Security Week 25: Apple ID vulnerability

Last week researcher Laxman Muthiyah published details of an already closed vulnerability in Apple’s server infrastructure. Previously known for parsing similar account issues Instagram and Microsoft, Lakshman found a non-trivial way to get around the rather strict limits on the number of requests to Apple’s servers.

This loophole, in turn, allows you to hack any Apple ID account, provided that the attacker knows the phone and mail linked to it. A purely technical vulnerability would have remained so if Apple specialists had not mentioned the connection of the account recovery system with a password code to unlock the device during the discussion with the researcher. So there was an unexpected plot twist: Lakshman claims that the hole he discovered also allowed him to find out the access key to the iPhone or iPad. In his findings (not confirmed by Apple), he is so confident that he refused to pay under the bug bounty program.

The system for recovering access to Apple ID works like this: you must specify the email address and phone number associated with the account. After that, a one-time code will be sent to your phone and mail. Enter the codes, you get the opportunity to change the password. The codes are six-digit, for brute-force you need to go through a million options.

Naturally, Apple’s servers do not allow a straightforward brute-force attack: six unsuccessful attempts to enter – and the password reset procedure is blocked for several hours. But the researcher found loopholes. First, the servers of the reset system respond to six different IP-addresses, each with an individual limit of calls. Secondly, simultaneous requests from different IPs were allowed.

A real attack would look like this: from a very large number of IP addresses, within a short time, we send six requests to each of the six Apple servers. It would take ~ 28 thousand IP addresses to iterate over all variants of the one-time code. Difficult but doable. Along the way, Lakshman found out that the space of IP addresses of popular cloud services (AWS, Google Cloud), which allows organizing such a “botnet”, is also blocked on Apple’s side.

A difficult but realistic attack with dire consequences for the victim has been considered by Apple for several months. That would be the end of it, but after analyzing the draft of the study, company representatives asked Muthia to change the wording: they say, not all Apple ID and iCloud accounts were subject to the attack, but only those that were not associated with any Apple device protected by a password code , which is entered to unlock the device itself. This hint allowed the researcher to assume that the password-code was somehow involved in this story.

One more element of the system of emergency access to the accounting enters the scene: with the help of “ “Trusted device”“. This is an iPhone, iPad, iPod touch or Apple computer that you are already logged in to. If you are trying to reset access to your Apple ID from another device, you will be prompted for a passcode for that trusted device. But they, according to Apple, are stored only on the device? Yes, but Apple servers have a fairly reliable cryptographic algorithm that makes sure that the passcode is real without transmitting the passcode itself.According to Lakshman, the circumvention of rate limiting most likely extended to this process If this is the case, a successful attack would allow an attacker not only to gain access to the Apple ID, but also to find out the access code for the device.

On a phone with a jailbreak, the researcher was able to analyze the system for checking the code-password and the algorithm for communicating with the server, but completely failed to verify the guess. The vulnerability at this particular point was either already closed, or it did not exist at all. As a result, Lakshman turned down his proposed payment of $ 18,000 under the Apple Bug Bounty program. Argumentation: even for a universal vulnerability to iCloud, the vendor promised to pay $ 100 thousand, and for theft of data from a physical device, the reward is even greater – $ 250 thousand.

What else happened

Theoretical study shows how to use the project management system as a C&C server for a botnet.

An interesting attack on the supply chain: users of the Ledger crypto wallet (customer data was previously leaked on one of the underground forums) send out new devices, ostensibly to replace faulty ones. In fact, this is a flash drive with malware designed to steal a private key to access a cryptocurrency.

Another curious study describes breaking into Amazon Dash buttons. These discontinued devices were intended for quick ordering from an online store. Due to the termination of service, an update was sent to already purchased devices to turn them off. It was possible to bypass the need to register on Amazon servers using a non-trivial attack. In addition to WiFi connection, Amazon Dash can be configured “ultrasound”, much like a regular modem. The attack exploits a vulnerability found in 2016, and this is a nice hack: we take headphones, bring them to the device and play a WAV file.

Kaspersky Lab experts disassemble ransomware exploiting vulnerabilities in Microsoft Exchange Server.

Similar Posts

Leave a Reply