Archiv: iBoot


31.08.2019 - 08:38 [ Project Zero team at Google ]

Implant Teardown

The implant has access to all the database files (on the victim’s phone) used by popular end-to-end encryption apps like Whatsapp, Telegram and iMessage. We can see here screenshots of the apps on the left, and on the right the contents of the database files stolen by the implant which contain the unencrypted, plain-text of the messages sent and received using the apps:

(…)

There‘s something thus far which is conspicuous only by its absence: is any of this encrypted? The short answer is no: they really do POST everything via HTTP (not HTTPS) and there is no asymmetric (or even symmetric) encryption applied to the data which is uploaded. Everything is in the clear. If you‘re connected to an unencrypted WiFi network this information is being broadcast to everyone around you, to your network operator and any intermediate network hops to the command and control server.

This means that not only is the end-point of the end-to-end encryption offered by messaging apps compromised; the attackers then send all the contents of the end-to-end encrypted messages in plain text over the network to their server.

31.08.2019 - 08:26 [ Project Zero team at Google ]

A very deep dive into iOS Exploit chains found in the wild

I recommend that these posts are read in the following order:

31.08.2019 - 08:20 [ Gizmodo ]

Google Hackers Reveal Websites Hacked Thousands of iPhone Users Silently for Years

“To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group,” he said. “All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”

31.08.2019 - 07:50 [ derStandard.at ]

Mysteriöser iOS-Hack: Websites infizierten jahrelang iPhones

Außerdem war die IP-Adresse des Servers, zu dem die Daten versandt wurden, fest in der Malware kodiert. Das erleichtert es, den Angreifer ausfindig zu machen – Google hat aber hierzu keine weiteren Informationen öffentlich gemacht.