Security firm Check Point says it has found a way to hack every iPhone and iPad running iOS 8 right up to betas of iOS 13: that’s approximately 1.4 billion devices.
In a demonstration at DEF CON 2019, the company's researchers exploited a vulnerability in SQLite, the embedded database that is standard across the industry and used by iOS itself. With a crafted database file in place, a device user who simply searches their contacts causes malicious code to run, and that code can steal sensitive data such as passwords.
In a 4,000-word report seen by AppleInsider, the company documented how it replaced the SQLite database behind Apple's Contacts app with a malicious one, relying on a known SQLite bug that was already four years old.
“Wait, what? How come a four-year-old bug has never been fixed?” write the researchers in their document, as reported by AppleInsider.
“This feature was only ever considered vulnerable in the context of a program that allows arbitrary SQL from an untrusted source and so it was mitigated accordingly. However, SQLite usage is so versatile that we can actually still trigger it in many scenarios,” they wrote. (Critics noted that the exploit requires existing access to the phone, by which point many of your secrets are already exposed anyway.)
(As one cynic commented on that report: “I’m walking down the street, and someone with a MacBook preloaded with hacking and jailbreaking software, and a decent SQL edit tool; a pair of dark glasses with dots painted on them; a small chemistry lab (in case I have a phone with TouchID) and a Lightning cable, lifts my phone from my pocket without me noticing. Then he yells, “Hey you!” When I turn around, I realise I’m in for the most bizarre four and a half hours of my entire life…”)
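The researchers' point above is that SQLite's own mitigations assumed the danger was untrusted SQL text, not an untrusted database file. The added example below illustrates that from the defender's side; it is not Check Point's code, Apple's, or SQLite's. It models a hypothetical contacts app in Python whose only query is a fixed SELECT, runs that query against a file the app created itself and against a constructed file in which the table name resolves to a view, and adds an audit that inspects a file's schema before the app trusts it. The table name `contacts`, the expected-tables policy and both sample files are assumptions made for the example; the crafted view is deliberately harmless, and no memory-corruption payload is reproduced.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Hypothetical policy for the example app: the file it opens must contain
# exactly the tables the app created, and no views or triggers at all.
# (An assumption for this example, not a description of Apple's Contacts app.)
EXPECTED_TABLES = {"contacts"}


def _read_only_uri(path):
    # mode=ro: never create or modify the file we are inspecting.
    return Path(path).resolve().as_uri() + "?mode=ro"


def audit_sqlite_file(path, expected_tables=EXPECTED_TABLES):
    """Open an SQLite file that arrived from an untrusted place and return a
    list of findings. An empty list means the file passed the audit."""
    findings = []
    conn = sqlite3.connect(_read_only_uri(path), uri=True)
    try:
        # SQLite later added per-connection hardening for untrusted files;
        # enable it when this Python build (3.12+) and library expose it.
        if hasattr(conn, "setconfig"):
            try:
                conn.setconfig(sqlite3.SQLITE_DBCONFIG_DEFENSIVE, True)
                conn.setconfig(sqlite3.SQLITE_DBCONFIG_TRUSTED_SCHEMA, False)
            except sqlite3.Error:
                pass  # library too old for these options

        # 1. Structural check: corrupt pages and malformed b-trees.
        result = [row[0] for row in conn.execute("PRAGMA integrity_check")]
        if result != ["ok"]:
            findings.append("integrity_check failed: " + "; ".join(result[:3]))

        # 2. Schema audit. The app's query names a table, but what actually
        #    runs is whatever the file's schema says that name means: a view
        #    with the table's name, or a trigger hung on it, is SQL the file's
        #    author wrote and the app never sees in its own source.
        rows = conn.execute(
            "SELECT type, name, tbl_name, sql FROM sqlite_master"
        ).fetchall()
        for typ, name, tbl_name, sql in rows:
            if typ in ("view", "trigger"):
                findings.append(f"unexpected {typ} {name!r} on {tbl_name!r}: {sql}")
            elif (typ == "table" and name not in expected_tables
                  and not name.startswith("sqlite_")):
                findings.append(f"unexpected table {name!r}")
    finally:
        conn.close()
    return findings


def lookup_contact(path, name):
    """The app's own, fixed query. The text is identical against both files;
    the file decides what the identifier `contacts` resolves to."""
    conn = sqlite3.connect(_read_only_uri(path), uri=True)
    try:
        return conn.execute(
            "SELECT name, phone FROM contacts WHERE name = ?", (name,)
        ).fetchall()
    finally:
        conn.close()


def make_benign_db(path):
    """Constructed sample: the database as the app itself would create it."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
        INSERT INTO contacts (name, phone) VALUES ('Alice', '555-0100');
    """)
    conn.close()


def make_tampered_db(path):
    """Constructed sample of the attack shape: same data, but the name the app
    queries is now a VIEW whose body is supplied by the file, not the app.
    The body here is harmless; a real payload would put the dangerous SQL here."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE contacts_real (id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
        INSERT INTO contacts_real (name, phone) VALUES ('Alice', '555-0100');
        CREATE VIEW contacts AS SELECT id, name, phone FROM contacts_real;
    """)
    conn.close()


def demo():
    """Build both files and return (benign_findings, tampered_findings,
    benign_rows, tampered_rows)."""
    workdir = tempfile.mkdtemp()
    benign = os.path.join(workdir, "benign.sqlite")
    tampered = os.path.join(workdir, "tampered.sqlite")
    make_benign_db(benign)
    make_tampered_db(tampered)
    return (audit_sqlite_file(benign), audit_sqlite_file(tampered),
            lookup_contact(benign, "Alice"), lookup_contact(tampered, "Alice"))


if __name__ == "__main__":
    labels = ("benign audit", "tampered audit", "benign rows", "tampered rows")
    for label, value in zip(labels, demo()):
        print(f"{label}: {value}")
```

Both files answer the app's lookup identically, which is the point: nothing in the query, the result set, or the file's integrity check distinguishes them. Only reading `sqlite_master` directly, before issuing any statement that the schema can hijack, reveals that the file supplies SQL of its own. An app that ships its database in a location another process can overwrite should treat the file as input and audit it the same way.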
Apple Bug Bounty
The disclosure does, however, come just after Apple substantially expanded its bug bounty programme: Ivan Krstić, Apple’s head of security engineering and architecture, announced a major overhaul of the programme late last week.
It is now open to all security researchers rather than invite-only, and covers vulnerabilities in macOS, tvOS, watchOS and iCloud as well as iOS.
A $1 million bounty is on offer for a demonstrated zero-click, full-chain kernel code execution attack; the previous top payout for zero-click vulnerabilities was $200,000. The increase comes as Apple zero-days continue to fetch high prices on the grey market, where buyers including nation states pay handsomely for working exploits.
Bug Bounty Hunters Primed to Cash In
Apple was the latest to ratchet up bug bounties, following Google and Microsoft in pledging to pay security researchers more.
Google this month tripled its financial reward for bugs discovered in Chrome, with a critical bug now netting up to $15,000, and wrote: “On Chrome OS we’re increasing our standing reward to $150,000 for exploit chains that can compromise a Chromebook or Chromebox with persistence in guest mode.”
Microsoft, meanwhile, launched its Azure Security Lab, which will pay hunters $300,000 for a functional exploit that escapes from a guest virtual machine (VM) to the host or to another guest VM.