37C3 - Operation Triangulation: What You Get When Attack iPhones of Researchers

media.ccc.de

Подписаться 210 тыс.

Просмотров 70 тыс.

50% 1

media.ccc.de/v...
Imagine discovering a zero-click attack targeting Apple mobile devices of your colleagues and managing to capture all the stages of the attack. That’s exactly what happened to us! This led to the fixing of four zero-day vulnerabilities and discovering of a previously unknown and highly sophisticated spyware that had been around for years without anyone noticing. We call it Operation Triangulation. We've been teasing this story for almost six months, while thoroughly analyzing every stage of the attack. Now, for the first time, we're ready to tell you all about it. This is the story of the most sophisticated attack chain and spyware ever discovered by Kaspersky.
In this presentation, we will share:
* How we managed to discover and capture all stages of a zero-click attack on iOS, despite the attackers’ efforts to hide and protect it,
* a comprehensive analysis of the entire attack chain, which exploited five vulnerabilities, including four zero-days
* the capabilities of the malware that transforms your phone into the ultimate surveillance tool,
* and the links to previously known malware we were able to find.
oct0xor
kucher1n
bzvr_
events.ccc.de/...
#37c3 #Security

Опубликовано:

20 сен 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 102

@joecincotta5805 8 месяцев назад

This talk just kept escalating! By the time we got to the end I was just in shock.

@JustJustSid 8 месяцев назад

My thoughts exactly. Every time I went "Damn that's crazy" it got crazier. The logistics alone that must be behind this attack is crazy to even think about, there is no way this wasn't done by a nation state attacker with very deep pockets. Absolutely mind boggling attack. Also mad props to Kaspersky labs for figuring all of this out. There are some crazy smart people involved on both sides of this.

@renakunisaki 8 месяцев назад

This is all extremely suspicious. Undocumented debug registers that require a hash? I heard somewhere the hash is related to ECC, so I can conceive of finding this by trial and error, but dang. Burning _two_ kernel exploits, and a Safari exploit from the kernel? They _really_ wanted to hide what they were doing. I guess they hoped people would see the Safari exploit and not think too hard about how it got executed in the first place. The payload is immensely complex, with many clever tricks, suggesting it was written by multiple talented people. The choice of target, and the steps it takes to avoid infecting wrong targets, absolutely reek of the attacker being Not Some Arsehole but rather a large organization... ...and then there's the fact that Apple silently removed those unused, undocumented functions that the exploit used in the font engine. Usually for a security update you warn people that it's important. Perhaps they weren't allowed this time?

@SionynJones 8 месяцев назад

It's definitely not a debug. No one would design a debug system that required signing. The signature is computed using a sbox lookup table which some would need prior knowledge about. It's undocumented and would of not been discovered had these dudes not observed it with this malware. My best guess is coercion but who was coerced apple? Arm? and why Kaspersky? Let alone the possibility of other SoC being compromised.

@carnivorebear6582 8 месяцев назад

@@SionynJonesI've wondered if other ARM chips have this vulnerability. Even across vendors in x86 land there's a lot of overlap in undocumented instructions between Intel, AMD and VIA.

@MCasterAnd 8 месяцев назад

The font thing didn't seem too suspicious, it's entirely possible that Apple saw this was causing crashes and decided to remove it. But the undocumented debug registers, especially the fact that they figured out they need to differentiate the attack a bit between different CPU's.. This reeks of an intentional backdoor

@rahulramteke3338 7 месяцев назад

Apple is in bed with all three letter agencies

@minirop 5 месяцев назад

@@carnivorebear6582 When a vendor decides to create its own ARM chip (like Apple did), they still need to pass ARM's test suite and follow some rules, so could be.

@JWieg 8 месяцев назад

Absolutely amazing research and great work! And thanks for the recording ccc 🎉

@libenasukro 8 месяцев назад

It must be maddening to be the architect and coders of something this brilliant, but never be able to discuss it. This is genius level stuff and yet not a word was leaked and they say this has been around for 4 years at least. That's serious discipline.

@sumo-ninja 7 месяцев назад

Looks more like 10 years they are saying now

@jpphoton 13 дней назад

totally agree.

@casgie 8 месяцев назад

The complexity feels similar to Stuxnet

@Th3Mag1c1an 8 месяцев назад

The person behind creating this would be one hell of a computer genius. How in the world does that person stay this much motivated? Maybe he gets a lot better pay than us. Causal NSA. They have more in store than we could imagine.

@seonor 8 месяцев назад

Most likely this wasn't just one person, but several teams for each step, and some of the needed 0days might also have been bought from others.

@TheSwanies 8 месяцев назад

It's most likely an entire team of researchers

@vladislavivanov2511 8 месяцев назад

This sort of thing isn’t a single person effort. There’s a good chance it’s a state actor too

@SadeN_0 8 месяцев назад

This whole thing could easily be something like $5-10 million in 0day black market value. that's a few dubloons to motivate a couple of people. kind of a smooth brain move to burn the whole chain on a security researcher's phone, at their workplace

@wr3ckr270 8 месяцев назад

@@SadeN_0 Make it 500-1000 million. This is actually the worst nightmares coming true.

@julianbruns7459 8 месяцев назад

crazy good talk! thank you. i didn´t understand much of the details but it was still super interesting

@jpphoton 12 дней назад

brilliant young lads. excellent presentation

@joaoalonso6942 8 месяцев назад

This attack is way too complex to be done by a joe schmoe. Imo, it seems to be government sponsored.

@rahulramteke3338 7 месяцев назад

It is NSA, CIA, TAO did this

@Lino1259 8 месяцев назад

Crazy good talk! Up there with David Kriesel.

@wr3ckr270 8 месяцев назад

True. David Kriesel level of talk.

@saferugdev8975 7 месяцев назад

imo these guys are like 1-2 universes ahead on the technical level (im thinking compared to the printer scandal) but david has the charisma and confidence to make up for it and provide an overall equally interesting talk

@alzaimar 8 месяцев назад

I'm speechless. About the fact, the research and how cool it was presented.

@abwesend 8 месяцев назад

this was impressive, thank you!

@TK3C 8 месяцев назад

Fascinating talk, thanks for sharing!

@judgewooden 8 месяцев назад

Title of video should be: Apple's backdoor in iphone exposed.

@Zatarra48 8 месяцев назад

Thanks again for the good presentation.

@pardal_bs 8 месяцев назад

This is an insane exploit chain. It makes you wonder how they found all those 0-days, especially the undocumented registers and the hash algorithm...

@szpl 8 месяцев назад

44:20 Nice easter egg :D

@Dr-Zed 8 месяцев назад

This makes iLeakage look like a joke

@TotoMacFrame 8 месяцев назад

Crazy. Not that I understand much of it, but how the hell do I calculate the has of a rendered triangle? And how does this lead to device fingerprinting? I imagine the hash of that triangle is different on each device, but how is this coming, technology wise?

@caiocc12 8 месяцев назад

Probably just taking the rasterized result from the framebuffer and hashing that. With anti-aliasing, the target GPU may render it with an imperceptible change in a pixel color around the triangle's edge and that is enough. There are so many layers to that it's hard to believe it's not a backdoor.

@ralphorama 8 месяцев назад

canvas fingerprinting is pretty common on the modern web, I know TikTok's web frontend uses it for tracking. BrowserLeaks says, "this technique relies on variations in how canvas images are rendered on different web browsers and platforms to create a personalized digital fingerprint of a user's browser."

@TyrHeimdal 8 месяцев назад

Just google "canvas fingerprinting", the techniques have been widely known for 10 years to uniquely fingerprint devices. It's still widely in use today, and mitigations will (still to this day) cause you to have worse performance on the interwebz.

@ttrss 8 месяцев назад

KHEm (NSA) Khem

@ac12223 8 месяцев назад

This was crazy good

@joecincotta5805 8 месяцев назад

How many other obscure register mappings exist on all the soc around the world!? There is no such thing as security 😢

@prodbyfaith 8 месяцев назад

That's why RISC-V is the future

@schlo9358 8 месяцев назад

@@prodbyfaith what do RISC-V diffrently?

@carnivorebear6582 8 месяцев назад

@schlo9358 It's an open source architecture, unfortunately those in charge of the project are elitest and not interested in taking advantage of all those who would be willing to contribute. I think any open source FPGA implementation of a CPU core would be pretty secure though, no one will write the code to implement functionality which is unknown.

@GeorgeTsiros 25 дней назад

Yeah, because the ISA a CPU implements somehow guarantees to you that the chip has no other, unknown, undocumented, malicious functionality.

@GeorgeTsiros 25 дней назад

And you trust the FPGA... because... ?

@scilor 8 месяцев назад

Love this QR: 44:11

@Silas_229 8 месяцев назад

Now we not only have to recognize the youtube link but also the qr code at different levels of error correction

@Themoonisachees 8 месяцев назад

@@Silas_229 dQwM and spotify's short-middle-short-tall are already burned in my memory for far longer than either spotify or youtube will exist

@OutbackCatgirl 8 месяцев назад

homicidalwombat is a pretty banger email address ngl

@wr3ckr270 8 месяцев назад

Plot Twist: Apple themselves is behind this one.

@blaaaaaaaaaaaaa 8 месяцев назад

makes me feel so dumb :P breathtaking work guyz!

@SionynJones 8 месяцев назад

What I wonder is if any other arm based SoCs have this vulnerability?

@氷語 8 месяцев назад

Very likely yes. Even Nintendo Switch has a hardware vulnerability regarding to the GPU cores being able to bypass PPL. I bet on other android phones that are not this wide spread there are even more vulnerabilities. Not to mention the kernel is open source (with the patches manufacturers applied). And I have heard if a few times when Samsung Exynos chips had vulnerabilities too.

@xCheddarB0b42x 8 месяцев назад

VaaS - vulns as a service.

@k0in640 7 месяцев назад

can someone clarify why the attackers use two different kernel exploits?

@eltebux 4 месяца назад

Crazy how such a sophisticated piece of attack has an MD5 hash in the mix…

@Vielpi 4 месяца назад

of course it was the NSA

@cybersamurai99 6 месяцев назад

Amazing talk, scary stuff out there.

@NeverGiveUpYo 8 месяцев назад

Just epic. Thanks for sharing.

@sbjf 8 месяцев назад

state actor?

@interested8430 4 месяца назад

Where can I go to check my iPhone? I didn't catch what they said?

@JonathanHarkerYT 8 месяцев назад

I’m no expert on this, so sorry for my lack of knowledge. But I’ve seen many of these 0 days are reset by rebooting/restarting the phone/mac. Would it be a common an advisable practice to shutdown/reboot all devices once a day? Just like old computers and old phones. It would prevent their persistence and damage potential (I’m not wrong mistaken). Best regards and sorry again if something was misunderstood.

@V4ker 8 месяцев назад

It depends on how difficult it is to exploit a particular attack chain. If it's a more or less reliable 0-click like described in this video, you will annoy hackers by restarting the phone, but ultimately as soon as you do a restart they can just perform attack again right away. But for anything else, especially something that requires your interaction to be exploited, restarts once per day will be very effective. In general, if you think you might be targeted, it's a good measure, but not an ultimate one - and keep in mind that ultimate measures don't exist :)

@Versette 8 месяцев назад

Very interesting presentation! 😄

@Davide73 8 месяцев назад

" there are no virus on apple "

@SadeN_0 8 месяцев назад

Absolutely bananas

@alienmajik3798 8 месяцев назад

I wonder if they updated tinycheck to detect these IOC’s

@etziowingeler3173 8 месяцев назад

Thx for recording!

@xCheddarB0b42x 8 месяцев назад

This is incredible.

@FreakAzoiyd 6 месяцев назад

So how much does Apple pay for detailed information like that? It should be at least in the tens of Mio. USD range.

@MewK_ 8 месяцев назад

Impressive!

@DigDowner 8 месяцев назад

Very interesting! I'm wondering, would you feel your phone 'inexplicably' heat up and see its battery drain faster when Apple Neural Engine analyzes thousands of images and files? Seems like a power-intensive process...

@jasopolis 8 месяцев назад

I doubt it - this processing is also regularly done by iOS for legitimate purposes (e.g. being able to search photos by keyword like ‘beach’, OCR features in Photos, etc)

@carnivorebear6582 8 месяцев назад

The neural engine as a whole is a fairly small chunk of silicon relative to CPU/GPU, hence its power usage it's not going to be that noticeable heat wise. Would make some difference to battery life but not sure if it would be big enough to jump out as being fishy

@eagle56786 8 месяцев назад

the processing has already been done

@wrakowic 8 месяцев назад

But the analysis is done when the picture is taken, and results are saved as metadata right? Therefore there wouldn’t be additional mass processing.

@eagle56786 8 месяцев назад

yes, exactly. the attackers just exfiltrate the metadata your iPhone has already processed, and store it on their end, for lack of a better term@@wrakowic