4657. This is a memory corruption bug in the Safari WebKit, allowing an attacker to compromise the device when a user clicks on a link.
It sheds light on a constantly recurring problem, which is the good old GSM standard we all use, dating back to 1985.
To put this into perspective, during a recent tidy up, I found my old Motorola flip phone from 1989, complete with the charger and all the usual bits and pieces. Just for the fun of it, I charged it and put in a brand new SIM-card, not really expecting it to work but it did – flawlessly. This was the first ‘pocket sized’ phone to be sold here in Norway. It cost an arm and a leg, but it was the phone to have at the time, nicknamed ‘the yuppie phone’. So, the good old standards are still in place and this is one of the big problems we face today, legacy devices that still has to work even in a very modern environment. Modern devices has to conform to the same old standards, and we all know that mobile security wasn’t really a topic when these standards were designed.
According to lookout.com, the exploit that Apple recently addressed has been around for a long time. There are clear indications that spyware using this exploit has been around since iOS 7, dating back to 2013.
This also coincides with the establishment of the Israeli company NSO group, a low profile Israeli company which avoids the press at all costs and doesn’t even have a website.
It is known is that the NSO Group’s Director of Product Management , Guy Molho, created these exploits in 2013.
What is even more interesting is that he made two versions of this exploit, and the information was made known after the Italian company Hacking Team were – well – hacked, resulting in huge amounts of sensitive information being leaked.
As it seems, two different attack vectors were created by Mr. Molho, one of those being the one the human rights activist Ahmed Mansoor was subjected to.
The first attack was a classic phishing scheme. It was a text message offering him information about secrets, detailing ways that detainees were tortured in the UAE. This information was accompanied by a link to a site where these secrets would allegedly be revealed. The link, as it turned out, led to a webpage not giving out secrets, but containing some very malicious secrets of its own. The webpage would first assess what kind of device was accessing it and based on that, it determined if the devicecould be infected or not. If it determined that this particular device could be infected, it automatically downloaded the correct infection and pushed it to the device. Very clever indeed.
The second type of attack was not used on Ahmed Mansoor, and works by sending a special kind of SMS message, like a WAP Push Service Loading (SL) message to the phone, triggering it to automatically go to said webpage where the device will be infected. The frightening part of this is that all this happens without the knowledge of the user and cannot be stopped or prevented.
The latter was for the most part stopped by Apple’s recent patching and Telco’s worldwide are working to avoid these from being used. However, they can only stop what they know is being used.
Examples of known tools for infecting phones using those kinds of SMS’s are the MonkeyCalendar attack from NSA, the Smurf suite from GHQC and more. We know these exist and infect, but only limited information is available as to exactly how they infect.
When it comes to tools for industrial espionage, there is very little out there in terms of information, but seeing how stealthily NSO group have operated until now, it would not be surprising to learn that companies like this sell their software also to this market segment.
So, how much can they really monitor?
The answer to that is, very scarily, a lot. This is what they confirmed that the NSO Group attack can do:
Record phone calls
Record Viber calls
Record WhatsApp calls
Monitor messaging systems
Monitor calendar entries
Monitor mail systems
Monitor all files on the device (including photos and videos)
Turn on microphone at will and record audio
Turn on camera at will and record video and audio
How is it possible to monitor that much on a device that is already well secured?
Well, part of the explanation is that as long as you are within the OS, you have access to a lot of things, but the fact is that modern smartphones are built to accommodate EMM/MDM systems and offer extensive functionality to those systems. Lacking an EMM/MDM system, the infection is free to use this functionality to its own (and not to the owner’s) benefit.
We are safe now after Apple patched the iOS, right?
Wrong. This is just the top of the iceberg. Zero day exploits are hot selling commodities on the dark web, and there are more out there, many more. How do we know? We can just look at the brochure the German company Wolf Intelligence gave out in 2015, and we see that they advertise that they have more than 22 Zero day Exploits, which presumably means they have 23.
They are only one of a number of companies offering such services, and this is how they introduce themselves, also cut from their brochure:
Wolf Intelligence, an internationally recognized leader in the Cyber warfare ﬁeld, oﬀers practical and realistic solutions to counter threats. With customers across the globe in all major continents, law enforcement agencies, governments, intelligence agencies, corporations, and ﬁnancial institutions have come to rely on Wolf Intelligence for the skills, products, and services it oﬀers. Wolf Intelligence has met with considerable success in recent years, leading to large proﬁts and the potential for future growth. In fact, the ﬁelds of cyber warfare and security will be a four trillion dollar market next year. This success has been the result of some of the services oﬀered by Wolf Intelligence which include unparalleled support, innovative product mix, reliability even under adverse conditions, and cost eﬀective solutions for today’s tough economic times. Please consider just a sample of what we have to oﬀer.
Wolf Intelligence is operation openly, with a website, exhibiting at various events like the MilPol in Paris in November. NSO was operating covertly until they were caught in the limelight of the press, but there are no doubt many other companies like NSO that sells these kinds of intelligence tools.
Breaking down the smartphone
When we researched this, it became strikingly obvious after a while, that the smartphone is no safer than the average IoT device. How so you say? After all, both Google and Apple are investing heavily in the safety of their operating systems. At the operating system level, although not bulletproof, these devices are fairly well secured. However, the problem doesn’t lie there. The problem lies in the two other operating systems running on a smartphone, one being the modem. This is an autonomous processor, with usually embedded Linux as its OS. The other is the SIM-card, which is also an autonomous processing unit, usually running embedded Java. So if you look at a smartphone from that perspective, it consists of pretty much the same components as any IoT device and is not protected by the OS. In fact, you can’t even see into the processes running in those two processors from the OS.
Why attack the front gates when you can sneak in through an unguarded hole in the fence?
This stunning discovery is one I’m quite sure we aren’t alone in seeing. Smartphones are the ideal target these days, as they contain pretty much all the information you have on your corporate network, yet at the same time, they lie outside the corporate network security system for most of the time. Using old technologies like SMS’s to attack, they are actually outside the corporate network security system all the time. Silent SMS’s have a lot of functionalities for the operators, like provisioning, SIM-card updates, network selection commands and much more, commands never meant for the user to see or relate to. Furthermore, there are also binary SMS’s which, once they have gained access to the smartphone, can carry a code to be installed in the SIM card or the modem. Finally, you have Hayes codes, remote modem commands that are still in use. The youngest of these technologies are from 1995, the others from 1985 and 1981. In other words, they were created in a time where cyber security wasn’t even invented, let alone a term.
How naïve are we?
After all you’ve read above, doesn’t it strike you that we have completely overlooked this part of cyber security? It is as if these old technologies are too ‘uncool’ – ‘archaic’ and ‘basic’ for cyber security specialists to even bother looking at them. Nothing could be further from the truth. You don’t need a high powered sniper gun to break a window, an old fashioned stone will do the job nicely.
We know these threats are real, the evidence is out there and more evidence surfaces every day. How much do we need to see before we understand that we need to stop these kinds of attacks?
Every business that has something to protect needs this kind of protection. If not, all the other investments in corporate security, firewalls, intrusion detection systems and countless security measures is for naught.
This is why we developed the Verji SMC suite, an encrypted collaboration tool that simultaneously protects against SMS attacks and IMSI catcher attacks. When combined with a state of the art EMM/MDM system, it provides businesses with the complete security solution.
In the meantime, ask yourself just how much data are you prepared to lose before close the smartphone loophole in your organisation’s network security? How much will a data breach cost your business, both financially and in terms of reputation, and is this a price you’re willing to pay when a simple, cost effective solution is out there?