Vulnerabilities in Apple iOS 13
Apple’s iOS 13, released in September, stirred excitement. Some even lined up to buy the latest iPhone 11, which has the OS already installed. I was born on Friday the 13th, so it’s my lucky number. But early on, it wasn’t such a lucky number for Apple fans.
The first signs of trouble were usability bugs. iOS app developer Steve Troughton-Smith tweeted, “iOS 13 has felt like a super-messy release, something we haven’t seen this bad since iOS 8 or so. Definitely needs a lengthy period of consolidation and bug fixing. Apple’s adding more and more flakey layers between hardware and UI, and many subsystems need much more battle-hardening.”
When Chaim Gartenberg reviewed iOS 13 for The Verge, he wrote, “Apps randomly crash when opening them, cellular signals drop, the Camera app can be slow, pictures have randomly gotten new dates assigned to them, AirDrop has had issues, the text field flips out sometimes in iMessages, and more.”
And more? Whatever it is, it can’t be good. But as you’re reading ThreatVector, you clearly want to know about cybersecurity problems. Let’s take a closer look at some of the more noteworthy bugs in iOS 13.
Trouble in iOS Paradise
The first sign of trouble was a tweet from security researcher Jose Rodriguez. He posted a link to a video which shows how you can see the Contacts list on an iPhone 11 without entering a passcode.
The exploit (now patched) works when someone with physical access to the phone responds to a call with a custom message instead of answering conventionally. When Siri’s VoiceOver feature is toggled on and off from the message screen the user can then input a new contact. From there, the user (who may be unauthorized) has access to everything in Contacts. That’s not good. People’s phone numbers and email addresses are sensitive information, and only the authorized user who someone gave that data to should have access to it. It makes me wonder if malware could also grab contact information through the same vulnerability. That’d be even worse, right?
Then there’s another vulnerability that can be exploited with third-party keyboard apps. According to Apple, “Third-party keyboard extensions in iOS can be designed to run entirely standalone, without access to external services, or they can request ‘full-access’ to provide additional features through network access. Apple has discovered a bug in iOS 13 and iPadOS that can result in keyboard extensions being granted full access even if you haven’t approved this access.”
It’s great that iPhone users can install their own keyboards these days, a feature Android has had for over a decade now. But this vulnerability opens the door wide open for keyboard Trojans that can completely hijack an iOS 13 device.
Apple acknowledged the vulnerabilities and worked hard to patch them in iOS 13.1. The update was originally going to be deployed on September 30th. But users should be relieved to know that they released the update ahead of schedule, on September 24th. I’m frankly impressed by how quick that was.
But hold on tight, because there were further issues on the horizon.
App Store Alternatives: Use at Your Own Risk
One of the bedrocks of iOS security is how, without jailbreaking, users can only install apps from the official App Store. Apple carefully examines new apps that developers want to upload to the store, and they’re only approved if they determine that the app is safe. Apple’s ironclad whitelisting approach to apps in their store has meant that deploying iOS malware has always been trickier than deploying Android malware. And Android has been the number one platform for malware for a while now. But that may change.
Developer Riley Testut says he’s making a third-party store for iOS apps. Third-party iOS app stores have existed for a while now, but Apple doesn’t condone them, and using them requires jailbreaking. Not anymore, apparently. Testut says his AltStore can be used on iPhones and iPads without jailbreaking, including support for iOS 13 and the new iPadOS 13. Previews for macOS and Windows can now be downloaded from his website.
How can AltStore be used without jailbreaking? It exploits a feature that’s used by iOS app developers to test their work on real iPhones and iPads, although it’s a little labor-intensive. AltStore fools your device into believing that you’re a developer sideloading test apps. You must keep the AltStore client on your macOS or Windows PC so that iTunes’ WiFi syncing framework can be used to reinstall your AltStore apps. Your apps will need to be code signed again every seven days.
Testut considered how Apple may react. “It would be interesting, because everything I’m doing, Apple is doing themselves. One heavy-handed approach is they could completely shut down the whole service, but that would affect everyone doing this, including schools. Anyone just using their free Apple ID on the side.”
What if Apple closes its WiFi syncing feature? “I don’t know how fast they’d react and what they would do, but even in the worst case, I think there’s still a path forward for AltStore. As long as iTunes can sync apps, AltStore can work.”
Testut’s a master of device exploits. His main work is developing video game emulators, notably for Nintendo platforms like SNES, Nintendo 64, Game Boy, and Game Boy Advance. Before AltStore, iPhones and iPads would need a jailbreak to run Testut’s emulators.
Testut has been finding iPhone exploits in his Nintendo emulator development work for years. When he released his GBA4iOS emulator in 2014, it was made to exploit an iOS vulnerability that enabled its installation. Gartenberg wrote at the time, “Using a loophole in Apple’s app installation systems, this emulator can easily be installed on any iOS device, for free. The trick involves setting the device’s date back a day, then downloading the app directly from the GBA4iOS website.”
He adds, “Aside from its ease of installation, GBA4iOS is simply one of the most polished GBA emulators on any platform, with full Game Boy Advance, Game Boy Color, and Game Boy support, accelerated speed, multiple and locked save states, as well as customizable skins and Dropbox syncing for saves between multiple devices. It also takes advantage of some the latest iOS features, including AirPlay streaming, AirDrop, and Apple’s recent MFI Bluetooth controllers.”
Apple soon patched the iOS 8 vulnerability that allowed for GBA4iOS installation without jailbreaking. But are they ready for Testut’s AltStore? It’s expected to be ready to use by September 30th. Can Apple patch the vulnerability that enables AltStore to be used without jailbreaking? Are people in Cupertino working on iOS 13.2 right now?
Apple doesn’t control AltStore, and I’m wondering if cyber attackers will use it to deploy malware to non-jailbroken iPhones. And if an alternative app store that doesn’t require jailbreaking is bad news, some even worse news lies in wait for Apple.
If AltStore is check, Chekm8 is checkmate. On September 27th, security researcher axi0mX tweeted: “EPIC JAILBREAK: Introducing checkm8 (read “checkmate”), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices. Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).”
axi0mX refers to the exploit as a “permanent unpatchable bootrom exploit.” Bootrom is the usually very secure bootloader that Apple installs on iPhones and iPads. The majority of the jailbreak exploits that have been released since the first iPhone in 2007 target iOS vulnerabilities rather than vulnerabilities in the Bootrom bootloader. Exploiting iOS is easier than exploiting Bootrom, but Apple has been able to fix iOS vulnerabilities that lead to jailbreaking with a simple update.
Bootrom is a different matter altogether. Bootrom cannot be patched. Bootrom vulnerabilities can only be fixed by making physical modifications to the chipsets with the firmware.
Checkm8 is currently available on GitHub. But unlike most jailbreaking packages, checkm8 isn’t bundled with any tools or consumer-friendly instructions. A word of caution here: I wouldn’t advise using checkm8 unless you’re very knowledgeable about iPhone firmware. Because you wouldn’t just void your warranty with Apple, you’d brick your iPhone if you make a mistake. As well known jailbreaker Luca Todesco said about checkm8, “It’s not a full jailbreak just yet. It can be developed into a full jailbreak.”
As axi0mX tweeted, all iPhones from iPhone 4S to iPhone X can be jailbroken with checkm8, but only if you have some very specific technical know-how. Surely axi0mX or someone else will work checkm8 into something an ordinary user can use, at some point. I wouldn’t be at all surprised if axi0mX or Todesco are making progress with cracking Bootrom on iPhone 11 as I write this.
Apple’s iOS developers have their work cut out for them in months to come.
Kim Crawley writes guest blogs for Cylance. Read more Cylance blogs here.