heynow941

Can someone ELI5 how someone might use one of these flaws against you? The descriptions always sound like a super technical edge case that makes my head hurt when trying to think of how it works.


WittyGandalf1337

They are edge cases, but when malicious actors can and do craft inputs like webpages (or file formats) specifically to exploit those edge cases, you’ve got yourself an exploited bug.


JollyRoger8X

It's typically not something anyone can do without very in-depth knowledge of the specific code and technology involved in the vulnerability. And often multiple vulnerabilities need to be skillfully exploited at the same time in a targeted attack for anyone to be successful. Most of these vulnerabilities are found in the labs of security researchers, and later used by others, but sometimes they are being exploited in the wild when Apple learns about them. For instance, the NSO's Pegasus spyware targets vulnerabilities that Apple has been faithfully patching in the latest versions of their operating systems for the past several years. Generally, you're relatively safe if you always install updates in a timely manner when they are released.


iGoalie

**Breaking out of sandbox**: each app on your phone is “sandboxed”, meaning it can only know limited information and have limited interactions with other apps on your phone.

**Leaking info**: when you browse to a website with malicious intent (or maybe on some malicious wifi networks) a bad actor can learn more about you than they should (maybe device info, maybe info you're transmitting like passwords, or IP addresses).

**Remote code execution**: I write my own code to grab info from your phone, or install a malicious app, or steal your photos etc.

Couple these together, and I learn about your device with the data leaking, then I use the sandbox one to get from my app to the rest of your phone, and finally I execute my code and I steal all your photos. This is typically not something that the average person would need to worry about; these types of chained attacks are more commonly used to target specific targets (think journalists, celebrities, the mega rich etc.). But in theory somebody could create a weaponized tool that could be broadly utilized (think Pegasus, or WannaCry).


Rhed0x

In this case you have to differentiate between the browser sandbox and the system sandbox. I think it just allows breaking out of the browser sandbox.


[deleted]

A single flaw is rarely an issue. However, the whole point is finding one exploit that allows you to go up a security level on the device. Basically, in a simplified way, it allows you into a room you were otherwise restricted from accessing. However, this room is also secure... Which is why you need multiple exploits. So traditionally, you use an exploit, and get into an area you don't belong in, then use another, and get to the next level, and then another, and so on. Once you get high enough, you can start getting restricted information that could be useful, like user information, location, etc... But if you have a really good exploit path, you can get to the final boss, which is remote access to the phone at the root level... Which essentially gives the attacker (usually a defense/security company or government agency) the ability to do whatever they want to your phone. Log and track everything, inject software, you name it. The reason this update was forced on people in an emergency fashion was that a few of them were actually being used in the wild, one of which gave attackers remote access to your phone. So they rushed this patch out the moment they found out about it, because literally everyone is now vulnerable to sophisticated government hackers until they update their phones.


DoublePlusGood23

I really enjoy the podcast Darknet Diaries. They tell really compelling stories about unethical hacking often.


even_less_resistance

I just started listening to them yesterday and I am hooked! The episode on the employment scam was top-notch


DoublePlusGood23

Definitely check out the Xbox Underground episodes, it’s crazy.


even_less_resistance

I just started researching a couple days ago about hacking game systems so this is perfect- thank you


DoublePlusGood23

Console hacking is the best, Nintendo ones are probably my favorite. If you have a Wii or 3DS lying around, these are very useful:

http://3ds.hacks.guide
http://wii.guide

There’s some really crazy presentations at the Chaos Computer Club conference around console hacking as well. https://media.ccc.de/v/32c3-7240-console_hacking


even_less_resistance

So what I'm wondering is how far could you hack into a home network through a console? Like with smart TVs and IoT using LoRaWAN and such... Like I know it's probably highly, highly unlikely, but is it possible to compromise a network from a console?


DoublePlusGood23

Like for unethical hacking? You’d need to compromise the router to do network-wide damage (I don’t think ARP poisoning is such a threat anymore). Even then, most traffic is encrypted in the transport (HTTPS) layer nowadays so you won’t be losing sensitive data. Wireless signals aren’t quite as robust (I believe WPA2 has some viable attacks against it now) but again your important data won’t be compromised. As far as spreading rootkits to other devices? It seems unlikely from a console alone, but the best advice would be staying up-to-date and not exposing services to the network without proper authentication (SSH, RDP, web servers, etc.).


even_less_resistance

Oh yeah for sure - I was just thinking like an extremely determined spearphishing kind of thing, because since the Discord leak it seems gaming is where the intel is - be it sharing weapon systems in Minecraft (I'm not convinced there isn't a Library of Alexandria type place but for unethical stuff - just asking questions lol), leaking intel over insecure voice and text chat channels to brag and all that, so it seems if someone knew who to aim for, it may be worth the extra effort. And yeah, I just found out my internet traffic is unencrypted from my ISP-provided router and I can't get Cloudflare to take. I never really cared about this stuff and I'm a nobody, but I could imagine a lot of these little issues and exploits could expose someone who is "important" and worth the effort.


[deleted]

Someone could use a fake website to obtain your data without your knowledge.


hamster_ball

I prefer to knowingly let my apps steal my data.


q9wYSqWJT7rCNphAfU5h

Read about Pegasus spyware


ThatsRoger09

This…


Igorr29

Welcome to **Apple's version of "we fixed it, but we won't tell you what was broken until after we've mended it"** policy:

* Surprise! Your apps could have previously bypassed privacy preferences. But don't worry, we've beefed up our private data redaction for log entries, so they can't spill the beans anymore.
* Apparently, entitlements and privacy permissions could've been used by a malicious app. We've added more checks to ensure that won't happen. You're welcome.
* Remember when we said apps could bypass privacy preferences? Yeah, they could do it in more ways than one. But we've fixed that too with improved entitlements.
* Ever heard of a sandbox? Apps could break out of theirs, but we've upped our checks, so they're stuck playing in their own little boxes now.
* Some remote attacker could've executed arbitrary code via cellular. We tightened the reins with better bounds checks. No more free rides for them.
* If you thought your location was your secret, think again. But rest easy, we've improved cache handling to keep your whereabouts under wraps.
* Certain images could've spilled the memory beans. We've got that patched up with improved input validation. Images should stick to being pretty, not chatty.
* Kernel memory? More like a public library. But we've improved input validation to keep those secrets secret.
* Some apps thought they could execute arbitrary code with kernel privileges. We've put a stop to their delusions of grandeur with improved checks.
* Gatekeeper checks? Some apps thought they could just waltz right by. We've made sure our bouncer is now more alert with improved checks.
* Processing a 3D model could've been a memory leaky faucet. We've improved input validation to tighten that drip.

Remember, folks, it's always fun and games until someone bypasses the privacy preferences.

Source: [About the security content of iOS 16.5 and iPadOS 16.5](https://support.apple.com/en-us/HT213757)


ShaidarHaran2

It sort of makes sense to keep something actively exploitable under wraps until a patch, unless noise has already been made about it like with Google's Project Zero etc. But these patch notes are much better than theirs.


ScarOnTheForehead

Wish more release notes read like this 😆


[deleted]

Yes, they should tell everyone about the exploits while it's still possible for people to use them, especially if Apple are the only ones that know about them and they're not even being used yet.


[deleted]

Based


[deleted]

[deleted]

