A Very Deep Dive Into iOS Exploit Chains Found in the Wild googleprojectzero.blogspot.com

Ian Beer of Google’s Project Zero team:

Earlier this year Google’s Threat Analysis Group (TAG) discovered a small collection of hacked websites. The hacked sites were being used in indiscriminate watering hole attacks against their visitors, using iPhone 0-day.  

There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant. We estimate that these sites receive thousands of visitors per week.  

TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12. This indicated a group making a sustained effort to hack the users of iPhones in certain communities over a period of at least two years.

I’ll investigate what I assess to be the root causes of the vulnerabilities and discuss some insights we can gain into Apple’s software development lifecycle. The root causes I highlight here are not novel and are often overlooked: we’ll see cases of code which seems to have never worked, code that likely skipped QA or likely had little testing or review before being shipped to users.

The posts in this series truly are a deep dive — each post is technically dense with exploit code and explanations of how they worked. That doesn’t mean that these methods are advanced, but they are exploit chains and, given what the implant pilfers, I wouldn’t be surprised if these attacks were the fault of state actors intending to hit specific targets. Beer doesn’t say exactly that, but he hints at its possibility:

Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.

Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted. […]

If you aren’t interested in reading the entire series, this introductory post and the description of the payload are worth spending some time with.

Update: Zack Whittaker of TechCrunch is reporting that these exploit chains were deployed by the Chinese government to target Uyghur Muslims.