I wonder if that backdo… ermmm… i mean… undocumented feature… will be useful for ios jailbreaking.
It’s gonna be a “yikes” from me, dawg
Can someone much smarter than I am, explain like I’m a toddler?
Basically they found out that anyone who knows how this work can send you an iMessage with an attachment that won’t show up on your end without the need of your interaction and do whatever they want on your iphone.
P.S. I’m not smart nor I’m an expert.
What the other dude said, but the level of sophistication was miles beyond what you typically see from even nation states. The takeaway is you cannot defend yourself from a nation that wants your information.
Well, it certainly helps when that nation gets to build hardware backdoors into the stuff you buy.
Iirc lockdown mode would prevent this exploit from working
Someone figured out a way that could hijack iMessage through sending a special malicious PDF that took advantage of a flaw in some legacy font rendering code unique to Apple, that even Apple hadn’t used in decades.
Then, that PDF launched a JavaScript debugger that is built into iPhones, and took advantage of a flaw in that to jump into putting some code into the parts of user memory, that the system doesn’t fully trust.
Then, that code takes advantage of another flaw to bypass the system’s protections for not fully trusting that code, to secretly launch a web browser and navigate to a secret webpage that runs a much bigger piece of malware.
That malware can read and modify basically anything on the system, and was used to read all sorts of sensitive data: message history, location information, app data, etc.
Because the whole exploit chain was so advanced and involved so many different previously unknown vulnerabilities, basically the list of possible suspects is very, very short: some kind of nation state with advanced hacking capabilities.
Shorter version: Operating systems set up hardware locks and protections to confine processes, and once set up, they cannot be undone. (the hardware + OS denies modifications to the security policy)
- Attacker broke out from the app sandbox. (attacker can run code in the infected process)
- Broke out of the process. (gained root access; attacker can run anything)
- Broke into the kernel space (gained 100% control over the hardware)
- Corrupted some kernel memory via a damm magic MMIO accesses nobody knows (hardware vulnerable)
- Bypassed protections that kernel set up earlier such that it cannot accidentally modify itself.
- Finally broke the kernel via hardware exploit thus the attacker got rootkit level access.
Getting arbitrary code execution and root access is one thing, but breaking out from the damm kernel configured hardware protections is insane.
They basically managed to flip a “read-only” switch to “modify-as-much-as-you-like”. The infected device at this point is broken beyond repair, as the firmware(s) may have been tampered with. End result is a terrestrial spy brick.
