They Found The iPhone Backdoor

  • Published on 28 Dec 2023
  • In this video I discuss the TriangleDB attack chain that allowed hackers to completely compromise iPhones starting with a zero-click exploit and ending with a bypass of Apple's hardware-based memory protection.
    Read more about it from Kaspersky
    securelist.com/triangledb-tri...
  • Science & Technology

Comments • 1.8K

  • @user-eh8oo4uh8h 5 months ago +4924

    Not saying it was a backdoor. But if I wanted to code a backdoor, this is what I would have done.

    • @ViatoremDiEfa 5 months ago +286

      It’s really a feature and not a bug in this case.

    • @TheOfficialOriginalChad 5 months ago +145

      You would have coded it to require a 10 stage chain of exploits, across multiple development teams and computer design engineers?
      If it were your job, you would be very bad at it.

    • @Muhammad-sx7wr 5 months ago +102

      Now that Intel is ramping up manufacturing in that country, you can be assured that more hidden instructions will be put into the processors below level zero.

    • @ekkekristo 5 months ago +3

      🤣

    • @FrontierGamers 5 months ago +248

      ​@@TheOfficialOriginalChad good backdoors aren't easy to find, the point is only you know about it

  • @hyp0thet1cal 5 months ago +1849

    So the alleged backdoor is a set of registers in the processor that can directly write to and read from the memory while there is no other reason for these registers to exist. Sounds eerily similar to the Intel Management Engine or the AMD PSP.
    Definitely a coincidence how every major chip manufacturer added the same type of vulnerability to their products, 3 letter agencies are most certainly not involved.

    • @Tycy2014 5 months ago +93

      There is a vulnerability to hitting the like button on YouTube... you did not hear that from me though

    • @catmanmliolunny 5 months ago +20

      @@Tycy2014 EXPLAIN GOOD SIR.

    • @Tycy2014 5 months ago

      @catmanmliolunny anytime there is a handshake between 2 users it uploads that into YouTube's data if you have a payload hidden behind your comments like button (if you already ran a sql injection on your comment) you can then have your like button carry payloads to other users and use assembly root functions to brute force your way or key loggers your way into others systems or get their internet traffic. The way you determine your like buttons url is by using Google Dorks to find the exact location of your comment... this is a multi step process
      Edit: I'm working on multiple CVEs right now using hidden payloads to find locations of people, all you need is the handshake and a man in the middle function, and you can go crazy
      Edit: it's like giving cookies but only if you don't have access to their system.... if I wanted I could find out where you live given enough time. Or I could use social engineering to get the same results.

    • @kphaxx 5 months ago +29

      @@Tycy2014 Worked like a charm, thanks homie

    • @Tycy2014 5 months ago +12

      @@kphaxx oh no

  • @jer1776 5 months ago +2170

    Makes you wonder just how many of these "vulnerabilities" exist.

    • @junyaiwase 5 months ago +87

      Enough that if you knew how many you’d want to never tap a phone again! But let’s hope most of them are undiscovered (for now)

    • @aishalotter9995 5 months ago

      @@junyaiwase yup I won’t own a mobile tracking device even a handheld one let alone the next generations, wearable, implantable, last but not least grown into your fucking brain !!!

    • @ivy8483 5 months ago +16

      @@junyaiwase oh boy, it’s just the beginning I’m afraid

    • @Slay_No_More 5 months ago +41

      This is just the stuff we hear about.

    • @VallisMansonOfficial 5 months ago +35

      Let's talk about how many iPhone exploits are the same as Mac computer exploits that still haven't been patched; find them, and you'll destroy Apple in a day. I wish I was joking, yet here we are..

  • @nothingtoseehere449 5 months ago +799

    hope the glow boys enjoyed watching me goon at 4am

    • @DiogenesTheCynic. 5 months ago +57

      kek

    • @frenchy3688 5 months ago +42

      Based

    • @m4x899 5 months ago +10

      Hahaha absolutely insane

    • @RinaShinomiyaVal 5 months ago +23

      They'll probably save some of it for themselves no doubt. :)

    • @StarlordStavanger 5 months ago +3

      Goon?

  • @atomicskull6405 5 months ago +761

    "Don't worry, as long as we keep the backdoor a secret nobody will ever find it"
    Problem with that is that hackers and hostile states will from now on just assume there's a backdoor and look for it tirelessly.

    • @shinyrayquaza9 5 months ago +87

      this is the exact issue I hated in the earn it act, putting a back door for the government means everyone can get that backdoor

    • @hollowgonzalo4329 5 months ago +1

      @atomicskull6405
      They didn't stumble across anything.
      Pegasus is Israeli.
      They either have insiders at various American glow bro organizations or they bribe and blackmail their way into getting access to le secret spy codes.

    • @gravyd316 5 months ago +17

      There's always, and I mean always a back door.

    • @CentroidYT 5 months ago +3

      @@gravyd316 not true

    • @George-ej4ju 5 months ago

      Or have someone sell the secret to them. Which is probably what they did

  • @gwky 5 months ago +2836

    Apple users: "Umm, actually, it's a feature to protect me."

    • @sigma5088 5 months ago +248

      "We're the resistance, this backdoor is only to stop the bad people from using iPhones."

    • @X1ZR 5 months ago +44

      Nah, f no. I dislike Apple because of their bs and lies.

    • @ClickClack_Bam 5 months ago +155

      "It's to make the battery work better on older phones."

    • @user-gt2th3wz9c 5 months ago +10

      @@X1ZR do we even have something secure? I mean intel me work regardless of your os

    • @njpme 5 months ago

      @@user-gt2th3wz9c No. Nothing is

  • @TurntableTV 5 months ago +1273

    Tim Cook: "Yeah, but sideloading is way more dangerous to our users' security."

    • @Stone_624 5 months ago +36

      Imagine more than one thing being true at the same time.

    • @hendrx 5 months ago +156

      @@Stone_624 except the sideloading part isn't true, you can always make it difficult for amateurs to sideload, they just want their 30% cut.

    • @intron9 5 months ago +68

      "sideloading" what a stupid name they made. Why is it allowed on Macs then?

    • @MRJMXHD 5 months ago

      I've been using Android for the past 6 years. And in that time, half of the apps I use are pirated, sideloaded apps. Never in this time have I ever been infected with malware, because well, I use my brains when sideloading. @@Stone_624

    • @tsunekakou1275 5 months ago +58

      ​@@Stone_624 imagine you know nothing about sideloading and make a dumb comment.

  • @Mr.Riojas 5 months ago +1068

    Deniability by the US is harder when they have been caught doing so many other behind the scenes spying... such as on social media.

    • @12time12 5 months ago

      Who cares what the Russians think? They can whine all day, it’s not like they wouldn’t conduct similar tactics.

    • @moonasha 5 months ago +32

      I mean, is there a government out there that doesn't do this crap?

    • @VallisMansonOfficial 5 months ago +1

      Exactly

    • @ketelin4285 5 months ago +48

      @@moonasha most are very primitive and all but a handful don't have access to global firms with billions of users. it's a matter of exposure scale

    • @haplon33 5 months ago +4

      stuxnet

  • @archstanton3931 5 months ago +868

    I remember working with assembly in school. Never thought I'd hear the term "unused registers" lol.

    • @hanelyp1 5 months ago +95

      Undocumented bit combinations in the machine code might hint at undocumented registers in the hardware. But figuring out special functions for those registers would be tricky.
      Unused space in the instruction set, on the other hand, is common.

    • @JohnDlugosz 5 months ago +45

      Not like the general purpose registers on the CPU -- probably talking about registers in the SoC, written to with a special instruction or memory mapped at some hardware address. Writing to it controls certain aspects of the various things in the System on a Chip.

    • @Muhammad-sx7wr 5 months ago +23

      It exists in Intel and AMD. Undocumented instructions.

    • @andrewdunbar828 5 months ago +44

      We normally call them "undocumented registers". And they would refer to registers in hardware devices, not the CPU registers. Though even in the 8-bit days there were undocumented registers or partially documented registers, and modern CPUs are orders of magnitude more complex, often with multiple CPU cores in them, so a lot more places to hide undocumented registers. Undocumented opcodes are extremely common.

    • @andrewdunbar828 5 months ago +5

      @@Muhammad-sx7wr Always has.

  • @rb2530 5 months ago +1683

    At one time, I worked with a network engineer that used to be in the Military. He had access to MS Source Code, not OP code, but the uncompiled Source Code. He said the military would not allow any device or software into their secure areas unless they had full control of it. He also said that the only sure way to defend a device was to remove external access. This includes having shielded hardware so it cannot be accessed via a remote, directional device that utilizes its own EM broadcast to reach into your Hardware. Sci-Fi stuff huh? This was 28 years ago. Imagine what they can do now....

    • @dan00b8 5 months ago +153

      That is so cool... too bad we are not presented this choice either, and have to deal with this bs

    • @Zaro2008 5 months ago +16

      What's OP code?

    • @canaldecasta 5 months ago +77

      Didn't understand half of it but that sounds badass

    • @sirtra 5 months ago +143

      28 years ago was the era of 14.4k baud modems, cd-roms were connected through soundcards and this new OS called Windows 95 had just been released.
      There were no cell phones nor the concept of "devices" or "network engineers"
      It would also make you at least 40 years old today and old enough to not be so gullible or make up fake stories.
      What would having access to the source code do? Fork and compile their own version of win95 with the same undiscovered vulnerabilities as that is safer? 😂

    • @hanelyp1 5 months ago +107

      @@sirtra it's not foolproof, but having source code to inspect makes it a lot harder to slip in a back door.

  • @camelotenglishtuition6394 5 months ago +967

    Saw the triangulation presentation last night.. it's very clearly a backdoor.. and what was interesting is that it's been used for 10 years .. also the fact you can write to your own memory address if you know a "secret code " is fucking bananas

  • @mtallen56 5 months ago +348

    The Pegasus exploit was actually insane, they used the fact that the steps of the gif compression algorithm were Turing complete, along with an exploit that let them execute an arbitrary number of steps of that algorithm, to build a computer out of the compression algorithm. When combined with the overflow exploit giving them access to the device's memory they had full control of the phone.

    • @zekiz774 5 months ago +36

      Yeah that really doesn't sound like it was planned. And the unused registers probably were there for redundancy or they simply were leftovers from the development.

    • @sn00pysfone 5 months ago +39

      Smart mfs doing stuff like this meanwhile I’m proud of my crud b2b saas. Feels bad.

    • @Spiney09 5 months ago +15

      @@zekiz774 people here would rather attribute to malice something that can easily be explained as an oversight in an insanely complicated system. I’m really not Apple’s biggest fan, but jumping to accusing them of conspiracy is unhinged.

    • @ryzikx 5 months ago +7

      @@sn00pysfone smart people push the world forwards, we're just along for the ride

    • @amandahugenkiss 5 months ago +15

      Pegasus is actually pretty beautiful from a coding perspective.

  • @sim00n99 5 months ago +741

    It's pretty funny, considering several defence contractors and official defense departments around the world have contracts with apple to use iphones with IOS as their provided mobile devices, as well as Imessage as one of the primary communication application.

    • @mycommentmyopinion 5 months ago +48

      I wonder if they get patched version of ios, that don't have these vulns

    • @BiblicallyAccurateToaster 5 months ago +1

      @@mycommentmyopinion imo unlikely. Someone within govt wanted total possible oversight over these contractors & defense depts by forcing them to use iphones & imessage they ensured this happened. Imo this was an intentional backdoor sponsored by the US govt.

    • @xE92vD 5 months ago

      funny how the government actually trusts closed source software for critical and sensitive stuff.

    • @dangerous8333 5 months ago +41

      Not that funny if you consider their versions are probably a lot different than the consumer models.

    • @GardenofEdens 5 months ago

      ​@@dangerous8333 I would believe it's only the hardware with specialized software, but if not it seems like a bigger problem.

  • @fetyrol7108 5 months ago +388

    It's about time. The walled garden is breached

    • @Elinzar 5 months ago +32

      Everything is breached

    • @thecon_quererarbitraryname6286 5 months ago +41

      The walled garden was never one to begin with (at least to the alphabet bois and NSO 😂)

    • @DanteMishima 5 months ago +21

      There has never been a wall, just a fence

  • @notafbihoneypot8487 5 months ago +99

    Remember guys, if they say it's the most secure with no open source software,
    It's not

    • @muhammadsubhani7420 5 months ago

      People should look at Mattermost application open source for self-hosted end to end encrypted messaging. It's like Slack for developers, used for secure communications by Airforce, Samsung, and more.

    • @GrueneVanilleWaffel 5 months ago +2

      And Hardware?

    • @muhammadsubhani7420 5 months ago

      @@GrueneVanilleWaffel Truly difficult finding OS hardware because the scale of production it takes a hardware company to be profitable is a long time horizon and huge amounts of capital.
      While you can find some OS hardware, you can do a surprising amount of interesting things running with Virtual Machines if you really know what you're doing.
      Remember, the more convenient/usable the product, the more hackable it is.
      OG cybersecure guys run many systems straight from the Command Line on an old Thinkpad laptop as a controller for a big server farm, but you have to know what you're doing.

    • @fulconandroadcone9488 5 months ago

      If you don't need a specific app and it might have a security vulnerability and you can't remove it the only thing you can really do is not use the entire thing.

  • @nosidenoside2458 5 months ago +471

    No, they found *A* backdoor. Proprietary software is proprietary.

    • @balllord3546 5 months ago

      reverse engineering doesn't exist apparently

    • @thewhitefalcon8539 5 months ago +7

      Not with Ghidra it's not.

    • @Takyodor2 5 months ago

      @@thewhitefalcon8539 If you buy a device with the software instead of installing it yourself, not even Ghidra can help you. If (and the size of that if may vary) the device lets you download the software off of it in order to decompile it, you have to trust that the hardware gives you the same code as what's running.

    • @detecta 5 months ago +12

      i think it's a jab at the fact iphones are considered "the most secure phone"

    • @orangejjay 5 months ago +6

      @@detecta 100% this. Apple does an awesome job of keeping its cult brainwashed and loyal.
      Just like when they used to say "Macs don't get viruses." 😂

  • @asdion 5 months ago +101

    >a blackbox has horrible vulnerabilities?
    Oh shucks matey i could not have possibly expected something like that

    • @dan00b8 5 months ago +7

      I mean an open box also has horrible vulnerabilities... A little harder to make them intentional like in blackbox, but Minnesota Linux kernel ban situation kinda proved it to be possible...

    • @surewhynot6259 5 months ago +9

      Unfortunately, there are plenty of horrible vulns even in open source. A couple of sudo vulns went undiscovered for over a decade, and these led to full privilege escalation.

    • @asdion 5 months ago +11

      @@surewhynot6259 The point was rather, all software has vulnerabilities, and making it closed source makes things worse.

    • @chrisdawson1776 5 months ago +1

      Couldn't you bypass any Linux system by pressing backspace 20 something times?

    • @asdion 5 months ago

      @@chrisdawson1776 That really was not as big of a deal as people made it out to be, if someone got into the position to exploit that vulnerability you had already lost at every step because the person is literally standing in-front of your system.
      Generally exploits that require physical access to the system are more of a joke than anything since at that point there are countless non exploit ways to get into the system.
      But most importantly, that exploit is for GRUB2 if you encrypt your system (if you want password protection on your OS) getting past GRUB2 is going to be utterly worthless.
      As is i'd bet 99% of users do not have a password set for GRUB2, same goes for corporations (at least those i worked for) because it's simply unnecessary and in a corporate environment you don't want to be locked out of your boot loader with a password.
      TLDR: that exploit was overblown lwn.net/Articles/668695/

  • @CentreMetre 5 months ago +243

    My face when closed source software isn't the most secure thing in the world

    • @GrueneVanilleWaffel 5 months ago +17

      Hardware

    • @knight808. 5 months ago +27

      @@GrueneVanilleWaffel he means iOS but yea you’re both right

    • @CentreMetre 5 months ago

      @@GrueneVanilleWaffel wdym by hardware? Not disagreeing just have no clue what you mean

    • @DinahAO 5 months ago +3

      @@CentreMetre software is any sort of application within the device. hardware is the actual device itself and all its parts.
      a good way to remember it is, if the equipment can be touched it’s hardware, if it cannot it is software

    • @CentreMetre 5 months ago +1

      @@DinahAO I know the difference between hardware and software. I just don't get why he meant by the word "hardware"

  • @nonetrix3066 5 months ago +164

    This isn't about software, you could run 100% free software, and yet your CPU would still be backdoored. And you know that AMD and Intel both have it too, likely other ARM manufacturers too, who knows which are safe if any

    • @9eleven1877 5 months ago +20

      Chips within chips within chips 🪆

    • @fulconandroadcone9488 5 months ago +22

      There seems to be some open source hardware development going on, maybe if we get a year of linux desktop one day we get a day of linux cpus.

    • @nonetrix3066 5 months ago

      @@fulconandroadcone9488 Even with open hardware we can't tell if the fab that makes the CPU didn't tamper with it

    • @Mernom 5 months ago +1

      If the software is FOS, there are plenty enough geeks to find and patch those exploits in due time. If it's not, they will sit there until the for profit programmers who work on things that make them money (AKA not wasting time looking for potential security exploits in the most obscure corners of their source code) to fix it, or for a scandal like this to force their hand.
      A hardware exploit is meaningless if there is no software path to activate it.

    • @futuremapper_ 5 months ago

      @@fulconandroadcone9488 it’s almost impossible for a reasonably priced open source cpu to exist based on just how complicated it is

  • @joeykeilholz925 5 months ago +56

    Can't get viruses. Just entire vulnerabilities. But they won't let you so much as install an app not authorized by them.

    • @firewhite 5 months ago +15

      I love how everyone was in a big fuss about side loading apps being a huge risk while shit like this happens every few years. Just like those massive icloud breaches back in the 2010’s

    • @fulconandroadcone9488 5 months ago

      Or remove apps that might be entry points.

    • @bertcabana5563 5 months ago

      Apple is the virus

  • @0x3v4d3r 5 months ago +225

    Now I want them to say "oh, it's just a conspiracy" again.

    • @SexKing-hj9nv 5 months ago

      don't worry they will, they will keep doing it until our cities are run down with drug users injecting hard drugs on the streets with police refusing to respond while the government is openly dismantling even the illusion of democracy. Oh wait...

    • @derpidius6306 5 months ago +1

      oh, it's just a conspiracy

  • @Log4Jake 5 months ago +193

    The apple people "we can't get hacked" also pegasus exists.

    • @no_name4796 5 months ago +23

      And also apple themselves are the biggest threat to apple users privacy, and i would like to brag about using android, but i don't even think google is less bad...
      Well at least i use linux on my computer

    • @arthurwintersight7868 5 months ago

      @@no_name4796 - What we need is a law mandating that all hardware above a certain level of processing capability (IE, anything stronger than a smart phone from ten years ago) has to support an open source operating system - either freeBSD or Linux, where the penalty for a regulator not being able to install Linux or freeBSD on the device, is a full public-domain release of all hardware schematics, and any and all source code related to the device, along with a forfeiture of any copyrights and patents related to said device. We need to stop dancing around the bush on this shit - if it supports Linux then it'll support Windows, Android, and any other operating system in existence as well.

    • @twenty-fifth420 5 months ago

      @@no_name4796 To be very fair, I think mobile devices are easier to compromise than desktops. I think I saw a video about someone claiming the opposite and I sort of laughed at it, but I couldn’t tell ya if that is true or not.
      Personally, I think it easier because phones are largely ‘simpler’ systems with more attack vectors since they are ‘smart’ devices. The chips are different from desktops, there are more features like the camera or the fingerprint detection that can make a hacker blush. Finally, I think the more closed source nature of the app stores could be used to maliciously distribute bad code easier than just browsing online.
      I could be wrong, I am definitely not a security expert.

    • @harriet-x.x 5 months ago

      @@no_name4796 depends on what phone and os you use, you can use lineageos and hell even grapheneos if you want!

    • @JO3BID3N-is-a-P3D0 5 months ago

      as someone who doesn't like apple at all, and genuinely really believes that Pegasus and other mythical creatures exist, your comment has me really confused. i am not being sarcastic at all

  • @IDESTROYER236 5 months ago +267

    At this point, Apple does not have vulnerabilities. They have full-blown goatses.

    • @jebediahkerman8245 5 months ago +26

      Why did you do this

    • @sirspoonyr 5 months ago +21

      please take my like and delete this naow

    • @dankhill_ 5 months ago +12

      Full blown and goatse should NEVER be together in a sentence….. 🤢

    • @thewhitefalcon8539 5 months ago +4

      This isn't a full blown goatse. It's actually a very typical escalation chain.

    • @deadchannel2837 5 months ago +3

      I just like the term goatse

  • @233kosta 5 months ago +175

    5:08 They call the process "fuzzing". Essentially, throw arbitrary instructions at the chip and see what happens. Some you can bruteforce like that really quickly. Others can take weeks.

    • @user-dv6yo5bc4z 5 months ago +4

      because ARM is RISC

    • @lucasthompson1650 5 months ago +22

      Yup. Fuzzing (and JTAG/test pads) is how a lot of this kinda stuff gets discovered.

    • @233kosta 5 months ago

      @@user-dv6yo5bc4z They do it to x86 too. Easier and quicker on RISC chips though.

    • @fulconandroadcone9488 5 months ago +2

      @@lucasthompson1650 then the question is, doesn't apple have better access to those same things, and could run it from you know start of development instead of having to buy some and reverse engineer all of the stuff?

    • @OrioPrisco 5 months ago +3

      yeah i've watched some of christopher domas defcon talks on youtube and this is exactly the sort of stuff he does, And he is just one guy. An entire corporation can surely do the same sort of stuff

  • @IridescentKySoul 5 months ago +89

    Apple users try to not bend over for the company challenge (impossible)

    • @gwrydd 5 months ago +8

      Google's not any better lol all big tech companies are a huge privacy concern example being the incognito recently

    • @MaxwelI 5 months ago +11

      Look y’all once your device has Wifi, Bluetooth or any means of connecting with the outside world it’s vulnerable, theoretically if you actually wanted to be completely safe you’d need to download all apps and games that you want, then disconnect the Wifi and Bluetooth chip, plus other components that may have contact with the outside world. No system is 100% safe

    • @algumnomeaihehe 5 months ago +2

      anglophone try not to blame individuals for systemic issues challenge
      (just read althusser)

    • @Spiney09 5 months ago

      How is this exclusively an Apple thing? Like yes this particular video is about an Apple exploit that is really dangerous and that’s bad, granted. But if you think there aren’t cyber weapons that are just as dangerous targeted around Windows and Linux you are deluding yourself. The US has already leaked some of the ones targeted around Windows accidentally, we know they have them.

  • @Nichrysalis 5 months ago +64

    Based on how convoluted the attack chain was obfuscated and yet how easy it is for an attacker, this was definitely intentionally implemented to make the attack method difficult to find and easy to carry out.

  • @praisephillips9459 5 months ago +28

    "china phone bad because backdoor"
    America fone:

    • @myxobe 3 months ago +2

      i feel like the reason for canada to ban Xiaomi was not because they cared about their citizens' privacy, but rather to monopolize on profiting from their data themselves

    • @tbhUSuckOo 3 months ago

      This. China doesn't need to collect data themselves, they already have an immense inhouse userbase. And they can just buy it @@myxobe

  • @extra-terra-strial-bv9pv 5 months ago +47

    Sending this to my apple obsessed friend

    • @user-sy4mp8hq6i 5 months ago +15

      Nooooo, he gonna defend Apple anyway😂

  • @Heynmffc 5 months ago +38

    4 new zero day drop 🗣🗣🗣

  • @X-MEN21 5 months ago +36

    Security has always been a matter of ''are you bored enough to do it? '' as opposed to the fear based ''is it possible? ''

  • @guilhemedemassenaladario 5 months ago +108

    Hidden instructions and registers can be found by fuzzing the CPU. This is something that has been done in the past on custom CPUs based on well-known architectures. I think the main question is why these unused features got in the final product, or if it is an undesired side effect in the architecture.

    • @MRL8770 5 months ago +11

      The reason why might be as simple as to cut the costs that would go into design and verification stages for a new version of the chip with the registers removed.

    • @ic7481 5 months ago +3

      Fuzzing won't find everything

    • @rivershen8199 5 months ago +8

      Yes, especially when you consider that they could make the exploit dependent on two special instructions in a row. The second won't do anything unless the first one is used directly before and using the first instruction will not produce any visible effect unless the second is used directly after.
      How you gonna brute force fuzz your way through that? There's exponential possibilities.

    • @ic7481
      @ic7481 5 months ago +5

      @@rivershen8199 plus there could also be built in time dependencies - this adds another level of exponential possibilities.

    • @MRL8770
      @MRL8770 5 months ago

      @@ic7481 It can find A LOT. For example AMD's (formerly Xilinx) bitstream formats of their 7-series FPGAs have been reverse-engineered with fuzzing.

  • @killingtimeitself
    @killingtimeitself 5 months ago +77

    you mean to tell me closed source hardware/software is vulnerable? Shocker.

    • @GrueneVanilleWaffel
      @GrueneVanilleWaffel 5 months ago +3

      Fuck
      But we only have closed source hardware

    • @lisam5802
      @lisam5802 5 months ago +8

      @@GrueneVanilleWaffel you don't run a [obscure piece of technology from 2014 that still uses proprietary parts anyways] big opsec fail...

    • @killingtimeitself
      @killingtimeitself 5 months ago

      @@GrueneVanilleWaffel NOT WITH THAT ATTITUDE WE DON'T

    • @GrueneVanilleWaffel
      @GrueneVanilleWaffel 5 months ago

      @@lisam5802 sorry, I don't get it

    • @bomlife1572
      @bomlife1572 5 months ago +2

      using open source and foss is seen as socialism for some people

  • @Underqualified_Gunman
    @Underqualified_Gunman 5 months ago +82

    I remember hearing about some folks getting stalked with a similar exploit.

    • @zekiz774
      @zekiz774 5 months ago +7

      It was with this exact one

  • @mskiptr
    @mskiptr 5 months ago +48

    Going by the analysis of Marcan (the MacBook Linux guy), it seems like this vulnerability could have plausibly been found by just guessing. The memory addresses it uses lie right next to the GPU control area, so by poking here and there you could have found it does _something._
    Still, the number of (0-day) exploits used here and the sophistication of the entire deployment chain is mind-boggling and comparable only to the likes of Stuxnet! Definitely from a state-sponsored hacking group.

    • @silverdragonslair
      @silverdragonslair 5 months ago +7

      And he also thinks they're hardware design debug registers, not an intended backdoor, per se.

    • @ra2enjoyer708
      @ra2enjoyer708 5 months ago +8

      @@silverdragonslair The best part is these things are not exclusive.

  • @magicmanchloe
    @magicmanchloe 5 months ago +19

    5:50 I work in 3rd party repair fixing iPhones for a living. I once accidentally triggered the iPhone blue screen (yes blue screen on iOS) with a strange code on the display. Apple support didn’t know what it was and Google had no info. I accidentally triggered it by connecting a faulty screen with the pins for the display connection misaligned. My best guess is it was some sort of internal debugging or diagnostic mode.
    So I’m not saying that you’re wrong I’m just saying it’s possible to find these “back doors” in other ways.

  • @Lupinicus1664
    @Lupinicus1664 5 months ago +46

    This kind of thing, where the hardware itself is 'untrustworthy', has been a suspicion for years. I have some older IBM laptops which I use for a password database, that is never connected online, but also because it is one of the last laptops where the chipsets are 'known' to be what you think they are. Without any possible additional 'features'. Excellent video as always.

    • @fulconandroadcone9488
      @fulconandroadcone9488 5 months ago +8

      I wonder how long until fully open source chip designs hit the market, I have seen some RISC V but at very low powers, maybe in a few years it will only be a question can we trust the foundry to build actual designs,

    • @contactjd
      @contactjd 5 months ago +2

      What era/chipset is that out of interest?

    • @phgamer4393
      @phgamer4393 4 months ago

      @@contactjd I mean there is no proof even back then that they aren't backdoored. I think in the K&R C book there is even a topic about rogue compilers. Like the problem goes way back to the 70s/80s.

  • @LaskyLabs
    @LaskyLabs 5 months ago +237

    Shame it was abused by the glowies instead of given to the people for a jailbreak instead.

    • @thewonderingape6383
      @thewonderingape6383 5 months ago +35

      fr an ios 15.7 jailbreak on non checkm8 devices would be amazing

    • @Enderspearl184
      @Enderspearl184 5 months ago

      @@thewonderingape6383 aka you currently have that setup right
      i may or may not be hoping for something similar though lol

    • @wilh3lmmusic
      @wilh3lmmusic 5 months ago

      @@thewonderingape6383 it’s coming

  • @talon12020
    @talon12020 5 months ago +21

    They attacked Kaspersky devs? Oh yeah this glows brightly.

    • @imgladnotu9527
      @imgladnotu9527 5 months ago +2

      that was a while back and he also covered the news

    • @evilleader1991
      @evilleader1991 5 months ago +1

      That was how they got caught, they attacked researchers @ Kaspersky and they managed to uncover the whole thing.

  • @Rayyan-hi2ge
    @Rayyan-hi2ge 5 months ago +190

    Too bad the gloweys have way more vulnerabilities.

  • @bckends_
    @bckends_ 5 months ago +57

    Bro please inform people that simple mobile tools got sold to some sketchy corpo

    • @not-underscore
      @not-underscore 5 months ago

      @@kevinm45684 to zipoapps, known to buy projects and then put ads and subscriptions on them
      So, it was good while it lasted 🫡

    • @tflsh
      @tflsh 5 months ago

      @@kevinm45684 zippoapps

    • @harriet-x.x
      @harriet-x.x 5 months ago

      @@kevinm45684 some random Chinese company that makes ad bloated apps :< But!! If you do NOT update you are fine!

    • @imgladnotu9527
      @imgladnotu9527 5 months ago

      @@kevinm45684 zippoapps

    • @jordanrodrigues1279
      @jordanrodrigues1279 5 months ago

      ​@@kevinm45684 the same Israeli firm that everyone sells out to and is definitely only in the business of ads and crapware

  • @JohnDlugosz
    @JohnDlugosz 5 months ago +64

    5:45 How could anyone figure out how to use this undocumented feature?
    There was an interesting presentation, on the Intel-AMD64 architecture, at one of the major programming conferences a couple years ago.
    1) the presenter wrote very clever code to find undocumented instructions. This included executing bytes at the very end of a memory page to see if the instruction was "taken" before it fetched bytes from beyond the page. When discovering a new instruction, he would thus determine how many bytes it needed.
    2) read patent applications. If they describe some feature of the SoC, maybe they're _doing_ something like that on some existing product now.
    I'm sure the same principles apply to this platform.

    • @Rightly_Divided
      @Rightly_Divided 5 months ago +2

      Brilliant observation!

    • @Iceman259
      @Iceman259 5 months ago +20

      State level actors can also simply crack open an iPhone and run it under an SEM. Hell, @BreakingTaps does this as an individual. Not a long shot to find secret registers that way.

    • @afinelad3673
      @afinelad3673 5 months ago +4

      What's an SEM?

    • @ldt8904
      @ldt8904 5 months ago

      @@afinelad3673 scanning electron microscope

    • @rivershen8199
      @rivershen8199 5 months ago +6

      Scanning electron microscope. They can detect much finer detail than light can.
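
The page-boundary technique described in the comment thread above, as an added sketch that is not part of any comment or of the presentation it mentions: a toy decoder stands in for the CPU, and a fetch past the end of the mapped page raises a fault, so the prober can measure how many bytes each opcode consumes and flag opcodes the manual does not list. The opcode tables, class names and the 15-byte bound are constructed assumptions for illustration.

```python
"""Toy model of measuring instruction length at a page boundary."""

PAGE_SIZE = 4096
MAX_INSN_LEN = 15  # assumption: upper bound on instruction length


class PageFault(Exception):
    """Instruction fetch touched the unmapped page after the candidate."""


class IllegalInstruction(Exception):
    """Decoder rejected the opcode."""


# Constructed tables: opcode -> total instruction length in bytes.
# SILICON is what the toy chip really decodes; DOCUMENTED is its manual.
SILICON = {0x90: 1, 0x05: 5, 0xB8: 5, 0x0F: 3, 0xD6: 2, 0xF1: 4}
DOCUMENTED = {0x90: 1, 0x05: 5, 0xB8: 5, 0x0F: 3}


class ToyCPU:
    """One mapped page; every address past it is unmapped."""

    def __init__(self):
        self.page = bytearray(PAGE_SIZE)

    def fetch(self, addr):
        if addr >= PAGE_SIZE:
            raise PageFault(addr)
        return self.page[addr]

    def step(self, pc):
        """Decode and 'execute' one instruction starting at pc."""
        opcode = self.fetch(pc)
        length = SILICON.get(opcode)
        if length is None:
            raise IllegalInstruction(opcode)
        for offset in range(1, length):  # operand bytes, fetched in order
            self.fetch(pc + offset)


def probe_length(cpu, candidate):
    """Measure how many bytes the decoder consumes for `candidate`.

    Only the kind of fault is observed, never the decoder's tables.
    Returns the length, or None if the opcode is rejected.
    """
    for visible in range(1, MAX_INSN_LEN + 1):
        start = PAGE_SIZE - visible
        # Place the first `visible` bytes so they end exactly at the page end.
        cpu.page[start:PAGE_SIZE] = candidate[:visible]
        try:
            cpu.step(start)
        except PageFault:
            continue  # decoder wanted more bytes than were mapped
        except IllegalInstruction:
            return None
        return visible  # ran without touching the next page
    return None


def audit(cpu):
    """Return {opcode: measured_length} wherever silicon and manual disagree."""
    findings = {}
    for opcode in range(256):
        candidate = bytes([opcode]) + bytes(MAX_INSN_LEN - 1)
        measured = probe_length(cpu, candidate)
        if measured != DOCUMENTED.get(opcode):
            findings[opcode] = measured
    return findings


if __name__ == "__main__":
    for opcode, length in sorted(audit(ToyCPU()).items()):
        print(f"opcode 0x{opcode:02X}: executes, length {length}, not in manual")
```

The scan covers single opcodes only; behaviour that depends on a sequence of instructions or on timing, as raised in the replies, is outside what this method observes.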

  • @Arek_R.
    @Arek_R. 5 months ago +20

    When you design your own silicon it's almost impossible to accidentally add extra stuff.
    It's a massive investment especially in this case, and everything gets checked thousands of times by hundreds of experts.

    • @theofficialjeff
      @theofficialjeff 5 months ago +10

      You say expert, I say coworker desperately trying to close the Jira ticket from hell to get his manager off his back.

    • @Arek_R.
      @Arek_R. 5 months ago +5

      @@theofficialjeff Isn't Jira for software development

    • @theofficialjeff
      @theofficialjeff 5 months ago

      @@Arek_R. project management in general ¯\_(ツ)_/¯

  • @ihadmyfill
    @ihadmyfill 5 months ago +51

    defo a glowie backdoor

  • @myREALnameISiAM
    @myREALnameISiAM 5 months ago +14

    'Backdoors' are in the original charter of the F.B.I. It started with phones and service providers being required to design the phone network so it can be spied on.

    • @orangejjay
      @orangejjay 5 months ago

      You do realize that the "original" FBI charter was written only 40 or so years ago, well after the FBI had been in existence, yes?
      And no, that original charter makes no mention of requiring phone providers to design a network that can be spied on.
      The nature of analog and digital are such that they can be spied on. No one forced anyone to make them that way.
      Anyone who understands even the basics of how wires and circuits work can see that. It's not particularly complicated. 😂

  • @waltergabriel5501
    @waltergabriel5501 5 months ago +97

    In my opinion, this is clearly a backdoor planted by the manufacturer

  • @camsand6109
    @camsand6109 5 months ago +24

    I figured this had something to do with Pegasus. Crazy it took them this long to patch it.

    • @jittertn
      @jittertn 5 months ago +11

      One of the exploits used is from the 90's 😂

    • @EnFuego79
      @EnFuego79 5 months ago +1

      "Patch"...🤨

  • @ThisAintIt435
    @ThisAintIt435 5 months ago +1

    Hope everything is well with you. Cheers my friend.

  • @SlainByTheWire
    @SlainByTheWire 5 months ago +38

    Death knocking on door meme.
    Intel door: 👽 dead
    AMD door: 👽 dead
    ARM door: knock knock 👽

    • @poisonouspotato1
      @poisonouspotato1 5 months ago +9

      Bogos binted energy 👽

    • @USB3.2
      @USB3.2 5 months ago

      Well, time for PowerPC to come back

    • @find2hard
      @find2hard 5 months ago +2

      RISC-V pls save us!

    • @alwaysradical
      @alwaysradical 4 months ago

      Rotten 🥧

  • @deleleledrios2018
    @deleleledrios2018 5 months ago +53

    That's why I use GrapheneOS on my Google Pixel and you should too

    • @kevinmiller5467
      @kevinmiller5467 5 months ago +57

      Do you think Google doesn't include hardware backdoors in their pixel phones?

    • @salpertia
      @salpertia 5 months ago +4

      Nice bet
      *unless there's a zero day for graphene we don't know about despite all that open source*

    • @guestimator121
      @guestimator121 5 months ago +1

      @@kevinm45684 Hello, mr Glowwie 45684

    • @ScarfaceLittlebee-mj2ch
      @ScarfaceLittlebee-mj2ch 5 months ago +1

      I use a modified Android

    • @dan00b8
      @dan00b8 5 months ago

      @@kevinmiller5467 Still a better bet than the combo of backdoored OS+hardware. Even if the hardware itself is compromised, you have to find an (unintentional) 0 day exploit that escalates you from nothing to hardware level in order to exploit that backdoor anyway. And the GrapheneOS team has shown that they really don't play around and actively assume through each line they write that "if this piece of code were to be exploited, would the danger at least be contained?"
      Also it is very difficult nowadays to find hardware that is (provably) not backdoored, or check the integrity of the claimed implementation, which is why even if they open sourced their titan m firmware you still would not be completely sure. This is why bothering with such details goes beyond tinfoil hat territory. I mean if someone else with backdoor access gets a physical hold of your phone you would be screwed but if your threat model is that large and you got in that situation you screwed up somewhere else entirely anyway...

  • @Xhadp
    @Xhadp 5 months ago +8

    Anyone remember the time when an organization had to get involved for an iPhone where they really badly wanted to get the contents but one last failed password attempt wiped the iPhone's contents? I wonder if anything related to this backdoor could be connected back to that whole thing that ended up being a huge non-story at the end of the day.

  • @navibongo9354
    @navibongo9354 4 months ago

    Exploit aside, your presentation was perfectly on the spot. No rambling, no bs, just spot on fax & technical breakdowns. 👍

  • @FeedMeSalt
    @FeedMeSalt 5 months ago +20

    So basically ACE from fucking Zelda speed running but even worse. Amazing.
    Being able to mess with memory is unbelievable.

  • @stanleykeal2452
    @stanleykeal2452 5 months ago +12

    I wouldn’t be surprised if they put Pegasus on the phones before they come out at this point.

  • @drumitar
    @drumitar 5 months ago +35

    imagine using apple products at this point.

    • @Not_Airrack
      @Not_Airrack 5 months ago +23

      Do you really think android is safer?

    • @MrSolidsnake293
      @MrSolidsnake293 5 months ago

      @@Not_Airrack at this point anything is better than Apple, and the best choice of all is to get off grid, can't hack what isn't digital. when real life comes knocking these hackers won't be safe.
      Real Life catches up to everyone

    • @firewhite
      @firewhite 5 months ago +2

      It’s honestly mostly about the convenience of a simple device. I still have an android for work and more heavy duty stuff but an iphone is an easier daily driver for simple tasks.

    • @MrSolidsnake293
      @MrSolidsnake293 5 months ago +7

      @@firewhite Apple is not more convenient its OS is built so that normies can't do anything with it other than what Apple allows....these people must like being in a playpen while everyone else goes outside to the real playground.
      saying Apple is an "easier daily driver for simple tasks" is like saying a children's learning computer from playschool is the best choice for people who need an "easier daily driver for simple tasks"
      the problem is people refuse to adapt to technology and the companies are taking advantage of said ignorant customer who refused to move away from a locked system that they don't even truly own, therefore allowing the industry to corner people into thinking that a closed system is better than an open one
      it happened to restaurants, it happened to cars, and now it's happening to basic computer and phone....

    • @harriet-x.x
      @harriet-x.x 5 months ago +12

      @@Not_Airrack laughs in graphene os yes mate it is :P

  • @Yaheeeeee
    @Yaheeeeee 5 months ago

    Very interesting and certainly quite the take on this situation.

  • @WarkWarbly
    @WarkWarbly 5 months ago +10

    It's not uncommon to have redundancy in hardware.
    We know the process primarily as "binning" but, redundant features and surfaces are built in and either deactivated (fused off) or just not utilized.
    They're part of the fabrication process, as everything is incredibly tiny, most features (such as a group of transistors) are replicated a few times over, then wired into a given surface (such as an adder within the ALU). They're then wired together, tested, and whichever feature group performs according to spec (in this case the spec is based on Apple's wants) is chosen.
    The unused features can be fused, or go unutilized, or even be programmed to kick in if the other features fail (though this is typically only done in memory ic).
    But I will say this attack chain is a bit sus...

  • @truelies5431
    @truelies5431 5 months ago +17

    Tim Apple 🤣

  • @cobblerthebold
    @cobblerthebold 5 months ago +29

    Thank you for all your videos, of all genres. They’re always appreciated and at least somewhat entertaining. But someone referring to you as Vegan Gains is just about the funniest thing I’ve seen related to your context.

    • @ekkekristo
      @ekkekristo 5 months ago

      lmao 🤣🤣🤣

    • @experiment54
      @experiment54 5 months ago

      Bro is a doppelgänger

  • @janik4546
    @janik4546 5 months ago +1

    What a timing.
    Just saw their C3-talk about them being targeted by this vulnerability.
    Might want to check it out as well.

  • @zitoschouten5068
    @zitoschouten5068 4 months ago

    Loving the folding table setup in the back

  • @MushookieMan
    @MushookieMan 5 months ago +5

    Closed source, absolutely proprietary

  • @journey8533
    @journey8533 5 months ago +44

    The only reason to keep code closed source is because you have something to hide. Either it's embarrassingly bad, or it's malicious. Today, like every day you see closed source products, you have to ask yourself. Was this incompetence or malice?
    In this case it took so many lucky coincidences and lucky hardware quirks, i think it was malicious.

    • @MrSolidsnake293
      @MrSolidsnake293 5 months ago

      it's always malice, no company in the modern era hides info because of embarrassment to them embarrassments are just good coverage until the majority of people "forget" after 24 hours.....these new age people might as well have the memory of a goldfish, if you don't maintain training fish just default back to base needs, like the fools who run a good country into the ground for "the greater good"

    • @GoogleDoesEvil
      @GoogleDoesEvil 5 months ago +12

      Or archaic licensing deals from 30+ years ago that are still in effect.

    • @cat-.-
      @cat-.- 5 months ago +9

      Or u don’t want an open source version to float around?

    • @ghost-user559
      @ghost-user559 5 months ago

      Lol so I can have anything in your bank account and retirement accounts right? You don’t have anything to hide and you don’t believe in private property rights, so why not send your life savings to me?

    • @JPS13Laptop
      @JPS13Laptop 5 months ago +1

      @@cat-.- This

  • @Linkman8912
    @Linkman8912 2 months ago +1

    "Spectre and Meltdown, which were like 5 years ago."
    Yeah I feel old now.

  • @ld2048
    @ld2048 5 months ago +3

    the NSA forces US semiconductor manufacturers to leave physical backdoors in the architecture itself, TSMC doesn't escape it either

    • @pro_154
      @pro_154 5 months ago

      I've been suspecting this for years, surprised to hear pseudo confirmation

  • @GazMatic
    @GazMatic 5 months ago +24

    7:25 As someone who was in Russia, saying “avoid American products” is very difficult because the Russian versions were so underwhelming. Matter of fact, Putin has been trying to push Russians to use their version for years. Guess what though. Because of the Russian war, a large adoption of Russian products arose. Although it’s still not the majority because these products are still mediocre.

    • @alexturnbackthearmy1907
      @alexturnbackthearmy1907 5 months ago +12

      And in 90% of cases are re-brands made in China from used/bad binned chips. No wonders here, even if they have a tech, there is no way to make modern things, there are no factories capable of making them (even something of 2010's level of architecture).

    • @FIAaPn
      @FIAaPn 5 months ago

      I'm not sure about the government jobs, but pretty much everyone here uses WhatsApp, no matter the age. Younger folk (especially females) uses Instagram (via VPN) - both belong to Meta.

  • @duplicake4054
    @duplicake4054 5 months ago +3

    I already knew about this about a month ago because Kaspersky sent me a message saying 'update all your ios devices' and linked to the securelist article (securelist is owned by Kaspersky for clarity)

  • @Zay.FL.
    @Zay.FL. 5 months ago +2

    I used to work at T-Mobile around 2020 during lockdown, and a customer brought their iPhone in saying somebody was listening and watching everything he does. They basically had 24/7 screenshare and can access root files.

  • @vladislavkaras491
    @vladislavkaras491 5 months ago

    Thanks for the news!

  • @JhnyBravos
    @JhnyBravos 5 months ago +6

    Thank you Jason Tatum for this information

    • @Iceman259
      @Iceman259 5 months ago

      I hate the Celtics but I love FOSS

  • @Ratzfourtyfour
    @Ratzfourtyfour 5 months ago +18

    iPhone mishaps make me lol. Pay 1 grand to have the glowies in your phone.

  • @slartibartfast7921
    @slartibartfast7921 5 months ago

    Great info, thanks!

  • @ihateevilbill
    @ihateevilbill 5 months ago

    You're probably right about the three letter agency being the ones that pressured for this, however, there's another possible explanation.
    A couple of years ago I watched a TED talk about searching for undocumented op codes and functions in hardware (by requesting every possible op code hex address and seeing if it did something, then figuring out what that something was). This kind of brute force attack on the hardware would make stuff like backdoors "visible". So, I'd imagine the back door was (as you said) for technicians and wasn't removed in the final design, but the op codes could be found without internal knowledge of the hardware.

  • @losttownstreet3409
    @losttownstreet3409 5 months ago +7

    If you develop a CPU you need to implement some basic "backdoor": you need to scan the CPU for errors in the production plant. Usually there should be fuses to permanently deactivate these debug functions. Some plants used to cut the part of the chip: but it is expensive to cut some silicon off after the final validation. You see many SoCs where the fuses aren't set because somebody forgot at the production phase and they pushed the last known good working development phase out through the door. It's often timelines where some undocumented function or firmware read/write fuses got forgotten, or every device uses the same master key. You need to sell some iPhones with the debug function enabled to development studios.

    • @nickplays2022
      @nickplays2022 5 months ago +1

      What kind of development studios need debug function enabled?

    • @contactjd
      @contactjd 5 months ago +1

      Reminds me of the AMD Athlon cpu, you could increase the clock speed with a small line of pencil between two points

    • @TechSavy-je4tp
      @TechSavy-je4tp 5 months ago +2

      Development studios, what? This isn't a console or something similar, there's no such a thing as an iPhone devkit. It's just the combo xcode and whatever runs ios.

    • @andrewphi4958
      @andrewphi4958 5 months ago +1

      Dude, you DON'T just "forget" at multi-BILLION ultra-high-tech production where every step is approved, monitored, checked and re-checked multiple times by different people and machines.

  • @hank_lg
    @hank_lg 5 months ago +6

    May I remind the Intel management engine? Which is a part of every Intel processor. It is suspected to be a hardwired backdoor. Same with AMD CPU's.

  • @vanish3408
    @vanish3408 5 months ago

    Your glowie thumbnails are always on point!

  • @mattl6459
    @mattl6459 5 months ago +1

    Great video. Commenting to boost visibility.

  • @NapanTR
    @NapanTR 5 months ago +5

    Just the other day there were news saying Apple phones were very secure..
    Wondering if this whole thing will hit mainstream news too

    • @fulconandroadcone9488
      @fulconandroadcone9488 5 months ago

      When they get messages with links to blogs describing it they will most likely self destruct on arrival without trace.

  • @accountname7738
    @accountname7738 5 months ago +3

    I'm still not upgrading! I've been waiting years on IOS 16.0 for a jailbreak. Let's hope this exploit can be used to jailbreak my phone and then we can patch it ourselves. :)

  • @ayanned
    @ayanned 5 months ago

    Loved your video thumbnails.
    That glow Nigerian got caught.

  • @smugwolff6828
    @smugwolff6828 5 months ago +1

    Oh I’ve exploited undocumented registers for some stuff on 70s hardware before (to give myself a few extra bytes of ram by having my kernel access the ones that didn’t interfere with anything like they were regular bytes of ram, 32 bytes of ram is pain)
    I don’t know the specifics of what’s going on here with Apple but it’s not as uncommon as you would think for there to be unused or undocumented registers in a cpu
    I guess I’ll spend next week locating them on the silicon to see if I would be able to physically disable them like I did to the neural engine

  • @FoxGrayMusic
    @FoxGrayMusic 5 months ago +8

    Okay so some things to know, it is actually able to find on a device. I had a friend go to federal prison recently and my phone started acting up, I got a voicemessage with this payload ingrained. I actually still have the payload on my computer in a vm for testing. It was an interesting ass process to find, but even more interesting that just based off a friend going to jail a governmental body felt it opened the right to infect close people. I was on IOS 15.6.1 SO UPDATE UPDATE UPDATE!

    • @andrewphi4958
      @andrewphi4958 5 months ago

      Use it for root ) Seriously, though, it's scary. I'd get rid of any Apple shit long ago.

  • @texrayvision
    @texrayvision 5 months ago +3

    I've been doing what I've been doing long enough to believe that the NSA has almost certainly approached vendors to do this exact thing. The problem with making a backdoor for the three & four letter boys, is that it does so for everyone else. Give it enough time and it will be their backdoor too.

  • @Zemtex22
    @Zemtex22 5 months ago +2

    So McAfee was right? Who would have thought.

  • @johnnylego807
    @johnnylego807 5 months ago +1

    Absolutely wild, but not surprised, knew about this for a LONG TIME because many police depts were and are using a similar back door to gain root to users' phones, by 3rd party companies that sell the devices to them, (for the right price of course)

  • @TrickyNekro
    @TrickyNekro 5 months ago +5

    I'd say, the ONLY benign explanation is silicon reverse engineering parts that were meant for debugging. That being said... I'm not naive either...

    • @mskiptr
      @mskiptr 5 months ago +2

      poking memory at random goes brrrrrrrrr

  • @Randomynous01
    @Randomynous01 5 months ago +5

    So basically if the cpu manufacturers have properly designed their products to be secure, none of this could have happened?
    It appears that the problem lies in the very root of the tech system.

    • @GreasinFromHNG
      @GreasinFromHNG 5 months ago

      you're not allowed to produce systems impervious to the NSA if you do they will literally kill you

  • @smollillith4799
    @smollillith4799 5 months ago

    That thumbnail is a work of art for this situation

  • @goldmantracks
    @goldmantracks 5 months ago +2

    please do an update soon that for 2 days tor exit nodes have been going to Virginia for >48 hours according to several persons

  • @brandonn.1275
    @brandonn.1275 5 months ago +18

    The only backdoor needed is the software update system on iOS. All Apple has to do is push a single malicious update to all devices to gain access to them and none of us would know about it.

    • @JPS13Laptop
      @JPS13Laptop 5 months ago

      Apple wouldn't be able to hide something like that for long.

    • @brandonn.1275
      @brandonn.1275 5 months ago

      @@JPS13Laptop if they're gonna do something like brick their devices, yeah that would be painfully obvious but something like taking screenshots and recording keyboard input, that's something that a user wouldn't be able to identify much less detect using a network packet sniffer when that data is discreetly sent back using encryption. It's even something that Apple can write off as quality assurance telemetry used for improving the iOS ecosystem and users would have 0 evidence to prove the contrary since they wouldn't be able to read the data being sent back.
      Keyboard inputs are already sent back for text prediction, the photos you take that automatically get uploaded to iCloud are reviewed by apple for regulatory compliance, your text messages are processed through Apple servers. Breaking end to end encryption is straightforward for apple and only requires a couple changes of code to grant themselves access and no one else. No one would even notice since the imessage's source code isn't visible to the public.

    • @JPS13Laptop
      @JPS13Laptop 5 months ago

      @@brandonn.1275 There is always a way to read the data coming out of a device. Even the encrypted stuff.

    • @georgek4416
      @georgek4416 5 months ago +1

      "But we didn't do it on purpose! It was just a vulnerability, we took immediate steps to resolve the issue blah blah"

    • @fulconandroadcone9488
      @fulconandroadcone9488 5 months ago

      @@georgek4416 and it can last only of an update cycle, at which point they switch it out and by the time someone figures it was a breach it will be "patched" for a very long time

  • @piotralex5
    @piotralex5 5 months ago +3

    I worked for small companies, I worked for large companies in software dev. The amount of carelessness, mess, lack of security, self-awareness is so through the roof that it doesn't take CIA || FSB || NSO || ISIS agent to implement a backdoor by kidnapping the CEO's family. You just wait for the laziness of devs or send your own dev to do the thing. Or just log in to their MySQL with root root and put some git and cat commands.

    • @xr.spedtech
      @xr.spedtech 5 months ago

      Yes ...
      It's the same reason for solar winds

    • @JohnSmith-qt4pv
      @JohnSmith-qt4pv 4 months ago

      These are fully functional registers, this isn't an accidental design flaw like some examples FPU or branch prediction errors that can be used for exploits.

  • @DJ29Joesph
    @DJ29Joesph 5 months ago

    This was a good video. Thanks.

  • @c3rb3ru5d3d53c
    @c3rb3ru5d3d53c 5 months ago +1

    It is possible to fuzz CPUs for additional instructions or undocumented features. This has been done already for certain subsets of x86 CPUs for exploits. As a result, it is also possible Apple was not acting with malice.

    • @GreasinFromHNG
      @GreasinFromHNG 5 months ago

      wrong apple not acting with malice is literally against the laws of physics its not physically possible for anything apple does to not be malicious its malicious by default BECAUSE its apple

  • @galencole2108
    @galencole2108 5 months ago +7

    If Kaspersky is reporting on this it was the one for the Russian iPhone users at the start of the war, and now they started to use Chinese phones. This comes after the Push Notification server thing for all phones, the US Government and associates is grubbing on these.

  • @thanosbirb2287
    @thanosbirb2287 5 months ago +5

    Having an iphone is already a privacy concern 😂

    • @Haunting_Shadow
      @Haunting_Shadow 5 months ago +2

      Having a smart phone in general, is a privacy concern.
      If you think android is safe, you’re fooling yourself.
      If you think I’m saying this just to defend Apple, you’re wrong. I see the pros and cons of both devices.

    • @thanosbirb2287
      @thanosbirb2287 5 months ago

      @@Haunting_Shadow Google is similar i know

  • @Lonaticus
    @Lonaticus 5 months ago +2

    Ohh!! Is it time?! For The Fappening 2: Backdoor Boogaloo?

  • @Medivh4-pc6ly
    @Medivh4-pc6ly 5 months ago +1

    I was in Kaspersky's talk about the exploit at 37c3. Good job. But you failed to mention that the hack also used a kernel exploit written in JS 😂.

  • @pi4313
    @pi4313 5 months ago +4

    NOO THEY FOUND MY BACKDOOR!!

  • @sush7117
    @sush7117 5 months ago +6

    Russia is actually already moving all sensitive stuff on linux(Astra and Rosa OS). And very sensitive stuff on servers with russian CPUs

    • @lmnk
      @lmnk 5 months ago +1

      Unironically one of the only good thing about the invasion is the amount of boost software import substitution programmes got. I know even some school computers use Alt instead of Windows now

    • @fulconandroadcone9488
      @fulconandroadcone9488 5 months ago +1

      @@lmnk and might lead to a strong software community which in turn might be more capable of exploiting flaws in modern hardware whilst patching their own,

  • @jarredallen
    @jarredallen 5 months ago

    unused register isn't that unusual but what is unusual is somebody left a JTAG port left open for a remote configuration and debugging a stack overflow. like, Siemens, Allen-Bradley, Schneider and ABB don't let their automation have a particular JTAG port open for glow bois to exploit.

  • @LinkageAX
    @LinkageAX 5 months ago +2

    If you're hitting a CPU, wouldn't it be easy enough to see which hashes data is going through? If you keep seeing the same hash come back while processing, it could be something exploitable right?