
Yet again (it never ends) hackers exploit iOS insecurities with zero-day remote access to the entire device over Wi-Fi, with no user interaction required at all


Arlen Holder

Dec 3, 2020, 12:58:39 AM
The security holes never end, as Apple has _never_ sufficiently tested iOS.

"Of course, an iPhone isn't designed to allow people to build
capabilities like this. So what went so wrong that it was possible?
Unfortunately, it's the same old story. A fairly trivial buffer overflow
programming error in C++ code in the kernel parsing untrusted data,
exposed to remote attackers.

In fact, this entire exploit uses just a single memory corruption
vulnerability to compromise the flagship iPhone 11 Pro device.

With just this one issue I was able to defeat all the mitigations in
order to remotely gain native code execution and kernel memory read and
write."

o An iOS zero-click radio proximity exploit odyssey
<https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html>

The only place iOS is _ever_ sufficiently tested, is in MARKETING brochures.
o The lack of security in iPhones is petrifying to those comprehending fact

"In this demo I remotely trigger an unauthenticated kernel memory
corruption vulnerability which causes all iOS devices in radio-proximity
to reboot, with no user interaction... in order to run arbitrary code
on any nearby iOS device and steal all the user data"

And get this: It's even wormable!
--
The utter lack of R&D (in favor of MARKETING) is why iOS is so insecure.

Arlen Holder

Dec 3, 2020, 1:09:13 AM
How iOS is horribly untested for holes is underscored in this article:

"Imagine the sense of power an attacker with such a capability must feel"

Note: Everything below is verbatim because Apologists _hate_ what Apple is,
so they brazenly deny all facts about Apple they simply don't like, and
they blame everyone but Google for Apple never having tested iOS
sufficiently, and when asked for facts, they act like small children do.

"a memory corruption bug in the iOS kernel that gave attackers remote
access to the entire device—over Wi-Fi, with no user interaction
required at all. Oh, and exploits were wormable—meaning radio-proximity
exploits could spread from one nearby device to another, once again,
with no user interaction needed."

o iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks ever
<https://arstechnica.com/gadgets/2020/12/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever/>

"The fact you don't have to really interact with your phone for this to
be set off on you is really quite scary. This attack is just you're
walking along, the phone is in your pocket, and over Wi-Fi someone
just worms in"
--
Apologists deny and blame and act like children when confronted with facts.

Arlen Holder

Dec 3, 2020, 1:15:07 AM
Again, verbatim, simply because *Apologists _hate_ Apple* so much that the
only way Apologists can maintain their imaginary belief systems is to deny
all facts they don't like, blame everyone but Apple for Apple's lack of iOS
testing, and when asked for facts, Apologists turn into instant children.

"a wormable radio-proximity exploit which allows me to gain complete
control over any iPhone in my vicinity. View all the photos, read all the
email, copy all the private messages and monitor everything which happens
on there in real-time."

o Watch This Google Hacker Pwn 26 iPhones With a 'WiFi Broadcast Packet of Death'
<https://www.vice.com/en/article/4ad3jm/watch-google-hacker-ha-26-iphones-with-zero-day-exploit>

"if your iPhone was in range of someone with this capability, they could
take it over without requiring you to click on a dodgy link or anything
like that. What's worse, Beer's exploit could have been made into a worm,
meaning it could propagate to nearby iPhones automatically, spreading
exponentially, kind of like—if you'll allow me the cringey metaphor,
a cyber coronavirus."
--
The only people who believe iOS is sufficiently tested are utter fools.

Arlen Holder

Dec 4, 2020, 1:51:04 AM
Update (for the permanent record)...

o An iOS zero-click radio proximity exploit odyssey, by Ant
<https://groups.google.com/g/misc.phone.mobile.iphone/c/gJYr-XnRsr8>

This is further evidence that iOS has, essentially, no security (IMHO)
o The reason, IMHO, is simple: *Apple simply never tests iOS sufficiently*.

It's apparently sufficient for Apple MARKETING to loudly tout that which is
imaginary security; where, it seems, most Apple owners simply believe the
bullshit about security because, well, you don't want to know what I think
about people who can't comprehend basic obvious well-cited clear facts.
--
Nobody in high tech spends _less_ than does Apple on R&D percentage spend.

Arlen Holder

Dec 4, 2020, 7:38:28 PM
On Fri, 4 Dec 2020 19:02:52 -0500, JF Mezei wrote:

> (the kernel, no matter how privileged it might be, has no privileges when
> talking to secure enclave)

Hi JF Mezei,

Regarding Ant's recent doublepost of my news-breaking thread (as always)
o An iOS zero-click radio proximity exploit odyssey, by Ant
<https://groups.google.com/g/misc.phone.mobile.iphone/c/gJYr-XnRsr8>

Adults will comprehend the significance of this direct quote:
"AWDL can be remotely enabled on a locked device using the same attack,
as long as it's been unlocked at least once after the phone is powered
on. The vulnerability is also wormable; a device which has been
successfully exploited could then itself be used to exploit further
devices it comes into contact with."

You're not an apologist, so your question is the first adult post to Ant's
thread, where the apologistic morons who posted each proved instantly that
they can't even comprehend the news articles at an adult level.

I trust you comprehend the adult content in this quote from the blog:
"As things stand now in November 2020, I believe it's still quite possible
for a motivated attacker with just one vulnerability to build a
sufficiently powerful weird machine to completely, remotely compromise
top-of-the-range iPhones."

Given Google proved iOS has never been sufficiently tested (since at least
iOS 4), it shouldn't even be hard for a well-funded player to pwn iOS.

A VICE article from 2018 gives a good overview of Azimuth vulnerabilities:
o Inside the secretive industry that helps government hackers get around encryption.
<https://www.vice.com/en/article/8xdayg/iphone-zero-days-inside-azimuth-security>

Keep in mind it was a _single_ bug that allowed full & complete access!
"a single buffer overflow programming error in C++ code in the kernel
parsing untrusted data"

The Google researcher exploited Apple's own snafus and fuckups, in fact,
because in 2018, Apple published (by accident, the morons) an iOS beta
without stripping out the function name symbols.
o <https://twitter.com/s1guza/status/1093424833088622592>

Hence, the researcher (and all hackers on the planet) knew about this:
o IO80211AWDLPeer::parseAwdlSyncTreeTLV

The bored engineer surmised this related to the Wi-Fi Apple Wireless Direct
Link which is most likely used by AirDrop amongst other things.

Then, this bored engineer looked at the error message string:
o "Peer %02X:%02X:%02X:%02X:%02X:%02X: PATH LENGTH error hc %u calc %u\n"

Please notice the "LENGTH" error!!!!!!!!!!
o Then note, it didn't work (the checks weren't even written, it seems!).

Literally, the Google coder said "bugs this shallow tend to not work out"

And then, when he was shocked to find out that they did, he exclaimed:
o "Can it really be this easy?"

Since you're not an apologist, JF Mezei, you won't simply deny out of hand
all facts you simply don't like about Apple's lack of iOS testing, nor will
you blame Google for Apple's bugs, nor, we hope, as a final defense to
facts, resort to the typical Type III apologists' ad hominem attacks
against anyone bearing facts about Apple products they simply don't like.

The bored engineer patiently explained why the apologists missed the point:
"As things currently stand, there are probably just too many good
vulnerabilities for any of these mitigations to pose much of a challenge
to a motivated attacker. And, of course, mitigations only present in
future hardware don't benefit the billions of devices already shipped
and currently in use."

BTW, what do you think the bored Google engineer suggested Apple do?
1. Clean up its iOS _core_ code which he said dates to 1985!
2. Invest in modern best practices (Apple is all marketing & low R&D)!
3. Actually _test_ the code for God's sake, instead of just "fuzzing"!

If there are _any_ adults on this newsgroup, those three recommendations
are clearly stated at the bottom of the guy's 30K word blog as his
recommendation to Apple to invest at least _something_ in iOS testing!
<https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html>

All quotes are verbatim from referenced articles in this canonical thread:
o Yet again (it never ends) hackers exploit untested iOS insecurities
<https://groups.google.com/g/misc.phone.mobile.iphone/c/7Mc1sX9XISA>
--
The shocking thing is not that it was so easy, but that more clearly exist.
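The bug class this thread keeps returning to, a kernel parser copying an attacker-declared "path" length into a fixed-size buffer without checking it first, is shown below in hardened form. This is an added example of my own, not Project Zero's or Apple's code: the TLV layout, the type id, MAC_LEN, MAX_HOPS and all function names are constructed assumptions and not the real AWDL wire format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed, simplified TLV layout: [type:1][len:2 little-endian][value],
 * where value is a list of 6-byte MAC addresses (the "path"). This is an
 * illustration of the bug class, not Apple's AWDL code or wire format. */
#define MAC_LEN  6
#define MAX_HOPS 8   /* fixed-size destination, as a kernel struct might have */
struct sync_tree { uint8_t hops[MAX_HOPS][MAC_LEN]; size_t hop_count; };

/* Returns the number of hops copied, or -1 if the TLV is rejected. Every
 * length that drives memcpy is checked against the bytes actually present
 * AND against the fixed-size destination before any copy happens. */
int parse_sync_tree_tlv(const uint8_t *buf, size_t buf_len, struct sync_tree *out)
{
    if (buf == NULL || out == NULL || buf_len < 3) return -1;  /* no header */
    uint16_t len = (uint16_t)buf[1] | ((uint16_t)buf[2] << 8);
    if ((size_t)len > buf_len - 3) return -1;   /* value would run past input */
    if (len % MAC_LEN != 0)        return -1;   /* only whole addresses */
    size_t hops = len / MAC_LEN;
    if (hops > MAX_HOPS)           return -1;   /* path exceeds destination */
    memcpy(out->hops, buf + 3, len);            /* now provably in bounds */
    out->hop_count = hops;
    return (int)hops;
}

/* Test helper: build a TLV claiming `hops` addresses with a body of exactly
 * that size (so only the destination-bound check can reject it) and parse it. */
int parse_path_with_hops(size_t hops)
{
    uint8_t tlv[3 + 16 * MAC_LEN];        /* room for up to 16 constructed hops */
    if (hops > 16) return -1;
    size_t len = hops * MAC_LEN;
    tlv[0] = 0x14;                        /* constructed type id */
    tlv[1] = (uint8_t)(len & 0xff);
    tlv[2] = (uint8_t)(len >> 8);
    for (size_t i = 0; i < len; i++) tlv[3 + i] = (uint8_t)i;
    struct sync_tree st;
    return parse_sync_tree_tlv(tlv, 3 + len, &st);
}

/* Test helper: a TLV whose length field claims more bytes than arrived. */
int parse_truncated_path(void)
{
    static const uint8_t tlv[] = { 0x14, 12, 0, 0xaa, 0xbb, 0xcc };  /* says 12, has 3 */
    struct sync_tree st;
    return parse_sync_tree_tlv(tlv, sizeof tlv, &st);
}
```

Dropping the `hops > MAX_HOPS` line is exactly the kind of omission that turns a length field in an untrusted frame into a kernel stack or heap overwrite; the checks above are the cheap part, the expensive part is fuzzing and reviewing every such parser.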