A new Google report discusses how iPhone hacks developed by Italian company RCS Lab have been used by law enforcement agencies in Europe. The RCS Labs hacks used multiple exploits to allow its customers to spy on users’ private messages, passwords, and contacts.
Security researchers in Google’s Threat Analysis Group (TAG) revealed the existence of the exploits; Apple has since patched the security holes used by the six exploits, so iPhones running the current iOS are protected from the hacks.
TAG has for years tracked the activities of commercial spyware vendors, including RCS Lab.
Seven of the nine zero-day vulnerabilities [across iOS and Android] our Threat Analysis Group discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.
Today, alongside Google’s Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android.
The RCS attacks require iPhone owners to be tricked into clicking a link. The apps use an official Apple method intended for companies to install internal apps on iPhones used by employees.
To distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with the following manifest file and using com.ios.Carrier as the identifier.
The resulting application is signed with a certificate from a company named 3-1 Mobile SRL (Developer ID: 58UP7GFWAA). The certificate satisfies all of the iOS code signing requirements on any iOS devices because the company was enrolled in the Apple Developer Enterprise Program […]
The app is broken up into multiple parts. It contains a generic privilege escalation exploit wrapper which is used by six different exploits. It also contains a minimalist agent capable of exfiltrating interesting files from the device, such as the WhatsApp database.
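The delivery mechanism described above is Apple's standard in-house distribution path: an itms-services link that points at a manifest plist, which in turn names the package URL and the bundle identifier. An MDM or proxy team can inspect such manifests for the tell-tale sign reported here, an Apple-looking bundle identifier (com.ios.Carrier) coming from an enterprise certificate that is not the organization's own. The following Python is an added example written for this article, not code from Google or RCS Lab; the link, the manifest, the host updates.example.invalid and the allowlist prefix com.examplecorp. are constructed, while the manifest layout is the one Apple documents for enterprise distribution.

```python
import plistlib
from urllib.parse import parse_qs, urlparse

# Constructed sample: an itms-services link of the shape used for in-house
# distribution, and the manifest it points at. The host is hypothetical; the
# bundle identifier com.ios.Carrier is the one named in the report.
SAMPLE_LINK = (
    "itms-services://?action=download-manifest"
    "&url=https://updates.example.invalid/carrier/manifest.plist"
)

SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>items</key>
  <array>
    <dict>
      <key>assets</key>
      <array>
        <dict>
          <key>kind</key><string>software-package</string>
          <key>url</key><string>https://updates.example.invalid/carrier/app.ipa</string>
        </dict>
      </array>
      <key>metadata</key>
      <dict>
        <key>bundle-identifier</key><string>com.ios.Carrier</string>
        <key>bundle-version</key><string>1.0</string>
        <key>kind</key><string>software</string>
        <key>title</key><string>Carrier Settings</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

# Bundle-identifier prefixes the organization's own enterprise program issues.
# Hypothetical allowlist; replace with your real reverse-DNS prefix(es).
ALLOWED_PREFIXES = ("com.examplecorp.",)

# Namespaces that impersonate Apple or system software. An in-house app has
# no reason to use them, and the sample in the report used com.ios.Carrier.
APPLE_LIKE_PREFIXES = ("com.apple.", "com.ios.")


def manifest_url_from_link(link):
    """Return the manifest URL carried by an itms-services:// link, else None."""
    parsed = urlparse(link)
    if parsed.scheme != "itms-services":
        return None
    query = parse_qs(parsed.query)
    if query.get("action") != ["download-manifest"]:
        return None
    urls = query.get("url")
    return urls[0] if urls else None


def inspect_manifest(manifest_bytes):
    """Return one (bundle_id, package_urls, findings) tuple per manifest item.

    findings is a list of human-readable reasons the item deserves review;
    an empty list means nothing in the manifest looked off.
    """
    plist = plistlib.loads(manifest_bytes)
    results = []
    for item in plist.get("items", []):
        meta = item.get("metadata", {})
        bundle_id = meta.get("bundle-identifier", "")
        package_urls = [
            asset.get("url")
            for asset in item.get("assets", [])
            if asset.get("kind") == "software-package"
        ]
        findings = []
        if bundle_id.startswith(APPLE_LIKE_PREFIXES):
            findings.append("apple-like bundle identifier")
        if not bundle_id.startswith(ALLOWED_PREFIXES):
            findings.append("bundle identifier not in enterprise allowlist")
        for url in package_urls:
            if urlparse(url).scheme != "https":
                findings.append("package not served over https")
        results.append((bundle_id, package_urls, findings))
    return results


if __name__ == "__main__":
    print("manifest:", manifest_url_from_link(SAMPLE_LINK))
    for bundle_id, urls, findings in inspect_manifest(SAMPLE_MANIFEST):
        print(bundle_id, urls, findings or "no findings")
```

Run against the constructed manifest, the check flags com.ios.Carrier twice: it sits in an Apple-like namespace and it is not in the allowlist. Either finding alone is a reason to look at which Developer ID signed the package before letting the install proceed; the manifest itself never carries the signing identity, so that step still has to be done on the .ipa.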
Macworld reports that Apple has patched each of the iOS exploits used, so users with iPhones that have been updated to at least iOS 15.2 are safe from the hacks.
- CVE-2018-4344 (a.k.a. LightSpeed): iOS 12
- CVE-2019-8605 (a.k.a. SockPuppet): iOS 12.3
- CVE-2020-3837 (a.k.a. TimeWaste): iOS 13.3.1
- CVE-2020-9907 (a.k.a. AveCesare): iOS 13.6
- CVE-2021-30883 (a.k.a. Clicked2): iOS 15.0.2
- CVE-2021-30983 (a.k.a. Clicked3): iOS 15.2
To check which version of iOS is installed on your iPhone, go to Settings -> General -> About. To update, go to Settings -> General -> Software Update.
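The list above pairs each exploit with the iOS release that closed it, which is all a fleet administrator needs to turn an MDM inventory of reported iOS versions into a list of devices still exposed to any of the six. The Python below is an added example for this article, not code from Google or Apple; the fix versions are the ones listed above, and the device inventory is constructed. It compares versions numerically rather than as strings, so that 15.0.2 correctly counts as older than 15.2 while 15.2 and 15.2.0 compare equal.

```python
# Fix versions from the list above, keyed by CVE.
FIXED_IN = {
    "CVE-2018-4344": "12",      # LightSpeed
    "CVE-2019-8605": "12.3",    # SockPuppet
    "CVE-2020-3837": "13.3.1",  # TimeWaste
    "CVE-2020-9907": "13.6",    # AveCesare
    "CVE-2021-30883": "15.0.2", # Clicked2
    "CVE-2021-30983": "15.2",   # Clicked3
}


def parse_version(version):
    """'15.0.2' -> (15, 0, 2); pad so '15.2' and '15.2.0' compare equal."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def unpatched_cves(ios_version):
    """CVEs from FIXED_IN whose fix landed after the given iOS version."""
    installed = parse_version(ios_version)
    return sorted(
        cve for cve, fixed in FIXED_IN.items()
        if installed < parse_version(fixed)
    )


def triage(inventory):
    """Map device name -> list of unpatched CVEs, omitting clean devices."""
    report = {}
    for name, version in inventory:
        exposed = unpatched_cves(version)
        if exposed:
            report[name] = exposed
    return report


# Constructed inventory: (device name, iOS version as reported by MDM).
SAMPLE_INVENTORY = [
    ("iphone-a", "15.2.1"),  # fully patched
    ("iphone-b", "15.0.2"),  # has Clicked2 fix but not Clicked3
    ("iphone-c", "13.5"),    # stuck on iOS 13, three exploits still work
    ("iphone-d", "11.4"),    # never updated, all six still work
]

if __name__ == "__main__":
    for name, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: update required, exposed to {', '.join(cves)}")
```

In practice the version string comes from the MDM's device record, and the useful output is the set of devices that have not reached 15.2, since that one threshold covers all six exploits.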
(Via 9to5Mac)