Pwning an iPhone over the radio

On my reading list, which… will be a long one, this is 30k words of even more deeply technical stuff than I normally write, but it’s an overview of the process of discovery and exploitation for a non-contact attack on modern iOS devices.

In this demo I remotely trigger an unauthenticated kernel memory corruption vulnerability which causes all iOS devices in radio-proximity to reboot, with no user interaction. Over the next 30’000 words I’ll cover the entire process to go from this basic demo to successfully exploiting this vulnerability in order to run arbitrary code on any nearby iOS device and steal all the user data

Let’s consider this when we put all the devices everywhere. :confused:

That really kills all of the unpatched machines out there. Apple’s had good support but I have some older iPod touches that the kids use that are no longer patched.

This broader problem isn’t Apple specific. All hardware with a radio is vulnerable to remote attacks at all levels of its stacks. Many Android and Qualcomm radios and unupdatable hardware have fallen before this.

The disturbing thing here is that Apple, with a metric fortune of cash, isn’t on top of their own vulnerability bugs. If they’re not, who is?

Nobody. Computers are too complex for even the companies who make them to reason about anymore.

Look at Intel. At this point, there’s no question that they simply can’t reason about their chips. The various microarchitectural vulnerabilities that have cracked open SGX from within the attack sphere considered (L1TF, Plundervolt, SGAxe, Platypus, and I’m probably missing a few) mean that they don’t understand their chips - even with all the literal implementation details available to them.

We can hope for some more reason with ARM or RISC-V, but… the reality is that any modern, performant chip is just staggeringly complex, and very clearly the companies involved have lost touch with the whole thing. People just know their stovepipe, not how they interact.

Well, if it’s not some exploit it’s the backdoor in your mobile device’s baseband processor, or your CPU’s management engine, or some layer of the OS, any app with an auto-updater, your browser’s telemetry, logging done by your ISP, firmware of peripheral electronics that connect to privileged buses, or any other method or any organization that can coerce the operator of any one of these potential backdoors.

I still hope for more privacy and security one day, but currently I’ve accepted it’s dead and gone, so news like this exploit isn’t as impactful as it would otherwise be to me. A hacker would just be one more person with access to all my data; there are already probably thousands of people with access to it.

These “computer” things sound amazing. Let’s put them in everything!

Reminds me of a very sarcastic Twitter account I came across once whose motto is: ‘Screw it! Put a chip in it!’.

Maybe I’m still just clinging to a false hope about making technology work for me instead of the other way around, but I haven’t given up on privacy quite yet. ‘Decoupling’ from unnecessary and/or invasive technology isn’t an instant thing, but I think it comes from making more conscious choices about what we interact with. There are ways to at least minimize the breach of privacy.

Certainly I have no idea what to do about remote-scrambling-and-code-execution attacks on a phone though. Remote jamming of some kind against a processor that causes hangs or reboots makes some sense. Following that with remote code execution I never would have guessed.