Free Trial

iOS Vulnerability: ZipperDown

By Colm 9th July 2018

It is widely thought, and advertised, that Apple products are indestructible when it comes to malicious software or threats. However as industry research has recently shown, this is not the case in reality and ZipperDown is just the latest iOS vulnerability to make itself known. Using this software, cybercriminals can take advantage of a flaw in Apple’s iOS code and allow themselves access to user information while performing other malicious activities. It was found by Pangu Lab, a Chinese security laboratory – who observed the vulnerability in 10% of the apps that they tested (15,978 out of 168,951). Bearing in mind that there are 3.8 million applications on Apple’s App Store, the overall vulnerability rate may be much higher or indeed lower, but we know for certain that there are 100 million people that have already downloaded these vulnerable apps. Another industry entity, Appthority, claims that this figure is higher, finding 190,420 apps that contained the vulnerability and 31,820 (17%) that were able to be exploited in their testing. So, there are a significant amount of iOS apps that are exploitable – but how can iPhone users be attacked and what can they do to prevent this?

What is ZipperDown?

ZipperDown relies on two key factors to operate: the absence of an app ‘sandbox’ and a connection to a compromised network, such as an attacker-controlled public WiFi. To elaborate, an app sandbox is a security feature that contains an app’s communication to a specified area. Think of it as a walled garden – if something happens in the garden that kills the grass, the area around the walled garden will be unaffected. If an app is only allowed to interact with pre-agreed resources, it is virtually impossible for an app-based threat to compromise the security of the entire iPhone. In theory, this idea is actually very smart – the problem however, is that it is not a requirement for apps on the App Store. Interestingly, app sandboxing is a requirement for every app on the Mac App Store, but not for the rest of Apple’s devices. This leaves some apps less secure than others and is a prerequisite for the exploitation of the ZipperDown vulnerability. The second factor is an unsecured WiFi network. When we talk about unsecured networks, we’re referring to a wireless network that anyone can connect to, commonly found in coffee shops, hotels, and other guest-accommodating businesses.

Once these two requirements are met, the attacker accesses the mobile device and looks for an app with this vulnerability. Once located, there is a specific file that is targeted – a small, benign .zip file buried in the application’s directory. All the attacker has to do is replace this file with their own malicious version, and they are free to execute whatever arbitrary code they please. Simply put, they can make your iPhone do whatever they like.

iPhone – Apple’s Titanic

It’s no secret that Apple has worked hard to perfect the construction of iOS from a security perspective. iPhones are indeed safe devices for the most part, and we certainly don’t disagree with their reputation as such. However, to think that iPhones (or any other computer systems) are completely impenetrable is somewhat misguided. Just as the Titanic was thought of as the unsinkable ship, the iPhone is sometimes touted as an impregnable mobile device and unfortunately, this simply isn’t true. There have been many incidents with iOS and malicious attacks, most of which are noted in this list of known iOS malware. iPhone-focused attacks do exist, most infamously with ‘Pegasus’. Pegasus was arguably the most powerful mobile spyware ever seen, but even 12 months after its emergence, one can still find articles that dispute the need for any security on iOS devices. We’re not disputing the iPhone’s security architecture, we just disagree with the sentiment of invincibility – the Titanic was a fantastic feat of engineering, but it still needed lifeboats. With that said, let’s investigate Pegasus’s capabilities on an iPhone that has no security solution.

Pegasus

Pegasus was the ultimate spyware for mobile devices. It was first discovered in 2016, by an activist from the UAE. It quickly became infamous for its ability to compromise any iPhone and iPad, and later for the same ability on Android devices. It worked by utilizing a spear phishing attack, where victims were pre-selected and sent text messages with malicious links. Once the victim clicked the link, the spyware started taking hold of the device. Pegasus was created by NSO Group, who sell the software for commercial use – allowing anyone to use it for the right price. Once Pegasus installs its necessary modules, it can read the user’s messages and email, listen to calls, take screenshots, record pressed keys, export browser history and contacts, listen to encrypted audio streams and steal encrypted messages – to name but a few of its capabilities. After 60 days of no communication with its C&C server, the spyware would remove itself in an attempt to remain hidden. Lookout determined that the spyware had existed for a significant amount of time, spanning multiple iterations of iOS updates. They also have a great technical analysis of Pegasus, for some extra reading.

So, now that we know why any claim of iOS invulnerability should be regarded with caution, how should we protect our devices moving forward?

Protecting against ZipperDown and Cyber Attacks

Protecting mobile devices against malware, spyware, and other cyber threats usually comes down to two main pillars: security measures and human behaviour. To avoid attacks like ZipperDown, the device user needs to stay aware of the triggers and steer clear of any suspicious activities. While public WiFi is the usual suspect in some cases of cyber attacks, ZipperDown absolutely relies on compromised wireless networks so it is best to simply use mobile data when you can’t verify the security of your WiFi. For more information on staying safe and using unfamiliar wireless networks, check out our blog post on this very subject. Security measures that can be taken include using a mobile antivirus system, and for public networks to always using a VPN. Unfortunately, however, there is no way to check the sandbox status of your apps. The only advice one can follow in this instance is to download apps only from the official Apple App Store and to refrain from using unauthenticated sources enabled by a device jailbreak.

Hopefully, we’ve made it clear that Apple’s devices and their users are not immune to cyber attacks – there is simply too much evidence to deny the value of strong mobile device security solutions. Not only can mobile surveillance risk people’s personal safety, it can steal sensitive corporate data and compromise enterprise networks.

 

To discover how to fortify your organizations’ mobile defense higher than the iPhone’s current imaginary wall, as well as how to protect Android devices from similar attacks, check out Coratta’s solutions or contact us at info@corrata.com.