iPhone Jailbreak Hackers Await $1M Bounty

According to Motherboard, some unspecified (software) hacker just won a $1 million bounty for an iPhone exploit. But this is no ordinary there’s-a-glitch-in-your-Javascript bug bounty.

On September 21, “Premium” 0day startup Zerodium put out a call for a chain of exploits, starting with a browser, that enables the phone to be remotely jailbroken and arbitrary applications to be installed with root / administrator permissions. In short, a complete remote takeover of the phone. And they offered $1 million. A little over a month later, it looks like they’ve got their first claim. The hack has yet to be verified and the payout is actually made.

But we have little doubt that the hack, if it’s actually been done, is worth the money. The NSA alone has a $25 million annual budget for buying 0days and usually spends that money on much smaller bits and bobs. This hack, if it works, is huge. And the NSA isn’t the only agency that’s interested in spying on folks with iPhones.

Indeed, by bringing something like this out into the open, Zerodium is creating a bidding war among (presumably) adversarial parties. We’re not sure about the ethics of all this (OK, it’s downright shady) but it’s not currently illegal and by pitting various spy agencies (presumably) against each other, they’re almost sure to get their $1 million back with some cream on top.

We’ve seen a lot of bug bounty programs out there. Tossing “firmname bug bounty” into a search engine of your choice will probably come up with a hit for most firmnames. A notable exception in Silicon Valley? Apple. They let you do their debugging work for free. How long this will last is anyone’s guess, but if this Zerodium deal ends up being for real, it looks like they’re severely underpaying.

And if you’re working on your own iPhone remote exploits, don’t be discouraged. Zerodium still claims to have money for two more $1 million payouts. (And with that your humble author shrugs his shoulders and turns the soldering iron back on.)

Phone Scope Build Uses Old Optical Drive

It is hardly news that you can use your smart phone as a really crummy oscilloscope. You can even use it as an audio frequency signal generator. There are also plenty of projects that allow you to buffer signals going in and out of your phone to make these apps more useful and protect your phone’s circuitry to some degree. What caught our eye with [loboat’s] phone oscilloscope project was its construction.

Continue reading “Phone Scope Build Uses Old Optical Drive”

Stumbling Upon an Uber Vulnerability

[Nathan] is a mobile application developer. He was recently debugging one of his new applications when he stumbled into an interesting security vulnerability while running a program called Charles. Charles is a web proxy that allows you to monitor and analyze the web traffic between your computer and the Internet. The program essentially acts as a man in the middle, allowing you to view all of the request and response data and usually giving you the ability to manipulate it.

While debugging his app, [Nathan] realized he was going to need a ride soon. After opening up the Uber app, he it occurred to him that he was still inspecting this traffic. He decided to poke around and see if he could find anything interesting. Communication from the Uber app to the Uber data center is done via HTTPS. This means that it’s encrypted to protect your information. However, if you are trying to inspect your own traffic you can use Charles to sign your own SSL certificate and decrypt all the information. That’s exactly what [Nathan] did. He doesn’t mention it in his blog post, but we have to wonder if the Uber app warned him of the invalid SSL certificate. If not, this could pose a privacy issue for other users if someone were to perform a man in the middle attack on an unsuspecting victim.

[Nathan] poked around the various requests until he saw something intriguing. There was one repeated request that is used by Uber to “receive and communicate rider location, driver availability, application configurations settings and more”. He noticed that within this request, there is a variable called “isAdmin” and it was set to false. [Nathan] used Charles to intercept this request and change the value to true. He wasn’t sure that it would do anything, but sure enough this unlocked some new features normally only accessible to Uber employees. We’re not exactly sure what these features are good for, but obviously they aren’t meant to be used by just anybody.

DIY iPhone Mount for a Volvo

[Seandavid010] recently purchased a 2004 Volvo. He really liked the car except for the fact that it was missing some more modern features. He didn’t come stock with any navigation system or Bluetooth capabilities. After adding Bluetooth functionality to the stock stereo himself, he realized he would need a secure location to place his iPhone. This would allow him to control the stereo or use the navigation functions with ease. He ended up building a custom iPhone mount in just a single afternoon.

The key to this project is that the Volvo has an empty pocket on the left side of the stereo. It’s an oddly shaped vertical pocket that doesn’t seem to have any real use. [Seandavid010] decided this would be the perfect place to mount his phone. The only problem was that he didn’t want to make any permanent changes to his car. This meant no drilling into the dash and no gluing.

[Seandavid010] started by lining the pocket with blue masking tape. He then added an additional lining of plastic wrap. All of this was to protect the dashboard from what was to come next. He filled about half of the pocket with epoxy putty. We’ve seen this stuff used before in a similar project. He left a small opening in the middle with a thick washer mounted perpendicular to the ground. The washer would provide a place for an off-the-shelf iPhone holder to mount onto. [Seandavid010] also placed a flat, wooden paint stirrer underneath the putty. This created a pocket that would allow him to route cables and adapters underneath this new mount.

After letting the epoxy putty cure for an hour, he removed the block from the pocket. The stick was then removed, and any gaps were filled in with putty. The whole block was trimmed and smooth down for a more streamlined look. Finally, it was painted over with some flat black spray paint to match the color of the dashboard. An aftermarket iPhone holder allows [Seandavid010] to mount his cell phone to this new bracket. The cell phone holder allows him to rotate the phone into portrait or landscape mode, and even is adjustable to accommodate different sized phones.

Reverse Engineering Apple’s Lightning Connector

Introduced with the iPhone 5 nearly two and a half years ago, Apple’s Lightning connector has stymied the incredible homebrew electronics scene that was previously accustomed to the larger, older, better documented, and more open 30-pin connector. Now, finally, the protocols inside the Apple Lightning connector have been broken. We’re still a ways off from a Lightning breakout board, but this is the first proof that a serial console can be obtained through a Lightning connector. That’s the first step to totally owning an iDevice, and this is how all those exploits will start.

[Ramtin Amin] began the teardown of the Lightning connector began as most reverse engineering tasks should – looking at the patents, finding a source for the connectors, and any other products that use similar hardware. [Ramtin] found a Lightning to Serial converter powered by an STM32 microcontroller. Disassembling the firmware and looking at the output on a logic analyzer, [Ramtin] figured out part of the protocol, most of the wiring, and after some research, schematics for how an until-now unidentified chip in Lightning-enabled iProducts was wired.

The chip in question is colloquially known as the Tristar, and more accurately as a CBTL1608A1. During the teardown craze of the iPhone 5 launch, this chip was frequently identified as a DisplayPort Multiplexer. It is a mux, but not for DisplayPort – it’s only to connect the accessory (Lightning) UART, debug UART, baseband, SoC, and JTAG. This is the key to the castle, and being able to get through this chip means we can now own our iDevices.

The chip is an incredibly small BGA affair that [Ramtin] desoldered, reflowed onto a breakout board, and connected to an STM32 Discovery board. Using the techniques he used with other Lightning-enabled hardware, [Ramtin] was able to connect his iPhone and ever so slightly peek his head into the inner workings of his device.

It’s not complete control of an iDevice yet, but this is how all those future exploits will start. [Ramtin] uploaded a short video as a proof of concept, you can check that out below.

Continue reading “Reverse Engineering Apple’s Lightning Connector”

Clockety Uses Phone Flash for Projection Clock

[Gaurav Taneja] was showing off his projection clock add-on for iPhone called Clockety at this year’s Consumer Electronics Show. The concept is pretty neat, a clip-on clock which uses the iPhone flash LED as the light source. It may sound a little gimmicky until you see the functionality of the accompanying app which is shown off in the video after the break. Once clipped onto the phone, you lay it face down on your night stand and a gentle tap on the furniture will turn the projection on or off. This is a killer feature when you’re staying some place without an illuminated bedside clock.

Continue reading “Clockety Uses Phone Flash for Projection Clock”

Controlling a Point and Shoot With Bluetooth

Loading point and shoot digital cameras is old hat around here, but [Alex] and [Andreas] are taking it to the next level. They’ve made a Bluetooth controller for a cheap Canon camera, allowing pictures to be taken with an iPhone or Android device.

The camera in question is a Canon IXUS70, although any camera supported by CHDK will work. We’ve seen a few builds using this firmware to take pictures of the sunrise every day and transmitting images over a radio link, but this build is far more interactive.

The camera is connected to an Arduino and Bluetooth shield with a hacked up USB cable. The ‘duino communicates with a phone using a JQuery app, giving any phone with a Bluetooth module control of the camera’s zoom and shutter.

All the code is available on the github, with a very good video demonstration of the build available below.

Continue reading “Controlling a Point and Shoot With Bluetooth”