One hacker found no fewer than seven zero-day vulnerabilities and used just three of them to construct a kill chain that successfully hijacked the iPhone camera. Well, any iOS or macOS camera for that matter. Here’s how he did it and what happened next.
Ethical hackers, those security researchers who put their hacking talents to use in helping secure the products and services they break, can make a pretty penny. Just last month, I reported how work-from-home elite hackers participating in the virtual PWN2OWN event earned $130,000 in only 48 hours. Indeed, Google paid ethical hackers $6.5 million last year as part of its vulnerability reward programs, and Apple has a top bug bounty of $1.5 million for the most serious of iPhone hacks. It was as part of this Apple bug bounty program that Ryan Pickren, the founder of the proof-of-concept sharing platform BugPoC, responsibly disclosed his discovery of seven zero-day vulnerabilities that enabled him to hijack the iPhone camera, and earned a none-too-shabby $75,000 from Apple for his efforts.
Who is Ryan Pickren?
A former Amazon Web Services (AWS) security engineer, Ryan Pickren has a particularly colorful history of hacking in its many forms. As a student, he was arrested and indicted after pulling off a prank by adding an event to an unsecured University of Georgia calendar that read: “Get Ass Kicked By GT.” This referred to a forthcoming college football game. That earned him a couple of hours in jail on Christmas Eve and a year of community service. That community service was helping a non-profit with cybersecurity, and it marked the start of his career. Pickren told me during an email conversation that he also earned “over $300,000 (£242,500) worth of airline miles back in college from the United Airlines Bug Bounty Program over the course of a summer.” Later, he proved his hacking skills across hardware and software by building a physical Amazon IoT button that let him order a drink at Starbucks with one click. This involved bypassing certificate pinning, monitoring app traffic, spoofing API calls, writing a Python library, and making an AWS function, which also sent him a text message confirming the order. Pickren was, and remains, nothing if not systematic and thorough in his approach to matters of security.
How did this hacker gain unauthorized access to the iPhone camera?
During December 2019, Pickren decided to put the notion that “bug hunting is all about finding assumptions in software and violating those assumptions to see what happens” to the test. He opted to delve into Apple Safari for iOS and macOS, to “hammer the browser with obscure corner cases” until weird behavior was uncovered. Pickren focused on the camera security model, which he readily admits was “pretty intense.” That’s something of an understatement: Apple has made the camera very secure, or so it thought, by requiring any and every app that wants access to be explicitly granted camera/microphone permission, a grant handled by an OS alert box. Pickren found the exception to the rule: Apple’s own apps. That is what led him to prod away at the Mobile Safari app to see how he could gain unauthorized access to the camera and microphone.
To cut a very long and technical story short: Pickren found a total of seven zero-day vulnerabilities in Safari (CVE-2020-3852, CVE-2020-3864, CVE-2020-3865, CVE-2020-3885, CVE-2020-3887, CVE-2020-9784, and CVE-2020-9787), of which three could be used in the camera hacking kill chain. The vulnerabilities involved the way that Safari parsed Uniform Resource Identifiers, managed web origins, and initialized secure contexts. Yes, this involved tricking a user into visiting a malicious website. Still, that website could then directly access the camera, provided the user had previously trusted a video conferencing site such as Zoom, for example. “A bug like this shows why users should never feel totally confident that their camera is secure,” Pickren said, “regardless of operating system or manufacturer.”
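To make concrete what “web origins” and “secure contexts” mean for the camera permission model described above, here is an added example in JavaScript. It is not code from the article or from Pickren’s research, and it does not reproduce any of the Safari bugs; it models, in simplified form, how a browser derives an origin from a URL, whether a page counts as a secure context, and whether a page may reuse an existing camera grant. The function names `originOf`, `sameOrigin`, `isPotentiallyTrustworthy` and `mayUseCamera` are chosen for this example, and the set of granted origins is constructed input.

```javascript
// Added example (not from the article or from Pickren's research): a simplified
// model of the two checks that sit in front of getUserMedia in a browser.
// Camera/microphone permission is keyed on the page's origin, so the parser
// that computes the origin is part of the trust boundary.

// Default ports per scheme, so "https://example.com" and
// "https://example.com:443" resolve to the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Derive the (scheme, host, port) tuple that defines a web origin.
// Returns null for unparsable input or schemes this model does not handle
// (a real browser treats most of those as opaque origins).
function originOf(input) {
  let url;
  try {
    url = new URL(input); // WHATWG parser: lowercases scheme and host
  } catch {
    return null;
  }
  if (!Object.prototype.hasOwnProperty.call(DEFAULT_PORTS, url.protocol)) {
    return null;
  }
  const port = url.port || DEFAULT_PORTS[url.protocol];
  return `${url.protocol}//${url.hostname}:${port}`;
}

// Two URLs share an origin only if every component of the tuple matches.
// Note that userinfo ("user@") is not part of the origin: the host after
// the "@" is what counts, not the text in front of it.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== null && ob !== null && oa === ob;
}

// Secure-context check modelled on the Secure Contexts spec: https, or
// loopback-style hosts over plain http. getUserMedia is only exposed to
// pages that pass this check.
function isPotentiallyTrustworthy(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return false;
  }
  if (url.protocol === "https:") return true;
  if (url.protocol === "http:") {
    const h = url.hostname;
    return h === "localhost" || h.endsWith(".localhost") || h === "127.0.0.1";
  }
  return false;
}

// Decide whether a page may reuse a previously granted camera permission.
// `grants` is a Set of origin strings the user has already approved
// (constructed input in the usage below).
function mayUseCamera(pageUrl, grants) {
  if (!isPotentiallyTrustworthy(pageUrl)) return false;
  const origin = originOf(pageUrl);
  return origin !== null && grants.has(origin);
}

// Usage with a constructed grant set: the user once approved a meeting site.
const grantedOrigins = new Set(["https://meet.example:443"]);
console.log(mayUseCamera("https://meet.example/room/1", grantedOrigins)); // true
console.log(mayUseCamera("http://meet.example/room/1", grantedOrigins));  // false: not a secure context
console.log(mayUseCamera("https://other.example/", grantedOrigins));       // false: different origin
```

The defender’s takeaway from this model is that the permission check is only as sound as the URL parsing that feeds it: the origin stored when the user clicks “Allow” and the origin computed when a later page asks for the camera must come from the same, consistent parser, and the secure-context decision must be made before any grant is consulted.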
What happened next?
Pickren reported his research fully via the Apple Bug Bounty Program in mid-December 2019. “My research uncovered seven bugs,” Pickren says, “but only 3 of them were ultimately used to access the camera/microphone. Apple validated all seven bugs immediately and shipped a fix for the 3-bug camera kill chain a few weeks later.” The three-zero-day camera kill chain exploit was dealt with in the Safari 13.0.5 update released January 28. The remaining zero-day vulnerabilities, judged to be less severe, were patched in the Safari 13.1 release on March 24.
The $75,000 (£60,665) bounty paid was the first that Pickren has earned from Apple, which is quite a good start it has to be said. “I really enjoyed working with the Apple product security team when reporting these issues,” Pickren told me, “the new bounty program is absolutely going to help secure products and protect customers. I’m really excited that Apple embraced the help of the security research community.”
A very viable form of attack
Security researcher Sean Wright told me that while everyone has been paying attention to their webcams on PCs and laptops, “few have been paying attention to their webcams as well as microphones on their mobiles.” That is bizarre when you stop to think about it, since a mobile is a far more likely route for an attacker to eavesdrop on victims. “People are a lot more likely to have their mobile on them for most of the time,” Wright says, “especially perhaps when discussing sensitive matters.” And while the need to socially engineer a user into visiting a malicious site does, admittedly, add some complexity to the threat, Wright concludes, “it is certainly a very viable form of attack.”
I approached Apple for a comment regarding this story, but none was forthcoming at the time of publication.