- The researcher has discovered four vulnerabilities in iOS releases
- Apple fixed one of the issues, with the other three still unpatched
- Apple has not disclosed information about any of the issues on their security content pages
Between March and May 2021, a researcher reported four critical 0-day security vulnerabilities in Apple's iOS 14. It is claimed that even on the most recent versions of iOS 15, three of the issues are still present – with Apple not acknowledging the problems.
In a public post on the Habr IT blog, the researcher describes his experience taking part in the open Apple Security Bounty program. Four vulnerabilities were discovered: they affect a wide range of iOS data, allowing perpetrators to gain access to app, browsing, and even personal health data.
While some of the problems were fixed, the others still remain. Meanwhile, Apple has not made any public disclosure or comment.
What vulnerabilities are they?
These are the four 0-day vulnerabilities the researcher discovered on iOS releases:
This vulnerability potentially allows all preinstalled apps on iOS devices to access data without any user interaction. It includes:
- Apple ID email and full name associated with it
- Apple ID authentication token allowing access to at least one endpoint on *.apple.com on behalf of the user
- Complete file system read access to the Core Duet database (contains the Mail, SMS, iMessage and 3rd-party messaging app contact lists, metadata about all of the user's interactions with these contacts, as well as some attachments)
Previously, this vulnerability also allowed full read access to the Speed Dial database and the Address Book database, with contact pictures as well as creation and modification dates. That part has been fixed in iOS 15.
Nehelper Enumerate Installed Apps 0-day
One of the smaller issues, the Nehelper Enumerate Installed Apps 0-day vulnerability lets the perpetrator see the list of apps installed on a device.
Nehelper Wifi Info 0-day
This vulnerability affects a large number of apps that require location access. By tweaking one parameter, perpetrators can get access to the Wi-Fi information.
By far the biggest vulnerability on the list, it lets all installed apps access analytics logs on an iOS device, and see data such as:
- Medical information (heart rate, detected irregular heart activity events)
- Personal health information (menstrual cycle, age, whether the user is logging sexual activity and cervical mucus quality, etc.)
- Device usage information (push notification count, user activity with them, device pickups in different contexts)
- Screen time information (including session count for all applications)
- Device accessory info (including manufacturer, model, firmware information)
- General browsing info (application crash and Safari web page language info)
This information can be accessed even if the user has analytics data tracking turned off on their device. The vulnerability was patched in iOS 14.7. However, Apple has not disclosed this information on the security content page and did not make the vulnerability public.
The researcher states that Apple has apologized for this oversight, promising to include it in future releases. With three releases since then, it is stated that Apple is yet to disclose it.
No response from Apple
Apple was warned that this information was about to be made public. With his requests ignored by the company, the researcher followed the disclosure timelines used by other programs.
Google Project Zero discloses vulnerabilities 90 days after the report to the vendor, while the Zero Day Initiative does so after 120 days. In this case, the researcher claims to have waited for up to half a year.
We have also contacted Apple, and will update this article with new information as it transpires.