Bypassing pointer authentication: Understanding the 2024 iPhone attack
When it comes to computers and phones, a small problem can mean a major data breach. And if that small problem doesn't get fixed quickly, the damage only grows. In January 2024, the Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw affecting Apple devices to its Known Exploited Vulnerabilities (KEV) catalog. That listing matters: under Binding Operational Directive 22-01, U.S. federal civilian agencies had 21 days to apply Apple's fix, and CISA strongly urges all organizations to remediate KEV entries promptly.
In this article, we break down the nature of the security flaw, how it can impact Apple devices and how to protect your organization and devices from these kinds of attacks.
In this episode of Hacker Headlines, Keatron Evans, VP of Portfolio Product and AI Strategy for Infosec, breaks down the dangerous vulnerability that affected iPhones.
Learn Vulnerability Management
What is the security flaw impacting Apple devices?
So, what is the flaw? The vulnerability, tracked as CVE-2022-48618, is a flaw in the kernel of Apple's operating systems that lets an attacker who already has arbitrary read and write access to memory bypass pointer authentication, the hardware mitigation explained below. The "2022" in the identifier reflects when Apple fixed it (in iOS 16.2, released in December 2022); Apple did not publicly document the fix until January 2024, which is when CISA acted on it. To understand pointer authentication we first need pointers. In computing, a pointer is a variable that holds the location of something else in memory. You can think of it as the "You are here" sign you see on a map: its job is to tell a program where a section of memory lives.
How computers use memory
Computers use memory to store and provide information that software programs use as they run. You can think of a computer's memory system as a huge bookshelf, and each unit of data is like a tiny book on the shelf. When a software program needs a piece of data, it grabs it from the computer's memory.
For instance, if you type the word "shelf," the data that produces each letter on your screen gets stored in a specific location in your computer's memory. If you then put the word "shelf" in italics, your word processor would go to those sections of your memory, pull the "s," "h," "e," "l," and "f," and then apply the italics function to them.
What are pointers?
Pointers indicate where in your memory your computer stores each piece of data its software needs. In effect, a pointer says, "Hey, the 's' is here, and the 'h' is over here, and the 'e' is here," and so on.
What is pointer authentication?
Pointer authentication (PAC, for pointer authentication code) is a feature of the Arm architecture, introduced in ARMv8.3-A and used by Apple on its arm64e devices, that cryptographically signs pointers. When the kernel or a program stores a sensitive pointer, such as a return address or a function pointer, the processor computes a keyed cryptographic checksum (a message authentication code, not a plain hash: it depends on a secret key the attacker cannot read) over the pointer's address and a 64-bit context value, and stores the truncated result in the pointer's unused upper bits. Before the pointer is used, a matching authenticate instruction recomputes the code with the same key and context and checks that it matches. If the pointer was modified, or a signed pointer from a different context was swapped in, the check fails and the result is an invalid address that faults when dereferenced. Nothing is encrypted; the address itself stays readable. What the code provides is a check that an attacker who can overwrite memory cannot produce a valid signed pointer without the key.
Why would bypassing pointer authentication lead to serious vulnerabilities?
Pointer authentication exists to contain memory-corruption bugs. An attacker who overwrites a return address or function pointer with a raw value gets a pointer carrying a stale code, and the next authentication fails instead of transferring control. A bypass removes that containment. For CVE-2022-48618, Apple describes the condition as an attacker who already has arbitrary read and write capability being able to bypass pointer authentication: it is a second-stage flaw, chained after a memory-corruption bug, that lets the attacker forge valid signed pointers so that a corrupted pointer passes the check and the kernel jumps to, or writes through, an address of the attacker's choosing. That is what turns a bounded memory bug into code execution in the kernel.
How hackers can exploit pointer authentication codes
To boost speed, modern processors speculatively execute instructions down a predicted path before they know whether that path is correct. On processors that implement pointer authentication, the result of an authenticate instruction on a speculated path can be consumed by later instructions before the check is enforced; when the prediction turns out to be wrong, the speculative results are discarded, but their microarchitectural side effects, such as a cache or TLB entry, can remain.
This gives an attacker who already has a memory-corruption primitive a way to brute-force the PAC. The code occupies only the otherwise unused upper bits of a 64-bit pointer, about 16 bits in Apple's 64-bit configuration, so there are on the order of 65,536 candidate values. Guessing architecturally is expensive: a wrongly guessed pointer does not run the attacker's code, it produces an invalid address that faults when used, which on iOS crashes the process. The speculation side channel changes that. The guess is consumed only speculatively, and what leaks is whether the authentication succeeded, so each guess becomes a silent yes/no answer, and the attacker can walk the whole space without crashing and stop when a guess authenticates.
Once the correct code for a pointer is known, the attacker can forge a signed pointer to code or data of their choice, and the memory-corruption bug that pointer authentication was meant to contain becomes a control-flow hijack or an arbitrary write. This speculation-based method is the mechanism of the PACMAN attack demonstrated against the Apple M1 in 2022; Apple's advisory for CVE-2022-48618 states only that an attacker with arbitrary read and write capability may be able to bypass pointer authentication, and does not attribute the flaw to speculation.
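To make the two preceding sections concrete, here is an added C model of how signing, authentication and brute-forcing of the code interact. It is illustrative code written for this article, not Apple's or Arm's implementation: it assumes 48 address bits with a 16-bit PAC in bits 48 to 63, uses a toy keyed mixing function (toy_mac) in place of the QARMA cipher real hardware uses, and reports authentication failure as a boolean where real hardware would yield an address that faults on use. The helper names (pac_sign, pac_auth, forgeries_detected, replays_detected, guesses_to_forge), the key, and the sample addresses and context values are all made up for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of Arm pointer authentication (PACIA/AUTIA-style sign and
 * authenticate). Added illustration, not Apple's or Arm's code.
 * Assumptions chosen for the example: 48 usable address bits, a 16-bit PAC in
 * bits 48..63, a stand-in mixing function instead of QARMA, and a bool result
 * where real hardware would yield a non-canonical, faulting address. */

#define VA_BITS   48u
#define PAC_BITS  16u
#define ADDR_MASK ((1ull << VA_BITS) - 1)
#define PAC_MASK  (((1ull << PAC_BITS) - 1) << VA_BITS)

/* Stand-in for the secret key held in the processor's PAC key registers. */
static const uint64_t g_key[2] = { 0x0123456789abcdefull, 0xfedcba9876543210ull };

/* Keyed pseudorandom mixing over (address, context). Illustrative only; NOT a
 * secure MAC. Real hardware uses the QARMA block cipher here. */
static uint64_t toy_mac(uint64_t addr, uint64_t context, const uint64_t key[2]) {
    uint64_t h = key[0] ^ 0x9e3779b97f4a7c15ull;
    uint64_t words[2] = { addr, context ^ key[1] };
    for (int i = 0; i < 2; i++) {
        uint64_t x = words[i] ^ h;
        x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ull;
        x ^= x >> 27; x *= 0x94d049bb133111ebull;
        x ^= x >> 31;
        h = x;
    }
    return h;
}

/* Truncated code for (addr, context), already shifted into the PAC bit field. */
static uint64_t compute_pac(uint64_t addr, uint64_t context) {
    return (toy_mac(addr & ADDR_MASK, context, g_key) << VA_BITS) & PAC_MASK;
}

/* PAC*: sign. The address stays in the clear; only the spare upper bits change. */
static uint64_t pac_sign(uint64_t addr, uint64_t context) {
    return (addr & ADDR_MASK) | compute_pac(addr, context);
}

/* AUT*: recompute and compare. On success *out is the usable address. */
static bool pac_auth(uint64_t signed_ptr, uint64_t context, uint64_t *out) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    if ((signed_ptr & PAC_MASK) != compute_pac(addr, context)) { *out = 0; return false; }
    *out = addr;
    return true;
}

/* A legitimate save/restore of a return address round-trips. */
static bool round_trip_ok(uint64_t addr, uint64_t context) {
    uint64_t out;
    return pac_auth(pac_sign(addr, context), context, &out) && out == (addr & ADDR_MASK);
}

/* Forgery 1: the attacker rewrites the address bits of a signed pointer but has
 * no key, so the old code no longer matches. Returns how many of `trials`
 * forgeries are caught (a stale code still matches by chance 1 in 2^PAC_BITS). */
static unsigned forgeries_detected(unsigned trials) {
    const uint64_t ctx = 0x000016f0a3c0f000ull;              /* e.g. the stack pointer */
    uint64_t saved = pac_sign(0x0000000100004000ull, ctx);   /* genuine return address */
    unsigned caught = 0;
    for (unsigned i = 0; i < trials; i++) {
        uint64_t gadget = 0x0000000100100000ull + (uint64_t)i * 16; /* attacker target */
        uint64_t forged = (saved & PAC_MASK) | gadget;              /* keep code, swap address */
        uint64_t out;
        if (!pac_auth(forged, ctx, &out)) caught++;
    }
    return caught;
}

/* Forgery 2: replaying a validly signed pointer under a different context (a
 * neighbouring stack frame) also fails, because the context is part of the code. */
static unsigned replays_detected(unsigned trials) {
    const uint64_t target = 0x0000000100004000ull;
    unsigned caught = 0;
    for (unsigned i = 0; i < trials; i++) {
        uint64_t ctx_a = 0x000016f0a3c00000ull + (uint64_t)i * 0x100;
        uint64_t out;
        if (!pac_auth(pac_sign(target, ctx_a), ctx_a + 0x80, &out)) caught++;
    }
    return caught;
}

/* Brute force: try every code value for a chosen target. Architecturally each
 * wrong guess is a fault (a crash); a speculation side channel turns it into a
 * silent "no". Returns guesses until success (1..2^PAC_BITS). */
static uint64_t guesses_to_forge(uint64_t target, uint64_t context, uint64_t *crashes) {
    *crashes = 0;
    for (uint64_t g = 0; g < (1ull << PAC_BITS); g++) {
        uint64_t out;
        if (pac_auth((target & ADDR_MASK) | (g << VA_BITS), context, &out)) return g + 1;
        (*crashes)++;
    }
    return 0; /* not reached: exactly one value matches */
}

int main(void) {
    uint64_t target = 0x0000000100004000ull, ctx = 0x000016f0a3c0f000ull, crashes;
    printf("round trip ok:        %s\n", round_trip_ok(target, ctx) ? "yes" : "no");
    printf("forgeries caught:     %u / 1000\n", forgeries_detected(1000));
    printf("replays caught:       %u / 1000\n", replays_detected(1000));
    uint64_t n = guesses_to_forge(target, ctx, &crashes);
    printf("guesses to forge:     %llu (%llu faults if done architecturally)\n",
           (unsigned long long)n, (unsigned long long)crashes);
    return 0;
}
```

Save it as, say, pac_model.c and build with `cc -std=c11 pac_model.c && ./a.out`. The forgery and replay counters come out at or very near 1000 of 1000: the only way a tampered or replayed pointer passes is a 1-in-65,536 collision of the truncated code. The brute-force counter shows the other side of the coin: the space is small enough to search exhaustively, and the `crashes` count is the price of doing so without a non-faulting oracle, which is exactly what a speculation side channel removes.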
The impact of the pointer authentication vulnerability
Apple says it is aware of a report that the bug may have been exploited against versions of iOS released before iOS 15.7.1, and the affected hardware is broad. Apple's advisory lists iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later, Apple TV 4K, Apple Watch Series 4 and later, and Macs running macOS Ventura. The fix shipped in iOS 16.2, iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2 and watchOS 9.2.
The identifier itself is specific to Apple's kernel. Pointer authentication is a feature of the Arm architecture (ARMv8.3-A and later) that other software, including the Linux kernel on Arm hardware, also uses, so the general class of attack, recovering or forging a pointer's authentication code, is relevant to any system that relies on it; CVE-2022-48618, however, does not affect Linux. If you're unsure whether one of your systems uses pointer authentication or how its vendor has handled bypasses of it, check that vendor's security advisories.
How to avoid pointer authentication attacks
How can you protect your digital ecosystem from pointer authentication attacks? The good news is that this vulnerability is already patched, publicly documented and listed in CISA's Known Exploited Vulnerabilities catalog, which keeps this class of bug on the radar of every device manufacturer that relies on pointer authentication codes. With that in mind, here are the steps you can take to safeguard your organization.
Always patch your devices
This serves as a sobering reminder to always patch your devices. Older devices may be outdated and vulnerable to exploits like these, so it's essential to download the necessary updates as soon as they become available.
Even better, you should enable automatic updates if your operational workflow allows. Depending on the devices your IT system depends on, it may be prudent to prioritize automatic updates — even if this means some operations may have to pause as computers install updated software.
Install updates across your ecosystem
You should also update all your devices, not just laptops and phones. This may include your router, smart TV, tablets and more. All of these need regular updates to keep them as safe as possible.
Leverage the power of education
Your employees are on the front lines. You can transform them from victims to victors by making sure they understand:
- What a malware attack looks like
- How cyberattacks affect the speed or functionality of computers and other devices
- Which kinds of sites to avoid, such as torrents that offer free software, because hackers may use them to distribute malware
Your most powerful weapon against attackers is knowledge. This is why we've created our Hacker Headlines videos, which give you succinct yet informative intel on the most recent attack vectors. To learn more about cybersecurity awareness training resources and tools, connect with someone at Infosec today.