this post was submitted on 27 Dec 2023
356 points (98.9% liked)

Technology

57455 readers
4582 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
356
Kaspersky/Securelist researchers detail zero-click iPhone exploit involving four distinct zero-day vulnerabilities, including undocumented hardware features in iPhone chips (securelist.com)
submitted 7 months ago by [email protected] to c/[email protected]
23 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 4 points 7 months ago (1 children)

So you can think of security as being done in layers. iPhones have apps exist in a sort of “prison”, so a malicious app can’t go modify other apps or the OS. It exists solely in its own little room. It can pass notes under the door to the OS to ask for calculations, and receive the results of those calculations. But it can’t leave that room to modify things outside. And the OS can run verifications on the notes it gets passed, to ensure they’re not malicious before it tries to calculate them. Lastly, the OS uses a secure calculator called the kernel to actually make those calculations and get the results.

First, this attack exploited a PDF vulnerability, to attack iMessage. When the victim receives the message with the infected PDF, iMessage attempts to generate a preview of it; This initiates the attack. This happens automatically, and means the user doesn’t even need to interact with the message. This attack hijacks the Messages app, and essentially allows Messages to break out of the room it was sealed in. Now iMessage is able to modify other apps and interact with the OS directly

Next, it attempts to get outside of the OS, to the kernel. The kernel is essentially the hardware level of the phone, where everything is 1’s and 0’s. The user interacts with the app, the app interacts with the OS, and the OS interacts with the kernel to do the actual processing. But even inside of the OS, the kernel has protections; That calculator is secure, and can’t be modified. The OS has large parts of the kernel marked as “read only” so it can’t be changed. The OS only allows itself to push the specific buttons on the calculator that it knows will work correctly. This is intentional, to prevent accidental or malicious kernel modifications. If an app asks the OS to push any insecure buttons or change the calculator, the OS will normally refuse.

But this attack uses another zero-day vector to break out of the OS and interact with the kernel directly. Now the app is able to type on the calculator without talking to the OS first. But this still isn’t enough, because the kernel is still marked as read-only. Lastly, the attack uses another zero-day exploit to attack a hardware vulnerability, and flip those sections of the kernel from read-only to lol-yeah-you-can-write-whatever-you-want. This allows the compromised app to modify the calculator to produce whatever results they want. They can change the calculator to have 1+1=3.

And once the kernel has been rewritten, the entire phone is compromised. Even an OS update won’t fix things, because the OS is only interacting with the kernel (which is still compromised even after the OS update.) Even if you fix the OS to prevent another attack, the calculator still says 1+1=3. The hacker essentially owns the entire device at that point, because kernel-level access will allow them to supersede the OS.

[–] [email protected] 1 points 7 months ago (1 children)

Is this type of thing why BlackBerry used to reign supreme when it came to device security?

[–] [email protected] 1 points 7 months ago (1 children)

Thanks for your comment it gave me a lot of thoughts like: "Why did I think that my blackberry was secure (or more secure than other phones)?"

TLDR: I couldn't find the answer but I think it's because they were the first major smartphone and had a encrypted messaging app.

Here's a few sources for further reading.

Obligatory Wikipedia Overview: https://en.m.wikipedia.org/wiki/BlackBerry_Limited

Blackberry had early smartphones and went all in on keyboard phones:

https://d3.harvard.edu/platform-digit/submission/the-rise-and-fall-and-rise-again-of-blackberry/

Sorry I couldn't have been more helpful, but hopefully this gives you a good starting point.

[–] [email protected] 2 points 7 months ago

Here's the summary for the wikipedia article you mentioned in your comment:

BlackBerry Limited (formerly Research In Motion) is a Canadian software company specializing in cybersecurity. Founded in 1984, it originally developed the BlackBerry brand of interactive pagers, smartphones and tablets. In 2016, it transitioned to a cybersecurity enterprise software and services company under CEO John S. Chen. Its products are used by various businesses, car manufacturers, and government agencies to prevent hacking and ransomware attacks. They include the BlackBerry Cylance, the QNX real-time operating system; BlackBerry Enterprise Server (BlackBerry Unified Endpoint Manager), and a Unified Endpoint Management (UEM) platform.

^article^ ^|^ ^about^