• @[email protected]
    link
    fedilink
    English
    54
    edit-2
    11 months ago

    I wonder if that backdo… ermmm… i mean… undocumented feature… will be useful for ios jailbreaking.

  • Brad
    link
    fedilink
    English
    3811 months ago

    It’s gonna be a “yikes” from me, dawg

  • @ClopClopMcFuckwad
    link
    English
    2511 months ago

    Can someone much smarter than I am, explain like I’m a toddler?

    • @[email protected]
      link
      fedilink
      English
      57
      edit-2
      11 months ago

      Basically they found out that anyone who knows how this work can send you an iMessage with an attachment that won’t show up on your end without the need of your interaction and do whatever they want on your iphone.

      P.S. I’m not smart nor I’m an expert.

    • @specseaweed
      link
      English
      53
      edit-2
      11 months ago

      What the other dude said, but the level of sophistication was miles beyond what you typically see from even nation states. The takeaway is you cannot defend yourself from a nation that wants your information.

      • @[email protected]
        link
        fedilink
        English
        1211 months ago

        Well, it certainly helps when that nation gets to build hardware backdoors into the stuff you buy.

      • Nix
        link
        fedilink
        English
        411 months ago

        Iirc lockdown mode would prevent this exploit from working

        • @GamingChairModelOP
          link
          English
          511 months ago

          Lockdown mode was released by Apple after these devices had already been infected for 3+ years, and was a response to evidence that iMessage preview functionality was already actively being exploited to spy on people.

    • @GamingChairModelOP
      link
      English
      2611 months ago

      Someone figured out a way that could hijack iMessage through sending a special malicious PDF that took advantage of a flaw in some legacy font rendering code unique to Apple, that even Apple hadn’t used in decades.

      Then, that PDF launched a JavaScript debugger that is built into iPhones, and took advantage of a flaw in that to jump into putting some code into the parts of user memory, that the system doesn’t fully trust.

      Then, that code takes advantage of another flaw to bypass the system’s protections for not fully trusting that code, to secretly launch a web browser and navigate to a secret webpage that runs a much bigger piece of malware.

      That malware can read and modify basically anything on the system, and was used to read all sorts of sensitive data: message history, location information, app data, etc.

      Because the whole exploit chain was so advanced and involved so many different previously unknown vulnerabilities, basically the list of possible suspects is very, very short: some kind of nation state with advanced hacking capabilities.

    • @PM_Your_Nudes_Please
      link
      English
      411 months ago

      So you can think of security as being done in layers. iPhones have apps exist in a sort of “prison”, so a malicious app can’t go modify other apps or the OS. It exists solely in its own little room. It can pass notes under the door to the OS to ask for calculations, and receive the results of those calculations. But it can’t leave that room to modify things outside. And the OS can run verifications on the notes it gets passed, to ensure they’re not malicious before it tries to calculate them. Lastly, the OS uses a secure calculator called the kernel to actually make those calculations and get the results.

      First, this attack exploited a PDF vulnerability, to attack iMessage. When the victim receives the message with the infected PDF, iMessage attempts to generate a preview of it; This initiates the attack. This happens automatically, and means the user doesn’t even need to interact with the message. This attack hijacks the Messages app, and essentially allows Messages to break out of the room it was sealed in. Now iMessage is able to modify other apps and interact with the OS directly

      Next, it attempts to get outside of the OS, to the kernel. The kernel is essentially the hardware level of the phone, where everything is 1’s and 0’s. The user interacts with the app, the app interacts with the OS, and the OS interacts with the kernel to do the actual processing. But even inside of the OS, the kernel has protections; That calculator is secure, and can’t be modified. The OS has large parts of the kernel marked as “read only” so it can’t be changed. The OS only allows itself to push the specific buttons on the calculator that it knows will work correctly. This is intentional, to prevent accidental or malicious kernel modifications. If an app asks the OS to push any insecure buttons or change the calculator, the OS will normally refuse.

      But this attack uses another zero-day vector to break out of the OS and interact with the kernel directly. Now the app is able to type on the calculator without talking to the OS first. But this still isn’t enough, because the kernel is still marked as read-only. Lastly, the attack uses another zero-day exploit to attack a hardware vulnerability, and flip those sections of the kernel from read-only to lol-yeah-you-can-write-whatever-you-want. This allows the compromised app to modify the calculator to produce whatever results they want. They can change the calculator to have 1+1=3.

      And once the kernel has been rewritten, the entire phone is compromised. Even an OS update won’t fix things, because the OS is only interacting with the kernel (which is still compromised even after the OS update.) Even if you fix the OS to prevent another attack, the calculator still says 1+1=3. The hacker essentially owns the entire device at that point, because kernel-level access will allow them to supersede the OS.

      • @ClopClopMcFuckwad
        link
        English
        111 months ago

        Is this type of thing why BlackBerry used to reign supreme when it came to device security?

        • @[email protected]
          link
          fedilink
          English
          111 months ago

          Thanks for your comment it gave me a lot of thoughts like: “Why did I think that my blackberry was secure (or more secure than other phones)?”

          TLDR: I couldn’t find the answer but I think it’s because they were the first major smartphone and had a encrypted messaging app.

          Here’s a few sources for further reading.

          Obligatory Wikipedia Overview: https://en.m.wikipedia.org/wiki/BlackBerry_Limited

          Blackberry had early smartphones and went all in on keyboard phones:

          https://d3.harvard.edu/platform-digit/submission/the-rise-and-fall-and-rise-again-of-blackberry/

          Sorry I couldn’t have been more helpful, but hopefully this gives you a good starting point.

          • @wikibotB
            link
            English
            211 months ago

            Here’s the summary for the wikipedia article you mentioned in your comment:

            BlackBerry Limited (formerly Research In Motion) is a Canadian software company specializing in cybersecurity. Founded in 1984, it originally developed the BlackBerry brand of interactive pagers, smartphones and tablets. In 2016, it transitioned to a cybersecurity enterprise software and services company under CEO John S. Chen. Its products are used by various businesses, car manufacturers, and government agencies to prevent hacking and ransomware attacks. They include the BlackBerry Cylance, the QNX real-time operating system; BlackBerry Enterprise Server (BlackBerry Unified Endpoint Manager), and a Unified Endpoint Management (UEM) platform.

            article | about

  • JATth
    link
    English
    2111 months ago

    Shorter version: Operating systems set up hardware locks and protections to confine processes, and once set up, they cannot be undone. (the hardware + OS denies modifications to the security policy)

    • Attacker broke out from the app sandbox. (attacker can run code in the infected process)
    • Broke out of the process. (gained root access; attacker can run anything)
    • Broke into the kernel space (gained 100% control over the hardware)
    • Corrupted some kernel memory via a damm magic MMIO accesses nobody knows (hardware vulnerable)
    • Bypassed protections that kernel set up earlier such that it cannot accidentally modify itself.
    • Finally broke the kernel via hardware exploit thus the attacker got rootkit level access.

    Getting arbitrary code execution and root access is one thing, but breaking out from the damm kernel configured hardware protections is insane.

    They basically managed to flip a “read-only” switch to “modify-as-much-as-you-like”. The infected device at this point is broken beyond repair, as the firmware(s) may have been tampered with. End result is a terrestrial spy brick.

    • @[email protected]
      link
      fedilink
      English
      911 months ago

      Not only that, but using an initial exploit which could be remotely triggered with NO user interaction or visibility. That’s scary shit

    • archomrade [he/him]
      link
      fedilink
      English
      7
      edit-2
      11 months ago

      This is a nightmare, but thank you for detailing this. Having only read a little bit of this and not understanding it, it seems like the exploit works even if the recipient does not open or interact with the malicious message? Is that what i’m understanding?

      If so, i’m officially stapling my tin-foil hat to my head and never using a cell phone again.

      • JATth
        link
        English
        711 months ago

        The attack is spread via iMessage. A vulnerable device merely needs to receive a bad message with PDF attachment. --> A Remote code execution. No user interaction.

        Yikes. Indeed.

        The attack entry point is via bad TrueType font + PDF attachment that only needs to processed once. Once a process touches that, the attack vector begins and exploits are chained until they get kernel mode access. After getting kernel mode access all hope is lost, the attacker owns the device.

        Only sliver of hope is that fixing the attack entry point blocks the current attack. And that bug is:

        This attachment exploits the remote code execution vulnerability CVE-2023-41990 in the undocumented, Apple-only ADJUST TrueType font instruction. This instruction had existed since the early nineties before a patch removed it.

        But unless all the CVEs are patched, it is just matter of time a new attack entry point is found.

  • @systemglitch
    link
    English
    2
    edit-2
    11 months ago

    Makes me laugh because of how cultishly people claim iphone is secur, yet we keep hearing how susceptible it really is to attacks. There is a real disconnect there.

    I would feel foolish making these claims, and paying more for a device that’s only real achievement is a walled garden.

    • @sirfancy
      link
      English
      2811 months ago

      This is kind of a ridiculous take. I hate iPhones, but this is not a “hurr durr iPhones bad and insecure” moment. I implore you to look at the sophistication of this attack. The attack chain is so ridiculously long and complex, and only because of the security of the iPhone. This is not a script kiddie attack, and could only be executed by a very determined party.

      No device is secure, and any and all computers could potentially fall victim to an attack like this, but it is absolutely ignorant to say that iPhones don’t offer any more security than other devices.

      • @hansl
        link
        English
        611 months ago

        FYI: I don’t think you’re replying to someone acting in good faith.

      • Yeah absolutely. This line from the article summs it up pretty well… ““What we do know—and what this vulnerability demonstrates—is that advanced hardware-based protections are useless in the face of a sophisticated attacker as long as there are hardware features that can bypass those protections.””

        Edit: We also have no idea how many zero days there are in Android, either. 🤷‍♂️ But at least it’s a bit more open source than iOS 😂

        • @sirfancy
          link
          English
          4
          edit-2
          11 months ago

          Yeah. The moral is “every and all devices have an unknown number of zero-days inactive or actively being exploited at any given time”, not “iPhone is just as insecure as everything else”. There’s a difference, and credit is deserved where it’s due.