While conducting a demo of a toolkit that lets users test the hardware security of an Apple iPhone, researchers at North Carolina State University reported Monday they found a new vulnerability that lets a program gain access to cryptographic keys used by one or more programs on an Apple mobile device.
In a blog post, the researchers said the issue was worth noting because with the right keys, attackers could then gain access to whatever information the other affected program or programs on the mobile device could access.
The researchers called this vulnerability iTimed, which they said was a cache timing side-channel attack. In a timing side-channel attack, the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms.
While the researchers haven’t seen evidence of this attack in the wild yet, the NC State team did notify Apple of the vulnerability. The researchers are sharing much of the toolkit as an open-source resource for other security researchers.
“A lot of people interact with Apple’s tech on a daily basis,” said Gregor Haas, first author of the research paper and a recent master’s graduate at NC State. “And the way Apple wants to use its platforms is changing all the time. At some point, there’s value in having independent verification that Apple’s technology is doing what Apple says it is doing, and that its security measures are sound.”
The findings by the NC State researchers underscore the importance of independent researchers contributing their findings to help secure the broader technology ecosystem, said Hank Schless, senior manager, security solutions at Lookout. An outside perspective on hardware and software that are under constant, rapid development can help point out the inevitable flaws in what’s released, Schless said.
“While this particular vulnerability hasn’t been discovered in the wild, the North Carolina State team has helped Apple get ahead of something that could harm its users and hurt the company’s reputation,” Schless said. “Exploitable vulnerabilities vary greatly depending on what software or device they’re on. Threat actors prioritize exploitable vulnerabilities that let them gain access to sensitive infrastructure or data. Organizations need to be sure they’re securing everything from the endpoints their employees use to the apps and data they access from those endpoints. Dynamic access and data loss prevention policies found in cloud access security brokers as well as zero-trust network access solutions help ensure that only authorized and secure users can access sensitive data.”
Saryu Nayyar, CEO at Gurucul, added that the Apple hardware vulnerability found by researchers and reported to Apple represents the way that finding and understanding new vulnerabilities should work. Nayyar said the actual vulnerability sounds difficult to exploit because attackers have to understand how to access and read the hardware cache as a first step. However, for those who have the skills, Nayyar said it’s potentially a significant vulnerability.
“Over the years Apple has tended to have fewer vulnerabilities than Windows, but it’s not clear if that’s because it’s more secure or Windows is more ubiquitous,” Nayyar said. “And Apple has also kept greater control over their own software, as well as third-party applications, which provides fewer opportunities to find and exploit vulnerabilities. But today and in the future, any operating system — server, desktop, phone, IoT, embedded — is fair game.”
Apple issues emergency updates
In a separate development Monday, Apple issued emergency software updates following the discovery of a zero-click, zero-day vulnerability in its iMessage application. Citizen Lab security researchers discovered the flaws when examining a Saudi activist's iPhone, which had been infected with spyware from Israel's NSO Group. It’s the latest example of how NSO’s surveillance tools — which the company claims are only sold to responsible governments and only after a rigorous vetting process — instead routinely end up on the phones and devices of human rights activists, journalists and victims of repressive government regimes.
The Cybersecurity and Infrastructure Security Agency issued its own warning to users as well, urging all iPhone users to quickly patch.
"An attacker could exploit these vulnerabilities to take control of an affected device. CISA is aware of public reporting that these vulnerabilities may have been exploited in the wild," the notice reads.
SC Media Senior Reporter Derek B. Johnson contributed to this report.