August 2019 was an unexpected wake-up call for many: in the space of a month, three major iOS attacks were reported, revealing numerous vulnerabilities. The first, in iMessage, allowed an attacker to read files off the iOS device without any interaction from the end user. The next threat, known as SockPuppet, allowed a previously patched vulnerability to be exposed once more when a device was updated to iOS 12.4, demonstrating once again that human error is always a potential threat vector.

The latest attack, billed as the “first large-scale exploitation of iOS”, took advantage of five chains of vulnerabilities to attack nearly every version from iOS 10 to iOS 12. Apple, which has been held up as a producer of some of the most secure devices in the industry, is quickly losing this reputation. In fact, iOS exploits have become common enough that Zerodium, a zero-day exploit broker, is offering more for Android hacking techniques than for iOS ones. That isn’t to say that breaking into mobile devices is easy: zero-click iOS attacks are still valued at $2 million.

How the latest attack worked

The recent attack took advantage of 14 vulnerabilities across the five exploit chains, abusing weaknesses in the iOS kernel and web browser as well as sandbox escapes. It isn’t enough to rely on device and app security alone in the face of modern security threats. Network protection could have prevented the attack before it started, and could have blocked data exfiltration by malicious code to command and control servers.

The attack began when iOS devices visited hacked websites. These sites had been infected to initiate watering hole attacks – indiscriminate attacks against anything that visited them. Estimates show that some of these sites received thousands of unique visitors every day, and although the scale of the attack is disputed, it does demonstrate the lengths taken to steal data from mobile devices. If successful, the site would then install an implant onto the device to target the data stored on it.

If the implant was successfully installed it would then begin a series of app breakouts and permission escalations to gain access to other parts of the device. The implant would search for the apps’ container directories, which are where iOS apps store their data, including unencrypted copies of sent and received messages from end-to-end encrypted messaging apps. Having found this information, the implant would attempt to transmit it back to its command and control centre, and would send updates including location data every 60 seconds.

Blocking attacks before they begin

Wandera’s network protection prevents end users from visiting potentially malicious sites by acting as a secure entrance from the device to the web. Within the network, Wandera’s MI:RIAM utilizes two main techniques to identify and block dangerous sites:

  1. Threat identification – sites that are behaving suspiciously or have suspicious code can be detected by MI:RIAM and then scrutinised to determine whether or not they are safe for users to visit.
  2. Contextual inspection – if Wandera has already identified the IP addresses hosting the webpage as suspicious due to prior activity, they can also be blocked. Preventing devices from reaching harmful websites is key to stopping attacks before they occur.

Preventing data exfiltration

By protecting customers’ connections, Wandera’s gateway will also prevent confidential information escaping in this manner, through two techniques:

  1. If the server that data is being sent to is known to be malicious, the packets will be stopped. Even where the server is not yet known, MI:RIAM can detect that personal information is being sent in an unencrypted format, mark the communication as suspicious and prevent it reaching its destination.
  2. Our data science capability can detect repeated, periodic anomalous activity, such as the routine 60 second communication. This technique was developed by Wandera’s threat hunting team to help combat the XcodeGhost attack; the team can build specialized code to defend against specific attacks like this.
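As an added illustration of the two gateway-side checks just described, the following Python is example code written for this page, not Wandera’s own MI:RIAM or data science tooling. It runs over constructed outbound-connection log lines in a hypothetical format (timestamp, device, destination, protocol, byte count, body snippet) and flags, first, flows whose requests arrive at a near-constant interval such as the 60 second beacon, and second, plaintext HTTP requests whose body carries personal data such as an email address or GPS coordinates. All device names, addresses and thresholds are assumptions.

```python
"""Added example (not Wandera's code): periodic-beacon and plaintext-PII
detection over constructed outbound-connection log lines.  The log format
below is an assumption made for this example."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (hypothetical format):
#   <ISO timestamp> <device> <dest ip:port> <protocol> <bytes> <body snippet or ->
# device-a beacons to 198.51.100.7 roughly every 60s with coordinates in the clear,
# device-a also browses a normal HTTPS site at irregular times,
# device-b contacts the same host only three times, irregularly,
# device-c sends an email address over plain HTTP once.
SAMPLE_LOG = """\
2019-09-01T10:00:00 device-a 198.51.100.7:80 http 412 lat=51.5074,lon=-0.1278
2019-09-01T10:01:01 device-a 198.51.100.7:80 http 415 lat=51.5074,lon=-0.1278
2019-09-01T10:02:00 device-a 198.51.100.7:80 http 409 lat=51.5075,lon=-0.1277
2019-09-01T10:02:59 device-a 198.51.100.7:80 http 412 lat=51.5075,lon=-0.1277
2019-09-01T10:04:00 device-a 198.51.100.7:80 http 418 lat=51.5076,lon=-0.1276
2019-09-01T10:05:00 device-a 198.51.100.7:80 http 411 lat=51.5076,lon=-0.1276
2019-09-01T10:00:13 device-a 93.184.216.34:443 https 2048 -
2019-09-01T10:02:47 device-a 93.184.216.34:443 https 1820 -
2019-09-01T10:03:02 device-a 93.184.216.34:443 https 960 -
2019-09-01T10:04:55 device-a 93.184.216.34:443 https 4096 -
2019-09-01T10:00:30 device-b 198.51.100.7:80 http 300 -
2019-09-01T10:03:15 device-b 198.51.100.7:80 http 305 -
2019-09-01T10:09:50 device-b 198.51.100.7:80 http 298 -
2019-09-01T10:07:00 device-c 203.0.113.9:80 http 256 user=alice@example.com&token=abc
"""

# Personal data that should never cross the gateway unencrypted (illustrative set).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "coordinates": re.compile(r"lat=-?\d+\.\d+,lon=-?\d+\.\d+"),
}


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) != 6:
            continue
        ts, device, dest, proto, size, body = parts
        events.append({"ts": datetime.fromisoformat(ts), "device": device,
                       "dest": dest, "proto": proto, "bytes": int(size),
                       "body": body})
    return events


def find_beacons(events, min_events=5, max_jitter=0.1):
    """Return {(device, dest): interval_seconds} for flows whose gaps between
    requests are nearly constant.  max_jitter bounds stdev/mean of the gaps,
    so slightly irregular beacons are caught while ordinary browsing is not."""
    by_flow = defaultdict(list)
    for ev in events:
        by_flow[(ev["device"], ev["dest"])].append(ev["ts"])
    beacons = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[flow] = round(avg)
    return beacons


def find_plaintext_pii(events):
    """Return sorted unique (device, dest, kind) for unencrypted requests that
    carry personal data.  Only plain HTTP bodies are inspectable here; HTTPS
    bodies are opaque to a gateway without TLS interception."""
    hits = set()
    for ev in events:
        if ev["proto"] != "http":
            continue
        for kind, pattern in PII_PATTERNS.items():
            if pattern.search(ev["body"]):
                hits.add((ev["device"], ev["dest"], kind))
    return sorted(hits)


def flag_flows(text):
    """Combine both checks into {(device, dest): [reasons]} for a block
    decision or an analyst queue."""
    events = parse_log(text)
    reasons = defaultdict(list)
    for flow, interval in find_beacons(events).items():
        reasons[flow].append(f"beacon every {interval}s")
    for device, dest, kind in find_plaintext_pii(events):
        reasons[(device, dest)].append(f"plaintext {kind}")
    return dict(reasons)


if __name__ == "__main__":
    for flow, why in flag_flows(SAMPLE_LOG).items():
        print(flow, "->", "; ".join(why))
```

On the sample, only the device-a flow to 198.51.100.7 is reported as a beacon (its gaps are 61, 59, 59, 61 and 60 seconds, which the jitter tolerance absorbs), and the same flow plus device-c’s request are reported for plaintext personal data; device-b’s three irregular contacts with the same host are left alone, which is the trade-off a minimum event count buys against false positives.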

Wandera’s Threat Ops teams are also proactive: when they notice a number of devices attempting to send suspicious communications, they can investigate the cause and share the threat intelligence across the gateways to prevent any device protected by Wandera from sending data to the malicious command and control center.

Prevention is better than cure: Why network protection is necessary

The power of mobile devices partly comes from the fact that they are always connected, but as this attack shows, the connection can let threats in and your data out. Wandera’s network protection can improve your mobile security posture by preventing devices from going to risky sites and blocking confidential information from leaking:

  • Utilize a tool to monitor and manage your fleet’s operating systems and to ensure that the latest security patches are in place
  • Deploy Wandera’s MTD security service, which employs network protection to prevent attacks before they happen and to block data exfiltration if a device is compromised