Cybersecurity breach at Apple, some lessons to be learned

GUEST BLOG. On August 17, 2022, Apple announced the availability of an urgent update to fix two vulnerabilities. These were two cybersecurity flaws that allowed an attacker to take full control of an Apple product like your iPhone.

How do such vulnerabilities open doors for criminals and how can you better protect yourself? This is what I will explain using the latest vulnerabilities detected at Apple to illustrate my point.

In a good architecture like Apple’s, cybersecurity is built in layers. Each component has certain access privileges: ideally only the privileges strictly necessary for the component to do its job, nothing more. This is why you must explicitly grant additional access privileges before an application can use your camera, microphone and so on.

The first vulnerability is in a component called “WebKit”. This component is the window between your device and the internet. In its vulnerable state, WebKit would allow malicious web content to execute code on your device. By tricking you into loading a purpose-built website, an attacker could therefore execute code on your device without your consent. A base camp could be established there. However, thanks to layered cybersecurity, that base camp probably would not have sufficient privileges to access your files, photos, microphone and other sensitive data.

Once installed in his base camp, and with the objective of reaching the summit, the attacker has to exploit the other vulnerability published the same day. This one is found at the “kernel” level, i.e. the heart of the system. Commands executed by the kernel have full rights. The second vulnerability allows our base-camp attacker to execute a command as if it were the heart of your device. In this context everything is allowed: turning on the microphone, copying your data, taking photos, granting himself every privilege, and so on.

Attacks are staged
Cyberattacks are like climbing a mountain, step by step. Researchers at Lockheed Martin adapted an attack model to information security: the “Cyber Kill Chain”. This model makes the stages of a computer attack easier to understand. If you have defensive measures in place for each stage of the “Cyber Kill Chain”, climbing the mountain becomes very difficult for an attacker.

Stages of an attack according to the “Cyber Kill Chain” model
1- Reconnaissance:

The attacker collects information about you and your business and identifies the attack vectors he could exploit. This information allows him to establish a strategy.

In the Apple example, the attacker could use various quick and easy tricks to find out whether you use Apple products. He must then work out how he can exploit the vulnerabilities on your device and for what malicious purposes.

2- Weaponization:

The attacker must equip himself adequately before leaving on a mission, just as a climber gears up before tackling the mountain. He can build or acquire malware that allows him to reach the target.

In our example, he must have in his possession the code that exploits the vulnerabilities in WebKit and the kernel. Such malware is not always easy to obtain. It is sometimes complex to produce or very expensive to acquire. In the case of Apple’s vulnerabilities, toolkits to exploit them are not readily available at the time of this writing. I’ve seen some very informal postings where there was talk of a US$8 million price tag to get your hands on the exploit kit. For other vulnerabilities, acquiring malware is simple and free.

3- Delivery:

Like a shooter, our attacker must be able to get close to his target. He must find a way to bring your device into contact with the malware. Email is often used as the delivery method. USB keys and websites are also good delivery vectors.

In this case, the attacker must lure the victim into visiting a web page that loads malicious code designed to exploit the WebKit vulnerability first and then the kernel vulnerability.

4- Exploitation:

This is the execution of malicious code on the target. The shooter pulls the trigger.

In our example, the victim took the bait and browsed to the website hosting the malware, which was then able to run on the device.

5- Installation:

The installation stage involves establishing a permanent and legitimate presence on the target over time. After all the effort made to deliver the malware, one would not want to have to start over just because the victim closes their browser. So the attacker wants to establish a permanent base camp on the victim’s device.

Documentation explaining how our two vulnerabilities can be exploited is not yet readily available, but one can imagine that the malware would create a permanent program that restarts whenever needed.

6- Command and control:

This stage serves to establish a communication channel with the attacker’s headquarters. The malware installed on the target must find a way to communicate with the attacker controlling it. The communication link is used to issue commands to the malware and potentially to exfiltrate your data.

In the Apple context, once the malware is installed on your device, it must communicate with the attacker so that the latter can control it and take advantage of the access privileges normally reserved for the kernel.

7- Actions on objectives:

This stage consists of carrying out the intended misdeeds. Mischief can be brutal, such as sabotage, encryption and destruction, or silent, such as espionage and intellectual property theft. At this stage, the attacker has climbed every rung of the “Cyber Kill Chain” and has given himself the means to accomplish his crime.

For our Apple device, this means the attacker is in control and can do whatever they want.

Layered protection reduces risk
As you can see, exploiting a vulnerability to achieve mischief is not always straightforward. The attacker must go through several steps before he can perform a malicious action. If each step is complicated by security controls, the attacker will probably get a better return on his investment by attacking someone else instead.

Reconnaissance can be made more difficult by protecting the public interfaces of your IT services and by being discreet on social networks.

By managing vulnerabilities effectively, you make the weaponization step more difficult.

By using email protection and web filtering software, the proportion of successful deliveries drops drastically.

By using adequate protection on your workstations and servers, you reduce the chances of success in the exploitation and installation stages. Good EDR (Endpoint Detection and Response) software will probably detect that something abnormal is happening, and a good security team will be able to analyze the problem and eliminate it.

By controlling outgoing network traffic, you can capture and block the communications associated with the command and control stage. You will also be able to identify where the malware is hiding.
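As an added illustration of that outbound-traffic control (this is example code written for this post, not anything from the article or from Apple), the script below reads constructed firewall log lines, flags connections to destinations outside a hypothetical allowlist, and flags a device that contacts the same destination at near-regular intervals, the polling pattern a command and control channel typically shows.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <src_ip> -> <dst_host>:<port>"
SAMPLE_LOG = """
2022-08-18T09:00:00 10.0.0.12 -> updates.example.com:443
2022-08-18T09:00:05 10.0.0.12 -> 203.0.113.7:8443
2022-08-18T09:01:05 10.0.0.12 -> 203.0.113.7:8443
2022-08-18T09:02:05 10.0.0.12 -> 203.0.113.7:8443
2022-08-18T09:02:40 10.0.0.21 -> mail.example.com:993
2022-08-18T09:03:05 10.0.0.12 -> 203.0.113.7:8443
"""

# Hypothetical allowlist of destinations your devices are expected to reach.
ALLOWED = {"updates.example.com", "mail.example.com"}


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples from the log text."""
    for line in text.strip().splitlines():
        ts, src, _, target = line.split()
        dst, port = target.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_unapproved(events, allowed=ALLOWED):
    """Return the set of (src, dst, port) connections to non-allowlisted hosts."""
    return {(src, dst, port) for _, src, dst, port in events if dst not in allowed}


def find_beacons(events, min_hits=4, tolerance=5):
    """Return (src, dst) pairs contacted at near-fixed intervals (polling).

    Every gap between connections must stay within `tolerance` seconds
    of the first gap; `min_hits` is the minimum number of connections.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = []
    for pair, stamps in by_pair.items():
        if len(stamps) < max(min_hits, 2):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - gaps[0]) <= tolerance for g in gaps):
            beacons.append(pair)
    return beacons
```

On the sample data, `find_unapproved` reports the single host outside the allowlist and `find_beacons` reports the device polling it every sixty seconds; in practice the allowlist and the tolerance are tuned to your own environment.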

Finally, a good architecture, in which each component is secured as if it were exposed directly to the Internet, limits the impact of any misdeeds. The attacker may manage to act on one objective, but he will not be able to strike the organization as a whole without a titanic effort.

In contrast, if nothing slows the attacker’s ascent, all it takes is accidentally giving him access to a vulnerable or poorly protected device, and his climb will be quick and effortless.

ABOUT THIS BLOG
Martin Berthiaume has worked in the field of cybersecurity for over 20 years. He has an atypical career path, which is often the case in cybersecurity. Holder of a bachelor’s degree in actuarial science from Laval University, Martin founded the Enode Group in 2004, among the first cybersecurity companies in Canada, offering a governance and risk management platform, which was acquired by TELUS in 2014. In 2018, with the vision and ambition to develop the best solution against cyberattacks in the world, Martin founded Mondata, which offers the first 3rd generation Cybersecurity platform. His ultimate goal? Democratize, popularize and make cybersecurity accessible to all organizations, because regardless of the size of your business, the risks are becoming more and more present and it is time to remedy them.

MARTIN BERTHIAUME
RELATED TOPICS
Cybercrime, Cyberattack, Cybersecurity
