Close this search box.

Bad ‘Karma’ exploit: lessons learned?


The backstory. Karma is a b@*%#.

In early 2016, former NSA intelligence staff, working as contractors for the UAE, facilitated a set of attacks that apparently used undisclosed flaws in Apple’s iMessage infrastructure to target victims. The attacker gained full control of the device with no action on the part of the recipient required.  Contacts, messages, and photos were retrievable by the attackers. The exploit is known as ‘Karma‘.
Although Apple claims to have patched the vulnerabilities, you will search in vain for technical details of how this attack worked. NIST does not allocate CVE numbers.
Certain messages caused iMessage to lock up or crash. Everyone knew this. In hindsight, this was clearly a potential attack vector, which was evidently secretly weaponized to escalate privileges on the target device and then ransack its contents.

Cyber-mercenaries for hire

The source of the exploit is unclear. We don’t know whether the former NSA staffers acquired it from their former employer or whether acting as ‘cyber-mercenaries’ they (or their employer) subsequently purchased it from a third party. Technical details on the attack vector(s) are very sparse. However, allegedly, Zero-day broker, Zeodium acquired links with vulnerabilities in 2015.
There are a number of disturbing aspects to this case. Firstly, the three-year delay that elapsed before reports of the attacks publicly emerged. Secondly, the involvement of former NSA staff in working for a potentially hostile foreign power. Thirdly, and perhaps most importantly, is the failure of key software vendors. In this case, Apple failed to disclose any technical information about the flaws once patches had been made available.
In the absence of any clear communication from Apple, customers – thinking that the worst that could happen was that iMessage could crash – may well not have prioritized upgrading to a fixed version of iOS, particularly with rumors swirling that Apple was deliberately downgrading the performance of older devices in newer versions of iOS.

Why can’t we be friends?

Cybersecurity relies on fundamental openness between hardware and software vendors and their customers. Organizations such as NIST strive to provide an open, publicly-available source of vulnerabilities, each tracked by a unique CVE reference. But vendors are becoming increasingly secretive about the issues they address with software patches and often don’t spell out the specific CVEs that the patch fixes. Indeed, there may be no public CVEs available at all. Hence, customers are often unable to make informed choices about risk.
The Spectre and Meltdown issues showed that it was possible for key industry players – often direct competitors – to sit down together and work out a coordinated solution that protected their customers. Even the notoriously secretive Apple joined the group. But this openness and cooperation is not the norm. Generally, vendors prefer to deal with vulnerabilities with as little publicity as possible.

Spies with screwdrivers

Some iOS vulnerabilities sell for as much as a million dollars each. Obviously, there’s a great incentive for time-rich, cash-poor attackers to search for cyber-plutonium. And there are plenty of unscrupulous actors willing to purchase the fruits of their labors. Attackers are focusing their attention on the hardware and firmware foundations on which that software is built. Spectre and Meltdown are just one such front in a broadening range of increasingly low-level cyber attacks.
Modern computer software and hardware systems are complex. The public documentation for a modern ‘SoC’ system-on-chip device can run into many hundreds of pages. But that’s only the tip of the iceberg. Typically the vendor will also have hundreds of more pages documenting non-public functionality in the device – the recent disclosure by researchers of the hitherto unknown Intel PCH ‘VISA’ subsystem is a good example.

As any security researcher will tell you, “security by obscurity” is no defense.

These secret vendor subsystems, both software and hardware, are increasingly being reverse-engineered as a potentially fruitful source of new attack vectors.High performance yet low-cost Chinese hardware is what facilitates these attacks. Historically, high-speed logic analyzers, oscilloscopes, and other test equipment didn’t come cheap. For some nation-states, test hardware was hard to obtain due to US export controls. That’s not the case anymore.
It’s fortunate that – so far – there are still a number of academic researchers openly sharing their security research and probing for vulnerabilities before the bad actors find them. But with salaries in higher education so risible compared to the rewards these folks could gain by – legally, if not ethically – going over to the ‘dark side’, how long can we expect to see public vulnerability disclosures continue?

The best offense is defense

As a customer, caught in the cross-fire, what can you do?.
Well, the message is simple. You really do have to be incredibly good at keeping everything patched. Vendors might be secretive about what, exactly, their security updates fix, but their patches are still your best defense. And with attack windows becoming ever-shorter, you need to really do move to real-time patch management.
With attacks moving ‘down the stack’, the ability of current intrusion detection tools to pick up an attack becomes increasingly compromised. The unpalatable truth is that you simply can’t rely on these tools any more as your primary protection. Too many low-level attacks such as compromised device firmware can now sneak completely under the radar. And, as these tools attempt to add yet more layers of defense, a new problem surfaces; they start compromising endpoint performance.

Why endpoint protection isn’t a panacea

Poorly-designed or inappropriately configured endpoint protection agents can introduce significant problems. These agents typically monitor low-level operations such as file accesses in order to protect unauthorized access by malware. They act like ‘resource amplifiers’ if they aren’t carefully configured. A legitimate process with high levels of file access can find itself competing for resources with an endpoint protection agent that is monitoring these accesses.  CPU, memory and disk resource is zapped from the very endpoint it is supposed to be protected by the endpoint agent itself! Consequently, endpoint performance can suffer, sometimes catastrophically.

Know what you own. Then patch it. Right this minute!

That’s why the foundations of good cybersecurity continue to be based on timely security patching and real-time asset control. Tackling both well sounds simple at first, but can often be surprisingly challenging. Fortunately, there are some excellent vendor solutions available. Many of these vendors have had decades of experience in systems management, OS migration and patch management. Endpoint protection agents can be helpful but don’t rely on them as your primary first line of defense. Patch first, and ask questions later. The bad guys are coming for you, and this time they have screwdrivers!


The FORRESTER WAVE™: End-User Experience Management, Q3 2022

The FORRESTER WAVE™: End-User Experience Management, Q3 2022