
Websites have been quietly hacking iPhones for years, says Google - gopalggk
https://www.technologyreview.com/s/614243/websites-have-been-quietly-hacking-iphones-for-years-says-google/
======
jsgo
I use Apple products and will continue to, but...

> Apple patched the bugs quickly in February 2019 so everyone who has updated
> their iPhone since then is protected. Rebooting the iPhone wiped the malware
> but the data had already been taken.

Why in the world did they silently fix the issue and remove the malware? I'm
fine with all of this, but shouldn't they disclose to the user "hey, some very
sensitive data from your device has been taken. It is passwords, messages,
etc." so that users could at least try to mitigate the impact somewhat
(contact their contacts, change passwords, maybe change numbers, etc.)?

~~~
oarsinsync
The websites delivered non-persistent jailbreaks. Rebooting the device removes
the jailbreak.

Please read the original source at
[https://news.ycombinator.com/item?id=20835223](https://news.ycombinator.com/item?id=20835223)

~~~
cromwellian
People almost never reboot their phones. I rarely reboot.

So if you don’t tell me I need to reboot my iPhone, I won’t.

~~~
denisw
I'd say many people actually reboot their phones frequently - every time they
cannot or forget to charge in time and the phone goes black. :)

~~~
SketchySeaBeast
That's horrifying to me - I've had many phones, and never let that happen.
It's bad for the battery, it's bad for the phone, it's just a bad option all
around. You can't let your phone do that on a regular basis and then complain
that it's slow and the battery doesn't last.

~~~
coldtea
Actually it's not bad at all, much less "horrifying"; that's all old wives'
tales...

It's not bad for the phone, and whether it's bad for the battery depends on
the battery technology. In fact previous battery technologies were
recommending the occasional full drain!

For lithium-ion batteries, the kind used in the iPhone, draining to 0% can
indeed strain them (though less than you think, as shown by research), but the
iPhone doesn't let them go to 0% anyway. It switches off way before that (even
if it shows it as 0%). Mind you that regular use cycles (defined by Apple as
using 100% of a full charge, even if it's broken down as going from 100% to
80% for five days and recharging) also strain the battery. You cannot not
strain it; all current-technology batteries degrade over time.

Also note that getting lithium-ion batteries to 100% and keeping them charging
can also harm them (although modern devices have mechanisms to prevent that).
In general it's more advisable to keep going from 80% to 20% and back than to
go all the way to charged (or down to 0). Same, one should not store it
long-term fully charged.

But most of this is irrelevant micromanagement unless you plan to keep your
phone for years and don't ever consider replacing the battery. Even so, the
battery lifespan vendors like Apple give is around 3 years of cycles.

All in all, you can fully drain your lithium-ion iPhone battery as often as
the average person does (e.g. just avoid doing it all the time), and you'll
see no special degradation. It will run its cycles and will degrade by regular
use after a few years even if you never let it drain (and you can trivially
replace it with a new one).

~~~
dota_fanatic
> _Similar to a mechanical device that wears out faster with heavy use, the
> depth of discharge (DoD) determines the cycle count of the battery. The
> smaller the discharge (low DoD), the longer the battery will last. If at all
> possible, avoid full discharges and charge the battery more often between
> uses. Partial discharge on Li-ion is fine. There is no memory and the
> battery does not need periodic full discharge cycles to prolong life. The
> exception may be a periodic calibration of the fuel gauge on a smart battery
> or intelligent device._ [1]

Why should we trust your statements over ones like these, which seemingly are
backed by more data and explanations of the underlying physics?

[1]
[https://batteryuniversity.com/learn/article/how_to_prolong_l...](https://batteryuniversity.com/learn/article/how_to_prolong_lithium_based_batteries)

~~~
Accacin
When Apple displays the battery stats to the user it's not actually even close
to 0%. That would mean you are avoiding full discharges so you're both right.

~~~
coldtea
Yeah, I mention that. It works on the other side too: iPhones also won't keep
batteries charging when they're at 100% so they're protected from such
"trickle charging" as well.

------
xvector
Can someone explain to a C/C++ newbie why the iPhone is so vulnerable to
overflows? My understanding is that tools exist to check your code and
identify overflow-able areas or general unsafe pointer areas. Am I incorrect
here?

Also, from a broader point of view - is there any way to perform static code
analysis and enumerate all code paths that access sensitive resources? For
example, create a graph of functions and search for edges to and from the
keychain. If one path ends up in a WebGL content renderer, that’s a
vulnerability. I feel like this especially would help you enumerate most
exploits and zero-days.
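
The "graph of functions, search for edges to the keychain" idea above is a
plain reachability query over a call graph. The following is an added example
(mine, not code from the article, from Project Zero or from WebKit) that runs
that query over a constructed, hypothetical call graph: every function name and
edge in it is made up for illustration and describes no real iOS or WebKit
component. The first query shows a graph where nothing reachable from the
WebGL entry point touches the keychain; the second shows how a single added
edge (a hypothetical refactor that makes image decoding consult settings)
connects them, which is exactly the kind of path such a pass would flag.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, hypothetical call graph for illustration only: the function
   names and edges are made up and describe neither WebKit nor iOS. */
enum { WEBGL_DRAW, PARSE_SHADER, TEXTURE_UPLOAD, IMAGE_DECODE, ALLOC_BUFFER,
       LOG_EVENT, KEYCHAIN_READ, CRYPTO_SIGN, SETTINGS_LOAD, NFUNCS };

static const char *const func_name[NFUNCS] = {
    "webgl_draw", "parse_shader", "texture_upload", "image_decode",
    "alloc_buffer", "log_event", "keychain_read", "crypto_sign", "settings_load"
};

/* base_graph[i][j] == 1 means function i contains a direct call to function j. */
static unsigned char base_graph[NFUNCS][NFUNCS] = {
    /*                  wgl psh tex img alc log key sig set */
    /* webgl_draw */    { 0,  1,  1,  0,  1,  0,  0,  0,  0 },
    /* parse_shader */  { 0,  0,  0,  0,  0,  1,  0,  0,  0 },
    /* texture_upload */{ 0,  0,  0,  1,  1,  0,  0,  0,  0 },
    /* image_decode */  { 0,  0,  0,  0,  1,  1,  0,  0,  0 },
    /* alloc_buffer */  { 0,  0,  0,  0,  0,  0,  0,  0,  0 },
    /* log_event */     { 0,  0,  0,  0,  0,  0,  0,  0,  0 },
    /* keychain_read */ { 0,  0,  0,  0,  0,  0,  0,  0,  0 },
    /* crypto_sign */   { 0,  0,  0,  0,  0,  0,  1,  0,  0 },
    /* settings_load */ { 0,  0,  0,  0,  0,  1,  1,  0,  0 },
};

/* Depth-first search along call edges. A call edge is treated as "reachable"
   with no check that attacker-controlled data actually flows along it, so
   this over-approximates; indirect calls missing from the graph make it
   under-approximate. That is the imprecision of a pure call-graph pass. */
static int dfs(unsigned char g[NFUNCS][NFUNCS], int cur, int dst,
               unsigned char *seen, int *path, int depth)
{
    seen[cur] = 1;
    path[depth] = cur;
    if (cur == dst)
        return depth + 1;
    for (int next = 0; next < NFUNCS; next++)
        if (g[cur][next] && !seen[next]) {
            int n = dfs(g, next, dst, seen, path, depth + 1);
            if (n > 0)
                return n;
        }
    return -1;
}

/* Returns the number of nodes on a call path src -> ... -> dst written into
   path[], or -1 if no such path exists. */
int find_path(unsigned char g[NFUNCS][NFUNCS], int src, int dst, int *path)
{
    unsigned char seen[NFUNCS] = { 0 };
    return dfs(g, src, dst, seen, path, 0);
}

static void print_path(const int *path, int n)
{
    for (int i = 0; i < n; i++)
        printf("%s%s", func_name[path[i]], i + 1 < n ? " -> " : "\n");
}

/* Query 1: can anything called from the WebGL entry point reach the keychain?
   In the base graph the answer is no, so this returns -1. */
int webgl_reaches_keychain(void)
{
    int path[NFUNCS];
    return find_path(base_graph, WEBGL_DRAW, KEYCHAIN_READ, path);
}

/* Query 2: the same check after a hypothetical refactor makes image_decode
   call settings_load. That one edge connects web content to the keychain;
   returns the path length (5 nodes) and prints the path. */
int webgl_reaches_keychain_after_refactor(void)
{
    unsigned char g[NFUNCS][NFUNCS];
    int path[NFUNCS];
    memcpy(g, base_graph, sizeof g);
    g[IMAGE_DECODE][SETTINGS_LOAD] = 1;
    int n = find_path(g, WEBGL_DRAW, KEYCHAIN_READ, path);
    if (n > 0)
        print_path(path, n);
    return n;
}

int main(void)
{
    printf("base graph: %d\n", webgl_reaches_keychain());
    printf("after refactor: %d\n", webgl_reaches_keychain_after_refactor());
    return 0;
}
```

Running it prints `-1` for the base graph and the path
`webgl_draw -> texture_upload -> image_decode -> settings_load -> keychain_read`
for the modified one. In practice the graph would be extracted from the binary
or the compiler's IR rather than hand-written, and a hit like this is a lead to
investigate, not a vulnerability by itself: the pass cannot tell whether
attacker-controlled bytes can actually steer that call chain.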

~~~
ndesaulniers
Not the iPhone itself but all C and C++ codebases. It's possible to write code
in these languages without these bugs, but there's a strong positive
correlation between lines of code written in these languages, and this class
of bug. Other languages will either insert a check before access (which is
overhead) or try to elide it as a compiler optimization.

Current static analyses are imprecise, while dynamic analyses require actual
execution which can be difficult.

Modern research is looking to combine the two. Rather than brute force fuzzing
(dynamic analysis), static analyze the source to better mutate the input to a
few potentially interesting cases.
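
To make the "insert a check before access" point concrete, here is an added
example (mine, not code from the article, from Project Zero or from WebKit).
It parses a constructed length-prefixed record, the shape of thing a renderer
consumes from web content, first without and then with the bounds checks a
memory-safe language would have inserted for you; NAME_MAX and the record
format are assumptions for the example. The exhaustive sweep at the end is the
dynamic-analysis side: it drives every declared length against every available
payload size and checks that the hardened parser never accepts a record that
would not fit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format: [len: 1 byte][payload: len bytes]. A renderer
   parses attacker-supplied records like this all day; NAME_MAX is an assumed
   fixed-size destination buffer. */
#define NAME_MAX 16

/* Vulnerable form: trusts the declared length. With len >= NAME_MAX the
   memcpy and the terminator write run off the end of 'out' (a stack buffer
   overflow); with len > msg_len - 1 the memcpy reads past 'msg'. Behaviour
   on such input is undefined, so only benign records are fed to it below. */
int parse_name_unchecked(const uint8_t *msg, size_t msg_len, char out[NAME_MAX])
{
    if (msg_len < 1)
        return -1;
    size_t len = msg[0];
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Hardened form: the two bounds checks a memory-safe language would insert
   (or prove redundant and elide). Returns the payload length or -1. */
int parse_name_checked(const uint8_t *msg, size_t msg_len, char out[NAME_MAX])
{
    if (msg_len < 1)
        return -1;
    size_t len = msg[0];
    if (len >= NAME_MAX)        /* leave room for the terminator */
        return -1;
    if (len > msg_len - 1)      /* declared length exceeds bytes present */
        return -1;
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Benign record: both parsers return 5 and "alice". A test suite that only
   feeds well-formed records never exercises the missing checks. */
int benign_agrees(void)
{
    const uint8_t rec[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    char a[NAME_MAX], b[NAME_MAX];
    int ra = parse_name_unchecked(rec, sizeof rec, a);
    int rb = parse_name_checked(rec, sizeof rec, b);
    return ra == 5 && rb == 5 && strcmp(a, "alice") == 0 && strcmp(b, "alice") == 0;
}

/* Malicious record: declared length 200, one byte present. The checked parser
   rejects it (this returns 1); the unchecked one would read and write out of bounds. */
int evil_rejected(void)
{
    const uint8_t rec[] = { 200, 'x' };
    char out[NAME_MAX];
    return parse_name_checked(rec, sizeof rec, out) == -1;
}

/* Exhaustive dynamic check: every declared length (0..255) against every
   available payload size (0..31). The checked parser must reject the record
   or return a length that fits and leave 'out' NUL-terminated. Returns the
   number of accepted records (392 for these bounds), or -1 on any violation. */
int exhaustive_check(void)
{
    uint8_t msg[32];
    char out[NAME_MAX];
    int accepted = 0;

    for (int declared = 0; declared < 256; declared++) {
        for (size_t avail = 0; avail < sizeof msg; avail++) {
            msg[0] = (uint8_t)declared;
            memset(msg + 1, 'A', avail);
            memset(out, 0x7f, sizeof out);    /* poison: a missing NUL would show */
            int r = parse_name_checked(msg, 1 + avail, out);
            if (r < 0)
                continue;
            if (r != declared || r >= NAME_MAX || (size_t)r > avail || out[r] != '\0')
                return -1;
            if (memcmp(out, msg + 1, (size_t)r) != 0)
                return -1;
            accepted++;
        }
    }
    return accepted;
}

int main(void)
{
    printf("benign agrees: %d\nevil rejected: %d\nexhaustive accepted: %d\n",
           benign_agrees(), evil_rejected(), exhaustive_check());
    return 0;
}
```

The two added `if` lines are the whole difference, and nothing in the benign
path distinguishes the parsers; that is why coverage-driven tests on
well-formed input pass both, and why the sweep (or a fuzzer) has to supply the
malformed lengths itself. Building with `-fsanitize=address` and feeding the
unchecked parser the malicious record is the quickest way to see the overflow
reported.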

~~~
eridius
> _It's possible to write code in these languages without these bugs_

I would go so far as to say in any non-trivial codebase it's virtually
impossible to avoid introducing a bug of this nature. SQLite is probably the
codebase that has the highest chance of being safe from this, due to its
extremely thorough test suite and amount of fuzzing that's been done, but even
that codebase was found to have a significant bug (I forget the details) in
one of the optional first-party extensions, as that extension did not have the
same rigorous test suite that the SQLite core did.

To be clear, when I say thorough test suite, IIRC SQLite's test suite has 3x
as many lines of code as the code being tested. And I think there's some sort
of instrumentation to ensure the test suite covers every single code path.

~~~
nojvek
Covering every single branch of code isn’t enough. One needs to test that
every single branch isn’t vulnerable to an overflow attack.

It’s kind of like testing every possible valid, invalid and malicious input the
program can take in.

Gets even crazier with race conditions and such.

Testing is really hard. And given how many companies skip on testing I am led
to believe security is a myth. There’s gonna be someone somewhere with an
exploit getting your info.

~~~
eridius
Yeah, which is why fuzzing is important even with tests covering every code
path. And even with that, this is why I simply said that SQLite is probably
the codebase that comes the closest, rather than saying it actually is bug-
free.

------
leoh
I always suspected this. Years ago, there was a public jailbreak technique
that could be initiated merely by visiting a webpage. It always seemed to me
that if this technique were found for a later release of iOS and not
publicized, it could be used for the deeply nefarious purpose of stealing
information.

~~~
rnotaro
It was JailbreakMe: [http://osxdaily.com/2010/08/02/easy-iphone-jailbreak/](http://osxdaily.com/2010/08/02/easy-iphone-jailbreak/)

And apparently this one works until iOS 10:
[https://www.theiphonewiki.com/wiki/TotallyNotSpyware](https://www.theiphonewiki.com/wiki/TotallyNotSpyware)

------
el_duderino
This blog post is a duplicate of:
[https://news.ycombinator.com/item?id=20835223](https://news.ycombinator.com/item?id=20835223)

~~~
xvector
This title much more accurately reflects the severity of the incident.

People do “deep dives” of exploits all the time, the amazing thing about this
particular one is that it gets to the keychain and is via a website.

------
nvr219
I am not able to read this article on my iPhone SE. First, the two pop-ups (one
about cookies and one about how I read 1/3 articles) covered the entire
screen. I took a screenshot and sent it to someone. When I went back to Safari
I was greeted with a full page ad with no way to close it. So I cannot read
the article. Sad.

------
thom
So right now, basically every single iOS user should be resetting every
password stored in their keychain?

------
mrfusion
How do you know if your iPhone has been hacked? I always thought they were
pretty safe from the web.

~~~
wereHamster
Exploits can be anywhere. Just because you use only web doesn't mean that
there are no usable exploits. WebKit / JSC are written in C/C++, so there are
still plenty of holes to be found.

~~~
xvector
Given the frequency of exploits via WebKit/Safari (feels like a new one pops
up every week, at least), is it feasible for Apple to perform a rewrite with a
memory safe language?

Aren’t there tools that can analyze existing code and enforce memory safety?

~~~
saagarjha
> Aren’t there tools that can analyze existing code and enforce memory safety?

Not perfectly.

------
graeme
I once foolishly clicked a link in a text message. Out of curiosity: I knew
it was spam.

Should have used a link previewer. It went to a porn site that looked... odd.
Like one big static image mimicking a porn site, nothing clickable.

This was a couple years back. Always wondered about it. Does it seem remotely
likely it was some kind of exploit that may still be running on my phone? Have
upgraded since and am fully updated.

Note: THIS exploit is removed by the patch. Am wondering if this is a
reasonable worry in general that would warrant wiping the device and restoring
photos, messages etc. via iCloud sync rather than a backup.

~~~
MauranKilom
As explained above, this particular exploit only remains in memory until you
reboot the device. Unless you visit the site again after the reboot, no trace
of it would be left on your phone.

If it was indeed this exploit, they had your data at that point already
though. No action will undo that, but changing secrets might help.

------
hello_tyler
A list of the websites hosting this stuff would have been nice....

~~~
PunchTornado
The issue with that would be that it's not an exhaustive list. People would
feel wrongly safe because they don't visit those websites, while in theory a
lot more websites could be infected.

------
weinzierl
> Malware could steal passwords, encrypted messages and contacts

Does this include 1password passwords? As far as I understand 1password
encrypts the passwords and they can only be accessed either by supplying the
master password or the fingerprint.

~~~
Mathnerd314
The exploit gets full root and full access to the keychain store. And
apparently the 1password master password is stored in the keychain when sync
is enabled
([https://discussions.agilebits.com/discussion/10412/storage-o...](https://discussions.agilebits.com/discussion/10412/storage-of-master-password-on-ios-devices)).
So they had the technical ability to steal at least a few 1password passwords.

But 1password is not in the default list of apps to steal
([https://googleprojectzero.blogspot.com/2019/08/implant-teard...](https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html)),
so you'd have to know what commands their server sent to get
a definitive answer. Most likely they didn't bother, as it seems more like a
surveillance / monitoring operation than for financial gain, but then again
attackers are getting more sophisticated all the time.

~~~
tucif
What kind of sync is that? Only if you manage your vaults externally (e.g.
Dropbox)?

~~~
Mathnerd314
I was thinking about the sync you get with a premium membership
([https://support.1password.com/sync-options/](https://support.1password.com/sync-options/)),
but I guess the thread is about syncing with Dropbox. It's quite an old
thread; this paper suggests they use the "secure remote password" protocol
for memberships, so perhaps the master key isn't stored for that:
[https://1password.com/files/1Password%20for%20Teams%20White%...](https://1password.com/files/1Password%20for%20Teams%20White%20Paper.pdf)

It’s definitely stored for Touch ID/fingerprint 1password access though
([https://support.1password.com/touch-id-security-ios/](https://support.1password.com/touch-id-security-ios/)).

One of their employees wrote about it here:
[https://discussions.agilebits.com/discussion/106629/ios-secu...](https://discussions.agilebits.com/discussion/106629/ios-security-breach).
His response is basically that OS-level 0days aren't in their threat
model, so they're continuing their usual bug-fixing routine. And it's true,
nothing can really stop a rootkit from sniffing passwords as they're being
used, besides winning the anti-rootkit race. Perhaps 1password could have a
little more explanation of the insecurity of using Touch ID / Face ID though
rather than simply saying it's as secure as possible.

------
mola
What could be the reason for Google to avoid publishing the site list? There's
something being hidden here... and how could they even discover this? It's not
like they did basic cyber research and found the exploits.

~~~
ehsankia
Maybe Chronicle [0] found it?

[https://chronicle.security](https://chronicle.security)

------
s_dev
Can Firefox users on macOS be affected or is it just Safari?

~~~
nvrspyx
It’s just iOS. But, considering that all browsers have to basically use Safari
(or rather WebKit/WebViews) on the backend, I would assume it affects any
browser on iOS. With that said, that’s just a guess and I do not know for
sure.

~~~
jtwaleson
Interesting, never knew that!

[https://stackoverflow.com/questions/11259152/chrome-ios-is-i...](https://stackoverflow.com/questions/11259152/chrome-ios-is-it-just-a-uiwebview)

------
skizm
Did this exploit exist for all browsers on iOS? Or just Safari?

~~~
nvrspyx
All browsers on iOS basically use Safari on the backend since Apple doesn’t
allow other browser engines on the App Store. My guess would be that it
affects all, but I don’t know for sure.

I haven’t seen other browsers mentioned anywhere.

------
SmileyRedBall
How did this malware compromise the iPhone in the first place? Did Apple
insert a backdoor for the spooks that was discovered by a third party? It
wouldn't be the first time, as Google is reported to have inserted a government
backdoor that was subsequently used by the Chinese.

[https://support.google.com/mail/forum/AAAAK7un8RUqYupi59QYXM...](https://support.google.com/mail/forum/AAAAK7un8RUqYupi59QYXM/?hl=en&gpf=d/topic/gmail/qYupi59QYXM)

[https://web.archive.org/web/20190322185231/http://edition.cn...](https://web.archive.org/web/20190322185231/http://edition.cnn.com/2010/OPINION/01/23/schneier.google.hacking/)

------
novaRom
Seriously, it is like every second month on average there is news about how
insecure different Apple products are. I personally decided to move away from
the Apple ecosystem just after their famous "empty root password" issue was
discovered. It sometimes sounds like a joke, but their level of incompetence in
software engineering is simply above any reasonable amount. If you trust your
data to them, think twice.

~~~
Jonnax
Okay? So you probably also don't trust Microsoft.

Well then if you use Linux, it's pretty secure. But most money goes into
headless servers.

Do you trust the GNOME project, is it well funded? Or KDE or whatever.

Actually fundamentally. Do you trust the X Server?

~~~
Mathnerd314
The X server is known to be insecure, in the sense that keyloggers can steal
credentials from anything else running. But in that sense no OS is
particularly secure besides Qubes OS.

The discussion was on phones, there the issues are mostly core Android's lack
of updates from manufacturers (but quite good record of Google releasing
patches) vs iOS's closed-source buggy OS.

IDK, security is hard. The easiest solution is to get a nice clay brick and
smash whatever phone you have to pieces.

