
An iOS zero-click radio proximity exploit odyssey


Ant

Dec 3, 2020, 11:29:50 PM
https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html
from
https://arstechnica.com/gadgets/2020/12/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever/
from
https://apple.slashdot.org/story/20/12/02/1933245/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever

:O
--
Life's so loco! ..!.. *isms, sins, hates, (d)evil, z, tiredness, my old body, (sick/ill)ness (e.g., COVID-19 & SARS-CoV-2), deaths (RIP), interruptions, issues, conflicts, obstacles, stresses, fires, out(r)ages, dramas, unlucky #4, 2020, greeds, bugs (e.g., crashes & female mosquitoes), etc. D: Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
/\___/\ Ant(Dude) @ http://aqfl.net & http://antfarm.home.dhs.org.
/ /\ /\ \ Please nuke ANT if replying by e-mail.
| |o o| |
\ _ /
( )

Your Name

Dec 4, 2020, 1:00:16 AM

Arlen Holder

Dec 4, 2020, 1:43:54 AM
On Fri, 4 Dec 2020 19:00:12 +1300, Your Name wrote:

> Already been patched by Apple, as long as you keep your device updated.

You do realize that's not the point, right?
o At least, from an _adult_ perspective, it's not.

What you say is like a parent telling another parent that it's OK now that
his kid was caught, for the umpteenth time (which is the point) stealing
kids' lunches... because, in your palliative soothing words:
o It's ok now as he gave them their stolen food back after getting caught.

The problem for _adults_ (if any exist on this ng) to ponder is:
a. Why doesn't Apple _ever_ sufficiently test iOS for security flaws?
b. If it was this easy for one bored guy, then every iPhone is compromised
(because plenty of far nastier & far better funded adversaries exist)

*This is further proof that the iPhone has, basically, no security (IMHO).*

The news articles I quoted in a thread on this topic said, rightly so, that
if one bored home-shuttered guy can, with a hundred dollar investment, pwn
every iPhone on the planet with a zero-click wormable exploit...

Can you imagine that a well funded adversary doesn't have thousands of
these flaws being used, every day, all day, on any iPhone they want to?

Apple's track record on iOS security is so shockingly sordid that even
pre-teen kids have easily pwned the device... that's how shockingly lax
Apple iOS testing always proves to be.

Worse, Google _proved_ beyond any doubt last year (which I reported on
extensively, so if you deny the facts, you're just sticking your head in
the sand) that iOS could not possibly _ever_ have been tested.

Note what I said. I didn't even say "sufficiently tested".
o Portions of iOS that Google hacked into were _never_ ever tested!

The only place Apple does not have a shockingly appalling record on
security is in those glossy MARKETING brochures you and Alan Baker, Lewis,
Jolly Roger, and nospam love to quote (so to speak).

See further details in this prior thread:
o Yet again (it never ends) hackers exploit iOS insecurities with zero-day remote access to the entire device over Wi-Fi, with no user interaction required at all
<https://groups.google.com/g/misc.phone.mobile.iphone/c/7Mc1sX9XISA>
--
Apple iOS security is lax, IMHO, because all they need to do is spend the
money on MARKETING to make (gullible) people _believe_ that it's ok.

Arlen Holder

Dec 4, 2020, 1:43:56 AM
Hi Ant,

I'm glad you, at least, understand the immense gravity of this situation.

This one is a shocker, because it took one guy some of his spare time and
about a hundred bucks, where some of the news articles I referenced said,
rightly so, that if it's that easy for an individual who simply is bored to
have complete and total control of (basically everything) on your iPhone...

... how easy must it be for a well-funded adversary to have similar
complete and total zero-click control of every single iPhone out there.

Given Apple's shockingly sordid track record on security, the chance of
_any_ iPhone on the planet being secure is, IMHO, basically zero, as we
already reported hackers have so many zero-day flaws for iPhones that they
stopped accepting them.

See also this prior thread on the same topic, but with more detail:
o Yet again (it never ends) hackers exploit iOS insecurities with zero-day remote access to the entire device over Wi-Fi, with no user interaction required at all
<https://groups.google.com/g/misc.phone.mobile.iphone/c/7Mc1sX9XISA>
--
Only in glossy MARKETING messages are Apple products ever "secure".
(The reason is simple: Apple spends less in R&D than anyone in tech.)

Joerg Lorenz

Dec 4, 2020, 4:37:23 AM

Arlen Holder

Dec 4, 2020, 4:12:14 PM
On 4 Dec 2020 18:19:30 GMT, Jolly Roger wrote:

> It was patched way back in May, and 92% of all devices introduced in the
> last four years use iOS 13, which makes this a non-issue for most people.
> Ant lives in a perpetual time warp. So you'll have to excuse him.

Apple has _never_ even once ever sufficiently tested any iOS for security.

Adults will notice the apologists attack the mere bearer of bad news.
o Apologists turn into "instant children" when confronted with facts they don't like.

Jolly Roger dismisses Ant's valid post by hurling ad hominem attacks.
o And yet, Jolly Roger completely whooshed on the significance of the fact.

What's shocking is that not a single apologist realizes what this means.

Basically, if a bored person can, with a hundred dollar investment, hack
into iOS with a zero-click wormable exploit that only needed a _single_ iOS
bug to work....

Holy Shit!
o *It's further proof Apple has _never_ even once tested iOS sufficiently!*

All this painting of entire building walls by MARKETING is pure bullshit.

Only an apologist could be _that_ stupid to not realize how bad this is.
o Apple has _never_ even once ever sufficiently tested iOS for security.

While apologists think this bored guy is the only guy on the planet hacking
into iPhones with $100, can you imagine what well funded actors can do?
--
Only someone as stupid as an apologist is would deny the significance.

Arlen Holder

Dec 4, 2020, 4:13:47 PM
On Fri, 4 Dec 2020 10:37:22 +0100, Joerg Lorenz wrote:

> Fairly old news.
> Was already patched in the last major release version iOS 13.

What's interesting is how the apologists don't get why it matters.
o The seriousness of this utter lack of security in iPhones is paramount.

It's as if apologists are parents of a child repeatedly caught stealing.

The parent (oh so confidently so) assures the principal of the school:
"It's no big deal my kid was caught stealing cellphones _because_
he gave back the specific stolen goods that he was _caught_ stealing".

The _adult_ seriousness of this utter lack of any security whatsoever in
iPhones is lost on these apologists.

FACT:
o He used a _single_ bug in iOS to create a zero-click wormable exploit.

ASSESSMENT:
o Holy God, this indicates Apple (yet again) forgot to test iOS sufficiently.
--
Can these apologists even imagine what well-funded bad actors can do?

Ant

Dec 4, 2020, 5:25:46 PM
Does v12.4.9 have this fix for the older iDevices?

Your Name

Dec 4, 2020, 6:29:11 PM
On 2020-12-04 22:25:39 +0000, Ant said:
> In comp.mobile.ipad Your Name <Your...@yourisp.com> wrote:
>> On 2020-12-04 04:29:44 +0000, Ant said:
>>>
>>> https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html
>>>
>>>
>>> from
>>> https://arstechnica.com/gadgets/2020/12/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever/
>>>
>>>
>>> from
>>> https://apple.slashdot.org/story/20/12/02/1933245/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever
>>>
>>>
>>>
>>> :O
>>
>> Already been patched by Apple, as long as you keep your device updated.
>
> Does v12.4.9 have this fix for the older iDevices?

I don't know which particular update patches it, just that the more
reliable news websites do say it has been patched.

Arlen Holder

Dec 4, 2020, 6:53:38 PM
On Sat, 5 Dec 2020 12:29:08 +1300, Your Name wrote:

>> Does v12.4.9 have this fix for the older iDevices?
>
> I don't know which particular update patches it, just that the more
> reliable news websites do say it has been patched.

Why is it that all you apologists can't comprehend the simplest things?
o Every time you morons post... I cry for mankind... you're that stupid.

No wonder Apple makes ungodly profits off of you utter Apple morons...
o Not one of you who posted comprehended _anything_ in the articles!

Given Google finds these Apple bugs, and given Google is a responsible
netizen, do you think they publicized it _before_ they patched it?

Does even a _single_ one of you own _any_ adult comprehensive skills?
o Yet again (it never ends) hackers exploit untested iOS insecurities
<https://groups.google.com/g/misc.phone.mobile.iphone/c/7Mc1sX9XISA>
--
What shocks me isn't that Apple is all MARKETING and no R&D, but that they
found billions of morons who can't even read a news article correctly.

o An iOS zero-click radio proximity exploit odyssey
<https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html>

o iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks
<https://arstechnica.com/gadgets/2020/12/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever/>

o Watch This Google Hacker Pwn 26 iPhones With a 'WiFi Broadcast Packet of Death'
<https://www.vice.com/en/article/4ad3jm/watch-google-hacker-ha-26-iphones-with-zero-day-exploit>

o An iOS zero-click radio proximity exploit odyssey, by Ant
<https://groups.google.com/g/misc.phone.mobile.iphone/c/gJYr-XnRsr8>

JF Mezei

Dec 4, 2020, 7:02:54 PM
On 2020-12-03 23:29, Ant wrote:
>
> https://arstechnica.com/gadgets/2020/12/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever/

From the point of view of secure enclave and need to authenticate to
access drive, my understanding was that it would close off access after
X minutes of being asleep such that any access would then require
authentication before secure enclave would accept disk/IO requests.

But this doesn't jive with the music application being able to play
music while phone has been asleep for ages.

I ask this in a context of what would the kernel have access to while
phone is asleep if secure enclave says "no, must authenticate" ?

(the kernel, no matter how privileged it might be, has no privileges when
talking to secure enclave)


or does the "must authenticate bit" only get triggered for certain types
of accesses (USB data, and waking interactive use of phone) and secure
enclave happily continues to grant disk access (encrypts/decrypts) for
background processing?

Arlen Holder

Dec 4, 2020, 7:38:10 PM
On Fri, 4 Dec 2020 19:02:52 -0500, JF Mezei wrote:

> (the kernel, no matter how privileged it might be, has no privilges wen
> talking to secure enclave)

Hi JF Mezei,

Regarding Ant's recent doublepost of my news-breaking thread (as always)
o An iOS zero-click radio proximity exploit odyssey, by Ant
<https://groups.google.com/g/misc.phone.mobile.iphone/c/gJYr-XnRsr8>

Adults will comprehend the significance of this direct quote:
"AWDL can be remotely enabled on a locked device using the same attack,
as long as it's been unlocked at least once after the phone is powered
on. The vulnerability is also wormable; a device which has been
successfully exploited could then itself be used to exploit further
devices it comes into contact with."

You're not an apologist, so your question is the first adult post to Ant's
thread, where the apologistic morons who posted each proved instantly that
they can't even comprehend the news articles at an adult level.

I trust you comprehend the adult content in this quote from the blog:
"As things stand now in November 2020, I believe it's still quite possible
for a motivated attacker with just one vulnerability to build a
sufficiently powerful weird machine to completely, remotely compromise
top-of-the-range iPhones."

Given Google proved iOS has never been sufficiently tested (since at least
iOS 4), it shouldn't even be hard for a well-funded player to pwn iOS.

A VICE article from 2018 gives a good overview of Azimuth vulnerabilities:
o Inside the secretive industry that helps government hackers get around encryption.
<https://www.vice.com/en/article/8xdayg/iphone-zero-days-inside-azimuth-security>

Keep in mind it was a _single_ bug that allowed full & complete access!
"a single buffer overflow programming error in C++ code in the kernel
parsing untrusted data"

The Google researcher exploited Apple's own snafus and fuckups, in fact,
because in 2018, Apple published (by accident, the morons) an iOS beta
without stripping out the function name symbols).
o <https://twitter.com/s1guza/status/1093424833088622592>

Hence, the researcher (and all hackers on the planet) knew about this:
o IO80211AWDLPeer::parseAwdlSyncTreeTLV

The bored engineer surmised this related to the Wi-Fi Apple Wireless Direct
Link which is most likely used by AirDrop amongst other things.

Then, this bored engineer looked at the error message string:
o "Peer %02X:%02X:%02X:%02X:%02X:%02X: PATH LENGTH error hc %u calc %u\n"

Please notice the "LENGTH" error!!!!!!!!!!
o Then note, it didn't work (the checks weren't even written, it seems!).

Literally, the Google coder said "bugs this shallow tend to not work out"

And then, when he was shocked to find out that they did, he exclaimed:
o "Can it really be this easy?"

Since you're not an apologist, JF Mezei, you won't simply deny out of hand
all facts you simply don't like about Apple's lack of iOS testing, nor will
you blame Google for Apple's bugs, nor, we hope, as a final defense to
facts, resort to the typical Type III apologists' ad hominem attacks
against anyone bearing facts about Apple products they simply don't like.

The bored engineer patiently explained why the apologists missed the point:
"As things currently stand, there are probably just too many good
vulnerabilities for any of these mitigations to pose much of a challenge
to a motivated attacker. And, of course, mitigations only present in
future hardware don't benefit the billions of devices already shipped
and currently in use."

BTW, what do you think the bored Google engineer suggested Apple do?
1. Clean up its iOS _core_ code which he said dates to 1985!
2. Invest in modern best practices (Apple is all marketing & low R&D)!
3. Actually _test_ the code for God's sake, instead of just "fuzzing"!

If there are _any_ adults on this newsgroup, those three recommendations
are clearly stated at the bottom of the guy's 30K word blog as his
recommendation to Apple to invest at least _something_ in iOS testing!
<https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html>

All quotes are verbatim from referenced articles in this canonical thread:
o Yet again (it never ends) hackers exploit untested iOS insecurities
<https://groups.google.com/g/misc.phone.mobile.iphone/c/7Mc1sX9XISA>
--
The shocking thing is not that it was so easy, but that more clearly exist.
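The bug class the quoted blog describes, a length field in untrusted data that is not validated before the parser acts on it, as an added defensive example that is not part of this thread or of the Project Zero write-up. The TLV layout (1-byte type, 2-byte big-endian length), the 64-byte destination buffer, the sample frames and every function name here are constructed for illustration and are not AWDL's actual wire format or Apple's code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical TLV layout for illustration only: 1-byte type, 2-byte
 * big-endian length, then `length` payload bytes. Not the AWDL format. */
#define TLV_HDR_LEN 3
#define MAX_PAYLOAD 64

typedef enum {
    TLV_OK = 0,
    TLV_ERR_TRUNCATED_HEADER,   /* fewer than 3 bytes received */
    TLV_ERR_LEN_EXCEEDS_MSG,    /* length field claims more bytes than arrived */
    TLV_ERR_LEN_EXCEEDS_DEST    /* length field exceeds the fixed-size buffer */
} tlv_status;

/* Parse one TLV from msg[0..msg_len) into dest (MAX_PAYLOAD bytes).
 * The two length checks are the ones a parser of untrusted input must do
 * before copying; dropping either one turns a malformed frame into an
 * out-of-bounds read (check 1) or an out-of-bounds write (check 2). */
tlv_status parse_tlv(const uint8_t *msg, size_t msg_len,
                     uint8_t *type_out, uint8_t dest[MAX_PAYLOAD],
                     size_t *copied)
{
    if (msg_len < TLV_HDR_LEN)
        return TLV_ERR_TRUNCATED_HEADER;

    uint8_t type = msg[0];
    size_t len = ((size_t)msg[1] << 8) | msg[2];   /* attacker-controlled */

    /* Check 1: the payload the header announces must actually be present. */
    if (len > msg_len - TLV_HDR_LEN)
        return TLV_ERR_LEN_EXCEEDS_MSG;

    /* Check 2: the announced payload must fit the destination buffer. */
    if (len > MAX_PAYLOAD)
        return TLV_ERR_LEN_EXCEEDS_DEST;

    memcpy(dest, msg + TLV_HDR_LEN, len);
    if (type_out) *type_out = type;
    if (copied) *copied = len;
    return TLV_OK;
}

/* Constructed sample frames: 0 = well formed, 1 = header claims 256 bytes
 * but only 2 follow, 2 = 100 bytes really present but dest holds 64. */
tlv_status parse_sample(int which, size_t *copied)
{
    static const uint8_t well_formed[] = { 0x01, 0x00, 0x04, 'a', 'b', 'c', 'd' };
    static const uint8_t short_of_data[] = { 0x01, 0x01, 0x00, 'a', 'b' };
    uint8_t oversized[TLV_HDR_LEN + 100];
    uint8_t dest[MAX_PAYLOAD];
    uint8_t type;

    switch (which) {
    case 0:
        return parse_tlv(well_formed, sizeof well_formed, &type, dest, copied);
    case 1:
        return parse_tlv(short_of_data, sizeof short_of_data, &type, dest, copied);
    default:
        oversized[0] = 0x01; oversized[1] = 0x00; oversized[2] = 100;
        memset(oversized + TLV_HDR_LEN, 'x', 100);
        return parse_tlv(oversized, sizeof oversized, &type, dest, copied);
    }
}

/* Bytes copied for a sample, 0 if the frame was rejected. */
size_t sample_copied(int which)
{
    size_t n = 0;
    if (parse_sample(which, &n) != TLV_OK) return 0;
    return n;
}

int main(void)
{
    static const char *names[] = { "well formed", "length exceeds message",
                                   "length exceeds buffer" };
    for (int i = 0; i < 3; i++)
        printf("sample %d (%s): status %d, copied %zu\n",
               i, names[i], (int)parse_sample(i, NULL), sample_copied(i));
    return 0;
}
```

The point for a reviewer or fuzzer is that both checks are needed: a length that fits the destination can still overrun the received frame, and a length that fits the frame can still overrun the destination. Logging a "LENGTH error" is only useful if the parser also refuses to copy.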

Lewis

Dec 4, 2020, 9:08:42 PM
Was patched before information about the bug's discovery by someone paid
by Apple to find bugs was disclosed at all, so this was never an issue.

--
Dinosaurs are attacking! Throw a barrel!

Lewis

Dec 4, 2020, 9:11:37 PM
In message <N6AyH.349545$gR8.2...@fx45.iad> JF Mezei <jfmezei...@vaxination.ca> wrote:
> On 2020-12-03 23:29, Ant wrote:
>>
>> https://arstechnica.com/gadgets/2020/12/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever/

> From the point of view of secure enclare and need to autnenticate to
> access drive, my understanding

Do you mean to say "FUD bullshit I made up"? Because otherwise, you will
need to cite something to back up your "understanding" because you have
a proven track record of making shit up.

> I ask this in a context of what would the kernel have access to while
> phone is asleep if secure enclave says "no, much authenticate" ?

Is that something anyone or anything is likely to say? Does it mean
anything?

--
"Are you pondering what I'm pondering?"
"Yeah, but I thought Madonna already had a steady bloke!"

Lewis

Dec 4, 2020, 9:16:57 PM
In message <WsadnebcnJz-KlfC...@earthlink.com> Ant <a...@zimage.comANT> wrote:
> In comp.mobile.ipad Your Name <Your...@yourisp.com> wrote:
>> On 2020-12-04 04:29:44 +0000, Ant said:

>> > https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html
>> >
>> > from
>> > https://arstechnica.com/gadgets/2020/12/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever/
>> >
>> > from
>> > https://apple.slashdot.org/story/20/12/02/1933245/iphone-zero-click-wi-fi-exploit-is-one-of-the-most-breathtaking-hacks-ever
>> >
>> >
>> > :O

>> Already been patched by Apple, as long as you keep your device updated.

> Does v12.4.9 have this fix for the older iDevices?

No idea, did you check?

Did you also check 12.4.8 and 12.4.7 and so on back to May 2020? Did you
search for the CVE numbers from the project zero reports? Something like
"iOS 12 patch CVE-numpty-blah" in your search engine might be helpful.

Pretty sure you are the only person here running iOS 12, so you're going
to have to do this research yourself.

--
I DO NOT HAVE DIPLOMATIC IMMUNITY Bart chalkboard Ep. 9F20

Arlen Holder

Dec 4, 2020, 10:32:57 PM
On Sat, 5 Dec 2020 02:08:41 -0000 (UTC), Lewis wrote:

> Was patched before information about the bugs discovery by someone paid
> by apple to find bugs was disclosed at all, so this was never an issue.

To the few (probably like four or five in toto) adults on this ng,

Did _any_ of these moron apologists even read the Google blog?
o The guy essentially screamed out many of these bugs _must_ exist.

The code had a LENGTH call that wasn't even checked, for Christs sake
(AFAICT).

The guy basically said he's positive tons of these bugs exist today.
o He even said the three things causing Apple's lack of testing iOS.

Didn't any of you moron apologists even _read_ the Google blog?
--
What shocks me is how confident Lewis is in his utter ignorance.

Alan Baker

Dec 4, 2020, 10:38:38 PM
The one where you've carefully removed the link...

...or did the link to this "blog" ever exist in this thread?

Arlen Holder

Dec 4, 2020, 10:41:16 PM
On Sat, 5 Dec 2020 02:11:36 -0000 (UTC), Lewis wrote:

> Do you mean to say "FUD bullshit I made up"? Because otherwise, you will
> need to cite something to back up your "understanding" because you have
> a proven track record of making shit up.

To any adults on this newsgroup,

Notice the _only_ person who posted an _adult_ query was JF Mezei
o JF Mezei is, understandably, concerned at how easy this hack was

One bug, and the entire iOS device was open to the world.
o Worse, it's a common bug - which is a "buffer overflow"

Who knew it was so trivial to pwn any iPhone you want
o With a wormable zero click exploit, no less.

Remember, in the Google blog, the guy says, literally, & I quote:
o "Can it really be this easy?"

And yes, it was that easy.
o No wonder hackers _stopped_ accepting iOS zero-day flaws already

There are just too many of them in the wild already.

He basically said Apple has never tested this code
o Much of which is core iOS code dating back to 1985 (he said)

Didn't this Lewis moron even _read_ the Google blog before denying facts?
o Why are these Type III apologists all so consistently Quadrant 1 DK?

Alan Baker, Lewis, Jolly Roger, Joerg Lorenz, BK, Chris, et al.
o They're all shockingly confident in their own sordid sea of ignorance

Didn't _anyone_ in this entire newsgroup even _read_ the Google report?
o It basically assesses this was so simple - many similar flaws must exist.
--
Read the report before you claim that this is "no big deal" please.

Arlen Holder

Dec 4, 2020, 10:44:19 PM
Read the report before morons like Alan Baker claim it's a "lie by liars".
o An iOS zero-click radio proximity exploit odyssey
<https://googleprojectzero.blogspot.com/2020/12/an-ios-zero-click-radio-proximity.html>

JF Mezei

Dec 5, 2020, 2:03:15 PM
On 2020-12-04 21:11, Lewis wrote:

> Do you mean to say "FUD bullshit I made up"?

I asked a question to get clarification on kernel access to the disk via
secure enclave when phone is asleep. Please explain why this is FUD.


Lewis

Dec 5, 2020, 7:32:55 PM
Please restore the context you snipped where you made up shit starting
with "it's my understanding..."




--
I leave symbols to the symbol-minded - George Carlin

Arlen Holder

Dec 5, 2020, 9:51:52 PM
On Sun, 6 Dec 2020 00:32:54 -0000 (UTC), Lewis wrote:

>> I asked a question to get clarification on kernel access to the disk via
>> secure enclave when phone is asleep. Please explain why this is FUD.
>
> Please restore the context you snipped where you made up shit starting
> with "it's my understanding..."

Adults on this newsgroup will note, what appears to be obvious (to me).
o An iOS zero-click radio proximity exploit odyssey, by Ant [sic]
<https://groups.google.com/g/misc.phone.mobile.iphone/c/gJYr-XnRsr8>

1. Ant opened a thread informing people of the problem set
(which I, as usual, had previously informed folks, in gory detail)
o Yet again (it never ends) hackers exploit iOS insecurities with zero-day remote access to the entire device over Wi-Fi, with no user interaction required at all
<https://groups.google.com/g/misc.phone.mobile.iphone/c/7Mc1sX9XISA>

HINT: Unlike morons like Alan Baker, I do three things apologists can't:
(1) I _click_ on the links
(2) I read and more importantly, I _comprehend_ what they say
(3) Only then do I make my assessments

In contrast, apologists clearly deny _all_ facts about Apple they hate
o We've proved they can't even _find_ links in that which they refute!

2. Jolly Roger, Lewis, Joerg Lorenz, and I'm sure the moron Alan Baker
chimed in, as always, with brazen denials that a problem even exists.

All of them without ever even _clicking_ on the reports (let alone,
none of them _comprehended_ in the least what the Google blog said!).

They each, to a man, brazenly denied everything they _hate_ about Apple.

(All TYPE III apologists can only maintain imaginary belief systems by
brazenly denying all that they _hate_ about Apple, which is a lot!)

o What is wrong with the Apple Apologists that they deny even what Apple admitted?
<https://groups.google.com/g/misc.phone.mobile.iphone/c/fyL1cQUVCp0/m/_X0pbr1ZBgAJ>

3. Then JF Mezei, who is not an apologist, asked a perfectly valid question:
o Why was it so easy?

The response by these TYPE III apologists to JF Mezei's perfectly valid
question was a classic childish vitriolic hate-filled ad hominem attack.

It's always the same story:
a. Apple does something the apologists hate
b. Apologists brazenly deny all facts they hate about Apple products
c. If anyone asks an adult question, apologists attack the bearer of facts

This thread alone is proof positive it's the apologists who ruin this ng.
o Two or three posts out of more than a score are adult

See also:
o Clear evidence that the real factual problem on Apple Usenet newsgroups - is simply that apologists exist
<https://groups.google.com/g/misc.phone.mobile.iphone/c/mQsBECSbICw/m/lgI46TXtBwAJ>
--
Apologists brazenly deny facts because they _hate_ what Apple actually is;
(they vastly prefer Apple to be what MARKETING fed them to believe it was).