Apple Kernel Code Vulnerability Affected All Devices

Another day, another vulnerability. Discovered by [Kevin Backhouse], CVE-2018-4407 is a particularly serious problem because it is present throughout Apple’s product line, from the MacBook to the Apple Watch. The flaw is in the XNU kernel shared by all of these products.

This is a buffer overflow issue in the error handling for network packets. The kernel is expecting a fixed length of those packets but doesn’t check to prevent writing past the end of the buffer. The fact Apple’s XNU kernel powers all their products is remarkable, but issues like this are a reminder of the potential downside to that approach. Thanks to responsible disclosure, a patch was pushed out in September.

Anatomy of a Buffer Overflow

Buffer overflows aren’t new, but a reminder on what exactly is going on might be in order. In low-level languages like C, the software designer is responsible for managing computer memory manually. They allocate memory, tagging a certain number of bytes for a given use. A buffer overflow is when the program writes more bytes into the memory location than are allocated, writing past the intended limit into parts of memory that are likely being used for a different purpose. In short, this overflow is written into memory that can contain other data or even executable code.

With a buffer overflow vulnerability, an attacker can write whatever code they wish to that out-of-bounds memory space, then manipulate the program to jump into that newly written code. This is referred to as arbitrary code execution. [Computerphile] has a great walk-through on buffer overflows and how they lead to code execution.

This Overflow Vulnerability Strikes Apple’s XNU Kernel

[Kevin] took the time to explain the issue he found in further depth. The vulnerability stems from the kernel code making an assumption about incoming packets. ICMP error messages are sent automatically in response to various network events. We’re probably most familiar with the “connection refused” message, indicating a port closed by the firewall. These ICMP packets include the IP header of the packet that triggered the error. The XNU implementation of this process makes the assumption that the incoming packet will always have a header of the correct length, and copies that header into a buffer without first checking the length. A specially crafted packet can have a longer header, and this is the data that overflows the buffer.
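To make that pattern concrete, here is an added illustrative example in C (our own model, not XNU’s code; all names are hypothetical): the IP header quoted inside an ICMP error is copied into a buffer sized for the minimal 20-byte header, with the destination-length check that the vulnerable code lacked.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model of the pattern described above (added example, not
 * XNU's own code). An ICMP error quotes the IP header of the packet that
 * triggered it. That header is IHL*4 bytes long (IHL = low nibble of the
 * first byte), i.e. 20..60 bytes, but a buffer sized for the option-free
 * 20-byte header is exactly the kind of fixed-length assumption the text
 * describes. The names below are ours. */

#define IP_MIN_HDR_LEN 20u
#define IP_MAX_HDR_LEN 60u

struct quoted_hdr {
    uint8_t bytes[IP_MIN_HDR_LEN]; /* room for the minimal header only */
    size_t  len;
};

/* Header length the packet claims, or 0 if the claim is malformed or
 * longer than the bytes actually present. */
size_t ip_hdr_len(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < IP_MIN_HDR_LEN)
        return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4u;
    if (hlen < IP_MIN_HDR_LEN || hlen > pkt_len)
        return 0;
    return hlen;
}

/* Hardened copy: comparing the claimed length against the destination is
 * the step the vulnerable code skipped. Returns 1 on success, 0 on reject. */
int copy_quoted_header(struct quoted_hdr *dst, const uint8_t *pkt, size_t pkt_len)
{
    size_t hlen = ip_hdr_len(pkt, pkt_len);
    if (hlen == 0 || hlen > sizeof dst->bytes)
        return 0;
    memcpy(dst->bytes, pkt, hlen);
    dst->len = hlen;
    return 1;
}

/* Builds a constructed IPv4 header claiming ihl_words*4 bytes inside a
 * pkt_len-byte packet and runs it through the hardened copy. */
int check_sample(unsigned ihl_words, size_t pkt_len)
{
    uint8_t pkt[IP_MAX_HDR_LEN + 8] = {0};
    struct quoted_hdr h;
    if (pkt_len > sizeof pkt)
        return -1;
    pkt[0] = (uint8_t)(0x40 | (ihl_words & 0x0f)); /* version 4, IHL */
    pkt[9] = 17;                                   /* protocol = UDP */
    return copy_quoted_header(&h, pkt, pkt_len);
}
```

The alternative fix, sizing the buffer for the 60-byte maximum, only works if the copy is also bounded by the bytes actually received, which is why the check is written against both.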

Because of the role ICMP plays in communicating network status, a closed firewall isn’t enough to mitigate the attack. Even when sent to a closed port, the vulnerability can still trigger. Aside from updating to a patched OS release, the only mitigation is to run the macOS firewall in what it calls “stealth mode”. This mode doesn’t respond to pings, and more importantly, silently drops packets rather than sending ICMP error responses. This mitigation isn’t possible for watchOS and iOS devices.

The good news about the vulnerability is that a packet, malformed in this way, has little chance of being passed through a router at all. An attacker must be on the same physical network in order to send the malicious packet. The most likely attack vector, then, is the public WiFi at the local coffee shop.

Come back after the break for a demonstration of this attack in action.


Mergers And Acquisitions: Apple Buys Most Of Dialog

Apple is buying a $600 million stake in Dialog Semiconductor in a deal Dialog is describing as an asset transfer and licensing deal.

Dialog’s current portfolio is focused mainly on mobile devices, with Bluetooth wearables-on-a-chip, CODEC chips for smartphones, and power management ICs for every type of portable electronics. Power management ICs are by far the most visible component, although they do have the very interesting GreenPAK, a sort of mixed-signal FPGA-ish thing that is one of the more interesting chips to come online in the last few years. Apple of course are a trillion dollar company that once made computers, but now receives most of its revenue through phone dongles and lightning connector converters. It is not clear at the time of this writing whether a Dialog engineer with experience in heat management will be joining Apple.

In the last week, Apple have taken some bad press about the state of their supply chain. Bloomberg reported Apple found hidden chips in Supermicro motherboards, ostensibly implanted by Chinese intelligence agencies. This story is reportedly multiply sourced, but there’s no evidence or explanation of how this supply chain hack was done. In short, infiltration of a supply chain by foreign agents could happen (and I suspect Bloomberg engineers found something in some of their hardware), but the Bloomberg piece is merely a wake-up call telling us yes, you are vulnerable to a hardware attack.

This is further evidence of Apple’s commitment to vertical integration. Apple are making their own chips, and the A12 Bionic in the new iPhone X is an Apple-designed CPU, GPU, and ‘neural engine’ that turns your Facetime sessions into animated emojis. This chip is merely the latest in a series of SoCs developed by Apple, and adds to Apple’s portfolio of chips designed to run the Apple Watch, Apple AirPods, and system management controllers in Apple products. There’s no other electronics manufacturer that is as dedicated to vertical integration as Apple (although we’re pouring one out for Commodore), and the acquisition of Dialog will surely add to Apple’s capabilities.

Pristine Apple I Sells At Auction For A Jaw-Dropping Price

If you think Apple products are overpriced now, wait until they’re 50 years old.

This original Apple I recently sold at auction for $375,000, making it one of the most expensive 6502-based computers in history. Given that only something like 60 or 70 of the machines ever made are known to exist, most built by hand by [Jobs] and [Wozniak], it’s understandable how collectors fought for the right to run the price up from the minimum starting bid of $50,000. And this one was particularly collectible. According to the prospectus, this machine had few owners, the most recent of whom stated that he attended a meeting of the legendary Homebrew Computer Club to see what all the fuss was about. He bought it second-hand from a coworker for $300, fiddled with it a bit, and stashed it in a closet. A few years later, after the Apple ][ became a huge phenomenon, he tried to sell the machine to [Woz] for $10,000. [Woz] didn’t bite, and as a result, the owner realized a 125,000% return on his original investment, before inflation.

The machine was restored before hitting the auction block, although details of what was done were not shared. But it couldn’t have been much since none of the previous owners had even used the prototyping area that was so thoughtfully provided on the top edge of the board. It was sold with period-correct peripherals including a somewhat janky black-and-white security monitor, an original cassette tape interface, and a homebrew power supply. Sadly, there’s no word who bought the machine – it was an anonymous purchase.

Hackers, check your scrap bins. Anything hanging out there that might be worth six figures in a few decades? It’s unlikely, but if you get lucky, hacking just might turn into your retirement plan.

Thanks to [my wife] for the tip on this one.

Knock-Off AirPods Merged Into Bluetooth Receiver

Whether or not you personally like the concept of the AirPod Bluetooth headphones is irrelevant; as an Apple product, one thing is certain: all the cool kids want them. That also means that plenty of overseas manufacturers are pumping out janky clones for a fraction of the price for those who are more about the Apple look than the Apple price tag. Are they any good? No, of course not. But that doesn’t mean you can’t do something interesting with them.

[Igor Kromin] took apart a pair of fake AirPods and was predictably underwhelmed. So much so that he didn’t even bother putting the things back together. Instead, he took the two poor Bluetooth audio receivers and combined them into one slightly less poor Bluetooth audio receiver. It probably doesn’t meet the classical definition of a “good” use of time and/or money, but at least he got some entertainment out of a product that was otherwise destined for the trash.

As you might imagine, the left and right “AirPod” each has its own battery, Bluetooth receiver, and speaker. It has to, as they have no physical connection to each other. That also means that each receiver is only playing one channel, making them useless individually. What [Igor] realized was that he could put together a little PCB that combines the two audio channels back into a regular stereo 3.5 mm audio jack.

While he was at it, he also wired the individual buttons on each headphone to a center button on the PCB which would allow him to physically synchronize them. Even still, [Igor] mentions that occasionally they don’t come on at the same time. But what do you expect for something that’s nearly a 20th the price of the original?

The last time we saw a hack related to the Apple AirPod, it was when somebody threw them out the window, so one might presume most hackers prefer their iDevice tethered.


Hackaday Links: May 6th 2018

Way back in the day, if you were exceptionally clever, you could just solder more RAM to your computer. You did this by taking a DIP, stacking it on top of an existing RAM chip, bending out the enable pin, and soldering everything down. Wire the enable pin to an address pin, and you have more RAM. [Eric] wanted to get a game running on a Tandy 1000A, but that computer just doesn’t have enough RAM. The solution was to stack the RAMs. It’s a human centipede of deadbugging skills.

We’ve mentioned this before, but I just received another copy of either the best or worst press release I’ve ever seen. Dateline George Town, Cayman Islands: Onstellar is a cryptocurrency-based social network focusing on the paranormal. Apparently, you can use a blockchain to talk about UFOs. It gets better, though: Onstellar will be exhibiting at the world’s largest UFO conference at the beginning of June, in the middle of the Mojave, where a bunch of Air Force and Navy planes are flying all the time. It seems like you would want to have a UFO conference where there’s a lower rate of false positives, right?

A Biohacker has died. Aaron Traywick was found dead in a sensory deprivation chamber in Washington DC this week. Traywick found fame as the CEO of Ascendance Biomedical and by skirting the FDA by self-medication; he recently injected himself with a ‘research compound’ that he said could cure herpes. He was planning CRISPR trials in Tijuana.

You’ve heard of Bad Obsession Motorsports, right? It’s a YouTube channel of two blokes in a shed stuffing a Celica into a Mini. It is the greatest fabrication channel on YouTube. They haven’t uploaded anything in six months, but don’t worry: the next episode is coming out on May 18th. Yes, this is newsworthy.

As further evidence that Apple hardware sucks, if you plug both ends of a USB-C PD cable into a MacBook, it charges itself.

Defcon China is this week. Let me set the scene for you. Last year, at the closing ceremonies for Defcon (the Vegas one), [DT] got up on stage and announced 2018 would see the first Defcon in China. The sound of four thousand raised eyebrows erupted. We’re interested to see how this one goes down. Here are the talks. It’s a bit light, but then again this is only the first year.

The Swiss Guard is now 3D printing their helmets. The personal army of the Pope also wears funny hats, and they’re replacing their metal helmets with 3D printed ones. Of note: these helmets are printed in PVC. The use of PVC has been repeated in several high-profile publications, leading me to believe that yes, these actually are printed in PVC, or everyone is getting their information from an incorrect Vatican press release. This is odd, because PVC will give everyone within a five mile radius cancer if used in a 3D printer, and you wouldn’t use PVC anyway if ABS and PLA are so readily available. If you’re wondering if injection molding makes sense, giving each new recruit their own helmet means producing about thirty per year; the economics probably don’t work.

Upgrade Your Mac With A Touchscreen, For Only A Dollar

Imagine how hard it could be to add a touch screen to a Mac laptop. You’re thinking expensive and difficult, right? How could [Anish] and his friends possibly manage to upgrade their Mac with a touchscreen for only a dollar? That just doesn’t seem possible.

The trick, of course, is software. A small mirror is mounted over the machine’s webcam using stiff card, hot glue, and a door hinge, so that the camera looks at the screen. By deciding whether the image of a finger is touching its on-screen reflection, a remarkably simple touch screen can be created, and the promise of it only costing a dollar becomes a reality. We have to salute them for coming up with such an elegant solution.

They have a video which we’ve put below the break, showing a few simple applications for their interface. Certainly a lot less bother than a more traditional conversion.
