
About the security content of iOS 10.3.1 - okket
https://support.apple.com/en-us/HT207688
======
0x0
It looks a lot like this Google Project Zero bug (same reporter, same bug type
(stack overflow on the Wi-Fi chip)), but the CVE number has the last two digits
swapped.

[https://bugs.chromium.org/p/project-zero/issues/detail?id=1051](https://bugs.chromium.org/p/project-zero/issues/detail?id=1051)

Looks like it's hitting android devices as well as ios devices?

Edit: Apple must have known when they released iOS 10.3.0, since they named the
next-day beta 10.3.2. Perhaps they were embargoed because of other Broadcom
customers, but didn't want to delay the other crazy security fixes that 10.3.0
brought. Were they forced to ship a known insecure Broadcom firmware because
of Android then? Double edit: Or more likely they just wanted to get some more
testing time. Looks like the P0 bug was unrestricted on Mar 23.

~~~
tedunangst
Well, it's quite obvious to see what went wrong.

    void function_79390(void* unk, char* ie, char* buf)

Those are terrible names for functions and variables. Very shoddy development.

~~~
jeroenhd
This is probably decompiled code. Many functions lose their names if code
gets optimized or obfuscated. function_XYZ is probably a placeholder used by
the decompiler.

~~~
johncolanduoni
I'm 99% certain it was a joke...

------
danielvf
> Impact: An attacker within range may be able to execute arbitrary code on
> the Wi-Fi chip

That's a major problem!

~~~
RKearney
And yet Apple requires you to download this update over Wi-Fi to receive it
OTA.

Sure you could update via a computer, but that seems to go against Apple's
vision of not requiring tethering your device to a computer every time you
need to update/sync/setup.

~~~
evilduck
What do you propose then? Typing in the patch?

~~~
0x0
Allowing downloads of OS updates less than 100MB over 3G/4G, just like regular
apps?

The 10.3.0->10.3.1 patch is ~20MB. My phone downloads multiple ~100MB app
updates daily over cellular. Refusing cellular iOS updates that are smaller
than one of those apps is getting pretty silly these days.

~~~
mikeash
Are you really using 10GB of cellular data each month just for app updates?
Isn't that expensive?

~~~
RKearney
Why[0] would[1] it[2] be[3]?

[0] [https://www.verizonwireless.com/plans/verizon-plan/](https://www.verizonwireless.com/plans/verizon-plan/)

[1] [https://www.att.com/plans/unlimited-data-plans.html](https://www.att.com/plans/unlimited-data-plans.html)

[2] [https://www.t-mobile.com/cell-phone-plans](https://www.t-mobile.com/cell-phone-plans)

[3] [https://www.sprint.com/landings/unlimited-cell-phone-plans/](https://www.sprint.com/landings/unlimited-cell-phone-plans/)

~~~
PhantomGremlin
The only thing "unlimited" about all 4 of those plans is the weasel words.

Verizon: After 22 GB/line/mo, we may prioritize your data behind other Verizon
customers during network congestion.

ATT: After 22GB of data usage, AT&T may slow speeds

T-Mobile: On all T-Mobile plans, if congested, top 3% of data users
(>30GB/mo.) may notice reduced speeds due to prioritization

Sprint: Data deprioritization during congestion after 23GB/mo.

------
dep_b
Could this also work on "cold" devices, so devices that have Wi-Fi but it's
turned off?

~~~
danudey
Presumably not, since the wifi chip in those cases is usually powered down
entirely (which is why it can't be used for geolocation).

~~~
duskwuff
Receiving any sort of communications over wifi would require the radio to be
powered on, and sucking down battery the whole time. There's no way Apple
would have missed such an obvious way to extend battery life -- I'd be
surprised if it's even powered on unless the phone is actively communicating
on the wireless network.

------
bdrool
Something I just noticed about the iOS update process: it appears that when it
tries to "verify" an update (which requires that you be online), it does not
do so over a secure connection. I was on a captive network (the kind where
HTTPS goes through but plain HTTP does not, until you click through an
agreement page), and while it was able to download the update just fine, it
couldn't verify it until I opened Safari and tried to go to neverssl.com to
click past the captive network's "I agree" button. Doesn't that seem wrong? Or
perhaps it's just the "check to see if the user is online before verifying"
step that is unsecured. Either way that seems like a bug.

~~~
klodolph
The way iOS and macOS applications are verified is by signing the application
package itself, presumably the OS updates use a similar mechanism. At that
point it is irrelevant whether the connection used to download the package is
secure. This is similar to the way that packages for most (sane) Linux
distributions are signed. The advantage to this technique is twofold: that
there are network environments where SSL communication is not possible, and
you can distribute updates offline or from your own server and devices will
still accept the updates.

~~~
0x0
No, iOS updates require online validation because the boot rom will issue a
one-time challenge based in part on the device's unique serial number, and it
needs to be granted a "ticket" response by the apple servers. This is why you
usually can't downgrade iOS versions (as the apple servers will refuse to
grant a ticket for old versions). Google keywords: apnonce, apticket, shsh
blobs, signing window

~~~
klodolph
This comment appears to add additional, specific information to my general
comment rather than disagreeing with what I said, but the comment starts with
"no", which implies otherwise.

The core idea here is that SSL is not necessary if the data is signed through
some other mechanism.

~~~
mikeash
I think "no" was due to "you can distribute updates offline or from your own
server and devices will still accept the updates." I assume you just meant
that as a general thing, but one could read the comment as saying that because
iOS signs updates this way, it can do offline updates.

