Apple's iOS Contacts app claimed to be vulnerable to SQLite hack

Posted:
in General Discussion edited August 2019
Researchers at security conference Def Con 2019 demonstrated a method of exploiting regular database searches to produce malicious results, and used Apple's standard iOS Contacts app to prove it.

Apple's iOS Contacts is one of the many applications that uses SQLite
Apple's iOS Contacts is one of the many applications that uses SQLite


Security firm Check Point has demonstrated a vulnerability in the industry-standard SQLite database format which can be exploited. Speaking at Def Con 2019, the company showed the technique being used to manipulate Apple's iOS Contacts app. Searching the Contacts app under these circumstances can be enough to make the device run malicious code.

"SQLite is the most wide-spread database engine in the world," said the company in a statement. "It is available in every operating system, desktop and mobile phone. Windows 10, macOS, iOS, Chrome, Safari, Firefox and Android are popular users of SQLite."

"In short, we can gain control over anyone who queries our SQLite-controlled database," they continued.

When you search for a contact or look up information in any app, you are really searching a database and very commonly that will be using SQLite.

Documented in a 4,000-word report seen by AppleInsider, the company's hack involved replacing one part of Apple's Contacts app and it also relied on a known bug that has hasn't been fixed four years after it was discovered.

"Wait, what? How come a four-year-old bug has never been fixed?" write the researchers in their document. "This feature was only ever considered vulnerable in the context of a program that allows arbitrary SQL from an untrusted source and so it was mitigated accordingly. However, SQLite usage is so versatile that we can actually still trigger it in many scenarios."

In other words, the bug has been considered unimportant because it was believed it could only be triggered by an unknown application accessing the database, and in a closed system like iOS, there are no unknown apps. However, Check Point's researchers then managed to make a trusted app send the code to trigger this bug and exploit it.

They replaced a specific component of the Contacts app and found that while apps and any executable code has to have gone through Apple's startup checks, an SQLite database is not executable.

"Persistency [keeping the code on the device after a restart] is hard to achieve on iOS," they said, "as all executable files must be signed as part of Apple's Secure Boot. Luckily for us, SQLite databases are not signed."

Detail from the Check Point team's hack documentation
Detail from the Check Point team's hack documentation


They had to have access to the unlocked device to install this replacement for part of Contacts. After that, though, they were able to choose what they wanted to happen when the Contacts database was searched.

For the purpose of the demonstration, they just had the app crash. The researchers said that they could have crafted the app to steal passwords.

"We established that simply querying a database may not be as safe as you expect," they said. "We proved that memory corruption issues in SQLite can now be reliably exploited."

"Our research and methodology have all been responsibly disclosed to Apple," they concluded.

This is not the first time that a problem in an SQLite database has resulted in a bug, nor one that remained unfixed for years.
«1

Comments

  • Reply 1 of 25
    mobirdmobird Posts: 758member
    " And then, using a cheap pair of sunglasses and some tape..." ;)
    cornchip
  • Reply 2 of 25
    "They had to have access to the unlocked device to install this replacement for part of Contacts." Well, if they have your unlocked device everything on the device is accessible. No need to install the replacement part of Contacts.
    andrewj5790bb-15pscooter63hagarnetmagephilboogiejony0
  • Reply 3 of 25
    This is why MacOS needed a bug bounty program (which they now have).  

    Shocker.  Those little (unimportant) bugs are important...
    macseeker
  • Reply 4 of 25
    macplusplusmacplusplus Posts: 2,116member
    SQLite is not a full scale SQL RDBMS. As it name implies it is a small core offered to applications for their management of mundane data tasks, every developer is aware of that. If SQLite was threatening iOS security architecture Apple wouldn’t include it in iOS, remember how Flash has been made defunct by Apple. I bet that 4000 word report has a very short, say 40 to 400 word falsification from Apple engineers. “We exposed but they didn’t proceed” is not security nor engineering, it is marketing or sycophantism. “iOS security architecture is wrong, it must be implemented the way I have divinated after years long transcendental worshipping to ultimate singularity powers”. You wish... No one listens to you except click-freak media.
    edited August 2019
  • Reply 5 of 25
    Rayz2016Rayz2016 Posts: 6,957member
    To be honest, if I give a perfect stranger my unlocked phone and then watch while they jailbreak it so they hacK replace “components” of the  contacts app, then I’d be a lot more worried about my mental state than hacking my contacts list. 

    And why did they go to the trouble of replacing a ‘component of the Contacts’ app? Why couldn’t they just put an app on the store and give it permission to access the contacts? Is there something the contacts app is doing that isn’t available to third party developers?

    For the purposes of the demonstration they had the app crash. 
    Big whoop. 

    The researchers said they could have crafted the app to steal passwords.

    Pity you didn’t then, because that would’ve been a marginally more impressive demo. 

    If you put your passwords in your unencrypted contacts field then this hack is not your biggest problem. 

    Our research and methodology have been responsibly disclosed to Apple

    I’m sure they have, and having assessed the risk, Apple decided to make it a low priority. 

    edited August 2019 bb-15muthuk_vanalingamnetmagephilboogiejony0
  • Reply 6 of 25
    ivanhivanh Posts: 597member
    Field level security please. 
    Multiple database (Contacts) please. 
    Apple native apps like Contacts are legacy apps. That’s why changing hardware (so called “upgrade”) is meaningless.

    I keep a lot of contacts that I never call. So I put them in Outlook and don’t sync them to iCloud.
  • Reply 7 of 25
    Rayz2016Rayz2016 Posts: 6,957member
    Wait. Okay. I have a scenario. 

    I’m walking down the street, and someone with a MacBook preloaded with hacking and jailbreaking software, and a decent SQL edit tool; a pair of dark glasses with dots painted on them; a small chemistry lab (in case I have a phone with TouchID) and a Lighting cable, lifts my phone from my pocket without me noticing.

    Then he yells, “Hey you!”

    When I turn around, I realise I’m in for the most bizarre four and half hours of my entire life …

    cornchippscooter63hagarnetmageFileMakerFellerjony0
  • Reply 8 of 25
    wizard69wizard69 Posts: 13,377member
    mobird said:
    " And then, using a cheap pair of sunglasses and some tape..." ;)
    You are ready for the beach! 😂😂😂😂😂😂😂😂😂
    mobird
  • Reply 9 of 25
    Rayz2016Rayz2016 Posts: 6,957member
    This is why MacOS needed a bug bounty program (which they now have).  

    Shocker.  Those little (unimportant) bugs are important...
    Actually, this is probably why they didn’t bother for so long. 

    Now they have to sift through every ridiculous scenario before they hit the ones that represent a genuine risk. Why? Because folk are chasing the money. 

    I wouldn’t pay out for anything that cannot work on a locked phone.
    i would pay out for anything that can bypass FaceID or TouchID or a passcode of four alphanumeric  characters (repeatedly on the same phone!) in less than four hours. (And I’m being generous: I’d be surprised if an owner couldn’t get to a web browser and wipe the phone in less than two hours). 
    edited August 2019 macplusplusbb-15mobirdcornchipnetmage
  • Reply 10 of 25
    bb-15bb-15 Posts: 283member
    Rayz2016 said:
    To be honest, if I give a perfect stranger my unlocked phone and then watch while they jailbreak it so they hacK replace “components” of the  contacts app, then I’d be a lot more worried about my mental state than hacking my contacts list. 

    This.
    * If a thief has access to user’s unlocked phone, tablet or computer, all the user’s content on that device is vulnerable. 
    - That is the main risk here & it is far more serious than someone hacking just the Contacts app. 

    * With just a flash drive a lot of information can quickly be taken from an unlocked computer like every file, screen shots/copies of bookmarked sites, every photo, and everything which is not password protected like social media sites.
    - If financial sites are not individually password protected, there goes the user’s money.  
    edited August 2019
  • Reply 11 of 25
    SQLite is not a full scale SQL RDBMS. As it name implies it is a small core offered to applications for their management of mundane data tasks, every developer is aware of that. If SQLite was threatening iOS security architecture Apple wouldn’t include it in iOS, remember how Flash has been made defunct by Apple. I bet that 4000 word report has a very short, say 40 to 400 word falsification from Apple engineers. “We exposed but they didn’t proceed” is not security nor engineering, it is marketing or sycophantism. “iOS security architecture is wrong, it must be implemented the way I have divinated after years long transcendental worshipping to ultimate singularity powers”. You wish... No one listens to you except click-freak media.
    This, and other head-in-the-sand responses, completely misses the point. *Many* things use SQLite on the Mac as well as iOS. (Tons of other software from tons of other vendors, too.) A lot of people are going to have to spend a lot of time checking code or rebuilding with a fixed SQLite.

    This could be a significant issue on the Mac because apps are so much less siloed. We'll see.

    As for the ostriches who think this is no big deal because the phone has to be unlocked: Maybe so. But you don't have enough info yet, not by a long shot. Contacts itself is just the tip of the iceberg.
    larryjwprismatics
  • Reply 12 of 25
    9secondkox29secondkox2 Posts: 3,039member
    So... iOS is not vulnerable to this at all.

    Someone needs to have access to the device and the ability to install unapproved software - in other words, jailbroken.

    Use iOS as intended and voila! No problem - kind of the reason Apple operates the ecosystem the way they do. 

    Jailbreak and turn your phone into a better version of Android - and inherit its problems. 

    Title could be better written as "don't give strangers your password with permission to jailbreak your phone and install malicious software on it." That's literally what this is about. 
    cornchipbb-15pscooter63netmage
  • Reply 13 of 25
    So... iOS is not vulnerable to this at all.

    Someone needs to have access to the device and the ability to install unapproved software - in other words, jailbroken.
    That may be true. But also it may not. I would hope that AppleInsider would have specifically mentioned the requirement for a jailbreak, if it existed, rather than just the requirement that the device be unlocked.

    My guess is that you do NOT need to jailbreak, because they specifically talk about how Apps need to be signed, but the stuff that they're messing with does not.

    But that's just a guess. We just don't have enough info about this issue yet. And again, this doesn't help the Mac at all.
    gatorguy
  • Reply 14 of 25
    AppleZuluAppleZulu Posts: 2,143member
    The problem with this sort of story is that the devil is in the details, and nobody cares about the details, particularly those who would profit from not caring about the details. It would seem that, considering the details discussed here, this is a very, very low probability exploit that would be difficult to carry out, requiring that the hacker have full, unfettered access to the device before doing a “hack” to gain access to the device. So probably most people don’t need to worry about this.

    Meanwhile, “Forbes” now has an article -based entirely on this AppleInsider story- with a headline “Warning Issued for Apple’s 1.4 Billion iPad and iPhone Users.” The article then breathlessly relates that every device running iOS 8 through 13 is vulnerable. They then quote Tim Cook saying that there are 1.4 billion iOS devices out there, and stringing that into their premise in such a way that a careless reader will come away with the impression that Cook himself is confirming that every one of those devices is vulnerable and sure to be hacked. They mention nothing about a presumptive hacker first needing to borrow your unlocked device for a while so they can manually corrupt your contacts app. 

    Prepare for more breathless coverage this week, claiming Apple has left everyone vulnerable (and never mentioning the constant actual vulnerability of open OS devices like Android). Your best bet is to not worry about this “vulnerability” at all, but to wait a few days and buy some Apple stock after it drops. That’s likely what the folks at Forbes and other similar outlets will be doing, because that’s probably the reason they’ve published tripe like this. Click-bait gets a few advertising dollars, but scare mongering about Apple can create a nice stock price dip that will most assuredly go back up after people forget about this because nothing bad ever actually happened.  That’ll make them way more money than their click-bait webpage ads.

    Since AppleInsider is cited as the (misrepresented) source of this, it might behoove them to add an update at the top of this article, making it more clear what the actual risk to users really is, rather than leaving it to people to dig into the details to figure it out for themselves.
    bb-15pscooter63macplusplustokyojimuFileMakerFeller
  • Reply 15 of 25
    netmagenetmage Posts: 314member
    The replaced a component of the Contacts app... assuming that language is precise, an unlocked phone isn't sufficient. While some parts of the file system are accessible via USB, they are restricted to the data partition and there is no way to tamper with an App without jailbreak and afc2 or something comparable.
    AppleZulu
  • Reply 16 of 25
    AppleZuluAppleZulu Posts: 2,143member
    netmage said:
    The replaced a component of the Contacts app... assuming that language is precise, an unlocked phone isn't sufficient. While some parts of the file system are accessible via USB, they are restricted to the data partition and there is no way to tamper with an App without jailbreak and afc2 or something comparable.
    That’s kind of what I was thinking. 
  • Reply 17 of 25
    DAalsethDAalseth Posts: 2,979member
    This is a bit more serious than most of the posters here seem to think
    AppleInsider said:, Check Point's researchers then managed to make a trusted app send the code to trigger this bug and exploit it..
    This is the critical part that most are missing. They made a trusted app, one that was approved that could have potentially appeared in the AppStore or the MacAppStore, that had the trigger code and instructions in place. This code would then attach itself to the DB. They had it crash the app, but it could have just as easily have sent your IDs and passwords to the mothership. 

    I suspect though that it will be patched with the iOS and macOS updates this fall. 
    gatorguyFileMakerFeller
  • Reply 18 of 25
    coolfactorcoolfactor Posts: 2,327member
    I think AppleInsider missed the part where Apple DID fix the bugs.... four years ago!

    https://support.apple.com/en-ca/HT204941
    https://support.apple.com/en-ca/HT204942

    The original CVE document (here) just hasn't been re-verified yet to confirm the fixes. That's not a fault of Apple's.

    Did the researchers miss this, too?

    FileMakerFeller
  • Reply 19 of 25
    coolfactorcoolfactor Posts: 2,327member
    So a Contacts app with a compromised database (not the original user's database of contacts) is vulnerable. So I fail to see the point here... if the hackers first needed to replace the SQL database with one that can be compromised, doesn't that very act nullify the risk here?

    This is a real reach, me thinks.

  • Reply 20 of 25
    macplusplusmacplusplus Posts: 2,116member
    DAalseth said:
    This is a bit more serious than most of the posters here seem to think
    AppleInsider said:, Check Point's researchers then managed to make a trusted app send the code to trigger this bug and exploit it..
    This is the critical part that most are missing. They made a trusted app, one that was approved that could have potentially appeared in the AppStore or the MacAppStore, that had the trigger code and instructions in place. This code would then attach itself to the DB. They had it crash the app, but it could have just as easily have sent your IDs and passwords to the mothership. 

    I suspect though that it will be patched with the iOS and macOS updates this fall. 
    Apple crucifies those “developers” who distribute malware under Apple trust !.. This the most idiotic and amateurish crime a programmer can commit. Hackers are not that idiot... That supposed vulnerability is not unknown to Apple, it is not zero-day, on the opposite it is 4 x 365 + 1 days old ! That’s what makes the article clickbait. If that was something 0-day you are right to hold your breath but this is not one of such vulnerabilities. If it is not processed this is because Apple has sound reasons.

    Edit: Or, it is already fixed as coolfactor has pointed out.
    edited August 2019
Sign In or Register to comment.