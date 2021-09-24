



Pseudonymous researcher illusionofchaos joins a growing number of security researchers who are dissatisfied with Apple's slow response and inconsistent adherence to its own policies regarding security flaws.

Aurich Lawson | Getty Images

Yesterday, a security researcher going by the pseudonym illusionofchaos dropped three zero-day vulnerabilities in Apple's iOS mobile operating system. The disclosure is tied to the researcher's dissatisfaction with Apple's Security Bounty program, which, they say, chose to withhold credit for and hide a previously reported bug.

The researcher is not the first to publicly express dissatisfaction with Apple about its security bounty program.

illusionofchaos states that they reported four iOS security vulnerabilities this year: the three zero-days released yesterday and one bug they say Apple fixed in iOS 14.7. Their frustration appears to stem mainly from how Apple handled that first bug, a flaw in analyticsd.

This now-fixed vulnerability allowed any user-installed app to access, without the user's permission, the iOS analytics data found under Settings > Privacy > Analytics & Improvements > Analytics Data. illusionofchaos found this particularly egregious because that data includes medical data collected by the Apple Watch, such as heart rate and detections of irregular heart rhythm and atrial fibrillation.

The analytics data remained available to all applications even when the user had disabled the iOS Share Analytics setting.

According to illusionofchaos, they sent Apple the first detailed report of this bug on April 29. Apple responded the next day but did not contact illusionofchaos again until June 3, when it said it would address the issue in iOS 14.7. On July 19, Apple did fix the bug in iOS 14.7, but the iOS 14.7 security content list neither credited the researcher nor acknowledged the vulnerability.

Apple told illusionofchaos that the missing disclosure and credit were merely a "processing issue" and that proper acknowledgment would be given in "future updates." As of iOS 14.8 on September 13 and iOS 15.0 on September 20, neither the vulnerability nor its fix has been acknowledged.

Frustration with Apple's failure to keep its promise led illusionofchaos first to threaten, and then this week to carry out, the public release of three zero-days. In illusionofchaos's words: "Ten days ago I asked for an explanation and warned that I would publish my research if I did not receive one. My request was ignored, so I am doing what I said I would."

illusionofchaos gives no specific timeline for their reporting of the three zero-days or for Apple's responses to them, but according to illusionofchaos the new disclosures still comply with responsible-disclosure guidelines: "Google Project Zero discloses vulnerabilities 90 days after reporting them to the vendor; ZDI, in 120. I have waited much longer, up to half a year in one case."

New vulnerabilities: gamed, nehelper enumeration, nehelper Wi-Fi

All three zero-days illusionofchaos dropped yesterday can be used by user-installed apps to access data they should not have or are not permitted to access. They are listed below in order of severity; illusionofchaos's GitHub repositories contain proof-of-concept code for each.

The gamed zero-day exposes the Apple ID email address and full name, an exploitable Apple ID authentication token, and read access to the Core Duet and Speed Dial databases. The nehelper Wi-Fi zero-day exposes Wi-Fi information to apps that are not entitled to it. The nehelper enumeration zero-day reveals information about which apps are installed on an iOS device.

The gamed zero-day is clearly the most serious, since it can be used to expose personally identifiable information (PII) and in some cases to take actions on *.apple.com that are normally reserved for the operating system itself or for direct user interaction.

The gamed zero-day's read access to the Core Duet and Speed Dial databases is also particularly troubling. That access can be used to build a fairly complete picture of all interactions with the contacts on an iOS device: who was contacted (through both Apple and third-party applications), when, and in some cases which attachments accompanied individual messages.

The Wi-Fi zero-day is next on the list because unauthorized access to Wi-Fi information on an iOS device can be used to track the user and may reveal the credentials needed to join the user's Wi-Fi network. Tracking is usually the more serious concern, because the Wi-Fi credentials themselves are only useful to someone in physical proximity to the network.

One of the interesting things about the Wi-Fi zero-day is how simple both the flaw and its exploitation are: "The XPC endpoint com.apple.nehelper accepts the user-supplied parameter sdk-version, and if its value is less than or equal to 524288, the com.apple.developer.networking.wifi-info entitlement check is skipped." In other words, an app merely has to claim to be built with an older software development kit for the check that determines whether it is permitted that access to be skipped entirely.
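The following is an added illustration of the bug class the quote describes, an authorization check that a caller can switch off by choosing a parameter value, shown beside the corrected form in which the check is unconditional. It is not Apple's code and not illusionofchaos's proof of concept: the entitlement name and the 524288 threshold come from the article, while the handler structure, the Client model, the sample Wi-Fi data and the request values are constructed for the example.

```python
"""Model of a version-gated entitlement check and its hardened replacement.
Constructed example; only the entitlement name and threshold are from the article."""
from dataclasses import dataclass

WIFI_INFO_ENTITLEMENT = "com.apple.developer.networking.wifi-info"  # named in the article
LEGACY_SDK_THRESHOLD = 524288  # value quoted in the article

# Constructed sample response; the real nehelper output is not shown on the page.
SAMPLE_WIFI_INFO = {"ssid": "ConstructedNetwork", "bssid": "00:11:22:33:44:55"}


class EntitlementError(PermissionError):
    """Raised when a caller lacks the entitlement a request requires."""


@dataclass(frozen=True)
class Client:
    """Model of an XPC client. In the real system the entitlements come from the
    app's code signature and are verified by the OS; the request body, by contrast,
    is entirely under the calling app's control."""
    entitlements: frozenset


def vulnerable_wifi_info_handler(client: Client, request: dict) -> dict:
    """Flawed logic: the caller's own 'sdk-version' decides whether the check runs."""
    sdk_version = int(request.get("sdk-version", 0))
    if sdk_version > LEGACY_SDK_THRESHOLD:
        # Only callers that report a "new" SDK are checked, but the caller picks
        # the value, so any caller can opt out of the check entirely.
        if WIFI_INFO_ENTITLEMENT not in client.entitlements:
            raise EntitlementError(WIFI_INFO_ENTITLEMENT)
    return dict(SAMPLE_WIFI_INFO)


def hardened_wifi_info_handler(client: Client, request: dict) -> dict:
    """Corrected logic: the entitlement is verified for every caller. No field of
    the request body can disable it; 'sdk-version' could at most shape the response
    format, never the authorization decision."""
    if WIFI_INFO_ENTITLEMENT not in client.entitlements:
        raise EntitlementError(WIFI_INFO_ENTITLEMENT)
    return dict(SAMPLE_WIFI_INFO)


def can_read_wifi_info(handler, client: Client, request: dict) -> bool:
    """True if the handler hands Wi-Fi data to this client, False if it refuses."""
    try:
        handler(client, request)
        return True
    except EntitlementError:
        return False


def audit() -> dict:
    """Exercise both handlers with an unentitled app and an entitled one.
    The two request values are constructed: one at the threshold, one just above."""
    unentitled = Client(frozenset())
    entitled = Client(frozenset({WIFI_INFO_ENTITLEMENT}))
    legacy = {"sdk-version": LEGACY_SDK_THRESHOLD}
    modern = {"sdk-version": LEGACY_SDK_THRESHOLD + 1}
    return {
        "vulnerable/unentitled/legacy": can_read_wifi_info(vulnerable_wifi_info_handler, unentitled, legacy),
        "vulnerable/unentitled/modern": can_read_wifi_info(vulnerable_wifi_info_handler, unentitled, modern),
        "hardened/unentitled/legacy": can_read_wifi_info(hardened_wifi_info_handler, unentitled, legacy),
        "hardened/entitled/legacy": can_read_wifi_info(hardened_wifi_info_handler, entitled, legacy),
    }


if __name__ == "__main__":
    for case, granted in audit().items():
        print(f"{case}: {'data returned' if granted else 'denied'}")
```

The audit shows the shape of the defect: the vulnerable handler returns data to an unentitled app as soon as it reports the legacy value, while the hardened handler's outcome depends only on the OS-verified entitlement. The general rule the example encodes is that a caller-supplied field may select behaviour within what the caller is already authorized to do, but must never decide whether the authorization check happens at all.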

The nehelper enumeration zero-day appears to be the least damaging of the three. It only lets an app find out whether another app is installed on the device, by querying for that app's bundle ID. No particularly alarming use of this bug comes to mind on its own, but a hypothetical malware app could use it to determine whether a security or antivirus app is present and adapt its own behavior accordingly to better avoid detection.

Conclusion

Assuming illusionofchaos's disclosure timeline is accurate, they waited more than 30 days, and in one case 180 days, before publicly disclosing these vulnerabilities. We wish they had included a complete timeline of their interactions with Apple for all four vulnerabilities, not just the one that has already been fixed.

This frustration with Apple's security bounty policy is by no means limited to one pseudonymous researcher. Since Ars published an article earlier this month about Apple's slow and inconsistent responses to security bounties, several researchers have contacted us privately to express their own dissatisfaction. In some cases, they included video clips demonstrating exploits for bugs that have not yet been fixed.

We asked Apple for comment but had not received a response at press time. This story will be updated if Apple responds.

