iPhone hacks developed by Italian company RCS Lab have been used by law enforcement agencies in Europe, according to a new Google report. The hacking tool used a variety of exploits to allow the firm’s customers to spy on private messages, contacts, and passwords.
However, Apple has patched all six of the exploits used in different versions of iOS (see below), so keeping your iPhone up to date will protect it from the hacking tools …
Details of the spyware were revealed by security researchers in Google’s Threat Analysis Group (TAG), whose mission is to detect and counter “targeted and government-backed hacking.”
Google said that it has for years been tracking the activities of commercial spyware vendors, with RCS Lab among them.
RCS Lab’s iPhone hacks
The attacks are not as dangerous as those used by NSO’s Pegasus, as the RCS ones require iPhone owners to be tricked into clicking a link. However, the company did come up with a reasonably clever way to do this.
Seven of the nine zero-day vulnerabilities [across iOS and Android] our Threat Analysis Group discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.
Today, alongside Google’s Project Zero, we are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android.
The apps use an official Apple method intended for companies to install internal apps on iPhones used by employees.
In some cases, we believe the actors worked with the target’s ISP to disable the target’s mobile data connectivity. Once disabled, the attacker would send a malicious link via SMS asking the target to install an application to recover their data connectivity. We believe this is the reason why most of the applications masqueraded as mobile carrier applications. When ISP involvement is not possible, applications are masqueraded as messaging applications.
Google says that it has found live examples of compromised phones in Italy and Kazakhstan, but CNN notes that RCS claims multiple European law enforcement agencies as clients, making it likely that iPhones in other countries have also been hacked.
To distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with the following manifest file and using com.ios.Carrier as the identifier.
The resulting application is signed with a certificate from a company named 3-1 Mobile SRL (Developer ID: 58UP7GFWAA). The certificate satisfies all of the iOS code signing requirements on any iOS devices because the company was enrolled in the Apple Developer Enterprise Program […]
The app is broken up into multiple parts. It contains a generic privilege escalation exploit wrapper which is used by six different exploits. It also contains a minimalist agent capable of exfiltrating interesting files from the device, such as the Whatsapp database.
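The distribution path Google describes above relies on Apple's documented `itms-services://?action=download-manifest&url=...` link format for in-house apps, so the defender-side signal is an itms-services link whose manifest is served from a host that is not the organisation's own enterprise distribution server. The following Python is an added example (not Google's or RCS Lab's code) that pulls such links out of constructed proxy and SMS-gateway log lines and flags any whose manifest host is outside an assumed allowlist (`TRUSTED_MANIFEST_HOSTS`, `SAMPLE_LOG` and the host names are all made up for the example):

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist: hosts from which this organisation legitimately serves
# manifests for its own in-house (enterprise-signed) apps. Replace with yours.
TRUSTED_MANIFEST_HOSTS = {"mdm.example-corp.internal"}

# Matches an itms-services link up to the next whitespace or quote character.
ITMS_RE = re.compile(r"""itms-services://\?[^\s"']+""", re.IGNORECASE)


def manifest_url(itms_link):
    """Return the manifest URL carried by an itms-services link, or None if
    the link is not a download-manifest request."""
    parts = urlsplit(itms_link)          # scheme itms-services, empty netloc
    query = parse_qs(parts.query)        # values are percent-decoded here
    if query.get("action", [""])[0] != "download-manifest":
        return None
    urls = query.get("url")
    return urls[0] if urls else None


def scan_log(lines):
    """Return (host, manifest_url) for every itms-services link in the given
    log lines whose manifest host is not a trusted distribution host."""
    findings = []
    for line in lines:
        for link in ITMS_RE.findall(line):
            manifest = manifest_url(link)
            if manifest is None:
                continue
            host = urlsplit(manifest).hostname or ""
            if host.lower() not in TRUSTED_MANIFEST_HOSTS:
                findings.append((host, manifest))
    return findings


# Constructed sample log lines (not real traffic): a harmless proxy hit, an SMS
# carrying a lure that points at an untrusted manifest host, and a legitimate
# in-house install from the allowlisted MDM host.
SAMPLE_LOG = [
    '2022-06-23T10:01:02Z proxy src=10.0.0.12 url="https://news.example/article"',
    '2022-06-23T10:02:15Z sms-gw to=+390000000000 body="Install this app to restore '
    'your data connection: itms-services://?action=download-manifest'
    '&url=https://carrier-data-recovery.example/manifest.plist"',
    '2022-06-23T10:03:44Z proxy src=10.0.0.7 url="itms-services://?action=download-manifest'
    '&url=https://mdm.example-corp.internal/apps/internal.plist"',
]

if __name__ == "__main__":
    for host, manifest in scan_log(SAMPLE_LOG):
        print(f"untrusted enterprise-app manifest host {host}: {manifest}")
```

In practice the allowlist would be fed from the MDM's actual manifest host names, and a hit is a prompt to pull the manifest and check which signing identity (team ID) the referenced app carries, since an enterprise certificate from an unrelated company is the tell Google describes.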
Apple patches
Macworld notes that Apple has patched each of the iOS exploits used, so your phone is safe from all of them provided that you have updated to at least iOS 15.2.
- CVE-2018-4344 (a.k.a. LightSpeed): iOS 12
- CVE-2019-8605 (a.k.a. SockPuppet): iOS 12.3
- CVE-2020-3837 (a.k.a. TimeWaste): iOS 13.3.1
- CVE-2020-9907 (a.k.a. AveCesare): iOS 13.6
- CVE-2021-30883 (a.k.a. Clicked2): iOS 15.0.2
- CVE-2021-30983 (a.k.a. Clicked3): iOS 15.2
If you need to check which iOS version you’re using, you can do so in Settings > General > About. To update, go to Settings > General > Software Update.
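For anyone responsible for more than one phone, the same check is easier done against a device inventory than in Settings on each handset. The Python below is an added example (not from the article, Google or Apple) that compares each device's reported iOS version against the fix versions listed above and reports which of the six CVEs a device has not yet received; the inventory (`SAMPLE_INVENTORY`) is constructed for the example. The comparison only knows the fix versions given in this article, so a device on an older major release that Apple has separately patched would still be flagged and should be treated as "needs review" rather than proven exposed.

```python
# Fix versions exactly as listed in the article: the iOS release that patched
# each CVE used by the RCS Lab tooling.
PATCHED_IN = {
    "CVE-2018-4344": "12",
    "CVE-2019-8605": "12.3",
    "CVE-2020-3837": "13.3.1",
    "CVE-2020-9907": "13.6",
    "CVE-2021-30883": "15.0.2",
    "CVE-2021-30983": "15.2",
}


def parse_version(version):
    """Turn '15.0.2' into (15, 0, 2); absent trailing components count as 0,
    so '12' and '12.0.0' compare equal. Raises ValueError on junk input."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an iOS version string: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def unpatched_cves(ios_version):
    """CVEs from the table whose fix version is newer than the installed one.
    Caveat: this ignores fixes Apple back-ported to older release branches."""
    installed = parse_version(ios_version)
    return sorted(
        cve for cve, fix in PATCHED_IN.items() if installed < parse_version(fix)
    )


def fleet_report(inventory):
    """inventory: iterable of (device_name, ios_version). Returns one
    (device_name, ios_version, [unpatched CVEs]) row per device that still
    lacks at least one of the fixes, devices already up to date are omitted."""
    rows = []
    for name, version in inventory:
        missing = unpatched_cves(version)
        if missing:
            rows.append((name, version, missing))
    return rows


# Constructed inventory for the example; device names and versions are made up.
SAMPLE_INVENTORY = [
    ("phone-a", "15.2"),
    ("phone-b", "15.0.2"),
    ("phone-c", "13.6"),
    ("phone-d", "14.8.1"),
]

if __name__ == "__main__":
    for name, version, missing in fleet_report(SAMPLE_INVENTORY):
        print(f"{name} (iOS {version}) still lacks fixes for: {', '.join(missing)}")
```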