Three iOS zero-days revealed by a researcher frustrated with Apple’s bug bounty

The pseudonymous researcher illusionofchaos joins a growing legion of security researchers frustrated with Apple's slow response and inconsistent adherence to policies when it comes to security flaws.

Aurich Lawson | fake images

Yesterday, a security researcher going by illusionofchaos dropped public notice of three zero-day vulnerabilities in Apple’s iOS mobile operating system. The vulnerability disclosures are mixed with the researcher’s frustration with Apple’s Security Bounty program, which illusionofchaos says chose to cover up a previously reported bug without giving them credit.

This researcher is by no means the first to publicly express frustration with Apple over its Security Bounty program.

Good bug, now shhh

illusionofchaos says they have reported four iOS security vulnerabilities this year: the three zero-days they publicly disclosed yesterday, plus an earlier bug that they say Apple fixed in iOS 14.7. Their frustration seems to stem in large part from how Apple handled that first, now-fixed bug in analyticsd.

This now-fixed vulnerability allowed any user-installed app to access iOS analytics data, which can be found at Settings --> Privacy --> Analytics & Improvements --> Analytics Data, without any permission granted by the user. illusionofchaos found this particularly disturbing because the data includes medical data collected by Apple Watch, such as heart rate, irregular heart rhythm and atrial fibrillation detection.

The analytics data was available to any app even if the user had disabled the iOS Share Analytics setting.

According to illusionofchaos, they sent Apple the first detailed report of this bug on April 29. Although Apple responded the next day, it did not contact illusionofchaos again until June 3, when it said it planned to address the issue in iOS 14.7. On July 19, Apple fixed the bug with iOS 14.7, but the security content list for iOS 14.7 acknowledged neither the researcher nor the vulnerability.

Apple told illusionofchaos that the failure to disclose the vulnerability and give them credit was just a “processing issue” and that it would be properly reported in “an upcoming update.” The vulnerability and its fix had still not been acknowledged as of iOS 14.8 on September 13 or iOS 15.0 on September 20.

Frustration with Apple’s failure to deliver on its own promises led illusionofchaos first to threaten, and then to carry out, the public drop of the three zero-days this week. In illusionofchaos’s own words: “Ten days ago I asked for an explanation and then I warned that I would make my research public if I did not receive an explanation. My request was ignored, so I am doing what I said I would do.”

We do not have specific dates for illusionofchaos’s reports of the three zero-days to Apple, or for Apple’s responses to them, but illusionofchaos says the new disclosures still adhere to responsible guidelines: “Google Project Zero discloses vulnerabilities within 90 days of reporting them to the vendor, ZDI at 120. I have waited much longer, up to half a year in one case.”

New vulnerabilities: gamed, nehelper enumerate, nehelper Wi-Fi

The zero-days illusionofchaos dropped yesterday can be used by user-installed apps to access data those apps should not have, or have not been granted, access to. We list them below, along with links to illusionofchaos’s GitHub repositories containing proof-of-concept code, in order of (our take on) their severity:

  • Gamed zero-day exposes the Apple ID email and full name, exploitable Apple ID authentication tokens, and read access to the Core Duet and Speed Dial databases
  • Nehelper Wi-Fi zero-day exposes Wi-Fi information to apps that haven’t been granted that access
  • Nehelper Enumerate zero-day exposes information about which apps are installed on the iOS device

The gamed zero-day is obviously the most severe, as it exposes personally identifiable information (PII) and can in some cases be used to perform actions in * which would normally have to be initiated by the iOS operating system itself or by direct user interaction.

The gamed zero-day’s read access to the Core Duet and Speed Dial databases is also particularly concerning, as that access can be used to build a fairly comprehensive picture of the user’s entire set of interactions with others on the iOS device: who is in their contact list, whom they contacted (using Apple and third-party apps) and when, and in some cases even the files attached to individual messages.

The Wi-Fi zero-day is next on the list, as unauthorized access to Wi-Fi information from the iOS device could be used to track the user or possibly to learn the credentials required to access the user’s Wi-Fi network. Tracking is usually the more serious concern, since physical proximity is generally required for Wi-Fi credentials to be useful.

One interesting thing about the Wi-Fi zero-day is the simplicity of both the flaw and the method by which it can be exploited: “XPC endpoint accepts the user-supplied sdk-version parameter, and if its value is less than or equal to 524288, entitlement verification is skipped.” In other words, all an app needs to do is assert that it was built with an older software development kit, and the service then skips the verification that should reveal whether the user consented to the access.
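As an added illustration (not code from the researcher’s write-up or from Apple), here is a constructed C model of the authorization decision the quote describes, with the weak pattern, where a client-supplied version gates the check, beside the hardened pattern, where the entitlement is always verified. The request struct, the function names and the sample requests are assumptions; only the 524288 threshold comes from the write-up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an incoming XPC request (hypothetical layout).
 * sdk_version is whatever the client put in the message; has_entitlement
 * is what a trustworthy check of the calling process would report. */
typedef struct {
    int64_t sdk_version;
    bool has_entitlement;
} request_t;

/* Threshold quoted in the write-up; requests at or below it skipped the check. */
#define LEGACY_SDK_THRESHOLD 524288

/* Weak pattern: a client-controlled field decides whether authorization
 * runs at all, so any caller can claim an old SDK and be let through. */
bool authorize_weak(const request_t *req) {
    if (req->sdk_version <= LEGACY_SDK_THRESHOLD) {
        return true;            /* entitlement verification skipped */
    }
    return req->has_entitlement;
}

/* Hardened pattern: the entitlement is verified for every request.
 * sdk_version may still shape the response format, never the decision. */
bool authorize_hardened(const request_t *req) {
    return req->has_entitlement;
}

/* Audit helper: count requests the weak check grants but the hardened
 * check denies, i.e. unentitled callers admitted on a version claim alone. */
size_t count_wrongly_granted(const request_t *reqs, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (authorize_weak(&reqs[i]) && !authorize_hardened(&reqs[i])) {
            bad++;
        }
    }
    return bad;
}

int main(void) {
    /* Constructed sample: two unentitled callers claiming old SDKs, one
     * unentitled caller with a current SDK, one properly entitled caller. */
    const request_t sample[] = {
        { 1, false }, { LEGACY_SDK_THRESHOLD, false },
        { 600000, false }, { 600000, true },
    };
    printf("unentitled requests the weak check admits: %zu\n",
           count_wrongly_granted(sample, 4));   /* prints 2 */
    return 0;
}
```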

The nehelper Enumerate zero-day appears to be the least damaging of the three. It simply allows an app to check whether another app is installed on the device by querying the other app’s bundleID. We haven’t found a particularly scary use of this bug on its own, but a hypothetical malware app could exploit it to determine whether an antivirus or security app is installed and then adapt its own behavior dynamically to better avoid detection.


Assuming illusionofchaos’s description of their disclosure schedule is correct, that they waited more than 30 days, and in one case 180 days, before publicly disclosing these vulnerabilities, it’s hard to blame them for the drop. We wish they had included full timelines of their interaction with Apple on all four vulnerabilities, rather than only the one already fixed.

We can confirm that frustration with Apple’s Security Bounty policies is in no way limited to this pseudonymous researcher. Since Ars published an article earlier this month about Apple’s slow and inconsistent response to security bounties, several researchers have contacted us privately to express their own frustration. In some cases, the researchers included video clips demonstrating still-unpatched vulnerabilities.

We reached out to Apple for comment but had not received a response as of press time. We will update this story with any response from Apple as it arrives.
