Zero-day iOS: Apple’s race against time

Apple has released a new update for its mobile operating system, aimed at correcting two zero-day flaws, one of which was allegedly exploited by the NSO Group, according to CitizenLab.

The vulnerability, identified as CVE-2021-30860 or as FORCEDENTRY, allowed an attacker to execute code on the target’s device, tricking it into opening a trapped PDF file. It did not require user interaction and allowed control of the target device without the knowledge of its owner.

It worked on iOS, but also on macOS and watchOS.

Apple reacted quickly

According to the CitizenLab investigators behind the discovery, traces of exploitation of this flaw were discovered in March on the phone of an activist attacked by Pegasus software, a forensic interception software sold by the Israeli company NSO Group. This same software was accused of having been used by foreign intelligence services to spy on various personalities and members of the French government in early July.

As Le Monde reminds us, it is this flaw that was questioned during the July revelations about the infection of various phones by Pegasus software. The newspaper explains that the first elements communicated to Apple in July by the Amnesty International team had not allowed the editor to accurately identify the vulnerability at the origin of the commitments.

CitizenLab released new material from the compromised phone, analyzed in March, September 7 to Apple. The company came up with a patch released yesterday, a speed to which it gives credence.

One of patched, ten of found

For Apple, the challenge is significant: the publisher has positioned its iPhone as one of the phones with the best security guarantees for its users. Therefore, it is frequently used by people who want to protect themselves against intrusions and espionage. Unfortunately, the software released by Apple is not without vulnerabilities, and an ecosystem of companies with questionable practices has formed to bypass iPhone protections. First link in the chain, zero-day fault brokers, who buy and sell the loopholes discovered by researchers.

One of the best known players in the sector, Zerodium, does not hesitate to publish on its site an indicative price list for various zero-day defects: for an iMessage defect that allows remote code execution and privilege elevation without interaction of the user, as was the case with the FORCEDENTRY failure, Zerodium explains that it can go up to $ 1.5 million. Some iOS vulnerabilities can run as high as 2 million.

Fault runners get information about zero-day vulnerabilities from security researchers. They then monetize this information with companies and governments that want to design spying or surveillance tools. Some of these clients, such as the NSO Group, which developed Pegasus, or the Gamma Group, which markets Finfisher spyware, are private players. Others are intelligence services and governments. Officially, these tools are reserved exclusively for the fight against terrorism and police investigations, but recent revelations about the use of Pegasus show that not all clients of these brokers are necessarily overlapping rights. Humans, and that traces of infections are found on the devices of activists or political opponents.

The tree that hides the forest

Given this, Apple must rely on the work of its engineers, but also on its bug bounty program to retrieve the information: Apple promises to pay bonuses of up to $ 1 million for a failure that allows remote code execution without user interaction . Or the kind of flaw reported by CitizenLab, and one that vulnerability brokers are willing to buy for double the price.

Unfortunately, this bug bounty program doesn’t make everyone happy. In a Washington Post article published last week, many researchers point to Apple teams’ lack of goodwill toward the company’s bug bounty program. Lack of communication, discounted bonuses, excessively long error correction time: reading the complaints of the researchers interviewed by the American newspaper, we say that the correction of the FORCEDENTRY flaw in less than a week is rather an exception.

Aside from “media” vulnerabilities, such as the one identified by the CitizenLab teams, Apple is apparently slower at distributing patches. An investigator discouraged by Apple’s bad reputation might be tempted to put aside his good conscience and sell discovered vulnerabilities to breach brokers, who promise far greater rewards.

A history of numbers

The total bonuses distributed by Apple’s program speak volumes on this topic: Google’s bug bounty program redistributed $ 6.7 million in bonuses during 2020, Microsoft $ 13.7 million during 2020/2021. Apple, for its part, redistributed $ 3.7 million.

For the Washington Post journalists, Apple’s corporate culture does not fit well with the demands of security researchers, who would like greater transparency on their part in the payment of bonuses and the correction of vulnerabilities.

However, Apple seems to want to evolve these practices and informed the Washington Post that a new director had been hired for its bug bounty program. Premiums should also be revised upwards. However, the manufacturer did not want to formalize anything with journalists, perhaps to keep the first scoop of the announcement on the occasion of its back-to-school conference scheduled for tonight.

Back to top button