LAS VEGAS – Prolific Google bug hunter Ian Beer ripped into Apple on Wednesday, urging the iPhone maker to change its culture when it comes to iOS security. He said the company suffers from an all-too-common affliction of patching an iOS bug, but not fixing the systemic roots that contribute to the vulnerability.
Since 2016, the Project Zero team member said he has found over 30 iOS bugs. In his Black Hat session “A Brief History of Mitigation: The Path to EL1 in iOS 11” he reviewed the “async_wake” exploit for iOS 11.1.2 he released in December along with reviewing nearly a half dozen additional bugs he suggested Apple dragged its feet to fix.
Beer said he doesn’t blame individual security researchers. Instead, he saved his criticism toward organizations with security leads that have an academic background versus an exploit background.
“Undeniably these people have really strong engineering security skillsets. But, they don’t have an exploitation background… Their focus is on the design of the system and not on exploitation,” he said. “Please, we need to stop just spot-fixing bugs and learn from them, and act on that.”
Beer said each bug needs to be a lesson where a security lead needs to ask: “Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could of found it earlier? Who had access to this code and reviewed it and why, for whatever reason, didn’t they report it?”
And in a provocative call to Apple’s CEO Tim Cook, Beer directly challenged him to donate $2.5 million to Amnesty International – roughly the equivalence of bug bounty earnings for Beer’s 30-plus discovered iOS vulnerabilities.
“Two years ago on this stage Apple announced a bug bounty program… Apple said it welcomed people to join the program,” Beer said. Part of Apple’s pitch to the entire research community was that all bugs would be taken seriously and Apple would consider rewards to bounty hunters outside the program in an altruistic quest to secure the platform. Apple said in lieu of a bounty payments it would consider donating to a charity of the researcher’s choice.
Beer called on Cook to donate any bounty rewards Apple might be willing to share with Beer to Amnesty International.
Beers singled out the charity because of a recent attack against it. Earlier this month, Amnesty International released a report asserting it was targeted by a nation-state adversary who used the mobile cyberweapon known as Pegasus – sold by Israel-based company NSO Group. Beer noted that the messages sent by adversaries appeared to be iMessages.
In 2016, Citizen Lab and Lookout found that Pegasus was being used to take control of Apple devices using three zero-day iOS vulnerabilities, collectively called Trident. Amnesty reported both Android and iOS phones were targeted during its attacks.
Beer suggested that Apple needed to better lock down iOS because APT victims and alike are increasingly the users of iPhones. He cited another reported incident where backers of an anti-obesity tax on soda in Mexico were targets in an attack that singled out iPhone users with text messages that linked the Pegasus spyware.
“Targeted exploitation is more widespread than you think,” he said. He noted that Pegasus had moved from nation state attacks to what appeared to be attacks by a pro-sugary soft drink ring.
Beer called any security approach that uses bug fixes as a yardstick for safety flawed. He called it a “comfort blanket” that offered only an illusion of progress. The time of isolated security fixes is over, he said – and the goal is understanding root causes and mitigating against those.