Apple's iOS Contacts app claimed to be vulnerable to SQLite hack
Researchers at security conference Def Con 2019 demonstrated a method of exploiting regular database searches to produce malicious results, and used Apple's standard iOS Contacts app to prove it.
Apple's iOS Contacts is one of the many applications that uses SQLite
Security firm Check Point has demonstrated a vulnerability in the industry-standard SQLite database format which can be exploited. Speaking at Def Con 2019, the company showed the technique being used to manipulate Apple's iOS Contacts app. Searching the Contacts app under these circumstances can be enough to make the device run malicious code.
"SQLite is the most wide-spread database engine in the world," said the company in a statement. "It is available in every operating system, desktop and mobile phone. Windows 10, macOS, iOS, Chrome, Safari, Firefox and Android are popular users of SQLite."
"In short, we can gain control over anyone who queries our SQLite-controlled database," they continued.
When you search for a contact or look up information in any app, you are really searching a database and very commonly that will be using SQLite.
Documented in a 4,000-word report seen by AppleInsider, the company's hack involved replacing one part of Apple's Contacts app and it also relied on a known bug that has hasn't been fixed four years after it was discovered.
"Wait, what? How come a four-year-old bug has never been fixed?" write the researchers in their document. "This feature was only ever considered vulnerable in the context of a program that allows arbitrary SQL from an untrusted source and so it was mitigated accordingly. However, SQLite usage is so versatile that we can actually still trigger it in many scenarios."
In other words, the bug has been considered unimportant because it was believed it could only be triggered by an unknown application accessing the database, and in a closed system like iOS, there are no unknown apps. However, Check Point's researchers then managed to make a trusted app send the code to trigger this bug and exploit it.
They replaced a specific component of the Contacts app and found that while apps and any executable code has to have gone through Apple's startup checks, an SQLite database is not executable.
"Persistency [keeping the code on the device after a restart] is hard to achieve on iOS," they said, "as all executable files must be signed as part of Apple's Secure Boot. Luckily for us, SQLite databases are not signed."
Detail from the Check Point team's hack documentation
They had to have access to the unlocked device to install this replacement for part of Contacts. After that, though, they were able to choose what they wanted to happen when the Contacts database was searched.
For the purpose of the demonstration, they just had the app crash. The researchers said that they could have crafted the app to steal passwords.
"We established that simply querying a database may not be as safe as you expect," they said. "We proved that memory corruption issues in SQLite can now be reliably exploited."
"Our research and methodology have all been responsibly disclosed to Apple," they concluded.
This is not the first time that a problem in an SQLite database has resulted in a bug, nor one that remained unfixed for years.
Apple's iOS Contacts is one of the many applications that uses SQLite
Security firm Check Point has demonstrated a vulnerability in the industry-standard SQLite database format which can be exploited. Speaking at Def Con 2019, the company showed the technique being used to manipulate Apple's iOS Contacts app. Searching the Contacts app under these circumstances can be enough to make the device run malicious code.
"SQLite is the most wide-spread database engine in the world," said the company in a statement. "It is available in every operating system, desktop and mobile phone. Windows 10, macOS, iOS, Chrome, Safari, Firefox and Android are popular users of SQLite."
"In short, we can gain control over anyone who queries our SQLite-controlled database," they continued.
When you search for a contact or look up information in any app, you are really searching a database and very commonly that will be using SQLite.
Documented in a 4,000-word report seen by AppleInsider, the company's hack involved replacing one part of Apple's Contacts app and it also relied on a known bug that has hasn't been fixed four years after it was discovered.
"Wait, what? How come a four-year-old bug has never been fixed?" write the researchers in their document. "This feature was only ever considered vulnerable in the context of a program that allows arbitrary SQL from an untrusted source and so it was mitigated accordingly. However, SQLite usage is so versatile that we can actually still trigger it in many scenarios."
In other words, the bug has been considered unimportant because it was believed it could only be triggered by an unknown application accessing the database, and in a closed system like iOS, there are no unknown apps. However, Check Point's researchers then managed to make a trusted app send the code to trigger this bug and exploit it.
They replaced a specific component of the Contacts app and found that while apps and any executable code has to have gone through Apple's startup checks, an SQLite database is not executable.
"Persistency [keeping the code on the device after a restart] is hard to achieve on iOS," they said, "as all executable files must be signed as part of Apple's Secure Boot. Luckily for us, SQLite databases are not signed."
Detail from the Check Point team's hack documentation
They had to have access to the unlocked device to install this replacement for part of Contacts. After that, though, they were able to choose what they wanted to happen when the Contacts database was searched.
For the purpose of the demonstration, they just had the app crash. The researchers said that they could have crafted the app to steal passwords.
"We established that simply querying a database may not be as safe as you expect," they said. "We proved that memory corruption issues in SQLite can now be reliably exploited."
"Our research and methodology have all been responsibly disclosed to Apple," they concluded.
This is not the first time that a problem in an SQLite database has resulted in a bug, nor one that remained unfixed for years.
Comments
Shocker. Those little (unimportant) bugs are important...
And why did they go to the trouble of replacing a ‘component of the Contacts’ app? Why couldn’t they just put an app on the store and give it permission to access the contacts? Is there something the contacts app is doing that isn’t available to third party developers?
Big whoop.
Pity you didn’t then, because that would’ve been a marginally more impressive demo.
If you put your passwords in your unencrypted contacts field then this hack is not your biggest problem.
I’m sure they have, and having assessed the risk, Apple decided to make it a low priority.
Multiple database (Contacts) please.
Apple native apps like Contacts are legacy apps. That’s why changing hardware (so called “upgrade”) is meaningless.
I keep a lot of contacts that I never call. So I put them in Outlook and don’t sync them to iCloud.
I’m walking down the street, and someone with a MacBook preloaded with hacking and jailbreaking software, and a decent SQL edit tool; a pair of dark glasses with dots painted on them; a small chemistry lab (in case I have a phone with TouchID) and a Lighting cable, lifts my phone from my pocket without me noticing.
Then he yells, “Hey you!”
When I turn around, I realise I’m in for the most bizarre four and half hours of my entire life …
Now they have to sift through every ridiculous scenario before they hit the ones that represent a genuine risk. Why? Because folk are chasing the money.
I wouldn’t pay out for anything that cannot work on a locked phone.
i would pay out for anything that can bypass FaceID or TouchID or a passcode of four alphanumeric characters (repeatedly on the same phone!) in less than four hours. (And I’m being generous: I’d be surprised if an owner couldn’t get to a web browser and wipe the phone in less than two hours).
* If a thief has access to user’s unlocked phone, tablet or computer, all the user’s content on that device is vulnerable.
- That is the main risk here & it is far more serious than someone hacking just the Contacts app.
* With just a flash drive a lot of information can quickly be taken from an unlocked computer like every file, screen shots/copies of bookmarked sites, every photo, and everything which is not password protected like social media sites.
- If financial sites are not individually password protected, there goes the user’s money.
Someone needs to have access to the device and the ability to install unapproved software - in other words, jailbroken.
Use iOS as intended and voila! No problem - kind of the reason Apple operates the ecosystem the way they do.
Jailbreak and turn your phone into a better version of Android - and inherit its problems.
Title could be better written as "don't give strangers your password with permission to jailbreak your phone and install malicious software on it." That's literally what this is about.
Meanwhile, “Forbes” now has an article -based entirely on this AppleInsider story- with a headline “Warning Issued for Apple’s 1.4 Billion iPad and iPhone Users.” The article then breathlessly relates that every device running iOS 8 through 13 is vulnerable. They then quote Tim Cook saying that there are 1.4 billion iOS devices out there, and stringing that into their premise in such a way that a careless reader will come away with the impression that Cook himself is confirming that every one of those devices is vulnerable and sure to be hacked. They mention nothing about a presumptive hacker first needing to borrow your unlocked device for a while so they can manually corrupt your contacts app.
Prepare for more breathless coverage this week, claiming Apple has left everyone vulnerable (and never mentioning the constant actual vulnerability of open OS devices like Android). Your best bet is to not worry about this “vulnerability” at all, but to wait a few days and buy some Apple stock after it drops. That’s likely what the folks at Forbes and other similar outlets will be doing, because that’s probably the reason they’ve published tripe like this. Click-bait gets a few advertising dollars, but scare mongering about Apple can create a nice stock price dip that will most assuredly go back up after people forget about this because nothing bad ever actually happened. That’ll make them way more money than their click-bait webpage ads.
Since AppleInsider is cited as the (misrepresented) source of this, it might behoove them to add an update at the top of this article, making it more clear what the actual risk to users really is, rather than leaving it to people to dig into the details to figure it out for themselves.
This is the critical part that most are missing. They made a trusted app, one that was approved that could have potentially appeared in the AppStore or the MacAppStore, that had the trigger code and instructions in place. This code would then attach itself to the DB. They had it crash the app, but it could have just as easily have sent your IDs and passwords to the mothership.
I suspect though that it will be patched with the iOS and macOS updates this fall.
https://support.apple.com/en-ca/HT204941
https://support.apple.com/en-ca/HT204942
The original CVE document (here) just hasn't been re-verified yet to confirm the fixes. That's not a fault of Apple's.
Did the researchers miss this, too?
This is a real reach, me thinks.
Edit: Or, it is already fixed as coolfactor has pointed out.