Researcher Publishes Source Code for Three Unpatched iPhone Exploits

A security researcher published the details of three vulnerabilities that affect up-to-date iPhones, which could be used by a malicious app to gather personal information. 

The researcher, who goes by Illusionofchaos but whose real name is Denis Tokarev, published the details in a blog post on Thursday, and he also published the source code for exploits that take advantage of those vulnerabilities on GitHub. 

The blog post and the source code give other security researchers—as well as malicious hackers—the ability to reproduce the unpatched vulnerabilities and exploit them, according to other researchers who have analyzed the disclosed bugs. 

Tokarev wrote that he decided to go public to share their "frustrating experience participating in Apple Security Bounty program." 

"I've reported four zero-day vulnerabilities this year between March 10 and May 4, as of now three of them are still present in the latest iOS version (15.0) and one was fixed in 14.7, but Apple decided to cover it up and not list it on the security content page. When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update," they wrote in the blog post. "There were three releases since then and they broke their promise each time. Ten days ago I asked for an explanation and warned then that I would make my research public if I don't receive an explanation. My request was ignored so I'm doing what I said I would."

Apple did not respond to multiple requests for comment.

Wojciech Reguła, the head of mobile security at cybersecurity firm SecuRing, told Motherboard that it took him around 30 minutes to reproduce all the vulnerabilities.

It is very rare for researchers to publish the full source code of exploits, especially for iOS. Research teams such as Google Project Zero do it sometimes, but only after the bugs have been patched. Moreover, GitHub has recently changed its policy on the publication of such code, which prohibits users posting code that could be used to attack users' devices. 

GitHub did not immediately respond to a request for comment. 

The good news is that these bugs cannot, used on their own, be used to hack an iPhone remotely, according to Reguła.

"On the other hand, they indeed break sandbox restrictions (like getting AppleID, ability to list all installed apps, getting access to contacts)," he said in an online chat. "[A] malicious attacker can use those exploits of course, but it requires a malicious application to be installed on victim's device. And that's not really easy."

"Generally the world will not die because of those three zero-days," he added. 

Tokarev also admitted that the potential impact is limited.

"There are much more dangerous vulnerabilities than these, like RCE (remote code execution). For those kinds of vulnerabilities Apple releases fixes very quickly. The ones that I've released do not lead to complete device compromise but still allow malicious apps to gather a tremendous amount of sensitive and personal data," they said in an online chat. "It's possible for any app to know exactly who you are, all your social circle, your patterns of communication with them and build a deep profile of you based on your communications and the kind of apps you have installed."

Getting malware on the Apple App Store is extremely hard, and there have been very few cases of that happening.

But Tokarev said that one of the exploits he published could be included in an app and potentially pass Apple's review. Tokarev said he tried this himself by uploading the malicious code to Apple's App Store Connect, a developer service to manage apps, and installed it on his own iPhone with TestFlight, Apple's online service that allows developers to test their own apps. 

"It passed all the security checks that are performed when an app is being uploaded," he said.

This case does show once again that security researchers are not happy about how Apple handles their reports. 

Last week, The Washington Post published an article based on interviews with several security researchers who said they are frustrated with Apple for being slow to fix the bugs they reported, and for not paying what they thought the bugs were worth. 

These frustrations are not new. In 2017, Motherboard reported that several security researchers who were invited to the then closed-doors Apple bug bounty program thought it was just not worth reporting the bugs to the company. That was because they said the vulnerabilities were worth much more if sold to zero-day brokers who then sell them to governments. The other big reason, they said, was that some bugs are necessary to be able to keep doing research on iPhones, given that you need multiple unpatched vulnerabilities to inspect iOS's code. 

This story has been updated to include comments from the researcher Illusionofchaos and to add his real name, Denis Tokarev.

Subscribe to our cybersecurity podcast CYBER, here.