Anatomy of the Attack
To understand this vulnerability, you need to understand that one of the ways Apple protects its users is by controlling how third-party software interacts with iOS. An iOS application can only run in the background for a limited time before the application is suspended by iOS. Generally this time limit is three minutes. This limitation not only helps ensure predictable responsiveness in user interaction, it also prevents any app from eavesdropping in the background. For example, a music app may have legitimate reason to ask permission to access GPS location and microphone while working on the foreground, but few users would want the app to run in the background to continually monitor GPS locations and recording audio. The control by iOS is supposed to prevent such abuse of permissions.
The iOS task switcher is a user interface that shows the list of recently open apps. When a user closes an app by pressing the home button, the app goes into background, and is subject to some strict limitations imposed by iOS on background apps. Furthermore, a user can choose to completely shut down an app by removing it from the task switcher.
The Ins0mnia vulnerability allowed an app to circumvent these limitations. A malicious application could leverage the Ins0mnia vulnerability to run in the background and steal sensitive user information for an unlimited time without the user’s consent or knowledge. This sensitive information could then continuously be sent out to a remote server. This flaw could also be leveraged to drastically reduce device performance and system usability. It could even be used to drain the battery.
The attack consisted of fooling the idevice into believing that the iOS application was being debugged. This prevented the system from suspending the application when the permitted background duration expired.
To fool iOS, a malicious application could leverage ptrace, and utilize the ptrace code that handled the PT_TRACE_ME request to set the flag P_LTRACED and gracefully return 0. By setting the P_LTRACED flag, the application prevented the assertiond process from suspending the malicious application. Note that PT_TRACE_ME was a request made by the traced process to declare that it expected to be traced by its parent.
If an app exploited this vulnerability and the user removed the app from task switcher, the application would continue to run in the background, while the user believed the application had been completely shut down.
We also noticed that an application did not need the get-task-allow entitlement to be set to true, nor did it need any other special entitlements or background modes. Unlike other known iOS malware that runs only on jailbroken devices, or must be distributed with Apple Enterprise Certificates, a hypothetical Ins0mnia malware didn't require anything not allowed by Apple. We believe that such an application had a high probability of passing the Apple Store review, making it a rare loophole for an attacker to distribute malware within Apple’s walled garden.
Demo
This video demonstrates a malicious iOS application that the user believes they've terminated, but which keeps running without the user’s knowledge and sends victim location updates to an attacker.