OS Security: Rebelling against Hacks and the Government
Apple’s mobile operating system, iOS, was introduced in 2007 and in eleven years has grown to become one of the leading smartphone operating systems. iOS is widely regarded as the most secure of the mobile operating systems on the market. Although its security advances have been widely praised, it has not been without flaws. This paper explores Apple’s iOS security technologies and the history of the software and hardware attacks that have penetrated these defenses. The attacks are examined in detail: how they operate, how they spread, and what type of data they attempt to obtain. The paper then discusses how Apple has responded to these attacks and has continually updated iOS to counter future attempts. All of this informs the discussion of how Apple’s security posture has changed its relationship with the federal government and intelligence agencies. Recommendations can be made for organizations and users, but no single measure delivers sufficient defense against mobile malware.
Keywords: iOS, Security, Malware, Apple, Jailbreak
June 29th, 2007 was a pivotal moment for both Apple and the world of smartphone technology. On that date Steve Jobs, former CEO of Apple Inc., released the original iPhone. With this release came the first version of Apple’s mobile operating system, then known as iPhone OS. It was rebranded as iOS with the release of iOS 4.0 in June 2010. As new versions of iOS were released, so were newer and better security features.
In 2011, Robert Lemos stated that the “security on the mobile operating system was nearly nonexistent”. In its early years, the security features offered were minimal. It took a few years for the first malware, a worm, to surface in 2009. From then on, Apple was forced to re-evaluate the security features offered on iOS devices. Many more forms of malware appeared in the years that followed. Newer malware such as XcodeGhost, Pegasus, and AceDeceiver was more malicious and covert in its workings. According to Damopoulos et al, “The evolution of malwares is a continuous race between intruders and defenders” (2011). Such malware could now be installed in the background of iOS with the user completely unaware.
With each new vulnerability and hack, updated versions of iOS were released and new security features added. The current security features protect both the hardware and the software of the iPhone. According to Chung et al, “apple iOS devices are considered by many to be more secure than other mobile offerings” (pg. 1). iOS security is now considered so robust that it has complicated the relationship between Apple, the federal government, and intelligence agencies. Under current legislation, Apple is not obliged to assist as a third party in obtaining information from a locked iOS device. As a result, several companies have been founded to build devices that can extract encrypted information from Apple devices without the risk of deleting data.
Apple has a duty to protect its hardware and software from attacks and from loss of confidential data. Organizations and users have the same duty to protect their own personal information, and numerous techniques are available for iOS device owners to implement correctly.
Literature Review and Research
In 2016, Rene Ritchie stated that “security is all about defense in depth, and by doing all of these things, Apple makes iOS security increasingly deep”. Apple has always prided itself on maintaining iOS mobile security. Throughout the 11 years that iOS has existed, Apple has consistently added new security features to help keep its users’ information safe. Robert Lemos (2011) quoted Raimund Genes, CTO of the security software firm Trend Micro: “Apple owns the complete ecosystem – they own the hardware, they own the software, and it makes it quite safe. And thanks to the App Store, they also have a recall switch”. For system security, Apple deploys the following: the secure boot chain, system software authorization, the Secure Enclave, and the Touch ID and Face ID services. Apple’s 2018 iOS Security whitepaper states that its “system security is designed so that both software and hardware are secure across all core components of every iOS device” (pg. 5). This begins with the boot process, in which Apple has cryptographically signed every component in order to guarantee the integrity of each one. Apple uses a mechanism called the secure boot chain, also known as the “chain of trust”, which begins in the lowest-level software. The Boot ROM contains the code that the application processor executes when an iOS device is switched on. The 2018 iOS Security whitepaper continues: “the immutable code, known as the hardware root of trust, is laid down during chip fabrication, and is implicitly trusted” (pg. 5). This code houses the Apple Root CA public key, which verifies the iBoot bootloader (or the Low-Level Bootloader on older devices). Once iBoot has been verified and loaded, it in turn verifies the Apple signature on the iOS kernel. When every component has been verified and loaded, the iOS device is ready for use.
If verification or loading fails at any point in the boot process, the iTunes screen is displayed, indicating that the device has entered Recovery mode. The device will not operate until it has been connected to iTunes and restored to factory settings.
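As an added illustration of the chain just described (not code from the paper or from Apple), the following Python model walks a two-stage boot chain and shows why an image altered after signing, or a substituted signing key, ends in Recovery mode. The HMAC stand-in for Apple's signatures and all key and image values are constructed assumptions.

```python
"""Model of the secure boot chain ("chain of trust") described above.

Added example, not Apple's code or the paper's. The Boot ROM holds an
immutable root key and verifies iBoot; the verified iBoot then verifies the
kernel using the key carried inside its own, already-verified image; any
failed check ends in Recovery mode. HMAC-SHA256 stands in for Apple's
asymmetric signatures so the example needs only the standard library (an
assumption: the real root of trust is a public key, and real images carry
certificate chains rather than raw keys).
"""
import hashlib
import hmac

def sign(key: bytes, image: bytes) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()

def verify(key: bytes, image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, image), sig)

# Constructed keys: ROOT_KEY is fixed in the Boot ROM at fabrication;
# KERNEL_KEY is embedded in the iBoot image and so inherits iBoot's trust.
ROOT_KEY = b"constructed-apple-root-key"
KERNEL_KEY = b"constructed-kernel-signing-key"
KEY_TAG = b"|kernelkey="

def build_signed_chain(iboot_code: bytes, kernel_code: bytes) -> dict:
    """The signed images a genuine device carries in flash: (image, signature)."""
    iboot_image = iboot_code + KEY_TAG + KERNEL_KEY
    return {
        "iboot": (iboot_image, sign(ROOT_KEY, iboot_image)),
        "kernel": (kernel_code, sign(KERNEL_KEY, kernel_code)),
    }

def boot(chain: dict) -> str:
    """Walk the chain as the hardware would and report the resulting state."""
    # Stage 1: the Boot ROM checks iBoot against the fused root key.
    iboot_image, iboot_sig = chain["iboot"]
    if not verify(ROOT_KEY, iboot_image, iboot_sig):
        return "recovery"  # unverified iBoot: the device shows the iTunes screen
    # Stage 2: the now-trusted iBoot extracts its embedded kernel key and
    # checks the kernel. That key is trusted only because it came from an
    # image whose own signature has already passed.
    kernel_key = iboot_image.split(KEY_TAG, 1)[1]
    kernel_code, kernel_sig = chain["kernel"]
    if not verify(kernel_key, kernel_code, kernel_sig):
        return "recovery"
    return "booted"

def with_replaced_image(chain: dict, stage: str, new_image: bytes) -> dict:
    """Copy of the chain where one image is changed but its old signature is kept."""
    _, old_sig = chain[stage]
    return dict(chain, **{stage: (new_image, old_sig)})

def with_rekeyed_kernel(chain: dict, other_key: bytes) -> dict:
    """The kernel is re-signed with a key that is not Apple's and that key is
    patched into iBoot; iBoot itself cannot be re-signed without ROOT_KEY."""
    iboot_image, iboot_sig = chain["iboot"]
    patched = iboot_image.split(KEY_TAG, 1)[0] + KEY_TAG + other_key
    kernel_code, _ = chain["kernel"]
    return {"iboot": (patched, iboot_sig),
            "kernel": (kernel_code, sign(other_key, kernel_code))}

GENUINE = build_signed_chain(b"iBoot 11.4.1", b"kernel 11.4.1")
```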
System Software Authorization is a process used to stop iOS devices from being downgraded to older versions that lack the most up-to-date security fixes. It was put in place to prevent attackers from abusing vulnerabilities found in older versions of iOS, which could explain why there have been so many updates since the original iPhone OS release in 2007. iOS updates can be installed in two ways: through iTunes, or over the air (OTA). The difference is that a full copy of iOS is downloaded when using iTunes, whereas only the components that change are downloaded with the OTA option.
“During an iOS upgrade, iTunes (or the device itself, in the case of OTA software updates) connects to the Apple installation authorization server and sends it a list of cryptographic measurements for each part of the installation bundle to be installed (for example, iBoot, the kernel, and OS image), a random anti-replay value (nonce), and the device’s unique ID (ECID)” (“iOS Security”, 2018, pg. 6).
The authorization server checks the list of measurements against the versions it currently permits to be installed. If a match is found, the server adds the ECID to the measurements and signs the result. Through this process, the update is verified to be exactly as Apple provided it and to be specific to this one device.
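The following Python model, added here and not taken from the paper or from Apple, plays out the authorization exchange quoted above: it shows the server refusing a withdrawn build and a mixed bundle, and the device refusing a replayed ticket or a ticket issued to another ECID. The HMAC signature, the bundle contents, the key and the ECIDs are constructed assumptions.

```python
"""Model of System Software Authorization (personalized update signing).

Added example, not Apple's or the paper's code. It follows the flow quoted
above: the device sends a measurement (hash) of each bundle component, a
fresh nonce and its ECID; the server signs only if the measurements match a
build it still permits, and the signature binds the nonce and the ECID.
HMAC-SHA256 stands in for the server's asymmetric signature (an assumption
so the example needs only the standard library); in reality the device
verifies with a public key and the private key never leaves Apple.
"""
import hashlib
import hmac
import json
import os
from typing import Optional

def measure(blob: bytes) -> str:
    """Measurement of one component, as iTunes or the device would compute it."""
    return hashlib.sha256(blob).hexdigest()

def _ticket_payload(measurements: dict, nonce: bytes, ecid: int) -> bytes:
    return json.dumps({"m": measurements, "nonce": nonce.hex(), "ecid": ecid},
                      sort_keys=True).encode()

class AuthorizationServer:
    """Signs a measurement set only when it exactly matches an allowed build."""
    def __init__(self, allowed_builds: list, signing_key: bytes):
        self.allowed = allowed_builds
        self.key = signing_key

    def personalize(self, measurements: dict, nonce: bytes, ecid: int) -> Optional[bytes]:
        # A withdrawn build, or a mix of components from different builds,
        # matches nothing and is refused: this is the anti-downgrade check.
        if measurements not in self.allowed:
            return None
        return hmac.new(self.key, _ticket_payload(measurements, nonce, ecid),
                        hashlib.sha256).digest()

class Device:
    def __init__(self, ecid: int, verify_key: bytes):
        self.ecid = ecid
        self.verify_key = verify_key

    def request_ticket(self, server: AuthorizationServer, bundle: dict):
        nonce = os.urandom(16)  # fresh anti-replay value for this session
        measurements = {name: measure(blob) for name, blob in bundle.items()}
        return nonce, measurements, server.personalize(measurements, nonce, self.ecid)

    def accept(self, measurements: dict, nonce: bytes, ticket: Optional[bytes]) -> bool:
        """Install only if the ticket covers these measurements, this nonce and this ECID."""
        if ticket is None:
            return False
        expected = hmac.new(self.verify_key, _ticket_payload(measurements, nonce, self.ecid),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, ticket)

# Constructed sample bundles: a current build and an older, withdrawn one.
BUNDLE_CURRENT = {"iBoot": b"iBoot 11.4.1", "kernel": b"kernel 11.4.1", "os": b"os 11.4.1"}
BUNDLE_OLD = {"iBoot": b"iBoot 11.0", "kernel": b"kernel 11.0", "os": b"os 11.0"}
SIGNING_KEY = b"constructed-signing-key"  # shared only because HMAC stands in for a signature

SERVER = AuthorizationServer([{k: measure(v) for k, v in BUNDLE_CURRENT.items()}], SIGNING_KEY)
DEVICE_A = Device(ecid=0x1111, verify_key=SIGNING_KEY)
DEVICE_B = Device(ecid=0x2222, verify_key=SIGNING_KEY)

def install(device: Device, server: AuthorizationServer, bundle: dict) -> bool:
    nonce, measurements, ticket = device.request_ticket(server, bundle)
    return device.accept(measurements, nonce, ticket)

def replay_old_ticket(device: Device, server: AuthorizationServer, bundle: dict) -> bool:
    """Capture a valid ticket, then present it in a later session that uses a new nonce."""
    _, measurements, ticket = device.request_ticket(server, bundle)
    later_nonce = os.urandom(16)
    return device.accept(measurements, later_nonce, ticket)

def reuse_ticket_on_other_device(dev_a: Device, dev_b: Device,
                                 server: AuthorizationServer, bundle: dict) -> bool:
    """A ticket issued for one ECID is presented to a device with another ECID."""
    nonce, measurements, ticket = dev_a.request_ticket(server, bundle)
    return dev_b.accept(measurements, nonce, ticket)

def mixed_bundle_install(device: Device, server: AuthorizationServer) -> bool:
    """Current iBoot with the old kernel: no single allowed build matches."""
    mixed = dict(BUNDLE_CURRENT, kernel=BUNDLE_OLD["kernel"])
    return install(device, server, mixed)
```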
The Secure Enclave is a coprocessor that also takes part in system software authorization. The 2018 iOS Security Whitepaper describes that the Secure Enclave “uses encrypted memory and include a hardware random number generator” (pg. 7). The Secure Enclave runs in isolation, preventing the main processor from accessing sensitive information such as fingerprint biometrics or cryptographic keys. Jay Jay stated in 2017 that “all stored data is encrypted and stored in a secure vault. The keys to such vaults are securely stored in Secure Enclaves inside iPhones and even Apple can’t access such keys even if it wants to”. It is still a relatively new feature, introduced with the iPhone 5. The Secure Enclave plays a large part in the Data Protection management discussed later. As an added benefit, the Secure Enclave prevents replay of security-critical memory.
Touch ID and Face ID are newer security enhancements that Apple has added. Touch ID is a fingerprint identification system that speeds up access to the iOS device. An interesting aspect of Touch ID is that it continues to learn more about the fingerprint over time by expanding its fingerprint map. It can also read the fingerprint from different angles, which makes it more user friendly since the user need not place their finger in exactly the same spot each time access is requested. Face ID does exactly as the name describes: it unlocks the iOS device by recognizing the user’s face. The camera uses advanced technology and secure authentication to record the geometry of the user’s face. This feature, as reported by the 2018 iOS Security Whitepaper, “confirms attention by detecting the direction of your gaze, then uses neural networks for matching and anti-spoofing, so you can unlock your phone with a glance” (pg. 7). Notably, the software also adapts automatically to changes in the user’s appearance.
To use these features, a passcode is required during initial set-up. If the features do not recognize the fingerprint or face, a prompt requesting the passcode appears. These passcodes are essentially the foundation of iOS cryptographic protection. Because the passcode is entered infrequently, a longer, more complex passcode is encouraged. The passcode is also required when: the device has been restarted or turned on, the device has received a remote lock command, the device has been locked for over 48 hours, there have been 5 unsuccessful unlock attempts, the passcode hasn’t been used in 6 days, Face ID hasn’t unlocked the device in 4 hours, or the power off command has been initiated.
According to the 2018 iOS Security Whitepaper, “the secure boot chain, code signing, and runtime process security all help to ensure that only trusted code and apps can run on a device” (pg. 12). To further secure iOS devices, Apple also provides encryption and data protection features. These include: hardware security features, file data protection, passcodes, data protection classes, keychain data protection, access to Safari saved passwords, keybags, and security certifications and programs.
Hardware security is just as important as software security. Every iOS device is built with an AES-256 crypto engine. This engine sits between the flash storage and main system memory, which is claimed to make file encryption highly efficient. During manufacturing, a unique ID (UID) and a group ID (GID), each a 256-bit key, are fused into the application processor and Secure Enclave. Neither can be read directly; they can only be used as keys by the AES engine for encryption and decryption. On newer processors, the Secure Enclave generates its UID entirely on its own, which makes the system and its devices much more resistant to outside attackers. The UID is unique to a single device, but the GID is common to all devices of a class that use the same processor.
Continuing with hardware-based encryption, Apple also uses technology to protect the data kept in the flash memory of the iOS device. This technology, called Data Protection, allows the device to assign files to protection classes. Simply put, it assigns a protection class key to each file used by the device and regulates when the file can be read from and written to. The classes are: Complete Protection, Protected Unless Open, Protected Until First User Authentication, and No Protection. These classes protect the data inside the files and allow or deny access to files depending on whether the device is locked or unlocked.
Passcodes were briefly touched on in the System Security section. To reiterate, passcodes are essentially the foundation of iOS cryptographic protection. The 2018 iOS Security Whitepaper reports that “iOS supports six-digit, four-digit, and arbitrary-length passcodes” (pg. 15). A passcode can be either numeric or alphanumeric. The UID is entangled with the passcode, which makes any attack on the passcode very slow and time consuming. Users can also select the “Erase Data” option, which erases the device after 10 consecutive incorrect passcode attempts. Naturally, a more complex passcode yields a stronger encryption key.
Keys and login tokens for applications are as important to secure as the passwords used to access them. The iOS Keychain provides the security for this information. It is implemented as a SQLite database with a single point of access for processes and applications. The iOS Security Whitepaper writes that “keychain items can only be shared between apps from the same developer. This is managed by requiring third-party apps to use access groups with a prefix allocated to them through the Apple Developer Program via application groups” (2018, pg. 17). The data being secured uses a class system similar to the Data Protection classes. The level of security needed, balanced against the usability of the data, decides which class of protection is appropriate.
Keybags are used to manage the keys for file and Keychain Data Protection. Apple defines a keybag as “a data structure used to store a collection of class keys” (2018, pg. 80). iOS utilizes 5 different types of keybags: user, device, backup, escrow, and iCloud Backup. The User and Device keybags are exactly as their names describe. The User keybag stores the class keys for ordinary use of the device, while the Device keybag contains the class keys for device-specific information. If the device is set up for shared mode, however, the iOS device uses the class keys from the device keybag rather than the user keybag. A Backup keybag is created with a new set of keys when iTunes backs up a device, and it is secured with the iTunes backup password. The backup file is encrypted and the data re-encrypted under this new keybag. The data can only be restored to the original device. Keychain items can move to a new device only if the backup was protected with a backup password. When a user initiates a backup through iTunes, an Escrow keybag is used. This keybag permits backup of the data without requiring the user to enter their passcode. Once connected to iTunes, the escrow keybag is created with the same class keys used on the device, but protected by a freshly created key, distinct from the backup keybag’s keys. The data is then placed under the Protected Until First User Authentication class. Lastly, the iCloud Backup keybag resembles the Backup keybag in structure. These backups can be done in the background, except for No Protection class data, which is simply sent to iCloud.
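The following Python model (added here; not Apple's or the paper's code) ties together the UID, passcode, Data Protection classes and keybag described in the preceding paragraphs: it shows which classes stay readable when the device is locked, before the first unlock after a reboot, and when unlocked; that a wrong passcode unwraps nothing; and that a copied keybag cannot be opened with the right passcode on hardware with a different UID. The derivation and wrapping primitives, the passcode and all key values are constructed assumptions.

```python
"""Model of the Data Protection key hierarchy described above: UID, passcode
key, class keys held in a keybag, and per-file keys wrapped with a class key.
Added example, not Apple's or the paper's code. PBKDF2 plus an HMAC tangle
stands in for Apple's UID-entangled passcode derivation and an HMAC-checked
XOR pad for AES key wrapping (assumptions so it needs only the standard
library). The asymmetric Protected Unless Open class is omitted.
"""
import hashlib
import hmac
import os
from enum import Enum
from typing import Optional

class ProtectionClass(Enum):
    COMPLETE = b"NSFileProtectionComplete"
    UNTIL_FIRST_AUTH = b"NSFileProtectionCompleteUntilFirstUserAuthentication"
    NONE = b"NSFileProtectionNone"

def passcode_key(passcode: str, salt: bytes, uid: bytes) -> bytes:
    # Stretch the passcode, then tangle it with the per-device UID so the
    # derivation can only be reproduced on the device that owns that UID.
    stretched = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 20_000)
    return hmac.new(uid, stretched, hashlib.sha256).digest()

def wrap(kek: bytes, label: bytes, key: bytes) -> bytes:
    pad = hashlib.sha256(b"wrap" + kek + label).digest()
    ct = bytes(a ^ b for a, b in zip(pad, key))
    return ct + hmac.new(kek, label + ct, hashlib.sha256).digest()[:16]

def unwrap(kek: bytes, label: bytes, blob: bytes) -> Optional[bytes]:
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(kek, label + ct, hashlib.sha256).digest()[:16], tag):
        return None  # wrong wrapping key: refuse rather than return garbage
    pad = hashlib.sha256(b"wrap" + kek + label).digest()
    return bytes(a ^ b for a, b in zip(pad, ct))

class Keybag:
    """User keybag: class keys stored wrapped; plaintext copies live only in memory."""
    def __init__(self, passcode: str, uid: bytes):
        self.uid, self.salt, self.wrapped = uid, os.urandom(16), {}
        pk = passcode_key(passcode, self.salt, uid)
        for cls in ProtectionClass:
            # No Protection is wrapped with the UID alone and is usable from
            # boot; the other classes are wrapped with the passcode key.
            kek = uid if cls is ProtectionClass.NONE else pk
            self.wrapped[cls] = wrap(kek, cls.value, os.urandom(32))
        self.reboot()

    def reboot(self) -> None:
        # After a reboot only the UID-wrapped No Protection key is available.
        nc = ProtectionClass.NONE
        self.unwrapped = {nc: unwrap(self.uid, nc.value, self.wrapped[nc])}

    def unlock(self, passcode: str) -> bool:
        pk = passcode_key(passcode, self.salt, self.uid)
        keys = {c: unwrap(pk, c.value, self.wrapped[c])
                for c in (ProtectionClass.COMPLETE, ProtectionClass.UNTIL_FIRST_AUTH)}
        if any(k is None for k in keys.values()):
            return False
        self.unwrapped.update(keys)
        return True

    def lock(self) -> None:
        # Locking discards only the Complete Protection key; the
        # until-first-authentication key stays in memory until reboot.
        self.unwrapped.pop(ProtectionClass.COMPLETE, None)

class ProtectedFile:
    def __init__(self, cls: ProtectionClass, keybag: Keybag):
        self.cls = cls
        # Per-file key, wrapped with the class key that was available at creation.
        self.wrapped_key = wrap(keybag.unwrapped[cls], b"file", os.urandom(32))

    def file_key(self, keybag: Keybag) -> Optional[bytes]:
        """The file key, or None when its class key is unavailable in this state."""
        class_key = keybag.unwrapped.get(self.cls)
        return None if class_key is None else unwrap(class_key, b"file", self.wrapped_key)

UID = os.urandom(32)  # constructed stand-in for the key fused into the processor

def access_matrix(passcode: str = "481516") -> dict:
    """Which classes are readable in each device state (True = readable)."""
    kb = Keybag(passcode, UID)
    kb.unlock(passcode)
    files = {c: ProtectedFile(c, kb) for c in ProtectionClass}
    state = lambda: {c.name: files[c].file_key(kb) is not None for c in ProtectionClass}
    result = {}
    kb.lock()
    result["locked"] = state()
    kb.reboot()
    result["before_first_unlock"] = state()
    result["wrong_passcode_accepted"] = kb.unlock("000000")
    kb.unlock(passcode)
    result["unlocked"] = state()
    return result

def opens_on_other_hardware(passcode: str = "481516") -> bool:
    """Correct passcode, but the keybag was copied to a device with another UID."""
    kb = Keybag(passcode, UID)
    foreign = passcode_key(passcode, kb.salt, os.urandom(32))
    return unwrap(foreign, ProtectionClass.COMPLETE.value, kb.wrapped[ProtectionClass.COMPLETE]) is not None
```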
Security certifications and programs remain a large part of Apple’s continuing duty to its users’ data safety. Apple has received Information Security Management System certifications, ISO 27001 and ISO 27018, covering many of the features offered on iOS devices. Compliance was awarded by the British Standards Institution, and the certificates can be viewed on the BSI website. iOS 9 helped Apple achieve certifications under the Common Criteria Certification program for several protection profiles, such as the Mobile Device Fundamentals Protection Profile, the VPN IPsec Client Protection Profile, and the Extended Package for Mobile Device Management Agents, to name a few. On top of these certifications, Apple has sustained compliance with the U.S. Federal Information Processing Standards (FIPS) for the cryptographic modules in iOS since the release of iOS 6. Apple must be revalidated for each new iOS release. FIPS validation confirms that the iOS version properly implements the cryptographic services and approved algorithms used by Apple’s own apps and third-party apps alike. The 2018 iOS Security Whitepaper states that “Apple continues to evaluate and pursue certifications against new and updated versions of the cPPs available today” (pg. 22).
Several attacks have penetrated iOS security features, including malware, spyware, worms, and botnets. La Polla et al have defined malware as “any kind of hostile, intrusive or annoying software or program code designed to use a device without the owner’s consent” (2013, pg. 448). Jay reported that “no matter how much Apple invests on the security of its devices, hackers may get past rare vulnerabilities and impact thousands of users and their sensitive details at the same time” (2017). When the first iPhone was placed into circulation in June 2007, it had no 3G and no App Store, only the in-house applications preloaded onto the device. In 2009, the first malware, the “Rickrolls” worm, surfaced. This worm is more commonly known as the Ikee worm since the author of the code is referred to as “ikex”. It was seen more as a prank than anything truly malicious, but according to F-Secure Labs, “it is possible for another hacker to use code from this variant and adapt it to carry a more sinister payload” (2009). The Ikee worm only affected iPhones that were ‘jailbroken’, which, as defined by Jonathan Vanian, “generally refers to an iPhone or iPad that has been modified without approval by Apple, so the user can install software and apps that aren’t available on the Apple App Store” (2016). F-Secure Labs reported that “once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable. If found, the worm installs itself on the new device” (2009). An infected iOS device has its wallpaper changed to a picture of Rick Astley with a message stating: “ikee is never gonna give you up” (Oliver, 2009).
Next, in 2012, the first iOS malware distributed through the App Store was suspected and then confirmed in the Find & Call app. This app was available on both Google Play and the Apple App Store. Kaspersky Lab was contracted to investigate and found that the app was secretly collecting data from the users’ contact lists and uploading it to the developer’s server. From there, advertising spam was sent to the users’ contacts by text message, using the user’s phone number as the sender. Pereira wrote “after researching the situation, they discovered that it was a Trojan Horse that was uploading the users’ phonebook to a remote server” (2012). The Find & Call app was quickly removed from the Apple App Store once confirmation was received from Kaspersky Lab.
Three years later, in 2015, the first notable attack on Apple occurred. Claud Xiao described XcodeGhost as “a new iOS malware arising from a malicious version of Xcode, which is Apple’s official tool for developing iOS and OS applications” (2016). “The malicious code was repackaged into some versions of Xcode installers” continued Xiao (2015a). The modified code originated in China, where the malicious Xcode was uploaded to the file sharing cloud service Baidu. From there, the tampered installer was used by Chinese developers to create or update their apps for the Apple App Store. Network speeds can be painfully slow, causing developers to sometimes download the Xcode installer from other sources, including their colleagues. According to Palo Alto Networks’ investigation, all of the Xcode installers available for download through these Baidu links were found to be infected. The CoreServices file, which contains many of the fundamental system services, is the primary file that is infected, and once it is, the malicious code is added to any iOS app built with that copy of Xcode. Jay reported that “XCodeGhost infected over 4,000 apps on the App store, far greater than the 25 initially acknowledged by Apple” (2017). China was the primary location affected by XcodeGhost, but some of the apps were used worldwide. Palo Alto Networks originally believed that XcodeGhost was not harmful or significant, which is why it was able to pass through code review with ease (2015a), but this view was short-lived. In an update, Xiao stated that XcodeGhost was believed to be “very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem” (2015b). The malware transfers device and app data to its command and control server and can also phish for user credentials. Whenever an infected app is opened, XcodeGhost reads any stored data from the clipboard and can place new data there without the user’s awareness.
Xiao believes that “stealing passwords or potentially exploiting vulnerabilities in iOS and in legitimate applications may be the true purpose of XcodeGhost” (2015b). Apple removed all infected apps from the App Store and notified developers to rebuild their products and resubmit them for approval. Recommendations have been made to help prevent this type of malware from resurfacing. Gui et al reported that “the developers should check the developing tool carefully to avoid malicious modified tools. The administers of App Store should test the submitted applications seriously to prevent malware attacks before they emerge. The users should pay attention to the officially reported security even when a malware attack is happening and act immediately to avoid further loss” (2016).
AceDeceiver, discovered in 2016, was described by Xiao as a “new family of iOS malware that successfully infected non-jailbroken devices” (2016). This is concerning because this type of malware does not need an enterprise certificate in order to install onto the iOS device. AceDeceiver was designed to abuse a weakness in Apple’s digital rights management tool, FairPlay, that had already been used to install pirated iOS apps from a computer onto a device. Apple has known since 2013 that this was happening, and the technique is referred to as the “FairPlay Man-In-The-Middle” attack.
“In the FairPlay MITM attack, attackers purchase an app from App Store then intercept and save the authorization code. They then developed PC software that simulates the iTunes client behaviors, and tricks iOS devices to believe the app was purchased by victim. Therefore, the user can install apps they never actually paid for, and the creator of the software can install potentially malicious apps without the user’s knowledge” (Xiao, 2016).
The apps uploaded to the App Store were able to bypass code review seven times because the Trojan’s behavior was customized to the geographic area in which it ran. AceDeceiver was found to have impacted only users in mainland China. Palo Alto Networks discovered three apps infected by AceDeceiver and notified Apple, which removed them. “Even though Apple may have removed the bogus apps from the App Store, the authors claim that the corrupted Windows app is able to download fraudulent apps no longer hosted on the App Store” reported Jonathan Vanian (2016). This is true because, as Claud Xiao reports, “the FairPlay MITM attack only requires these apps to have been available in the App Store once. As long as an attacker could get a copy of authorization from Apple, the attack doesn’t require current App Store availability to spread those apps” (2016). Another vital piece of this attack is the computer the iOS device connects to: it must have been compromised with the malware. During the investigation, Palo Alto Networks identified the compromised software as Aisi Helper. Claud Xiao continued to explain that Aisi Helper is “a software program for Windows systems that claims to provide services for iOS devices such as system re-installation, jailbreaking, system backup, device management, system cleaning” (2016).
Not all hacks were created to be malicious and cause damage. Two, iSAM and Mactans, were created by ethical hackers, or “white hats”, who try to uncover potential vulnerabilities in iOS devices so they can be patched before they are exploited. iSAM was produced “to stealthily execute, six malware mechanisms, self-propagate wirelessly to other iPhone targets and finally connect back to the iSAM bot master server to update its programming logic or to obey commands and unleash a synchronized attack” as explained by Damopoulos et al (2011, pg. 18). iSAM needs the device to be jailbroken in order to acquire root permissions. If the iOS device is not already jailbroken, it can be jailbroken simply by sending a malicious PDF file that is executed when the user opens it. This PDF file already carries the iSAM code, which is installed along with the PDF. As previously mentioned, this malware has six mechanisms. iSAMScanner controls the subroutines that manage the malware’s propagation, iSAMUpdate handles communication with the botnet, and the attack actions are labeled iCollector, iSMSBomber, iDoSApp, and iDoSNet. Each subroutine is responsible for certain tasks: iSAMScanner constantly looks for jailbroken phones through a Secure Shell weakness; once one is detected, the subroutine connects to the device’s SSH server and downloads a package containing its command code. iSAMUpdate is in charge of the botnet and reconnects to the iSAM server to check whether an updated version is available for download. The final four subroutines do as their names describe: iCollector steals private information straight from the device, and iSMSBomber secretly sends large numbers of SMS messages to the device’s contact list and to random numbers generated by the malicious code. These messages contain a link to download the malware if the user clicks on it.
Damopoulos et al noted that “one of the main iOS applications is Springboard that manages the iOS home screen by displaying all icons of the available applications, starts the WindowServer and launches and bootstraps other applications” (2011, pg. 26). The iDoSApp subroutine stops an app from loading when the user touches its icon. This attack happens at random and does not last long. iDoSNet deliberately shuts down communication services by switching on Airplane mode at random times. Again, the time frame is kept short so as not to alert the user that anything is wrong with the iOS device.
Mactans was created to introduce malware into an iOS device through a compromised charger. Chung et al explained that this type of attack can “occur automatically without a user’s consent or knowledge” (pg. 3). Such attacks may be more common than research shows, especially as charging stations with chargers provided are becoming more popular in shopping malls and airports. An attacker only needs to swap the provided charger for a compromised one and wait. An unsuspecting victim plugs in their device to charge it, unknowingly installing the malware. The iOS device does not need to be jailbroken, but the attack does “require the phone to be unlocked at least once after being connected. While this requirement may seem to render Mactans impractical, we posit that users will regularly create this situation while charging their device”, as Chung et al noted (pg. 10).
The most recent iOS hack occurred near the end of 2016 with the malware Pegasus. Pegasus is classified as spyware, “a malicious application designed to retrieve specific information from an infected device without the victim’s knowledge” (Lookout, 2016, pg. 5). Pegasus was discovered when a well-known person from the United Arab Emirates received multiple messages from an unknown sender. Rather than click on the links, he had the messages analyzed by Citizen Lab researchers, who reached out to Lookout to help with the investigation. The Technical Analysis released by Lookout, Inc. stated, “Pegasus is professionally developed and highly advanced in its use of zero-day vulnerabilities, code obfuscation, and encryption. It uses sophisticated function hooking to subvert OS- and application-layer security in voice/audio calls and apps including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others” (2016, pg. 3). The Israeli group NSO is responsible for manufacturing and selling this product, for over $25,000 per target. The malware exploited three weaknesses in the iOS software, collectively called Trident, which allow the attacker to install the spyware onto the iOS device without the user’s knowledge. Trident consisted of a memory corruption in WebKit, a kernel information leak, and a kernel memory corruption that leads to a jailbreak. During the analysis of this malware, Lookout was able to determine that all iOS devices were at risk. The delivery of Pegasus is very similar to that of iSAM: a message is sent to the intended victim with a malicious link that, once clicked, initiates the download of the malware. Once Pegasus is inside iOS, it jailbreaks the device and begins to steal the user’s data. Lookout, Inc. published that “Pegasus takes advantage of both the remote jailbreak exploit and a technique called ‘hooking’” (2016, pg. 7).
“Hooking” is a way to bypass the iOS security controls that stop normal apps from eavesdropping on each other. The victim’s iOS device is under total observation by the attacker, including their location. The attacker can even turn on the camera and microphone at any time in order to listen and watch. The most interesting aspect of Pegasus is that “it has a highly sensitive self-destruct mechanism to ensure that the product is not discovered. When the software appears to be threatened, it will self-destruct, removing its persistence mechanism” as reported by the Lookout, Inc. Analysis Report (2016, pg. 19).
Not all hacks target the iOS software. Two companies exist solely to break into iOS hardware in order to access the data on it. Cellebrite and Grayshift are still young compared to other companies, but they have made quite a name for themselves. Each boasts about how it helps law enforcement and other security professionals break into even the latest iPhones and Android devices. Cellebrite has been around longer than Grayshift, launching in 2007, and according to the company website its “products support the entire investigative team – from forensic examiners and analysts in the lab to investigators and first responders in the field, to the prosecutors building strong defensible cases, and agency management optimizing investigative resources” (2018). While all of this sounds remarkable, Cellebrite will obviously not share its secrets with Apple. What is known is that Cellebrite has the capability to break into Apple and Android products. It is rumored, but not confirmed, that Cellebrite was the company that assisted FBI agents in unlocking an iPhone in 2016 when Apple would not. Cellebrite was itself a victim of hacking, and information about how some of its products work was released. Malcolm Owen published that “along with brand-specific exploits, the iOS-related code allegedly used scripts originally used to jailbreak iPhones, as well as firmware altered to break security on older devices” (2018). It is also thought that the company may have located a vulnerability in the iPhone’s Secure Enclave, which, as described earlier, controls security features of the device itself. According to Owen, “the report suggests that the unlocking process can be relatively inexpensive, priced as low as $1,500 per device” (2018). Grayshift, on the other hand, is just over two years old, having launched in 2016.
Grayshift stays cryptic and low-key, but its product is becoming popular with law enforcement across the country. The company website shares the bare minimum, listing only a P.O. Box as its address. Yet when the company displayed its device at a forensics conference, its booth was surrounded by attendees, with a security guard present. According to Robert McMillan of the Wall Street Journal, this small box, called GrayKey and designed to work only on Apple devices, sells for $15,000 to law enforcement or other authorized users. McMillan described it in operation: the owner “plugged an iPhone X into the GrayKey’s Lightning cable, clicked a handful of options on a management screen and the device went to work” (2018). GrayKey works entirely through the Lightning port, the one physical data path into a locked phone, and that path is what Apple's newest security change targets: once the device has been locked for an hour, the port stops carrying data and will only charge. That change will not prevent GrayKey from being used, but it limits the window during which a seized phone can be connected and attacked.
With each new hack or exploit of iOS, Apple has been quick to fix the problem, releasing an iOS update whenever a vulnerability is disclosed. Since iOS 11.0 was released on September 19th, 2017, there have been fifteen updates or patches, the most recent being 11.4.1 on July 9th, 2018. That version fixed bugs in several components, including Bluetooth, FontParser, CoreGraphics, Contacts, Mail, and other security features. Apple has also responded to exploitation by launching a bug bounty program in September 2016. According to Kate Conger, “Apple’s head of security engineering and architecture, Ivan Krstic, announced to Black Hat attendees that Apple will begin offering cash bounties of up to $200,000 to researchers who discover vulnerabilities in its products” (2016). Apple had not been open to such programs in the past, but the hope is that it helps close security gaps that would otherwise be overlooked. Conger also reported that “Apple says that discovering vulnerabilities is becoming more difficult for in-house testers and external researchers alike, so it’s time to start offering more incentives for bug reports” (2016). Unfortunately, researchers who find these vulnerabilities can often get higher payouts from governments or exploit brokers, so Apple's reward amounts may not be competitive. The program is invitation-only, open to researchers who have already made beneficial discoveries, although Apple has said it will admit new researchers who can demonstrate their abilities. Apple lists five categories of weakness in iOS, each with a corresponding payout. More specific examples of how Apple has responded to these attacks were discussed in earlier sections.
As for GrayKey and Cellebrite, Apple will continue to enhance its security features, as it has done each time a new vulnerability has surfaced, to keep both the iOS software and the device itself from being broken into. At the forensics conference, Mr. Miles, the owner of Grayshift LLC, announced that “Grayshift plans to deliver new iPhone-cracking methods to GrayKey users via software updates”, as reported by Robert McMillan (2018). Apple is likely to remain a step behind these devices, because finding new methods and flaws is these companies' entire business.
With Apple's increased security around iOS, particularly the restriction of the Lightning port that keeps law enforcement from accessing locked iPhones, its relations with federal agencies have become more strained. Before this, law enforcement and Apple had maintained a civil relationship when working on cases that required retrieving data from iOS devices. Matthias Schulze describes the turning point:
“In early 2016, the Federal Bureau of Investigation (FBI) issued a court order to compel Apple to unlock an encrypted iPhone 5C that was used by the San Bernardino attacker in December 2015. The FBI wanted Apple to rewrite its iOS software, to disable encryption security features that would allow the enforcement agency to guess the correct passcodes in a trial and error fashion” (2017, pg. 54).
Apple refused, even after the FBI obtained a court order under the All Writs Act of 1789 demanding that it comply. John Potapchuk of Boston College Law School notes that in February 2016 a U.S. District Court in New York, ruling in a separate case brought under the same statute, agreed with Apple that it could not be compelled to break into an iPhone (2016). The FBI fully intended to litigate the San Bernardino case to force Apple's assistance, but then received help from an outside source and dropped the matter. Apple has been increasing the security features of iOS to the point where it cannot provide this kind of assistance to law enforcement or government agencies even if it wanted to. Matthias Schulze sees this as a continuation of “the so-called crypto-wars, defined as technological debates whether the government should have access to encrypted communication” (2017, pg.54). Apple's position was that the government was abusing its power and that complying would set a dangerous precedent (Gamet, 2018). Apple's refusal to help break into the iPhone has hindered law enforcement's ability to reach stored information. This has been called “going dark”: the growing gap between the government's legal authority to conduct criminal investigations and its practical ability to use that authority in light of technological developments (Potapchuk, 2016). Governments are now asking Congress to change legislation so that intelligence and federal agencies can get at encrypted information more easily; until that happens, such information will be harder to acquire, and Cellebrite and Grayshift remain law enforcement's best chance of recovering data from iPhones.
The previous sections discussed several types of malware and the security advancements implemented to counter them. iOS provides both system security and data security mechanisms. The system security mechanisms include the secure boot chain, which starts in the Boot ROM at power-on and ensures that each stage of the boot process hands control only to code signed by Apple; System Software Authorization, which prevents a device from being downgraded to an older, vulnerable iOS version; the Secure Enclave, a separate coprocessor that holds the cryptographic keys used for data protection; and Touch ID and Face ID, which use stored biometric data to let the user unlock the device without typing the passcode each time. Not all of these features have been present since iOS launched in 2007; several were introduced in response to hacks that succeeded. iOS has also taken steps to protect data at rest through encryption, with per-file keys protected by a key derived from the user's passcode and the device's unique hardware key. Together these tools keep user data from unauthorized parties trying to access the device, whether remotely or physically.
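The secure boot chain and the anti-downgrade check, as an added illustration of the mechanism the paragraph above summarises; this is not Apple's code. Assumptions: the stage names (LLB, iBoot, kernel) are the real ones but the images are constructed byte strings; HMAC-SHA256 under a root key "burned into" the Boot ROM stands in for Apple's public-key signature verification (in hardware the Boot ROM holds only a public key, so it can verify but not sign); and a per-stage minimum-version floor stands in for the server-side personalization that System Software Authorization actually uses to refuse old images.

```python
"""Secure boot chain with signature checks at each stage and a rollback floor.

Added example. ROOT_KEY, the stage images and FLOORS are hypothetical.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace

ROOT_KEY = b"apple-root-key-stand-in"      # assumption: symmetric stand-in for Apple's root public key
STAGES = ("LLB", "iBoot", "kernel")        # Boot ROM verifies LLB, LLB verifies iBoot, iBoot verifies the kernel
FLOORS = {"LLB": 11, "iBoot": 11, "kernel": 11}   # oldest version still allowed to run (assumption)


@dataclass(frozen=True)
class Stage:
    name: str
    version: int
    image: bytes
    signature: bytes


def _signed_message(name: str, version: int, image: bytes) -> bytes:
    # The signature covers the stage name and version as well as the image hash,
    # so a valid image cannot be re-labelled as a different stage or version.
    return name.encode() + version.to_bytes(4, "big") + hashlib.sha256(image).digest()


def sign_stage(name: str, version: int, image: bytes, key: bytes = ROOT_KEY) -> Stage:
    tag = hmac.new(key, _signed_message(name, version, image), hashlib.sha256).digest()
    return Stage(name, version, image, tag)


def verify_stage(stage: Stage, key: bytes = ROOT_KEY) -> bool:
    expected = hmac.new(key, _signed_message(stage.name, stage.version, stage.image),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, stage.signature)


def boot(chain, floors: dict) -> tuple:
    """Walk the chain in order; the first failed check halts the boot (recovery mode)."""
    if tuple(s.name for s in chain) != STAGES:
        return False, "unexpected boot stage order, halting"
    for stage in chain:
        if not verify_stage(stage):
            return False, f"{stage.name}: signature invalid, entering recovery mode"
        floor = floors.get(stage.name, 0)
        if stage.version < floor:
            return False, f"{stage.name}: version {stage.version} below floor {floor}, downgrade refused"
    return True, "kernel running"


def build_chain(versions: dict) -> list:
    """Legitimately signed chain; the images are constructed placeholders."""
    return [sign_stage(n, versions[n], f"{n}-image-v{versions[n]}".encode()) for n in STAGES]


def demo() -> dict:
    good = build_chain({"LLB": 11, "iBoot": 11, "kernel": 11})
    # Kernel bytes modified after signing: hash no longer matches the signature.
    tampered = good[:2] + [replace(good[2], image=b"kernel-image-v11+rootkit")]
    # Attacker signs their own kernel with a key the Boot ROM does not trust.
    resigned = good[:2] + [sign_stage("kernel", 11, b"attacker-kernel", key=b"attacker-key")]
    # Genuine, correctly signed but older iBoot: valid signature, refused by the floor.
    downgraded = build_chain({"LLB": 11, "iBoot": 10, "kernel": 11})
    return {
        "good": boot(good, FLOORS),
        "tampered": boot(tampered, FLOORS),
        "resigned": boot(resigned, FLOORS),
        "downgraded": boot(downgraded, FLOORS),
    }
```

The downgrade case is the one worth noting: the old iBoot image is genuine and its signature verifies, so a signature check alone would accept it. Only the version floor (in practice, Apple's refusal to personalize old images for the device) blocks the attacker from rolling the device back to a version with known bugs.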
Malware for iOS has evolved over the past decade, from a harmless prank, the Ikee worm, to sophisticated spyware that can control the device completely without the user's awareness, Pegasus. It has also learned when to self-destruct if it is at risk of being detected. Although many of these attacks mainly affected users in China, they remained a concern for all iOS users. With each discovered malware, Apple responded with patches and upgrades for the vulnerabilities found in iOS. Although Apple is quick to fix software exploits, it has not yet been able to counter the physical extraction devices that have become more popular in recent years. Grayshift LLC and Cellebrite have been able to get into iPhones and recover data without triggering the Erase Data safeguard Apple offers its users, although these devices come at a price.
Because of Apple's security patches and stronger encryption, the federal government and intelligence agencies have rekindled the ongoing “crypto-wars”. Apple's refusal to help the FBI break into an iPhone led to a plea to legislators to change current law, on the argument that preventing law enforcement from investigating and collecting evidence carries a higher cost than the user's right to privacy.
As much as Apple has a duty to protect its users' personal information, users have an equal responsibility to protect themselves. There are several ways users can protect their data. First and most important, keep iOS updated with the latest version released by Apple; an up-to-date device is protected against every vulnerability Apple has already patched. Keep the device locked with a passcode and the “Erase Data” setting enabled. As previously stated, the longer the passcode, the stronger the protection, and a six-digit or alphanumeric code is far stronger than four digits. With “Erase Data” enabled, the device erases its data after 10 unsuccessful passcode attempts, so a brute-force attack cannot simply try every combination. Avoid clicking on unknown URLs or opening unexpected PDF files, especially when the sender cannot be verified: malware can be delivered through infected websites and PDF files and can compromise the device without the user's knowledge. Veracode also suggests that users “regularly delete the keyboard cache that iOS devices store for text autocorrect. Keystrokes can be stored for up to 12 months if they are not regularly cleared” (DuPaul). Furthermore, do not jailbreak the device. Most iOS malware spreads among jailbroken iPhones precisely because jailbreaking removes the protections Apple built into iOS (code signing and the app sandbox). The same recommendations apply to organizations.
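The passcode advice above, worked through as an added example (not Apple's code): a model of the lock screen's escalating delays and the Erase Data option, run against an exhaustive brute force on a virtual clock. Assumptions: the delay schedule (none for the first four failures, then 1, 5, 15, 15 minutes, then an hour per failure) and the roughly 80 ms cost of each guess are taken from Apple's published iOS security guide but are treated here as parameters; the passcodes and alphabets are constructed; nothing sleeps, the clock is simply added up.

```python
"""Passcode lockout model: escalating delays, Erase Data, and brute-force cost.

Added example. The schedule and per-guess cost are assumptions, not measured.
"""
import itertools
import string

KEY_DERIVATION_SECONDS = 0.08                      # per guess, enforced in hardware (assumption)
DELAY_AFTER_FAILURE = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}   # seconds, by cumulative failures (assumption)
ERASE_AFTER_FAILURES = 10                          # the "Erase Data" threshold


def delay_for(failures: int) -> float:
    """Lockout imposed after the given cumulative number of failed guesses."""
    if failures < 5:
        return 0.0
    return DELAY_AFTER_FAILURE.get(failures, 3600.0)   # 9 or more: an hour each


class PasscodeGuard:
    """The part of the lock screen an online brute force has to get through."""

    def __init__(self, passcode: str, erase_data: bool):
        self._passcode = passcode
        self.erase_data = erase_data
        self.failures = 0
        self.erased = False
        self.clock = 0.0            # virtual seconds the attacker has spent

    def attempt(self, guess: str) -> str:
        if self.erased:
            return "erased"
        self.clock += KEY_DERIVATION_SECONDS
        if guess == self._passcode:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.erase_data and self.failures >= ERASE_AFTER_FAILURES:
            self.erased = True      # keys destroyed; further guesses are pointless
            return "erased"
        self.clock += delay_for(self.failures)
        return "wrong"


def keyspace(length: int, alphabet: str) -> int:
    return len(alphabet) ** length


def brute_force(guard: PasscodeGuard, length: int, alphabet: str) -> tuple:
    """Try every code in order; return (outcome, guesses_made, virtual_seconds)."""
    guesses = 0
    for combo in itertools.product(alphabet, repeat=length):
        result = guard.attempt("".join(combo))
        guesses += 1
        if result in ("ok", "erased"):
            return result, guesses, guard.clock
    return "exhausted", guesses, guard.clock


def worst_case_seconds(n: int) -> float:
    """Closed form for trying all n codes with Erase Data off (last guess succeeds)."""
    total = n * KEY_DERIVATION_SECONDS
    failures = n - 1                # a delay follows every failure, not the final success
    for f in range(1, min(failures, 9) + 1):
        total += delay_for(f)
    if failures > 9:
        total += 3600.0 * (failures - 9)
    return total


def demo() -> dict:
    # Constructed passcodes, chosen so exhaustive search reaches them last.
    with_erase = brute_force(PasscodeGuard("9999", erase_data=True), 4, string.digits)
    without_erase = brute_force(PasscodeGuard("9999", erase_data=False), 4, string.digits)
    return {
        "4 digits, Erase Data on": with_erase,
        "4 digits, Erase Data off": without_erase,
        "6 digits, Erase Data off, worst case years": worst_case_seconds(keyspace(6, string.digits)) / (365 * 86400),
    }
```

With Erase Data on, the attacker gets ten guesses and then the keys are gone; with it off, the hour-per-failure schedule alone pushes an exhaustive four-digit search past a month and a six-digit one past a century, which is the quantitative reason behind "longer passcode, stronger protection". Neither number says anything about devices such as GrayKey, which are built to get around this counter rather than to obey it.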
Apple's iOS is renowned for its security, and the reputation is earned. From the original iPhone with almost no security features, to the latest iPhone X with strong encryption and biometric authentication, Apple has stayed ahead in mobile security. Although several attacks have penetrated iOS, such as XcodeGhost and Pegasus, Apple's rapid responses and updates show that users' confidential data is a top priority. When a vulnerability is discovered and reported to Apple, whether through the bug bounty program created to surface such problems or through malicious activity in the wild, an update patching it typically follows within days or weeks. That Apple has released fifteen security updates since iOS 11 supports this claim.
The malware discussed here is evidence that its authors are becoming smarter and more malicious. Some malware is merely an annoyance; other malware has proven particularly dangerous. The Ikee worm was not intended to be malicious, but it showed what could happen in the future. That path led to the Pegasus spyware, a prime example of how malicious malware can be: it can take control of the device while running unnoticed in the background, and it can be installed through a single tap on a malicious link or PDF.
Law enforcement and Apple had long kept a civil relationship whenever assistance was needed on specific cases. But as Apple increased its security features, its working relationship with the federal government became tense. A “falling out” occurred, and the federal government attempted to force Apple's hand through the courts. It did not get what it wanted that way, and ended up paying a third party to break into the device and retrieve the information. Bypassing Apple's security through such third parties has since become common among law enforcement agencies across the country, and the “cat and mouse game” between these parties, each trying to stay ahead of the other, will continue.
Following Apple's recommendations, not jailbreaking the device, and exercising common sense will lower the probability of malware infection. Unfortunately, not every iOS device owner will follow these recommendations, which keeps the cycle of malware infection, security upgrades, and stolen data turning.
- Lemos, R. (2011). Apple iOS: Why it’s the most secure OS, period. InfoWorld.
-  Damopoulos D., Kambourakis G., Gritzalis S. (2011) iSAM: An iPhone Stealth Airborne Malware. In: Camenisch J., Fischer-Hübner S., Murayama Y., Portmann A., Rieder C. (eds) Future Challenges in Security and Privacy for Academia and Industry. SEC 2011. IFIP Advances in Information and Communication Technology, vol 354. Springer, Berlin, Heidelberg
- Chung P., Jang Y., Lau B., Song C., & Wang T. (n.d.) Mactans: Injecting malware into iOS devices via malicious chargers [White paper]
- Ritchie R. (2016) Apple has patched the Pegasus malware, but here’s what you need to know. iMore
- Apple. (2018). iOS security: iOS 11 [White paper]
- Jay, J. (2017). iOS and security: timeline of Apple’s iPhone security evolution. TEISS.
- La Polla, M., Martinelli, F., & Sgandurra, D. (2013) A Survey on Security for Mobile Devices. IEEE Communications Surveys & Tutorials, 15(1), 446-471
- F-Secure Corporation. (2009). Worm:iPhoneOS/Ikee.
- Vanian J. (2016) This Nasty New Malware Can Infect Your Apple iPhone or iPad. Fortune.
- Oliver, S. (2009). First-known iPhone worm ‘Rickrolls’ jailbroken Apple handsets.
- Pereira, A. (2012). First iOS malware hits App Store via the Find & Call app, promptly pulled down. Firstpost.
- Xiao, C. (2016). AceDeceiver: First iOS Trojan Exploiting Apple DRM Design Flaws to Infect Any iOS Device. Palo Alto Networks Blog.
- Xiao, C. (2015a). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Palo Alto Networks Blog.
- Xiao, C. (2015b). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Palo Alto Networks Blog.
- Gui, X., Liu, J., Chi, M., Li, C., & Lei, Z. (2016). Analysis of Malware Application Based on Massive Network Traffic. China Communications, 13(8), 209-221. doi:10.1109/CC.2016.7563724
- Lookout. (2016) Technical analysis of Pegasus spyware: An investigation into highly sophisticated espionage software [White Paper]
- Cellebrite. (2018) Digital intelligence for a safer world.
- Owen, M. (2018). Cellebrite advertises its ability to unlock devices running iOS 11, including the iPhone X, to government agencies. Apple Insider.
- McMillan, R. (2018, June 15). Meet Apple’s Security Headache: The GrayKey, a Startup’s iPhone-Hacking Box. The Wall Street Journal.
- Conger, K. (2016). Apple announces long-awaited bug bounty program. TechCrunch.
- Schulze, M. (2017). Clipper Meets Apple vs. FBI – a comparison of the cryptography discourses from 1993 and 2016. Media and Communication, 5(1), 54-62. doi:10.17645/mac.v5i1.805
- Potapchuk, J. L. (2016). A Second Bite at the Apple: Federal Courts’ Authority to Compel Technical Assistance to Government Agents in Accessing Encrypted Smartphone Data under the All Writs Act. Boston College Law Review, 57(4), 1403-1446
- Gamet, J. (2018). Apple is Making iPhone Hacking a Lot More Difficult for Law Enforcement with iOS 11.4. The Mac Observer.
- DuPaul, N. (n.d.). iOS Security Guide: Data Protection Tips. Veracode.