Spyware Zero-Day Hits Show Apple Ecosystem's Imperfections
Apple Apparently Pushes 'Zero Click' Patch, But Are Much Stronger Measures Required?
Is Apple's "walled garden" ecosystem secure enough to safeguard corporate secrets, not to mention the communications of journalists and civil rights defenders - or should the technology giant be doing more to defend its customers?
Revelations that Israeli commercial spyware vendor NSO Group was able to exploit a zero-day flaw in the latest version of Apple's iOS mobile operating system, running on its latest iPhone 12, demonstrate the Israeli company's ability to purchase and use expensive zero-day exploits against both Apple and Android users (see: Spyware Exposé Highlights Suspected Apple Zero-Day Flaws).
NSO Group continues to face accusations that its Pegasus spyware is used by repressive regimes - Azerbaijan, Bahrain, Saudi Arabia and others - to spy on journalists, human rights defenders and critics, some of whom have been murdered.
The attacks are also posing technical questions for Apple, given how the company positions iOS, backed by a walled garden model in which all apps must be vetted before being offered to users.
The vulnerability targeted in iOS 14.6, however, wasn't with a third-party app, but rather a piece of Apple's own technology: iMessage. Late Tuesday, Apple announced the release of iOS 14.7, which multiple security experts, including Costin Raiu, director of Kaspersky's security research team, anticipate will fix the flaw exploited in iMessage by NSO Group to infect devices with its Pegasus spyware.
"iOS 14.7 is out, fixing a number of unspecified vulnerabilities in Safari and the OS itself. Details to be added 'soon'. Given recent happenings, this looks most welcome." - Costin Raiu (@craiu), July 20, 2021
Apple says it regularly updates iOS to better defend against the latest surveillance tool and spyware capabilities. And it contends that "security researchers agree iPhone is the safest, most secure consumer mobile device on the market."
Concerns over how commercial spyware vendors are able to break into Apple and Android devices have intensified in recent days, as a consortium of media outlets, coordinated by French nonprofit Forbidden Stories, has begun publishing the results of months of research into leaked NSO Group data. The consortium, dubbed the Pegasus Project, says the leaks included an apparent target list of 50,000 individuals, including journalists, human rights advocates, business leaders, presidents and prime ministers.
NSO Group says the list was compiled from publicly available sources and in no way represents a targeting list. The company insists that it sells Pegasus only to "vetted governments" for law enforcement and intelligence agency use and that all sales must comply with export-control rules in Israel, Bulgaria or Cyprus.
The company's continued use of zero-day flaws in Apple devices earned it a rebuke from the technology giant.
"Apple unequivocally condemns cyberattacks against journalists, human rights activists and others seeking to make the world a better place," it says in a statement.
'The SpaceX of Surveillance'
One security problem for Apple and its customers is that accessing zero-day flaws used to be difficult, and is now less so. Finding or purchasing zero-day flaws for Apple's latest version of iOS is expensive, unless done in-house - for example, by an intelligence agency - in which case it requires a lengthy, resource-intensive process.
"There's always going to be someone who is very talented out there, motivated by the high remuneration they get from finding these [security] issues, working in all possible ways to bypass and find workarounds to these mitigations," Claudio Guarnieri, the head of Amnesty International's Security Lab, tells The Guardian.
Spyware firms such as NSO Group, thanks to their revenue, have demonstrated that they're able to buy such exploits.
"NSO's genius is that they've done something that attackers were never incentivized to do in the past: democratize access to exploit technology," says cryptography expert Matthew D. Green, an associate professor at Johns Hopkins University, in a blog post. "In other words, they've done precisely what every 'smart' tech business is supposed to do: take something difficult and very expensive and make it more accessible by applying the magic of scale. NSO is basically the SpaceX of surveillance."
Apple says it continues to refine the defenses in its software to better block such exploits. "Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life and are used to target specific individuals," it says. "While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data."
Attackers Blew Past 'BlastDoor' Firewall
But some security experts say Apple and Google could be doing even more to harden their operating systems.
The "zero click" exploit that Amnesty International found Pegasus was using to infect victims' phones, for example, targeted a vulnerability in iMessage. One problem is that the communications software accepts many different types of input, making it difficult to screen them all for what might be attack code.
"Perhaps it's time for a slight change in UX [user experience] and implementation where unknown senders don't get access to full attack surface until the first message is accepted," says Dino A. Dai Zovi, a veteran iPhone security researcher and co-author of "The iOS Hacker's Handbook," published in 2012.
Apple has continued to improve the defenses it employs for iMessage. With the release of iOS 14 in September 2020, for example, "one of the major changes," according to a teardown published by Google's Project Zero team of vulnerability hunters, was "the introduction of a new, tightly sandboxed 'BlastDoor' service which is now responsible for almost all parsing of untrusted data in iMessages."
Google's write-up, published in January, came in the wake of the University of Toronto's Citizen Lab, which researches surveillance software, reporting that a "zero click" exploit seen in the wild being used by NSO Group's software didn't appear to work against Apple devices running iOS 14.
"The reason Apple added a firewall is because they obviously *don't* feel that iMessage is secure by itself. There's too much unsafe parsing code. Adding a firewall is basically an admission that the core product can't be secured in its current form." - Matthew Green (@matthew_d_green), July 20, 2021
Unfortunately, as the Pegasus Project has revealed, BlastDoor was eventually blasted open. Green says firewalls are always an imperfect solution to any security problem, so what's needed is to completely redevelop iMessage. But that would be a more costly and time-intensive process than simply building a firewall, difficult to make backward-compatible and risky - in the sense that any errors in the code would be magnified across Apple's large user base, he says.
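Dai Zovi's suggestion above (unknown senders reach only a minimal attack surface until their first message is accepted), combined with the BlastDoor principle of keeping rich-content parsing away from the main process, as an added Python sketch that is not part of the article and not Apple's code. The part kinds, the parser sets and the text size limit are assumptions, and the rich parsers are represented only by a hand-off marker.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Assumed taxonomy of message-part kinds and of which parsers the client exposes;
# this is a constructed example, not Apple's actual iMessage parser inventory.
MINIMAL_PARSERS = {"text/plain"}
FULL_PARSERS = MINIMAL_PARSERS | {"image/jpeg", "image/gif", "link-preview", "application/pdf"}
MAX_TEXT_BYTES = 4096
Message = namedtuple("Message", "sender parts")  # parts: list of (kind, payload_bytes)

def parse_text(payload: bytes) -> str:
    """The only parser an unknown sender can reach: size-capped, strict UTF-8."""
    if len(payload) > MAX_TEXT_BYTES:
        raise ValueError("text part too large")
    return payload.decode("utf-8")  # malformed bytes raise instead of being guessed at

@dataclass
class Inbox:
    contacts: set
    accepted: set = field(default_factory=set)
    quarantine: dict = field(default_factory=dict)  # sender -> unparsed rich parts

    def exposed_parsers(self, sender: str) -> set:
        return FULL_PARSERS if sender in self.contacts or sender in self.accepted else MINIMAL_PARSERS

    def receive(self, msg: Message) -> dict:
        allowed = self.exposed_parsers(msg.sender)
        shown, deferred = [], []
        for kind, payload in msg.parts:
            if kind not in FULL_PARSERS:
                shown.append(f"[unsupported part {kind} dropped]")
            elif kind not in allowed:
                deferred.append((kind, payload))  # kept as opaque bytes, never parsed
            elif kind == "text/plain":
                try:
                    shown.append(parse_text(payload))
                except ValueError:  # UnicodeDecodeError is a ValueError subclass
                    shown.append("[unreadable text part dropped]")
            else:
                # Real image/PDF/preview decoding is out of scope; in a BlastDoor-style
                # design it would run in a separate, tightly sandboxed process.
                shown.append(f"<{kind} handed to sandboxed rich parser>")
        if deferred:
            self.quarantine.setdefault(msg.sender, []).extend(deferred)
        return {"shown": shown, "deferred": [kind for kind, _ in deferred]}

    def accept(self, sender: str) -> list:
        """User accepts the sender; only now do quarantined rich parts reach a parser."""
        self.accepted.add(sender)
        return self.receive(Message(sender, self.quarantine.pop(sender, [])))["shown"]
```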
Green notes that Apple already performs some type of reverse telemetry, looking for signs of users being targeted by surveillance, advertisers or other trackers. "This kind of telemetry could be expanded as much as possible while not destroying user privacy," he says.
Strategy: Make Attacks Much Costlier
One benefit of doing more such telemetry is that it would make evading Apple's checks more difficult - and thus costly - for NSO Group and other commercial spyware manufacturers.
Such a strategy is also being employed by Western governments against unfriendly nation-states' advanced persistent threat teams.
In recent years, the U.S. and U.K. have begun attributing some nation-state attacks and releasing precise details on the tactics, techniques and procedures being used. Officials say this strategy is simple: Besides helping organizations better defend themselves, they're also aiming to make launching these types of attacks more time-consuming and costly for adversaries. Of course, foreign governments will still target organizations with hack attacks. But hopefully they'll have to pick their targets more carefully, and go after fewer of them (see: Turla Teardown: Why Attribute Nation-State Attacks?).
Green advocates a similar strategy for dealing with NSO Group and other companies selling spyware, backed by continuing defensive improvements from operating system developers.
"Companies like Apple and Google can raise both the cost and risk of exploitation ... at least on specific channels like iMessage," he says. "This could make NSO's scaling model much harder to maintain. A world where only a handful of very rich governments can launch exploits - under very careful vetting and controlled circumstances - isn't a great world, but it's better than a world where any tin-pot authoritarian can cut a check to NSO and surveil their political opposition or some random journalist."