Phantom: Deadly Proxy Manipulating on iOS

FireEye mobile researchers discovered a security vulnerability affecting nearly all the apps using network on iOS, including the system itself. Configuring HTTP proxy to abnormal values triggers multiple use-after-free (UAF) issues in libsystem_network.dylib. This vulnerability can lead to several undesired security consequences, e.g. most of networking apps will crash immediately, including system components; the system will respond sluggishly, and it is even not able to reboot successfully. We name this vulnerability as Phantom, saluting to the Ghost vulnerability in GNU C library.

Apple security team confirmed this vulnerability in CVE-2015-1118 as a memory corruption issue in libnetcore, and fixed it in the latest release 8.3. We suggest that users upgrade their systems at the earliest convenience. In this blog, we will discuss potential exploitation scenarios, and provide protection suggestions.

A proxy is a popular network infrastructure for users to access the Internet or specific network resources. Like any network devices/services sitting in the middle between the user and the Internet, a proxy plays an important role in terms of security. Apple has taken efforts to prevent users from being tricked into using malicious proxies. However, there are still opportunities left for exploits.

Profile Phishing

One way to configure iOS proxy setting is to install a “configuration profile” [3]. An attacker may distribute a malicious profile containing proxy settings to users connected to a given WIFI hotspot. If the attacker has convincing social-engineering skills, a user who doesn’t understand the security risks might proceed to install a malicious profile. The attacker can then modify the victim’s proxy settings to launch Phantom attacks.

Fortunately, iOS has explicitly warned users about the potential risk about changing proxy through a profile: “The network traffic of your iPhone may be filtered or monitored by a Wi-Fi proxy”, as shown in Fig.1. This stops users who are knowledgeable about the underlying security risks from installing such a suspicious profile.

Fig.1 Warning to change proxy settings

Proxy Manipulation through PAC

Another way to configure the iOS proxy setting is to use a proxy auto configuration (PAC) file [1]. Though widely used by public WIFI providers such as school libraries, a PAC file may be vulnerable to hijacking attacks when deployed through insecure channels such as HTTP. An attacker may hijack the HTTP traffic and modify the PAC file to launch a Phantom attack.

As shown in the video, at the beginning, all the apps work normally on the iOS 8.2 system. The user follows school library instructions to set the PAC configuration. The user has done nothing wrong, but the attacker now is able to change the proxy by hijacking the legitimate PAC and to perform the Phantom attack. After being attacked, the user cannot use any networking apps which all terminate immediately. The system logs keep showing crash information from various processes. As an attempt to fix the issue, the victim reboots the phone. However, the situation turns out to be even worse, i.e. the phone comes into a coma state that keeps generating crash information and doesn’t respond to user inputs.

iCloud Activation Lock Bypassing

After we notified Apple of the Phantom vulnerability, we came across a video [2] utilizing Phantom to bypass iOS activation lock. Starting from 5’05”, Phantom vulnerability is used to force the system components to keep crashing so that the home screen can show up eventually and then bypass iOS activation lock.

How to Protect against Phantom?

Enterprise IT departments should educate employees to understand all the warnings and the potential cyber security risks.

Since auto proxy settings have important security impacts for users not limited to Phantom attacks, public WIFI providers should take additional measures to protect vulnerable devices by enforcing secure deployment of PAC files through HTTPS.

iOS users can protect themselves from Phantom by upgrading their devices to the latest release. Users should also be educated to never install any suspicious profiles.

If the system has already entered the abnormal state, enter the airplane mode ASAP, and then reset the proxy settings.

Conclusions

Phantom vulnerability (CVE-2015-1118) leads to multiple UAF issues in libsystem_network.dylib and puts the system into a coma state. In this blog, we describe the causes, the symptoms and the solutions of Phantom attacks to protect users from such a threat.

References

[1] http://en.wikipedia.org/wiki/Proxy_auto-config

[2] http://phonerebel.com/bypass-ios-8-icloud-activation-lock/

[3] https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html