At a security conference this weekend in Las Vegas, security researchers at Check Point Software Technologies, LTD., revealed a major flaw in SQLite, the database code that runs components of a variety of services you probably use everyday. Dropbox. Firefox. Chrome. Oh, and iOS-- which means that 1.4 billion iOS devices are at risk. That's the number of iPhones and iPads that Apple are currently in use. says
According to the report, the researchers were able to exploit a memory-corruption flaw in the way the database software that manages Contacts on your iPhone, and gain privileges that allowed them to take control of a device running iOS.
Specifically, Check Point says "In short, we can gain administrative control of the device through the database engine iOS uses called SQLite. iPhone's contacts are stored in SQLite databases and that is how a hacker gains entry"
And it isn't just your contacts. iOS' password manager uses SQLite, meaning that all of your stored passwords could be at risk in an attack that exploits this vulnerability.
Check Point explains they "experimented with the exploitation of memory corruption issues within SQLite without relying on any environment other than the SQL language. Using our innovative techniques of Query Hijacking and Query Oriented Programming, we proved it is possible to reliably exploit memory corruptions issues in the SQLite engine."
Or, for anyone not up to speed on database code terminology, by taking control of the database that runs much of the software we use, the researchers were able to also gain access to whatever device is running that software-- like your iPhone.
That means simply searching your contacts could trigger malicious code in the background, without you ever knowing. That code could be used to send personal information back to the attackers, or to take over a device completely.
I also reached out to Apple, but did not immediately receive a response.
And if 1.4 billion iOS devices wasn't bad enough, it turns out the news gets worse. SQLite also powers other major software like Android, the Chrome, Firefox, and Safari web browsers, and Dropbox.
That means that all of those databases are potentially vulnerable to this type of attack. Fortunately, when I asked a spokesperson for Check Point, I was told that to date they haven't seen any instance of this type of exploit in the wild, but due to the wide use of SQLite, it is likely only a matter of time.
The researchers also notified Apple immediately and have presented their findings at the Def Con 2019 conference in hopes that the companies behind those services will find a fix and prevent their users from such an exploitation.
While an attack such as the researchers demonstrated is not extremely likely since it requires access to a device in order to manipulate the code that would allow for an attack to be triggered, there are still two things that are worth paying attention to here.
The first is that most of what we think of in terms of security for our devices and personal information is more theater than actual protection. In fact, the vulnerability in the SQLite that allows for this type of malicious code is actually four-years-old, but was never considered a risk in this context.
Most of the time our data is a lot more vulnerable than we realize, and stays safe more by luck than anything else.
The other thing to consider is that companies like Apple, Google, and others, can use all the help they can get. In fact, Apple is now offers $1 million to researchers and hackers that are able to hack an iPhone. The goal is to prod and poke at any possible vulnerability and bring it to light so it can be fixed before it's ever exploited.
The needing help part isn't unique-- it's probably also true for your company even if it isn't so high-profile that it needs to spend a million dollars to find its weaknesses.