ISO.org Data Leak Ignored By Apple

The Dark Side of Apple — Allowing a 10,000+ User Data Leak

Jonathan Scott


Overview

As I was preparing material for a lecture I was to give on the ethics of mobile forensics, I ran forensics tools I have developed that extract URLs from large data sources.

I was going to demonstrate how URLs in mobile firmware such as iOS and Android OS are often overlooked and can lead to larger vulnerabilities. I didn’t expect to find an issue this massive in iOS.

A link embedded in an open source code comment turned out to be a backdoor into ISO.org, and further led to a massive data exposure of over 10,000 customers of ISO.org. These customers work for government agencies and large Fortune companies around the world, and likely have no idea that their first names, last names, usernames, and emails are exposed to the world.

Who and What is ISO.org?

The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations.

Founded on 23 February 1947, the organization develops and publishes worldwide technical, industrial and commercial standards. It is headquartered in Geneva, Switzerland and works in 165 countries.

Source: https://en.wikipedia.org/wiki/International_Organization_for_Standardization

ISO.org is also the entity that sponsors world events with world leaders. For example: the G7 Summit.

Tagline for the G7 Summit: “Building Back Better With ISO Standards”.

Source: https://www.iso.org/news/ref2686.html

Build Back Better

Where have we seen that tagline before? Ah yes, President Joe Biden. I’ll tie all this together in another post, but this sure does get interesting.

Source: https://joebiden.com/build-back-better/

Build Back Better

The Technicals

I decompressed the DMG inside iOS 15.0.2 (018-78120-011.dmg); the build name is Sky19A404.D63OS.

I ran my forensics tool and found the following as one of the direct URLs.

I found this file path both as a symbolic link and as an absolute path, and it carries the URL below.

/usr/share/zoneinfo/iso3166.tab

URL: https://isotc.iso.org/livelink/livelink/Open/16944257

What is iso3166.tab?

In short, when you set up your iPhone you are asked to select your country; this large list maps country names to two-letter country codes and is saved in a data file.

This is a really important part of the setup. If you choose a region or country that has licensing and distribution restrictions you won’t be able to download apps, stream songs, and download a lot of other content. Apple has to play by the rules of that region.

For this file specifically, ISO 3166 alpha-2 is what we are focusing on; it is defined as follows.

“ISO 3166-1 alpha-2 codes are two-letter country codes defined in ISO 3166-1, part of the ISO 3166 standard[1] published by the International Organization for Standardization (ISO), to represent countries, dependent territories, and special areas of geographical interest. They are the most widely used of the country codes published by ISO (the others being alpha-3 and numeric), and are used most prominently for the Internet’s country code top-level domains (with a few exceptions). They are also used as country identifiers extending the postal code when appropriate within the international postal system for paper mail, and have replaced the previous one consisting of one-letter codes. They were first included as part of the ISO 3166 standard in its first edition in 1974.”

Source: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
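As an added example (this is not the author’s forensics tool and not tzdata or Apple code), here is a small Python audit that does the two things described above: it parses the tab-separated code/name rows of an iso3166.tab-style file, and it pulls every URL out of the file’s comment lines and flags any whose host is not on a reviewer-supplied expected list. The sample file is a constructed excerpt in the file’s layout (the real header is longer); the two URLs in it are the ones quoted in this post, and the expected-host list passed in is an assumption a reviewer would set for their own build.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed excerpt in the layout of tzdata's iso3166.tab: '#' comment
# lines first (where the link this post discusses lives), then one
# "<alpha-2 code><TAB><name>" row per line. Not the real file.
SAMPLE_ISO3166_TAB = """\
# ISO 3166 alpha-2 country codes (constructed excerpt for this example)
#
# Column 1: ISO 3166-1 alpha-2 code, see
#     https://isotc.iso.org/livelink/livelink/Open/16944257
# Column 2: English name of the country or territory.
# Earlier revisions cited
#     http://www.iso.org/iso/home/standards/country_codes/updates_on_iso_3166.htm
#
#country-
#code\tname of country, territory, area, or subdivision
AD\tAndorra
CH\tSwitzerland
GB\tBritain (UK)
US\tUnited States
"""

# Matches an http(s) URL up to the first whitespace, quote or closing bracket.
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def extract_urls(text: str) -> List[str]:
    """Return every http(s) URL in text, first-seen order, duplicates removed."""
    seen: Dict[str, None] = {}
    for match in URL_RE.finditer(text):
        # Trailing sentence punctuation is not part of the link.
        seen.setdefault(match.group(0).rstrip(".,;"), None)
    return list(seen)


def parse_iso3166_tab(text: str) -> Dict[str, str]:
    """Parse the data rows into {alpha-2 code: name}.

    Comment and blank lines are skipped. A row that is not exactly
    "<two uppercase letters><TAB><name>", or that repeats a code, raises,
    so a corrupted or tampered table fails loudly instead of mapping silently.
    """
    table: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 2 or not re.fullmatch(r"[A-Z]{2}", parts[0]) or not parts[1]:
            raise ValueError(f"line {lineno}: malformed row {line!r}")
        code, name = parts
        if code in table:
            raise ValueError(f"line {lineno}: duplicate code {code}")
        table[code] = name
    return table


def audit_urls(text: str, expected_hosts: Iterable[str]) -> Dict[str, bool]:
    """Map each URL in the file to True if its host is on the expected list.

    A False entry is a link a reviewer should resolve and justify before the
    file ships; that review step is the one this post argues was missing.
    """
    allowed = {host.lower() for host in expected_hosts}
    return {url: urlsplit(url).hostname in allowed for url in extract_urls(text)}


if __name__ == "__main__":
    # Assumed expected-host list for this demo; a real build would set its own.
    for url, ok in audit_urls(SAMPLE_ISO3166_TAB, ["www.iso.org"]).items():
        print(("expected  " if ok else "REVIEW    ") + url)
    print(len(parse_iso3166_tab(SAMPLE_ISO3166_TAB)), "country codes parsed")
```

Run against the sample, the www.iso.org link is accepted and the isotc.iso.org link is marked for review, which is the outcome a release check on shipped open source files is meant to produce; pointing the same functions at a real zoneinfo directory only requires reading each file’s text first.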

After opening iso3166.tab, I found some key things…

A

The iso3166.tab file was originally written 05/17/2009 by Arthur David Olson.

I found an old email thread that had Arthur’s email address as olsona@elsie.nci.nih.gov. This is important to remember because it’s evident that Arthur works for NIH.gov. I’ll be referring back to (A) later on in this post.

B

Paul Eggert updated this iso3166.tab file 05/02/2015.
Paul Eggert is a professor of computer science at the Samueli School of Engineering UCLA.

Source: https://samueli.ucla.edu/people/paul-eggert/
Github: https://github.com/eggert
Commit Diff — 05/02/2015: iso3166.tab
https://github.com/eggert/tz/commit/30a8c5406d3b8cdc17973628fe80ae1b63769829#diff-e5919fb2a195c61372529aa1b85af27218bd019942ea35bd1faf1fb746209560

C & D

We can see from the GitHub commit that this is the original source of the file, and it still does not contain the vulnerable URL: https://isotc.iso.org/livelink/livelink/Open/16944257

In 2015 the file pointed to the following URL, citing ISO standards: http://www.iso.org/iso/home/standards/country_codes/updates_on_iso_3166.htm

E

iso3166.tab had its final update on 11/06/2018, but before that 2018 update there is a critical update to this file that needs to be mentioned.

On February 28th, 2017, Paul Eggert committed a change to the repo with the following message:

Fix dead ISO links
* iso3166.tab: The ISO 3166 maintenance agency changed its website
format. Problem reported by Derick Rethans in:
http://mm.icann.org/pipermail/tz/2017-February/024874.html
* tz-link.htm: Fix dead link to ISO 8601.

The commit message says that Derick Rethans reported an issue with http://www.iso.org/iso/home/standards/country_codes/updates_on_iso_3166.htm

This link is visible in C & D.

Derick says the following:

Derick clearly states that the data ISO once had available to the public is no longer available, and suggests using

https://www.iso.org/obp/ui/#search

When visiting the suggested URL and typing in iso3166, we can see clearly that the data we are looking up is behind a paywall and must be purchased.

Similarly, Derick also suggests using the following URL, but this directs the user to a paywall as well:

https://www.iso.org/obp/ui/#iso:code:3166:GB

This is where we first see the commit from Paul Eggert that points to the vulnerable URL that is being used all around the world in thousands of applications.

The First Sighting of the ISO.org backdoor

ISO.org backdoor first sighting

Source: https://github.com/eggert/tz/commit/fa1185fd062c870c7cdc4bc1a1c6314694625c8c#diff-e5919fb2a195c61372529aa1b85af27218bd019942ea35bd1faf1fb746209560

Why include this backdoor?

In my opinion, the intention was just to reference the ISO 3166 data, as seen here:

The issue with referencing this URL is that it was not approved by ISO.org, and there is more than just ISO 3166 data available when you start to traverse this backend.

Browsing around the ISO.org Backend

It’s evident that ISO.org has not done anything to secure this backend content server, and it’s unfortunate because it does not just contain public information, it contains private corporate data, admin restricted data, and more.

How can we access this? In the top right of the content server there is a search bar. If you select the drop-down that says “Enterprise [All Versions]” and you start poking around, you’ll find some really interesting information when you type in a keyword such as “admin”.

You will find thousands of emails sent to clients and a lot more.

I reported this to ISO.org and to Apple, and for months I was ignored, but I had media validate my findings, and I have video and screenshots of the data leak.

UPDATE: As of December 18th, 2021, ISO.org has fixed this data leak. Coincidence? I retweeted an article written about this, and now the giant data list is fixed. Interesting.

This is what it looked like.

Apple denies responsibility for including this backdoor in their open source software. In an email to me they state:

“After examining your report we do not see any actual security implications with Apple products or services. This link is included in open source code as part of the ISO standard.”

As we know, this was never part of open source code provided by ISO. So why are they lying?

Wrapping Up

I’m glad the data is no longer leaking, but I’m disappointed that ISO.org never responded to my direct Twitter messages or my emails alerting them to this situation, and yet again a vulnerability is fixed behind my back with no acknowledgment at all. This is very common as a security researcher, and it is one of the worst parts of the infosec industry.

I hope this serves as a lesson for everyone to check your open source code, and ISO.org, if you’re reading this: you’ve only stopped 1 of thousands of vulnerabilities on your content server; you can thank Apple for still providing a backdoor to your private client data to this day, December 18th, 2021.


Jonathan Scott

Computer Scientist, MSCS. Researching mobile (malware/spyware/forensics/crypto)