An iOS security researcher has publicly disclosed three zero-day vulnerabilities in Apple’s mobile operating systems—and a fourth that is unmitigated in iOS 15.
The researcher, who went by the pseudonym “illusionofchaos” in their disclosure, stated that they had privately reported these vulnerabilities to Apple months ago. Since Apple has failed to fix the issues within a reasonable timeframe, the researcher decided to take the details public.
Full public disclosure is a two-edged sword. Although it potentially puts users at risk from malicious developers learning about and implementing these techniques, it also pushes Apple to quickly patch the issues. Given the possibility that malicious developers might have already discovered and used these techniques without anyone’s awareness, one can begin to understand why public disclosure might seem like a practical option after Apple seemingly ignored the vulnerabilities for months.
So just how bad are these vulnerabilities? All four are “information disclosure” issues, meaning that a malicious developer could potentially leverage them to obtain sensitive information about a user without their knowledge or permission. Following is a brief summary of each of the four issues, which affect both iOS devices (iPhone and iPod touch) as well as iPadOS devices (iPad).
The “gamed” zero-day
The Game Center process—formally known as
com.apple.gamed or just gamed—can be exploited by any App Store app to obtain the following information about the user:
- The user’s full name associated with their Apple ID
- The user’s Apple ID e-mail address
- An Apple ID authentication token “which allows to access at least one of the endpoints on *.apple.com on behalf of the user”
- Full access to read the contents of the “Core Duet” database, which “contains a list of contacts from Mail, SMS, iMessage, third-party messaging apps and metadata about all user’s interaction with these contacts (including timestamps and statistics),” and “also some attachments (like URLs and texts)”
- Full access to read the contents of the Speed Dial database and the Address Book database, including photos of contacts
The researcher notes that access to the Speed Dial and Address Book databases were evidently revoked silently in iOS 15. However, the other issues remain.
The “nehelper enumerate installed apps” zero-day
The Network Extension helper XPC service—
com.apple.nehelper or nehelper—contains a vulnerability that allows any app to identify which other apps are installed on the device, determined by the apps’ bundle ID.
Although this vulnerability may not sound like a big deal, it could actually reveal plenty of things about users that they would not knowingly reveal about themselves to app developers. For example, simply knowing which apps you have installed could reveal your sexual preferences (based on dating apps you have installed), your political or religious views, which bank or credit union you use, where you work or go to school, where you shop or travel, and much more.
The “nehelper Wi-Fi info” zero-day
The same service also has a vulnerability that could reveal information about the Wi-Fi network to which you are connected. This can include both the name of the network (SSID) as well as the unique BSSID MAC address of your Wi-Fi router.
Searchable databases of BSSIDs are easy to find online. If someone can find out your BSSID, they can pinpoint precisely where you are on earth (within the radius of that particular Wi-Fi network’s range).
The analyticsd vulnerability (unmitigated in iOS 15)
The fourth vulnerability was fixed back in iOS 14.7, but Apple never publicly acknowledged this.
However, illusionofchaos says that the vulnerability has returned in iOS 15. (Intego reported earlier this week that iOS 15 seems to be missing patches for two in-the-wild vulnerabilities that were addressed a week earlier in iOS 14.8. It may be advisable to stay on the latest iOS 14 update until Apple addresses these issues in a future release of iOS 15.)
The vulnerability is that any app can access all of the Analytics Data that Apple collects about you on your device. Apple stores these analytics logs even if you have “Share iPhone & Watch Analytics” disabled. You can see the very long list of Analytics Data files on your own iOS or iPadOS device by going to Settings > Privacy > Analytics & Improvements > Analytics Data.
The researcher notes that this Analytics Data can include sensitive information about the user, including but not limited to:
- Medical information (heart rate, count of detected afib and irregular heart rhythm events, menstrual cycle length, cervical mucus quality, etc.)
- The user’s age, biological gender, and known languages
- Whether the user is logging sexual activity
- The manufacturer, model, firmware version, and user-assigned names of any accessory devices
- App crash logs (which might reveal additional sensitive information)
Again, since this particular issue is fixed in iPadOS and iOS 14.8, it may be best to wait to upgrade to iPadOS or iOS 15 until Apple fixes this for the latest operating system as well.
The other three vulnerabilities, however, remain zero-day issues—unpatched regardless of which iOS or iPadOS version you have installed.
How can I learn more?
We’ll discuss these vulnerabilities on an upcoming episode of the Intego Mac Podcast. Be sure to follow the podcast to make sure you don’t miss any episodes! You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.
About Joshua Long
Joshua Long (@theJoshMeister), Intego’s Chief Security Analyst, is a renowned security researcher, writer, and public speaker. Josh has a master’s degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 20 years, which has often been featured by major news outlets worldwide. Look for more of Josh’s articles at security.thejoshmeister.com and follow him on Twitter.
View all posts by Joshua Long →