We ain’t no crash test dummies, grumble security researchers
UPDATED Crash analysis firm ZecOps has batted away criticism that a recently released iOS exploit presents a privacy risk for researchers that use it.
The proof-of-concept (PoC) exploit developed by the firm chains a number of bugs that allows its users to run code in the context of the iOS kernel.
Researchers can use the code in conjunction with WebKit vulnerabilities or other iOS security bugs in the course of probing the security of iOS devices such as iPhones and iPads.
What’s unusual, however, is that the software happens to also steal crash dumps from any system it’s run on, as ZecOps explains in a blog post:
The POC released today is just an initial version that will allow others to take it further. The POC shares basic analytics data with ZecOps to find additional vulnerabilities and help further secure iOS – this option can be disabled in the source.
Because of its behavior, the proof-of-concept code is likely to steal sensitive information belonging to those who run it.
Some security pros recoiled when this unusual behavior was highlighted by a researcher on Twitter.
“That’s a new one,” noted Google security researcher Tavis Ormandy.
ZecOps exploits harvest any crash dump on devices it runs on – not just those related to a particular test run.
The researcher who discovered the behavior said that it would be better if ZecOps requested explicit consent anytime people sent them logs.
In response to these criticisms, the company said it was open about what it was doing.
Zuk Avraham, Founder/CEO of ZecOps, told The Daily Swig: “We transparently communicated what is collected and its purpose in our blog and GitHub, in this open source research.
“We released an update within hours following this UX improvement request.”
Avraham subsequently clarified that this "UX improvement request involved a UI [user interface] option to disable telemetry sharing in a convenient way".
ZecOps specializes in technology that “automatically analyzes crashes in order to detect attackers’ mistakes and discover sophisticated attacks”.
The exploit at the center of the minor controversy was obtained as part of ZecOps Reverse Bounty, and donated to FreeTheSandbox initiative.
This story was updated toadd attribution of the quote from ZecOps