undefined | Better HN

0 pointsdguido6y ago0 comments

It certainly will _feel_ persistent if you're successfully attacked with this technique.

If your iOS software is swapped out for a version with a backdoor, then the attacker will have collected your passwords and authentication tokens to services you use. If you reboot to clear the backdoor (and let's be honest: no one reboots their phones), then you won't also "clear" your attacker's memory of all your passwords.

0 comments

12 comments · 3 top-level

tptacek6y ago· 4 in thread

I reboot my phone once in a blue moon, but my phone reboots itself roughly every other day (usually because I space on charging it). Am I that unusual, or is "the phone is rarely going to reboot" not really a reliable predicate for attackers?

ladberg6y ago

I similarly reboot my phone rarely, but my phone never runs out of battery. I never charge it during the day (except if I'm using it for GPS in my car), and it's just a routine to charge it at night. I don't think my current phone, which I've had for about a year, has ever run out of battery.

saagarjha6y ago

Anecdotal, but my family members reboot slightly less frequently than iOS updates come out (they miss a couple).

wglb6y ago

Only on update, and only if the update requires it.

tedunangst6y ago

My reboot frequency is slightly more than 1.0 times per update, but less than 2.0 times per update.

justicz6y ago· 3 in thread

Ha, I wonder if an attacker could use this bug to prevent or fake the rebooting process by changing the behavior of the lock/volume buttons when they’re held.

I know there’s also a “hard reset” you can do with volume up -> volume down -> power, not sure if that works at a lower level.

dguidoOP6y ago

Yes, an attacker using checkm8 could do that if they had a separate exploit for persistence. That exploit would be in iOS and take over at a later point in the boot process, and it would be possible for Apple to patch it with an iOS update. Those bugs are hard to find, but there have been dozens discovered in the past.

justicz6y ago

I’m a little confused, which part of my comment would require persistence? I was suggesting a lulzy payload that would prevent the user from _actually_ restarting their device by changing the behavior of the power button. As a means of bypassing the “just restart your phone every time you use it” countermeasure.

1 more reply

kvakil6y ago

Seems likely that the hard reset works on a lower level as it works even if the phone is hung.

selectodude6y ago· 2 in thread

If your iOS version is swapped out with one that is backdoored, it won’t boot after you reboot it without using this boot loader exploit on a computer again.

This makes you ever so slightly more vulnerable to an evil maid attack, but we don’t even have a jailbreak yet using this so it’s to be determined how it all shakes out.

withzombies6y ago

You don't need to modify the kernel or iBoot on disk to inject a patched OS (or malware). redsn0w didn't, it would boot over dfu every time.

It's totally possible to rootkit a phone and have it reboot just fine (with the rootkit removed).

saagarjha6y ago

I believe a reboot will cause you to boot stock iOS again.

j / k navigate · click thread line to collapse

0 comments

12 comments · 3 top-level

tptacek6y ago· 4 in thread

ladberg6y ago

saagarjha6y ago

Anecdotal, but my family members reboot slightly less frequently than iOS updates come out (they miss a couple).

wglb6y ago

Only on update, and only if the update requires it.

tedunangst6y ago

My reboot frequency is slightly more than 1.0 times per update, but less than 2.0 times per update.

justicz6y ago· 3 in thread

Ha, I wonder if an attacker could use this bug to prevent or fake the rebooting process by changing the behavior of the lock/volume buttons when they’re held.

I know there’s also a “hard reset” you can do with volume up -> volume down -> power, not sure if that works at a lower level.

dguidoOP6y ago

justicz6y ago

1 more reply

kvakil6y ago

Seems likely that the hard reset works on a lower level as it works even if the phone is hung.

selectodude6y ago· 2 in thread

If your iOS version is swapped out with one that is backdoored, it won’t boot after you reboot it without using this boot loader exploit on a computer again.

This makes you ever so slightly more vulnerable to an evil maid attack, but we don’t even have a jailbreak yet using this so it’s to be determined how it all shakes out.

withzombies6y ago

You don't need to modify the kernel or iBoot on disk to inject a patched OS (or malware). redsn0w didn't, it would boot over dfu every time.

It's totally possible to rootkit a phone and have it reboot just fine (with the rootkit removed).

saagarjha6y ago

I believe a reboot will cause you to boot stock iOS again.

j / k navigate · click thread line to collapse