An Apple security fix in iOS 15.6.1 back in August of last year was said to close two major security vulnerabilities, one of which could have allowed a rogue app to execute arbitrary code with kernel privileges (aka do Very Bad Things). But it’s now been revealed that the more serious vulnerability wasn’t closed after all.
Apple did succeed in blocking a specific way of exploiting the vulnerability, but didn’t address the root issue until last week’s iOS 16.5 update, some nine months later …
Last year’s Apple security fix
When Apple released iOS 15.6.1 in August 2022, the company said that the update “provides important security updates and is recommended for all users.”
Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
This was indeed actively exploited by an attack dubbed ColdIntro. Apple patched iOS against ColdIntro.
But the vulnerability remained
Unfortunately, while Apple blocked the specific attack route used by ColdIntro, security researchers at both Jamf and Google’s Project Zero saw similar attacks succeeding even after the update. These fresh attacks used a variation on ColdIntro, named ColdInvite.
In one example, an attacker managed to fool mobile carrier Vodafone into disabling the plan of a target. The attacker then sent a fake message to the victim asking them to install the My Vodafone app (a genuine app) in order to restore the plan. The link was to a fake version of the app, which contained the malware.
The attack begins by gaining access to the Display Co-Processor (DCP), and then uses this to gain access to the Application Processor (AP).
Analysis revealed that Apple had not blocked the underlying vulnerability which made such attacks possible. Jamf reported this to Apple, and the company fixed the vulnerability itself in iOS 16.5.
How serious is this?
While the phrase “an application may be able to execute arbitrary code with kernel privileges” can be code for “a rogue app can do anything it likes to the phone,” that isn’t the case here. Jamf says that ColdInvite just gets an attacker closer to being able to take over the iPhone.
[Both exploits allow] an attacker to exploit other vulnerabilities within the AP Kernel. Though it’s not sufficient for a full device takeover on its own, this vulnerability can be exploited to leverage the co-processor in order to obtain read/write privileges to the kernel, allowing a bad actor to get closer to realizing their ultimate goal of fully compromising the device.
From the real-world example cited by Google, it also appears that the bad guys would need to fool you into installing their app, meaning that this is most likely to be used as part of a targeted attack on specific individuals. The risk to the average user thus seems low.
All the same, Jamf notes that the approach of compromising one processor in order to gain access to another is only going to increase, so it’s always worth installing iOS updates as soon as possible.
However, if you rely on Apple’s Lightning to USB 3 adapter (which is broken by iOS 16.5), you can safely wait for a fix so long as you don’t tap on links or open attachments that you aren’t expecting.