
Exploiting the Wi-Fi Stack on Apple Devices - archimag0
https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html
======
js2
I'd love to know how many hours were needed to develop this exploit from start
to finish, and how many dead ends the researcher ran into along the way.

Just writing the blog post and generating all the images for it must've taken
many days.

~~~
bitexploder
I have followed iOS JB for years and keep up with exploit dev and
mitigation/defense.

The usage of source code and avoiding deep assembly documenting helped a lot.
You are still looking at several man days of deep work on understanding the
driver and stack.

KASLR was the only real mitigation to bypass. That could have been a difficult
part worth its own discussion. Bypassing ASLR typically requires an info
leak.

I think 3-4 weeks of one person's effort is a good guess. +/- 1wk depending.

~~~
KGIII
If others don't know, the K is for kernel. I had guessed that it was, but
decided to look it up. I figure this may save others some time.

It looks pretty neat, conceptually. It loads the kernel into a random location
in memory on boot. I haven't looked into how random it is, but it's a good
idea.
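The two points above, that a KASLR bypass normally needs an info leak and that the strength of KASLR comes down to how many slides are possible, as an added illustration in C that is not part of this thread or of the Project Zero post. Once an attacker has read a kernel pointer out of the running kernel and knows the static (unslid) address of the same object from the kernel image, the slide is just the difference; the practitioner's check, which the code goes a little beyond the comments to show, is to refuse a slide that is not a multiple of the slide granularity, that lies outside the slide space, or that disagrees across several leaks (a sign the symbol table belongs to a different kernel build). SLIDE_STEP, SLIDE_MAX and every address below are assumed values for illustration, not Apple's actual parameters.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed slide parameters for illustration (not iOS's real values):
 * the kernel image is relocated by a multiple of SLIDE_STEP, and there are
 * SLIDE_MAX distinct slides, so a blind guess is right 1 time in SLIDE_MAX
 * and every wrong guess against kernel memory risks a panic. */
#define SLIDE_STEP 0x200000ULL   /* assumed 2 MiB granularity */
#define SLIDE_MAX  0x100ULL      /* assumed 256 possible slides */

/* A leaked runtime pointer paired with the static (unslid) address of the
 * same object, the latter taken from analysis of the kernel image. */
struct leak {
    uint64_t leaked;
    uint64_t unslid;
};

/* Derive the slide from one or more leaks. Every leak must imply the same
 * slide, the slide must be a multiple of SLIDE_STEP, and it must fall
 * inside the slide space; a failure on any of these means the leak or the
 * static symbol table is wrong (e.g. a different kernelcache build), so
 * the caller must not build addresses from it. */
bool kaslr_slide_from_leaks(const struct leak *leaks, size_t n, uint64_t *slide_out)
{
    if (n == 0 || slide_out == NULL)
        return false;
    uint64_t slide = 0;
    for (size_t i = 0; i < n; i++) {
        if (leaks[i].leaked < leaks[i].unslid)
            return false;                /* a slid pointer cannot be below its static address */
        uint64_t s = leaks[i].leaked - leaks[i].unslid;
        if (s % SLIDE_STEP != 0)
            return false;                /* not a legal slide value */
        if (s / SLIDE_STEP >= SLIDE_MAX)
            return false;                /* outside the slide space */
        if (i == 0)
            slide = s;
        else if (s != slide)
            return false;                /* leaks disagree with each other */
    }
    *slide_out = slide;
    return true;
}

/* With the slide known, any static address (a gadget, a function, a global)
 * becomes a usable runtime address. */
uint64_t kaslr_rebase(uint64_t unslid, uint64_t slide)
{
    return unslid + slide;
}

/* Constructed sample: the kernel booted with a slide of 0x3A steps. */
#define SAMPLE_SLIDE     (0x3AULL * SLIDE_STEP)  /* 0x7400000 */
#define STATIC_TEXT_BASE 0xFFFFFFF007004000ULL   /* assumed static address */
#define STATIC_GADGET    0xFFFFFFF0072B1C40ULL   /* assumed static address */

/* Returns the slide recovered from two consistent sample leaks, or 0 on failure. */
uint64_t sample_slide(void)
{
    struct leak leaks[] = {
        { STATIC_TEXT_BASE + SAMPLE_SLIDE, STATIC_TEXT_BASE },
        { 0xFFFFFFF00742A1F0ULL + SAMPLE_SLIDE, 0xFFFFFFF00742A1F0ULL },
    };
    uint64_t slide;
    return kaslr_slide_from_leaks(leaks, 2, &slide) ? slide : 0;
}

/* A leak whose difference is not a multiple of SLIDE_STEP must be rejected. */
bool rejects_misaligned_leak(void)
{
    struct leak bad = { STATIC_TEXT_BASE + 0x100, STATIC_TEXT_BASE };
    uint64_t slide;
    return !kaslr_slide_from_leaks(&bad, 1, &slide);
}

/* Two leaks that imply different (individually legal) slides must be rejected. */
bool rejects_disagreeing_leaks(void)
{
    struct leak bad[] = {
        { STATIC_TEXT_BASE + 1 * SLIDE_STEP, STATIC_TEXT_BASE },
        { STATIC_TEXT_BASE + 2 * SLIDE_STEP, STATIC_TEXT_BASE },
    };
    uint64_t slide;
    return !kaslr_slide_from_leaks(bad, 2, &slide);
}

/* A slide at or beyond SLIDE_MAX steps is outside the slide space. */
bool rejects_out_of_range_slide(void)
{
    struct leak bad = { STATIC_TEXT_BASE + SLIDE_MAX * SLIDE_STEP, STATIC_TEXT_BASE };
    uint64_t slide;
    return !kaslr_slide_from_leaks(&bad, 1, &slide);
}

int main(void)
{
    uint64_t slide = sample_slide();
    printf("slide = 0x%llx, gadget at 0x%llx\n",
           (unsigned long long)slide,
           (unsigned long long)kaslr_rebase(STATIC_GADGET, slide));
    return 0;
}
```

The alignment and range checks are what make a single leaked pointer trustworthy: a value that is off by a few bytes is almost always a pointer into the middle of an object, not the object's base, and using it as a slide would corrupt every derived address. With the assumed parameters a blind attacker has SLIDE_MAX candidates to try, each probe risking a panic, which is why the leak is the part of the bypass worth discussing.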

------
pwinnski
This post is a thing of beauty. The details of how this works are amazing.

~~~
caf
Yes, I particularly liked the detail of using the KTRR registers to defeat
KASLR.

------
benzinschleuder
Amazing. Did they need to jailbreak or physically open the phone to find all
this stuff? They talk about reversing binary images and using their
"Legilimency" toolkit; I wonder if a vanilla phone was enough to research all
this and propagate through Wi-Fi.

~~~
0x0
I'm guessing there must be other jailbreaks involved to be able to observe and
experiment on the iOS kernel side of things while developing the wifi chip
exploit; going in all blind from the wifi side only sounds impossible. The
question now is, are they sitting on 0day jailbreaks for current iOS versions
or did they have to do all the tests on legacy iOS versions?

~~~
xoa
It looks like that setup work for their research environment was all covered
in part 1 (all the parts are really interesting and worth a read if anyone
hasn't already incidentally). Specifically, the reason they mention at the end
of part 3 that

> _The exploit has been tested against the iPhone 7 running iOS 10.2 (14C92)._

was because iOS 10.2 has a known kernel exploit developed by Ian Beer [1], and
they used that as part of the basis of subsequent research. Presumably they
either found some iPhones still running 10.2 (which stopped being signed a
long while back) or like many well-funded researchers just keep a set of
different iPhones loaded with major iOS versions so they're ready to go for
research if an exploit is found after signing stops (dedicated jailbreakers
sometimes do the same thing if they can). And of course security patches
themselves are handy for reverse engineering old exploits from whatever bugs
Apple fixes.

In part one read under "Kernel Memory Analysis Framework".

----

1: https://googleprojectzero.blogspot.co.uk/2017/04/exception-oriented-exploitation-on-ios.html

------
walterbell
Why did Apple make it harder to turn off the WiFi radio in iOS11?

~~~
mikeash
Because people would turn off WiFi from Control Center and then forget about
it, resulting in expensive cellular overages. (This cost me about $30, for
example.)

I think the pertinent question is: why didn't they make the change more clear?

~~~
Cyph0n
On Android 7.0, the cellular icon in the status bar makes it very clear when
you are not on WiFi. The icon serves as a reminder for me since I usually
switch off WiFi in the morning and re-enable it at home. I don't recall ever
forgetting cellular on.

Regardless, I think Apple could have come up with a more user-friendly
solution. This just looks like a lazy hack to be honest.

~~~
nardi
It would have taken you 10 seconds to Google and find out that iOS also has an
icon in the status bar that shows you whether you’re on Wi-Fi or cellular.

~~~
Cyph0n
Why thank you! I would truly be lost without your wisdom.

Unfortunately, that still doesn't explain Apple's decision to make it harder
to switch off WiFi. Do iPhone users simply not notice the status bar?

~~~
TheSpiceIsLife
I'm not defending nor evangelising Apples current solution.

I'm led to believe it's not iPhone users specifically, but people in general.

I've worked in IT, but qualified as a tradesman nearly a decade before, and
_I_ occasionally forget to turn wifi back on when I get home. I currently work
for a large steel fabrication company. One of the project managers here
_doesn't even use email_.

It's _way too easy_ for the average person to forget to turn wifi on and blow
all your mobile data / get slogged with overage.

In a similar fashion, it's not hard to see and feel when a / the tyres on your
car need a bit of air, but we mandate tyre pressure monitoring systems.

We are, for good or bad, reluctant to regulate software systems. So, I guess,
as always, if we think of a better design we should probably make a demo or
promote it; maybe iOS / Android will pick it up along the way.

~~~
rospaya
In 5 years we're gonna wonder how we got to the point where you can't easily
turn off wifi, slowly dumbing down devices for all of us for the sake of your
project manager and the like.

~~~
Tepix
@mikeash it takes a minimum of 4 or 5 taps and button presses.

~~~
mikeash
On my 6+, the sequence is: press home button, tap Settings, Wi-Fi, Off. That's
3-4 depending on whether you count the home button.

On a 6s or newer, with 3D touch, you can cut it down to 2-3: unlock, force
touch on Settings and toggle WiFi from the menu that appears. (That might be
1-2, I forget whether you can force touch and drag to what you want to
activate, or whether it has to be a separate tap.)

~~~
Tepix
I didn't know about using force touch on the settings app. However when I tap
on the wifi menu entry that appears, I still need yet another tap to disable
wifi.

Anyway, here's my count:

1. use Touch ID to unlock the phone
2. press home to get to the first screen with the Settings app (if you aren't already)
3. tap Wi-Fi
4. turn it off

You then need to navigate back to where you were previously.

------
lukeh
This is an incredible combination of both reverse engineering skill and
communication ability. So good!

------
israrkhan
These guys are amazing. Excellent level of details.

------
conchy
Skimming through this makes me feel even more comfortable using my iPhone ...
look how smart you need to be to exploit it!

------
mankash666
Wonder if something like this was used to get into the San Bernardino
shooter's phone by the FBI

~~~
NegativeLatency
The shooter had an iPhone 5C[1], which according to the article uses USB, so
the DMA PCIe exploit detailed here wouldn't work for it.

Not saying it wasn't something similar, but it could have been pretty
different.

1. https://en.wikipedia.org/wiki/FBI–Apple_encryption_dispute

~~~
DiabloD3
It has a Lightning port, so maybe a different at-the-time undisclosed DMA
exploit?

------
senatorobama
When will Apple dump Broadcom?

~~~
ksec
But why? Not until Apple makes their own WiFi chip (which they are doing with
W1 in AirPods and W2 in Apple Watch).

But until then Broadcom still has the best WiFi chip. Qualcomm Atheros is a
big no-no.

~~~
e12e
> Qualcomm Atheros is a big no no

Sarcasm? If not, care to elaborate?

------
forapurpose
What is the story with Project Zero? What is the strategy here?

If you think about it, pointing out flaws in competitors' products is actually
unusual for businesses, especially large ones. It raises questions of motives,
of trust (are they drumming up business in a negative way? Can I trust what
company X says about their chief rival? Are they exaggerating or spinning
it?), and it looks unsavory: You don't win in the court of public opinion by
insulting the competition, right or wrong; you just look like a jerk. Also,
there's a liability risk, which adds legal costs to otherwise free blog posts
- 'can't you guys just find Linux bugs?'.

On the other hand, it might improve security for everyone if Apple and Google
started competing to publicize each other's flaws. :) (But I'd bet the noise
of accusations and counter-accusations of errors in analysis, misleading
statements, etc. would soon drown out the technical info, and then the
lawsuits would begin ...).

~~~
late2part
I submit for your consideration that:

1. The Google Project Zero guys are idealists and motivated by increasing
security.

2. Google security is taken far more seriously than most other companies.

3. If Apple and Google competed in publicizing exploits, Google would win [is
winning].

~~~
advisedwang
If everyone competed in publicizing exploits and, like Project Zero, coordinated
disclosure with vendors, then _consumers_ win!

