This is all extremely suspicious. Undocumented debug registers that require a hash? I heard somewhere the hash is related to ECC, so I can conceive of finding this by trial and error, but dang. Burning _two_ kernel exploits, and a Safari exploit from the kernel? They _really_ wanted to hide what they were doing. I guess they hoped people would see the Safari exploit and not think too hard about how it got executed in the first place. The payload is immensely complex, with many clever tricks, suggesting it was written by multiple talented people. The choice of target, and the steps it takes to avoid infecting wrong targets, absolutely reek of the attacker being Not Some Arsehole but rather a large organization... ...and then there's the fact that Apple silently removed those unused, undocumented functions that the exploit used in the font engine. Usually for a security update you warn people that it's important. Perhaps they weren't allowed this time?

@SionynJones

6 ай бұрын

It's definitely not a debug. No one would design a debug system that required signing. The signature is computed using a sbox lookup table which some would need prior knowledge about. It's undocumented and would of not been discovered had these dudes not observed it with this malware. My best guess is coercion but who was coerced apple? Arm? and why Kaspersky? Let alone the possibility of other SoC being compromised.

@carnivorebear6582

6 ай бұрын

​@@SionynJonesI've wondered if other ARM chips have this vulnerability. Even across vendors in x86 land there's a lot of overlap in undocumented instructions between Intel, AMD and VIA.

@MCasterAnd

6 ай бұрын

The font thing didn't seem too suspicious, it's entirely possible that Apple saw this was causing crashes and decided to remove it. But the undocumented debug registers, especially the fact that they figured out they need to differentiate the attack a bit between different CPU's.. This reeks of an intentional backdoor

@rahulramteke3338

5 ай бұрын

Apple is in bed with all three letter agencies

@minirop

3 ай бұрын

@@carnivorebear6582 When a vendor decides to create its own ARM chip (like Apple did), they still need to pass ARM's test suite and follow some rules, so could be.

This talk just kept escalating! By the time we got to the end I was just in shock.

@JustJustSid

6 ай бұрын

My thoughts exactly. Every time I went "Damn that's crazy" it got crazier. The logistics alone that must be behind this attack is crazy to even think about, there is no way this wasn't done by a nation state attacker with very deep pockets. Absolutely mind boggling attack. Also mad props to Kaspersky labs for figuring all of this out. There are some crazy smart people involved on both sides of this.

It must be maddening to be the architect and coders of something this brilliant, but never be able to discuss it. This is genius level stuff and yet not a word was leaked and they say this has been around for 4 years at least. That's serious discipline.

@sumo-ninja

6 ай бұрын

Looks more like 10 years they are saying now

Absolutely amazing research and great work! And thanks for the recording ccc 🎉

crazy good talk! thank you. i didn´t understand much of the details but it was still super interesting

I’m no expert on this, so sorry for my lack of knowledge. But I’ve seen many of these 0 days are reset by rebooting/restarting the phone/mac. Would it be a common an advisable practice to shutdown/reboot all devices once a day? Just like old computers and old phones. It would prevent their persistence and damage potential (I’m not wrong mistaken). Best regards and sorry again if something was misunderstood.

@V4ker

6 ай бұрын

It depends on how difficult it is to exploit a particular attack chain. If it's a more or less reliable 0-click like described in this video, you will annoy hackers by restarting the phone, but ultimately as soon as you do a restart they can just perform attack again right away. But for anything else, especially something that requires your interaction to be exploited, restarts once per day will be very effective. In general, if you think you might be targeted, it's a good measure, but not an ultimate one - and keep in mind that ultimate measures don't exist :)

Thanks again for the good presentation.

this was impressive, thank you!

Fascinating talk, thanks for sharing!

The person behind creating this would be one hell of a computer genius. How in the world does that person stay this much motivated? Maybe he gets a lot better pay than us. Causal NSA. They have more in store than we could imagine.

@seonor

7 ай бұрын

Most likely this wasn't just one person, but several teams for each step, and some of the needed 0days might also have been bought from others.

@TheSwanies

7 ай бұрын

It's most likely an entire team of researchers

@vladislavivanov2511

6 ай бұрын

This sort of thing isn’t a single person effort. There’s a good chance it’s a state actor too

@SadeN_0

6 ай бұрын

This whole thing could easily be something like $5-10 million in 0day black market value. that's a few dubloons to motivate a couple of people. kind of a smooth brain move to burn the whole chain on a security researcher's phone, at their workplace

@wr3ckr270

6 ай бұрын

@@SadeN_0 Make it 500-1000 million. This is actually the worst nightmares coming true.

The complexity feels similar to Stuxnet

This was crazy good

Just epic. Thanks for sharing.

Very interesting presentation! 😄

I'm speechless. About the fact, the research and how cool it was presented.

Crazy good talk! Up there with David Kriesel.

@wr3ckr270

6 ай бұрын

True. David Kriesel level of talk.

@saferugdev8975

6 ай бұрын

imo these guys are like 1-2 universes ahead on the technical level (im thinking compared to the printer scandal) but david has the charisma and confidence to make up for it and provide an overall equally interesting talk

Thx for recording!

makes me feel so dumb :P breathtaking work guyz!

Amazing talk, scary stuff out there.

This attack is way too complex to be done by a joe schmoe. Imo, it seems to be government sponsored.

@rahulramteke3338

5 ай бұрын

It is NSA, CIA, TAO did this

This is incredible.

This is an insane exploit chain. It makes you wonder how they found all those 0-days, especially the undocumented registers and the hash algorithm...

Impressive!

44:20 Nice easter egg :D

I wonder if they updated tinycheck to detect these IOC’s

Absolutely bananas

Title of video should be: Apple's backdoor in iphone exposed.

This makes iLeakage look like a joke

can someone clarify why the attackers use two different kernel exploits?

Crazy. Not that I understand much of it, but how the hell do I calculate the has of a rendered triangle? And how does this lead to device fingerprinting? I imagine the hash of that triangle is different on each device, but how is this coming, technology wise?

@caiocc12

7 ай бұрын

Probably just taking the rasterized result from the framebuffer and hashing that. With anti-aliasing, the target GPU may render it with an imperceptible change in a pixel color around the triangle's edge and that is enough. There are so many layers to that it's hard to believe it's not a backdoor.

@ralphorama

6 ай бұрын

canvas fingerprinting is pretty common on the modern web, I know TikTok's web frontend uses it for tracking. BrowserLeaks says, "this technique relies on variations in how canvas images are rendered on different web browsers and platforms to create a personalized digital fingerprint of a user's browser."

@TyrHeimdal

6 ай бұрын

Just google "canvas fingerprinting", the techniques have been widely known for 10 years to uniquely fingerprint devices. It's still widely in use today, and mitigations will (still to this day) cause you to have worse performance on the interwebz.

How many other obscure register mappings exist on all the soc around the world!? There is no such thing as security 😢

@prodbyfaith

6 ай бұрын

That's why RISC-V is the future

@schlo9358

6 ай бұрын

@@prodbyfaith what do RISC-V diffrently?

@carnivorebear6582

6 ай бұрын

​@schlo9358 It's an open source architecture, unfortunately those in charge of the project are elitest and not interested in taking advantage of all those who would be willing to contribute. I think any open source FPGA implementation of a CPU core would be pretty secure though, no one will write the code to implement functionality which is unknown.

KHEm (NSA) Khem

Crazy how such a sophisticated piece of attack has an MD5 hash in the mix…

What I wonder is if any other arm based SoCs have this vulnerability?

@2k18banvalaki5

6 ай бұрын

Very likely yes. Even Nintendo Switch has a hardware vulnerability regarding to the GPU cores being able to bypass PPL. I bet on other android phones that are not this wide spread there are even more vulnerabilities. Not to mention the kernel is open source (with the patches manufacturers applied). And I have heard if a few times when Samsung Exynos chips had vulnerabilities too.

@xCheddarB0b42x

6 ай бұрын

VaaS - vulns as a service.

Love this QR: 44:11

@Silas_229

6 ай бұрын

Now we not only have to recognize the youtube link but also the qr code at different levels of error correction

@Themoonisachees

6 ай бұрын

@@Silas_229 dQwM and spotify's short-middle-short-tall are already burned in my memory for far longer than either spotify or youtube will exist

Where can I go to check my iPhone? I didn't catch what they said?

Very interesting! I'm wondering, would you feel your phone 'inexplicably' heat up and see its battery drain faster when Apple Neural Engine analyzes thousands of images and files? Seems like a power-intensive process...

@jasopolis

6 ай бұрын

I doubt it - this processing is also regularly done by iOS for legitimate purposes (e.g. being able to search photos by keyword like ‘beach’, OCR features in Photos, etc)

@carnivorebear6582

6 ай бұрын

The neural engine as a whole is a fairly small chunk of silicon relative to CPU/GPU, hence its power usage it's not going to be that noticeable heat wise. Would make some difference to battery life but not sure if it would be big enough to jump out as being fishy

@eagle56786

6 ай бұрын

the processing has already been done

@wrakowic

6 ай бұрын

But the analysis is done when the picture is taken, and results are saved as metadata right? Therefore there wouldn’t be additional mass processing.

@eagle56786

6 ай бұрын

yes, exactly. the attackers just exfiltrate the metadata your iPhone has already processed, and store it on their end, for lack of a better term@@wrakowic​

state actor?

Plot Twist: Apple themselves is behind this one.

of course it was the NSA

homicidalwombat is a pretty banger email address ngl

" there are no virus on apple "

So how much does Apple pay for detailed information like that? It should be at least in the tens of Mio. USD range.

it's NSO new generation malware

plot twist: watching this talk will trigger the dead switch and deactivate exploit on your device

blue team ftw

Netter Rick-Roll ;)

I came here from the dopamine jailbreak 2.0 credits page

No need for virus in apple completely open lol

unfortunately very difficult to understand

@MCasterAnd

6 ай бұрын

I found it quite easy

@Elijahh747

3 ай бұрын

​@@MCasterAndthen write a poc