Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets

  • Published on 20 Sep 2024

Comments • 88

  • @sent4dc
    @sent4dc 7 years ago +125

    Pretty cool. But one suggestion: watch on 1.5 or 1.25 speed.

    • @einsteinx2
      @einsteinx2 6 years ago +4

      sent4dc not only was it way better to watch that way, but I had no idea until now that you could increase playback speed in the TH-cam app! Thanks!!

    • @easyappscompany
      @easyappscompany 5 years ago

      SHIT MAN YES IT'S SO SLOW

    • @easyappscompany
      @easyappscompany 5 years ago

      The worst thing cannot see on 1.25

    • @Miawgician
      @Miawgician 5 years ago

      now he's rapping hahaha

    • @tayloro_o6448
      @tayloro_o6448 4 years ago

      thanks, much appreciated

  • @ZarkowsWorld
    @ZarkowsWorld 5 years ago +8

    And NSA and China's 'Cyber warfare' divisions have used this and not notified Broadcom, as it is very useful for them.

  • @maximalgamingnl9954
    @maximalgamingnl9954 5 years ago +8

    just imagine sitting in a Software Engineering class, and just 2 people there having Macs, then you say 'Your laptops will crash in 10 seconds', and then you do something like this: 31:00 xD

  • @TurboWindex
    @TurboWindex 3 years ago

    The only time I like to hear "Game Over" is at a black hat presentation.

  • @bitcode_
    @bitcode_ 6 years ago +10

    Repository unavailable due to DMCA takedown.

  • @changdi2042
    @changdi2042 6 years ago +16

    Mark at: 28:58 (Auto-Join a new & untrusted Wi-Fi) 46:00 (the Demo starts)

  • @johnnyprimavera2
    @johnnyprimavera2 7 years ago +60

    One of the slowest talks I've ever seen. Really interesting though.

    • @ColtonBs
      @ColtonBs 7 years ago +1

      Joan Montserrat so slow that I’m already bored from watching it. How many times can someone repeat what they’re saying in a different way before you’re tired of hearing them? Less than 10 minutes in and I’m already over it.

    • @Adam-eb3rs
      @Adam-eb3rs 7 years ago +3

      Colton B ummmm aarrrrrrmmmm ummmmmmmm ummmmmmm jesus

    • @nullablebool
      @nullablebool 7 years ago +7

      I just watch it with a 2x playback speed.

    • @judgeomega
      @judgeomega 7 years ago +6

      I keep my speed at least at 1.25, often at 1.5. Time is the most valuable commodity in the world.

    • @ColtonBs
      @ColtonBs 7 years ago +2

      Could have been half the length if he had a full presentation ready, instead of long periods of silence and “um” being used almost every other phrase. He spent more time on his slides than figuring out what to say with the slides. Very disappointed with this speaker, and I hope that Black Hat refuses any of his future talks unless he is actually prepared.

  • @blackneos940
    @blackneos940 6 years ago +1

    The OpenBSD Devs would LOVE this video..... (:

  • @ak_as_gamer942
    @ak_as_gamer942 7 years ago +25

    awesome attack, really helpful

  • @RalphInRalphWorld
    @RalphInRalphWorld 7 years ago +46

    Good thing the firmware is closed source to prevent this sort of thing...

    • @firefly618
      @firefly618 7 years ago +8

      lol

    • @yurigeinish3018
      @yurigeinish3018 6 years ago +31

      Security by obscurity doesn't work.

    • @SkyGodKing
      @SkyGodKing 6 years ago +2

      Well, you could argue that if they had stopped the source code from being leaked, then this exploit wouldn't have been discovered

    • @BibendiYT
      @BibendiYT 6 years ago +5

      It wouldn't have been discovered YET

    • @MultiClittle
      @MultiClittle 6 years ago +4

      Yuri Geinish - it's a joke

  • @bencesarosi7718
    @bencesarosi7718 6 years ago +4

    This is a very interesting project. The thing is, however, he/they didn't ever compromise Android, nor iOS, thus the title is absolutely misleading. The content is still very worthy and thought-inducing IMHO, but indeed doesn't justify the full hour of presentation time people are complaining about.

    • @gradertfamilymakes
      @gradertfamilymakes 5 years ago +1

      It's not apparent to you that access to this memory could allow code to be executed within the OS of the phone, correct?

    • @bencesarosi7718
      @bencesarosi7718 5 years ago +2

      I didn't really delve more into it than what is already presented here, but as far as my understanding goes, the code you get to run here runs on a dedicated ARM unit, in dedicated memory, belonging exclusively to the WiFi chipset. That is, you'll need at least one other vulnerability concerning the interface between this chipset and the OS in order to get the main CPU running the system to execute your payload in the context of the OS.
      It's a really interesting possibility, but apparently it is just as far from compromising Android/iOS as an SQL injection is from hijacking the whole system the website is hosted on. Nevertheless it opens up some new perspectives...

  • @nosimpingnocap
    @nosimpingnocap 3 years ago +1

    He's talking about Pegasus

  • @Baigle1
    @Baigle1 7 years ago +8

    Could this brick the Broadcom chip if done wrong or purposely?

    • @Baigle1
      @Baigle1 7 years ago

      I can definitely see a firmware attack coming out of this if it's even possible... like the HDD firmware patching modules that were unfinished in Stuxnet back when it was running around with 0-days
      and who knows what is in Intel AMT/ME or AMD PSP/Secure Processor to flash.. the Intel AMT memory region on the motherboard is the same as SMM code
      the ultimate persistence would be hardware or firmware..

    • @Ratzzo
      @Ratzzo 7 years ago +1

      Maybe. If you inject code in RAM and call flashing facilities

    • @statinskill
      @statinskill 6 years ago

      Sure. If you can find something important you can overwrite, a flash or a serial EEPROM maybe. It probably won't work without a proper config. That said, why would you? There's nothing to be gained from this; all it means is they will ditch the phone they're using and get a new one. Maybe one where this doesn't work.

  • @abdelrahmangamalmahdy
    @abdelrahmangamalmahdy 5 years ago +4

    I am just wondering why he didn't inject any system calls to compromise the Android/iOS system itself.. All I'm seeing is just taking over the wireless chip but not the application system itself. I think it is very possible to use the trust relationship between the Wi-Fi software and other system resources to hack the application software.. so this seems like an incomplete project, or maybe he has already sold such an attack privately to a company or possibly a government!

    • @TopherSnags
      @TopherSnags 5 years ago

      Truth Seeker I was wondering this as well.

    • @Atomkukac1
      @Atomkukac1 4 years ago +4

      Probably 24 bytes are not enough and you need to at least duplicate potential system calls to cover both iOS and Android. Rule 2: No assumptions about the system.

  • @AmeerHamza-cy6km
    @AmeerHamza-cy6km 6 years ago +3

    Thanks for speaking this way, so people who do not speak English can easily understand.

  • @SeoKungFu
    @SeoKungFu 7 years ago +2

    Lovely #PWNAGE !

  • @coprice94
    @coprice94 5 years ago +3

    Glad I use a flip phone

  • @LostArchivist
    @LostArchivist 5 years ago +3

    So they are spooks basically. And they play by old-school rules.

  • @kuqezi8081
    @kuqezi8081 5 years ago +2

    I had to grin when I saw the whoami at the beginning 00:30 :)

  • @pubcollize
    @pubcollize 6 years ago +6

    It's not even 3 minutes in and he said "remote exploit" at least over 9000 times.

  • @zedeleyici.1337
    @zedeleyici.1337 2 years ago

    excellent

  • @SilverPaladin
    @SilverPaladin 7 years ago +8

    skip to the demo: th-cam.com/video/TDk2RId8LFo/w-d-xo.htmlm35s

    • @Adam-eb3rs
      @Adam-eb3rs 7 years ago +14

      Steve Lawrence 45:35 for anyone who doesn't want to reload

  • @blackfoxshooter
    @blackfoxshooter 4 years ago

    cool jacket

  • @jakubrichnavsky
    @jakubrichnavsky 7 years ago +1

    50000 against millions

  • @livefreeprintguns
    @livefreeprintguns 6 years ago +18

    Save yourself the 40 minutes and jog straight to 40m00s. Unless you want a lecture on what a "remote exploit" is (which I always thought was inherent) and in case you missed out on the past 20 years, a 30 minute tutorial on how WiFi works. It's literally a 10 minute demo stretched out to an hour of mostly yawnzzzzz.

  • @remusomega
    @remusomega 7 years ago +1

    Wasn't this exploit already patched by Apple?

    • @Tjalian
      @Tjalian 7 years ago +8

      Probably. A lot of these exploits are released at Black Hat after the period of reasonable disclosure has passed, which gives plenty of time for developers to patch the exploits. If you're dragging your heels on patching the exploit, that's their problem, not his.

    • @coprice94
      @coprice94 5 years ago +1

      No

  • @localhost9993
    @localhost9993 6 years ago +1

    exploit link............./

    • @RahilKhan-ym9ej
      @RahilKhan-ym9ej 3 years ago

      @ChillSakura yaa 😂😂 he needs the link?? how

  • @thekaiser4333
    @thekaiser4333 6 years ago

    Sad.

  • @EAGEEYE321
    @EAGEEYE321 3 years ago

    aaahhhh

  • @Carambolero
    @Carambolero 6 years ago +3

    Nice talk. Please stop sniffing and drink some water.