The targeted hack resulting in the iOS 9.3.5 security patch 

The Situation

After a targeted hack by a foreign government on one of its citizens who owned an Apple iPhone 6, Apple released iOS 9.3.5, a new firmware version to patch 3 vulnerabilities in iOS. 

The Huff-n-Puff
An Israeli organization (allegedly NSO) created the spyware deployed in a targeted attack (a remote iPhone hack) on a man from the UAE by his own government: the UAE. The target's name is Ahmed Mansoor and his equipment was a stock iPhone 6. I'm not going to get into his background, although I have read up on it; other than being deployed to the region in 1995 (Dubai, Jebel Ali and Abu Dhabi), I only know that he is a political activist and a citizen of the UAE.

The technical details

These aren't as sexy as what we are going to get into, but there were 3 vulnerabilities patched:

http://cve.mitre.org/data/refs/refmap/source-APPLE.html

The link above will get you to the Apple section of the Common Vulnerabilities and Exposures (CVE) database. At the bottom there are 3 CVEs identified under:

APPLE-SA-2016-08-25-1

  • CVE-2016-4655 
  • CVE-2016-4656 
  • CVE-2016-4657

Each CVE points to the same Apple support page, which describes the attack method and the risk.

pwnt
The fullest of full control. The hack gives the attacker complete control of the handset. Silently.



The deployment details

Mansoor gets an anonymous text message that says: 'Tap here and we will show you some stuff!'. I'm paraphrasing, but the result of this incredibly noobish attempt is utter and complete failure. Mansoor gets in touch with the security research groups Citizen Lab and Lookout, who published the report on the tools used in mobile device espionage.

There is more.

Last year, I wrote a piece on jailbreaking iOS for money. That is…selling the intellectual property rights to an exploit you have found, and can demonstrate as a working remote attack package, to someone else.

The broker: a Frenchy Frenchman named Chaouki Bekrar. He is French and comes from France, where they eat French fries and put French dressing on their salad and French braid their hair.

This is the epitome of the true Merovingian…the Frenchman information broker. Bekrar…his Frenchness…less than 12 months ago, set up shop in Las Vegas, Nevada. Shortly thereafter, he put up 3 million bucks in reward money for iOS exploits. These exploits look somewhat similar to the 3 exploits deployed in the Mansoor attack.



1, 2 and 3

So, the founder of the contractor (dare I say defense contractor?) Vupen from France sets up shop in the USA under a different LLC, sends out a solicitation for the exact…the EXACT 3 exploits used by the UAE government on one of its own dad gum citizens…a known activist…using Israeli spyware.


These 3 exploits map to CVE-2016-4655, CVE-2016-4656 and CVE-2016-4657, which Apple states it patched in iOS 9.3.5 last Friday. Time from the report of the attack to Apple issuing a patch? 2 weeks.

That is pucker-factor 10 fast.

These are the same three million bucks' worth of exploits that were brokered last year by Zerodium: the Las Vegas, Nevada company that now brokers what amounts to weaponized code to governments for money. Those governments will then try (and in this case very obtusely fail, with a complete lack of competency in the social engineering department) to effectively deploy the code on a specific target, after partnering with the entities in the solution-provider supply chain, in order to gather intelligence.

But who is to say the next attempt won’t be so foolish…or that the next target won’t be an American?

The UAE bought a package intended to remotely jailbreak a specific target's handset…an iPhone 6 running a stock version of iOS, but was too stupid to get the target to engage. The engagement was so obviously a phish…that the target was compelled to immediately take his handset to mobile security research experts, who then notified him of the attack.

Causality
This is no bueno. 

While this attack seems to have been executed with incompetence…seems to have been…you cannot discount the fact that the fate of your mobile device security can be negotiated on the black market. Negotiated openly and in your face – in your own back yard – using what is described by one former Las Vegas Metro police officer as a Craigslist ad:


Why you should care

I don't know about you, but if the shit this guy is selling is so good…why does he have to come here to sell it? He is brokering code, so it's not like inventory weighs a whole lot. Why does his Frenchness need to come to the wild, wild west of the United States to peddle the technology that remotely jailbreaks your iPhone with a kernel exploit that gives the attacker full control of the device?

Is it an export compliance issue? Why does a French contractor who already does business in the United States, with an HQ (Vupen) in Maryland, need to open up shop in Vegas under a different LLC?


I don’t want to be any part of that. Hopefully you don’t either. 

This country was founded on certain ideals, and one of those ideals is that a person is secure in his person, house, papers and effects. We also believe this right encompasses our electronic devices. 

Congress needs to investigate foreign companies that come to this country to broker code to foreign governments that use a "Made in the USA" solution to violate the rights of their citizens.
