back

Messenger Hacking: Remotely Compromising an iPhone through iMessage

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
01:01:49
Language
English
Abstract
So called “0-click” exploits, in which no user interaction is required to compromise a mobile device, have become a highly interesting topic for security researchers, and not just because Apple announced a one million dollar bug bounty for such exploits against the iPhone this year. This talk will go into the details of how a single memory corruption vulnerability in iMessage was remotely exploited to compromise an iPhone. The insights gained from the exploitation process will hopefully help defend against such attacks in the future.

This talk will dive into the internals of an iMessage exploit that achieves unsandboxed remote code execution on vulnerable devices (all iPhones and potentially other iDevices up to iOS 12.4) without user interaction and within a couple of minutes. All that is necessary for a successful attack in a default configuration is knowledge of the target’s phone number or an email address. Further, the attack is also possible without any visible indicators of the attack displayed to the user.

First, an overview of the general iMessage software architecture will be given, followed by an introduction of the exploited vulnerability. Next, a walkthrough of the exploitation process, including details about how the various exploit mitigations deployed on iOS were bypassed, will be presented. Some of the exploitation techniques are rather generic and should be applicable to exploit other vulnerabilities, messengers, and even other platforms such as Android. Along the way, some advice will be shared with the audience on how to bootstrap research in this area. The talk concludes with a set of suggestions for mobile OS and messenger vendors on how to mitigate the demonstrated exploit techniques effectively and hopefully make these kinds of attacks significantly more difficult/costly to perform in the future. While previous experience with iOS userland exploitation will not be required for this talk, some basic background knowledge on memory corruption vulnerabilities is recommended.

Talk ID
10497
Event:
36c3
Day
1
Room
Ada
Start
2:10 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
Samuel Groß
Talk Slug & media link
36c3-10497-messenger_hacking_remotely_compromising_an_iphone_through_imessage

Talk & Speaker speed statistics

Very rough underestimation:
144.5 wpm
791.8 spm
145.2 wpm
796.2 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%
  

Work on this video on Amara!

Talk & Speaker speed statistics with word clouds

Whole talk:
144.5 wpm
791.8 spm
exploitthingaddressmessagecodequestionpointersenddeliveryworksurfacebitcrashimessagereceiptobjectheapattackmethodaddressesmessagesappleprocesscalledmemorypointsharedkeynumberaslrsideworkscachequestionsideatimefakecasereceiptsiphoneobjective-ccallfunctionbasicallymappedserverleftbugclassfind
Samuel Groß:
145.2 wpm
796.2 spm
exploitaddressthingcodepointerimessagemessageobjectmethodcrashheapaddressesreceiptattacksurfacepointcalleddeliverybitsendworksmemoryaslrapplemessagessidekeysharedfakeworkprocessbasicallyfunctionobjective-ccachereceiptscallstartleftclassbugmappedguessfinddatasharedkeysetsandboxjavascriptclickstuff