apple

What Happens When A Regular Person Finds A Huge Security Flaw?

January 29, 2019 by 38 Comments

The biggest news in the infosec world, besides the fact that balaclavas are becoming increasingly popular due to record-low temperatures across the United States, is that leet haxors can listen to you from your iPhone using FaceTime without you even answering the call. There are obvious security implications of this bug: phones should only turn on the microphone after you pick up a call. This effectively turns any iPhone running iOS 12.1 or later into a party line. In response Apple has taken group FaceTime offline in preparation of a software update later this week.

So, how does this FaceTime bug work? It’s actually surprisingly simple. First, start a FaceTime call with an iPhone contact. While the call is dialing, swipe up, and tap Add Person. Add your own phone number in the Add Person screen. This creates a group call with two instances of your iPhone, and the person you’re calling. You may now listen in to the audio of the person you originally called even though they haven’t chosen to pick up the call. Dumb? Yes. Insecure? Horribly. If your iPhone is ringing, the person on the other end could be listening in.

But this isn’t a story about how Apple failed yet again. This is a story about how this security flaw was found, and what a normal person can do if they ever find something like this.

Continue reading “What Happens When A Regular Person Finds A Huge Security Flaw?”

Apple II Megademo Is Countin’ Cycles and Takin’ Names

December 5, 2018 by 23 Comments

The demoscene is an active place to this day, with enthusiasts around the world continuing to push the envelope as far as the capabilities of machines are concerned. [Deater], along with a skilled team, produced this Apple II Megademo which won first place at Demosplash 2018.

The demo starts with an intentional tease, with an emulated C64 BASIC startup screen which splits to reveal the title card. White-on-blue text isn’t the easiest on the Apple II, due to palette limitations, but it’s necessary for the joke to work. The following scenes make heavy use of mode-switching techniques in the middle of drawing the screen. Single screens are made up of various sections in LORES, HIRES, and even text modes. The term “cycle-counting” refers to the fact that the demo is written to operate in a cycle-exact fashion. This is necessary to achieve the mode-switching effects and to make the most of the limited resources of the Apple II.

It’s a demo that, like many others, does the right things in the wrong way to achieve its impressive results, and is a worthy competition winner. [Deater] has kindly provided an FAQ and source code for those who wish to study it further.

If you’ve written a mindblowing demo yourself, be sure to notify the tips line. Video after the break.

Continue reading “Apple II Megademo Is Countin’ Cycles and Takin’ Names”

What’s Inside that New Mac Mini Anyway?

November 10, 2018 by 65 Comments

It’s been four long years since Apple has refreshed their entry-level desktop line. Those that have been waiting for a redesign of the Mac Mini can now collectively exhale as the Late 2018 edition has officially been released. Thanks to [iFixit] we have a clearer view of what’s changed in the new model as they posted a complete teardown of the Mac Mini over on their website.

Mac Mini Teardown Late 2018 RAM Slots

One of the most welcomed changes is that the DDR4 RAM is actually user upgradeable this time around. Previously RAM was soldered directly to the motherboard, and there were no SO-DIMM slots to speak of. The 2018 Mac Mini’s RAM has also been doubled to 8GB compared to the 4GB in the 2014 model. Storage capacity may have taken a hit in the redesign, but the inclusion of a 128GB PCIe SSD in the base model fairs better than the 500GB HDD of old. The number of ports were flip-flopped between the two model generations with the 2018 Mini featuring four Thunderbolt ports along with two USB 3.0 ports. Though the biggest upgrade lies with the CPU. The base 2018 Mac Mini comes with a 3.6GHz quad-core Intel Core i3 as compared to the 2014’s 1.4GHz dual-core Intel Core i5.

Although Apple lacked “the courage” to drop the 3.5mm headphone jack this time around, they did retain the same footprint for Mac Mini redesign. It still provides HDMI as the default display out port, although the additional Thunderbolt ports provide additional options via an adapter. A quick overview of the spec differences between the 2018 and 2014 base Mac Mini models have been summarized below.

Model 2018 Mac Mini 2014 Mac Mini
CPU 3.6GHz quad-core Intel Core i3 1.4GHz dual-core Intel Core i5
Storage 128GB PCIe SSD 500GB HDD
RAM 8GB DDR4 @ 2666MHz 4GB DDR3 @ 1600MHz
Graphics Intel UHD 630 Intel HD 5000
Ports Thunderbolt 3 (x4), USB 3.0 (x2) Thunderbolt 2 (x2), USB 3.0 (x4)
Card Slot N/A SDXC
WiFi 802.11a/b/g/n/ac 802.11a/b/g/n/ac
Audio 3.5mm Headphone Jack 3.5mm Headphone Jack
Video HDMI HDMI
Price from $799 from $499

Source [MacWorld]

Apple Kernel Code Vulnerability Affected All Devices

November 1, 2018 by 81 Comments

Another day, another vulnerability. Discovered by [Kevin Backhouse], CVE-2018-4407 is a particularly serious problem because it is present all throughout Apple’s product line, from the Macbook to the Apple Watch. The flaw is in the XNU kernel shared by all of these products.

This is a buffer overflow issue in the error handling for network packets. The kernel is expecting a fixed length of those packets but doesn’t check to prevent writing past the end of the buffer. The fact Apple’s XNU kernel powers all their products is remarkable, but issues like this are a reminder of the potential downside to that approach. Thanks to responsible disclosure, a patch was pushed out in September.

Anatomy of a Buffer Overflow

Buffer overflows aren’t new, but a reminder on what exactly is going on might be in order. In low level languages like C, the software designer is responsible for managing computer memory manually. They allocate memory, tagging a certain number of bytes for a given use. A buffer overflow is when the program writes more bytes into the memory location than are allocated, writing past the intended limit into parts of memory that are likely being used for a different purpose. In short, this overflow is written into memory that can contain other data or even executable code.

With a buffer overflow vulnerability, an attacker can write whatever code they wish to that out-of-bounds memory space, then manipulate the program to jump into that newly written code. This is referred to as arbitrary code execution. [Computerphile] has a great walk-through on buffer overflows and how they lead to code execution.

This Overflow Vulnerabilty Strikes Apple’s XNU Kernel

[Kevin] took the time to explain the issue he found in further depth. The vulnerability stems from the kernel code making an assumption about incoming packets. ICMP error messages are sent automatically in response to various network events. We’re probably most familiar with the “connection refused’ message, indicating a port closed by the firewall. These ICMP packets include the IP header of the packet that triggered the error. The XNU implementation of this process makes the assumption that the incoming packet will always have a header of the correct length, and copies that header into a buffer without first checking the length. A specially crafted packet can have a longer header, and this is the data that overflows the buffer.

Because of the role ICMP plays in communicating network status, a closed firewall isn’t enough to mitigate the attack. Even when sent to a closed port, the vulnerability can still trigger. Aside from updating to a patched OS release, the only mitigation is to run the macOS firewall in what it calls “stealth mode”. This mode doesn’t respond to pings, and more importantly, silently drops packets rather than sending ICMP error responses. This mitigation isn’t possible for watchOS and iOS devices.

The good news about the vulnerability is that a packet, malformed in this way, has little chance of being passed through a router at all. An attacker must be on the same physical network in order to send the malicious packet. The most likely attack vector, then, is the public WiFi at the local coffee shop.

Come back after the break for a demonstration of this attack in action.

Continue reading “Apple Kernel Code Vulnerability Affected All Devices”

Mergers And Acquisitions: Apple Buys Most of Dialog

October 13, 2018 by 16 Comments

Apple is buying a $600 million stake in Dialog Semiconductor in a deal Dialog is describing as an asset transfer and licensing deal.

Dialog’s current portfolio is focused mainly on mobile devices, with Bluetooth wearables-on-a-chipCODEC chips for smartphones, and power management ICs for every type of portable electronics. Power managment ICs are by far the most visible component, although they do have the very interesting GreenPAK, a sort of mixed-signal FPGA-ish thing that is one of the more interesting chips to be come online in the last few years. Apple of course are a trillion dollar company that once made computers, but now receives most of its revenue through phone dongles and lightning connector converters. It is not clear at the time of this writing whether a Dialog engineer with experience in heat management will be joining Apple.

In the last week, Apple have taken some bad press about the state of their supply chain. Bloomberg reported Apple found hidden chips in Supermicro motherboards. ostensibly implanted by Chinese intelligence agencies. This story is reportedly multiply sourced, but there’s no evidence or explanation of how this supply chain hack was done. In short, infiltration of a supply chain by foreign agents could happen (and I suspect Bloomberg engineers found something in some of their hardware), but the Bloomberg piece is merely just a wake-up call telling us yes, you are vulnerable to a hardware attack.

This is further evidence of Apple’s commitment to vertical integration. Apple are making their own chips, and the A12 Bionic in the new iPhone X is an Apple-designed CPU, GPU, and ‘neural engine’ that turns your Facetime sessions into animated emojis. This chip is merely the latest in a series of SoCs developed by Apple, and adds to Apple’s portfolio of chips designed to run the Apple Watch, Apple AirPods, and system management controllers in Apple products. There’s no other electronics manufacturer that is as dedicated to vertical integration as Apple (although we’re pouring one out for Commodore), and the acquisition of Dialog will surely add to Apple’s capabilities.

Pristine Apple I Sells at Auction for a Jaw-Dropping Price

October 1, 2018 by 29 Comments

If you think Apple products are overpriced now, wait until they’re 50 years old.

This original Apple I recently sold at auction for $375,000, making it one of the most expensive 6502-based computers in history. Given that only something like 60 or 70 of the machines were ever made are known to exist, most built by hand by [Jobs] and [Wozniak], it’s understandable how collectors fought for the right to run the price up from the minimum starting bid of $50,000. And this one was particularly collectible. According to the prospectus, this machine had few owners, the most recent of whom stated that he attended a meeting of the legendary Homebrew Computer Club to see what all the fuss was. He bought it second-hand from a coworker for $300, fiddled with it a bit, and stashed it in a closet. A few years later, after the Apple ][ became a huge phenomenon, he tried to sell the machine to [Woz] for $10,000. [Woz] didn’t bite, and as a result, the owner realized a 125,000% return on his original investment, before inflation.

The machine was restored before hitting the auction block, although details of what was done were not shared. But it couldn’t have been much since none of the previous owners had even used the prototyping area that was so thoughtfully provided on the top edge of the board. It was sold with period-correct peripherals including a somewhat janky black-and-white security monitor, an original cassette tape interface, and a homebrew power supply. Sadly, there’s no word who bought the machine – it was an anonymous purchase.

Hackers, check your scrap bins. Anything hanging out there that might be worth six figures in a few decades? It’s unlikely, but if you get lucky, hacking just might turn into your retirement plan.

Thanks to [my wife] for the tip on this one.