For those curious, I was on the latest 17.4 at the time and Signal 7.2. 17.4.1 and 7.3 were released the next day.
You're still welcome to contact me on WhatsApp or Twitter.
1/N Apple has finally acknowledged my kernel heap overflow and fixed it on 11.2.5 (CVE-2018-4109). While I didn't write an exploit, it's one of the most hidden vulnerabilities I've ever found, and it took me a couple of days to trigger it once I found it!
Well, that should help get you started on the latest ones:
iCrypto -f iBoot.d11.RELEASE.im4p -k 53c616cddb7c0ca65b216643d2c35f3a0b5223de14e82af376ee440973d1148e0fc4a46595b88292ee0c4adee3587298 -o iBoot.d11.RELEASE.4513.230.10
I'm not sure if a coincidence or not, but on iOS 10.3.1, my sysctl trick to bypass SMAP was "challenged". Apple switched the order of l1dcache and l1icache... so now the whole exploit is a little bit more messed up. Anyway... ZiVA runs on 10.3.1 :)
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).
I must say, this is one of the only few times I feel like my work is actually reviewed based on its content and not based on the amount of money the company I represent pays :)
While iOS 14 introduced a lot of mitigations, it seems like iOS 14.2 is very "recent exploits" oriented (rather than general mitigations like sandboxing, heap isolation, etc). Lots of exciting features! My only question is how come we've had to wait for so long to see this.
3/N if it makes it better in any case, this is accessible from the sandbox (so theoretically if someone plans to write an exploit, @Morpheus______'s jailbreak framework can be used with that).
So in 2017 I managed, among dozens of other things, to switch to a new company, start working on iOS, get an EU passport and, with 20 days' notice, emigrate to Europe. It has been the best year of my life, but 2018 is going to be even better!! 🎉🎊🎆
I usually don't play CTFs but this year #35C3CTF gives so many "real life" challenges and I think that's how CTFs should be done. Kudos to @EatSleepPwnRpt! Best CTF I've seen so far.
Here's a video of an unusual behavior I captured on my device Thursday last week. Note the number of "Signal Connection" (=verified) contacts I have never seen before, along with two VoIP call attempts.
The last iOS major update was almost 3 months ago! Since the release of iOS 14, it was usually a month for each major version. Tons of security patches including new mitigations are on 14.5, probably the vastest major update in regards to security since I got into iOS research
So one of my guesses about Apple trying to sue @CorelliumHQ is that their new research devices gonna suck and therefore everyone will try getting a corellium license instead. I still have no idea why somebody would beg for a device from Apple when fused ones are still easy to get
I'm still overwhelmed by how great @0x41con was. I could never have done something like that without @xerub. I'd like to thank all the attendees and speakers as well for showing up. See you next year in (probably) Greece!
@0x41con is on the map 😎🤟
IMO, iOS kernel exploitation was recently the easiest platform out there... With great spraying, vtables in the kernel and simple memory allocator I couldn't ask for more. PAC makes it however more complicated than any other platform nowadays (or at least until Android gets it)
@tihmstar If you really wanna take it far, you can always generate an IPA from your website and ask for a device UDID/other identifier, which will be used in the generated IPA so it will only work on a specific device... That's harsh, but nobody will mirror you this way
WhatsApp has (present tense) bugs in it, surprise. If you care more about IM security, I would download Signal (despite the existence of exploitable bugs in it as well) or something that doesn't become ads on Facebook later on.
I hope I get the opportunity to present at #HITBGSEC. And for what it's worth, I don't think I ever saw that kind of bugs in iOS before. I'm grateful for your votes, hope to see you there!
Our house committee lost the certificate for the key in the main entrance. My flatmate Messi connected Arduino to the intercom and now we can remotely open up the door! I'm offering a 0$ bug bounty for the first guy who can open the building's door remotely ;)
We will continue to protect #NetNeutrality in Europe, ensuring that all traffic is treated equally:
→ Every European must be able to have access to the #openinternet
→ No blocking or discrimination of online content, applications and services
@benhawkes I think people underestimate the amount of bugs Apple fix which are actively exploited in the wild. These are not the first ones and most certainly not the last ones.
Seems like iOS 17 beta 1 puts crash dumps in /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/ instead of the usual /private/var/mobile/Library/Logs/CrashReporter/.
As a result, afcd -r won't completely delete the logs after they're
#34c3 is by far the best conference I’ve attended so far. But I can’t hide my disappointment with Leipzig. The venue is in the middle of nowhere and each time you wanna go somewhere (eat, do something, etc) you must take a cab and can’t walk... :(
If you know and like my other free tools - then you totally need to know this one. Not free this time, but indubitably my finest creation yet. Took a *VERY* long time to get this tool to be totally rock solid, dynamically object aware, and just plain awesome.
iOS 14 is a massive update for privacy:
- limited photo library
- approximate location access
- clipboard access warning
- LAN access permission
- camera indicator
- Safari tracker report
- app data use info & tracking prompt
- encrypted DNS
- random MAC address
I love it ❤️
It's like every new XNU release out there, Apple adds new stages where compilation fails. (libdispatch, src/shims/atomic.h -> internal/atomic.h, if anyone had the same problem).
@pninch You simply never asked a non-Israeli (even a Jewish one) how much shit they go through at security screening in Israel. In the best case, humiliating questions that wouldn't embarrass an IDF security interrogation; in the more standard case, the whole suitcase gets turned upside down plus the questions; in the less standard case, a delay of several hours.
When I get home I'll release a PoC source code. According to rumors if your video is cool enough AppleD5500 will still be generous in terms of exploitation 🙄
JPEG-XL (a freshly-standardized proposed successor to JPEG) has a tiny language in it to encode a prediction function (guess next pixel from previous). Images that are _exactly_ this prediction are super small, and can be pretty artsy.
This one is amazing.
Most iOS/Android updates bring pretty much nothing interesting to the table. But I must say, as a frequent traveler, Sidecar is the best feature I've yet to see in the last couple of years. Having 2 monitors while traveling? Apple really nailed it this time
Good read as always, and also highlights how the recent XNU mitigations greatly required stepping up the game. Such vulns were a 1 week project or less up until 1-2 years ago.
Not the first time someone I've never talked or reacted to from infosec is blocking me. And although I've never pressed follow, ngl - it was amusing watching this bullshit (especially the videos).
If you use 0days and they get burnt, that's the circle of life. Don't whine about it, whether you're a blackhat or government "counterterrorism" operation.
Downgrading an iPhone has progressively become such a pain in the ass. It's like I can't even downgrade normally anymore, and the errors are less and less indicative. Is this a new mitigation?
@0x41con was awesome! It's the first time I've attended such an event and I really enjoyed it! Looking forward to the next one, which will take place in Amsterdam!!