Credit: MichaelJayBerlin

Speaking at the Def Con 2019 security conference in Las Vegas this week, researchers from Check Point demonstrated a rare vulnerability in iOS that could allow attackers to run malicious code on Apple devices. Here’s what you should know.

The Exploit

The Check Point researchers discovered the vulnerability in SQLite, an industry-standard database format. Essentially, it’s a technique that takes advantage of memory corruption issues in the format.

“SQLite is the most widespread database engine in the world,” Check Point said in a statement. “It is available in every operating system, desktop and mobile.” That includes the iOS Contacts app.

To put it another way, if you search for a contact in the Contacts app, you’re actually just using the SQLite format. The researchers found that they were able to replace just one component of the iOS Contacts app to gain the ability to run malicious code on an iPhone or iPad.

In a blog post, Check Point also noted that the exploit can be used to gain persistence on iOS. Essentially, the ability to run code even after a device is rebooted.

Normally, that’s no easy feat because “all executable files must be signed as part of Apple’s Secure Boot.” But SQLite databases do not need to be signed.

Worryingly, the researchers stated that once they replaced one of the more common databases with their own malicious version, they were able to gain code execution privileges on an iOS device when it was rebooted.

As an example, the researchers demonstrated a simple attack that simply crashed the Contacts app. But they noted that the technique could also be used to “expand and elevate our privileges.”

That could include malicious processes, including stealing passwords from an iOS device.

Interestingly, the exploit actually relies on a bug that was first discovered four years ago — and still hasn’t been fixed. Reportedly, the bug seemed to be unimportant because it was believed that it could only be exploited by an unknown app. On a walled-garden system like iOS, there are no unknown apps.

But with a little additional effort, the researchers were able to make a trusted app send code to trigger the bug. Essentially, they found a way around iOS’s garden walls.

What Can You Do to Protect Yourself?

Fortunately, there’s a fairly simple mitigation tactic to stave off the exploit’s threat: just keep your device locked and by your side.

While the researchers found it fairly easy to install a malicious replacement database on iOS, the technique requires access to an unlocked device. If your device is protected by biometrics or a passcode, the exploit won’t work.

Similarly, while the security vulnerability has been around for several years, it’s likely to be patched due to the additional publicity. The white hat hackers said they have responsibly disclosed their research and methodology to Apple.