[HN Gopher] Analyzing iOS 16 Lockdown Mode: Browser Features and...
___________________________________________________________________
Analyzing iOS 16 Lockdown Mode: Browser Features and Performance
Author : mjs
Score : 198 points
Date : 2022-07-21 09:58 UTC (13 hours ago)
(HTM) web link (www.sevarg.net)
(TXT) w3m dump (www.sevarg.net)
| castillar76 wrote:
| This is a good writeup! A couple random thoughts that occurred to
| me while reading through it:
|
| - It would be really nice to be able to disable Lockdown Mode for
| specific people in iMessage the way you can for specific websites
| in Safari. I'm guessing you can't because the sandboxing isn't
| implemented the same way it is in Safari...but maybe that should
| be fixed!
|
| - Disabling WebRTC in Lockdown Mode is probably an overall win,
| but it may result in certain web-video-conferencing tools not
| working. In most cases, the correct answer will be "then install
| the app for that instead", but it may result in a few issues. On
| the other hand, users can also disable LM for those sites (and I
| like that you can do it easily, so I could do it temporarily and
| then flip it back off afterwards).
|
| - It will be interesting to see if the ability to turn this on is
| a feature available in MDM. I can imagine companies mandating
| that users traveling to certain areas of the world must have LM
| MDM-force-enabled on their phones at all times instead of taking
| a burner phone.
|
| - I wonder how the prohibition on wired accessories will work if
| the phone is unlocked when the accessory is plugged in. As an
| example, with LM enabled I could plug my phone into my car and
| use CarPlay, but does it then turn off when the phone locks? I'm
| assuming not, but if you're going full-bore-privacy-protections,
| there's an argument there that it should actually just disable
| the port fully when the phone locks (and that's certainly the
| easier option to code).
| Syonyk wrote:
| > _I can imagine companies mandating that users traveling to
| certain areas of the world must have LM MDM-force-enabled on
| their phones at all times instead of taking a burner phone._
|
| That only solves a few of the possible issues a content-free
| burner phone solves, though. I sure wouldn't travel to those
| bits of the world with a regular device with all my information
| on it. Rubber hose cryptography is a thing.
| madmod wrote:
| I wonder how lockdown mode affects apps that use WKWebView? (Not
| SFWebView which afaik is supposed to be more like the Safari app
| with things like password manager support.) Eg would this break a
| WebRTC meeting in a native app?
| dellIsBetter wrote:
| Does lockdown mode modify Apple telemetry?
| birdman3131 wrote:
| Question on part of this. He skips over it in the article.
|
| How do 2 locked down phones that have not done so before do a
| FaceTime call? As neither one will accept the other's call.
| tinus_hn wrote:
| A logical solution would be for it to work if they have each
| other's number in their address book, but I don't know what they
| chose.
| [deleted]
| etchalon wrote:
| Initiating the call counts. So both parties initiate a call,
| which both phones deny. The second attempt works.
| epolanski wrote:
| What about store apps' privacy?
| 0x0 wrote:
| The missing icons are probably web fonts being disabled?
| thewebcount wrote:
| Ah, that explains a lot. I do heavy ad and tracker blocking,
| including blocking loading of all web fonts. I constantly find
| various arrows and other tiny images not rendering and didn't
| know why. You'd think for something like a left and right
| arrow, you could at least set the alt text to the unicode
| character for left or right arrow, or at least ASCII art (i.e.
| "->" and "<-"). It would also make it make sense for people
| using screen readers.
| pizlonator wrote:
| Yup.
| kemayo wrote:
| Yeah, those are FontAwesome icons.
| yessirwhatever wrote:
| So lockdown mode is IE6 on iOS?
| newscracker wrote:
| Since several web features are disabled with Lockdown mode
| enabled, I wonder what measures Apple is planning to implement to
| defeat (at least to some extent) fingerprinting attempts to
| detect the people/devices using Lockdown mode while browsing.
|
| > If you can't stand the impact on performance or image
| rendering, well, maybe Lockdown isn't for you. Apple claims only
| a tiny fraction of users will need it, though I'd argue an awful
| lot of users will _want_ it.
|
| Of course, I want it! (I already go through many other
| inconveniences for privacy and security).
|
| > Should You Turn it On?
|
| > Yes. Seriously. Turn it on when you have a supported OS and
| don't look back.
|
| Amen! I'll be telling some laypeople to turn it on and try it out
| (along with instructions on how to turn it off selectively or
| completely).
| O__________O wrote:
| How would Apple counter fingerprinting?
|
| Already pointed out this issue in a prior post here 14 days
| ago:
|
| https://news.ycombinator.com/item?id=32006436
|
| From that comment: "If Apple is logging if this feature is on
| and sending it back to Apple, it will result in targeting from
| nation states even if this feature is "invincible" - which I
| have no reason it is; basically, nation states demand list of
| users subject to its jurisdiction."
|
| Obviously there are likely other ways to fingerprint Apple
| devices with lockdown mode on, but to me, at the point you need
| "lockdown mode" you likely should realize that doing so will
| likely make you more of a target.
| [deleted]
| nneonneo wrote:
| I think one reason to make this feature public is to get more
| people to use it, and therefore dilute Lockdown Mode as a
| signal. As you say, it's pretty easy for an attacker to
| detect this mode: with a browser, just check that the Safari
| version is high enough but that certain features are not
| available. If even 1% of iPhone users are using Lockdown
| mode, it'll far exceed the number of people who really need
| the feature to stay ahead of nation-state targeting.
| AndrewUnmuted wrote:
| Sporktacular wrote:
| It just makes sense to lock down iMessage, for example,
| as a vector.
|
| They're doing this for credibility? Yeah, in part, that's
| how companies work. But if it produces an improvement
| then what's the problem? Capitalism?
|
| Also, what's with the aggression? Tone it down.
| O__________O wrote:
| If that was the case, Apple would have just offered end-
| to-end-encryption for iCloud, which they did not; turning
| off iCloud is also not a default configuration of the new
| lockdown mode, which it should be.
| threeseed wrote:
| I think you should spend less time on conspiracy sites.
|
| The world including Apple's product map doesn't revolve
| around Hunter Biden.
| AndrewUnmuted wrote:
| O__________O wrote:
| Issue is, automatically targeting users would be easy.
|
| If Apple tracks users that have both lockdown mode and
| iCloud on, all a nation state with jurisdiction has to do
| is request list of users with both on; having lockdown mode
| on might even qualify as justification for a search warrant
| and legally hack anyone using it, which is already the case
| for Tor:
|
| https://www.nolo.com/legal-encyclopedia/what-does-rule-41-sa...
|
| Find it horrifying that Apple has this feature, but makes
| no effort to inform users about the risks of iCloud; in my
| opinion, if you have lockdown mode on, iCloud should not be an
| option; it should trigger an off-boarding from iCloud and
| wiping of any data on iCloud; also pointed this out in
| comments here:
|
| https://news.ycombinator.com/item?id=32006436
|
| To me, as is, lockdown mode sounds like a honeypot:
|
| https://en.m.wikipedia.org/wiki/Honeypot_(computing)
| Syonyk wrote:
| This would be another good reason for "lots of random
| people to use it," certainly - same as Tor.
| O__________O wrote:
| Using Tor is legal justification for a warrant to
| remotely hack systems using it:
|
| https://www.nolo.com/legal-encyclopedia/what-does-rule-41-sa...
|
| As such, highly likely most systems running Tor nodes
| have been hacked and that Tor is not secure.
|
| Very possible lockdown mode might be as well a legal
| justification for a warrant, given it "conceals" systems.
| mrex wrote:
| Ways to counter fingerprinting:
|
| Offer a spoof mode, make the Lockdown mode browser look to
| external websites like it isn't in Lockdown mode. Tricky but
| doable with some site breakage that can always be fixed by
| disabling Lockdown mode for sites a user trusts.
|
| Convince as many people to use Lockdown mode as possible. I,
| for one, don't see any reason NOT to enable Lockdown mode on
| all my devices. Do you need iMessage URLs sent by randoms to
| load remote content without your consent?
|
| Above all, let's begin to consider signed web content.
| yjftsjthsd-h wrote:
| > Above all, let's begin to consider signed web content.
|
| What are you proposing that is not currently provided by
| https?
| mrex wrote:
| TLS is transport encryption, not a content signature.
|
| Ideally, I'd like to see every resource being served
| along with a signature verifying its authenticity,
| origin, and suitability for public consumption.
|
| Users would then be empowered to make the decision
| whether we wanted to interact with a resource that does
| not offer these protections, and assume the risk, or
| simply refuse to load any resource that doesn't
| positively identify where it's coming from, who made it,
| and who certifies it as worthy of your consumption.
| O__________O wrote:
| Have you ever studied fingerprinting, read the linked post
| that's the subject of this thread, understood how prior
| advanced targeting attacks using fingerprinting worked,
| etc.?
|
| As is, not even researching it, it appears very likely that
| lockdown mode is easy to fingerprint via a browser from
| information shared in the linked article. Spoofing when
| functionality is off is not a common thing and would be
| very hard to do, if not impossible, if combined with a
| challenge-response-like counter-measure from the attacker
| to confirm the functionality is actually accessible to the
| end user.
| mrex wrote:
| How realistic is an "advanced fingerprinting attack",
| though?
|
| I think the more realistic threat model here is presented
| by ad networks and major websites doing typical types of
| browser fingerprinting, like canvas, fonts, etc. as well
| as possibly some of the techniques mentioned in the
| article here, like webGL, JIT JS, etc.
|
| In that case of a limited number of trusted sites that we
| focus on ensuring compatibility with, spoofing is easier,
| because we can pay a lot of attention to ensuring that
| our "middleman" fixes the errors introduced by spoofed
| client-to-server communications.
|
| Some technologies like WebGL will simply never work on a
| spoofed site, of course. But for the very limited number
| of sites when users lose important functionality, they
| can just turn off Lockdown mode.
|
| If a Lockdown'd phone habitually patronizes malicious
| websites, the protection will never be enough anyway. So
| we shouldn't worry about protecting against being
| fingerprinted by a very malicious website - Lockdown
| users must simply avoid these, with or without a
| fingerprinting vulnerability!
| O__________O wrote:
| Sorry, but I don't understand what you are technically
| describing.
|
| If you're suggesting Apple should proxy all internet
| traffic to devices -- that is a horrible idea, incredibly
| dangerous, and a huge step in the wrong direction. To
| counter the issues I pointed out, Apple would literally
| have to be able to decrypt all the traffic and act as if
| they were the user, which is obviously an insane security
| issue.
|
| As for avoiding malicious websites, again, I don't
| believe you understand what advanced attacks look like.
| Any site can be hacked and if it is, fingerprinting can
| be used to only attack a very well defined known list of
| targets. For example, a very well known CEO of a security
| startup used a limousine service that was hacked after
| this was discovered and used to launch an attack against
| them.
|
| I understand you're interested in the topic, that's great,
| but try to balance your technical familiarity,
| familiarity with the topic, and the very real threat
| security breaches pose to a very small subset of the world.
| These features are not intended to counter AD companies,
| but attackers that in the worst case situation will
| ultimately kill the target.
| mrex wrote:
| I wasn't suggesting proxying anything, just that the
| browser should attempt to correct errors that it
| introduces into page rendering when it spoofs feedback to
| the server.
|
| And again, is it a realistic threat model to imagine that
| a high volume website, trusted enough to be browsed
| regularly by Lockdown-paranoid users, will be hacked in
| such a way as to deliver a fingerprinting attack to
| browsers, and only that?
|
| I appreciate the sense of superiority that you have, but
| try to follow along.
| O__________O wrote:
| If I had a sense of superiority, why would I even be
| taking the time to attempt to understand what you're
| saying, makes no sense.
|
| The device has the features turned off because they are
| known to be hard to harden against attacks or, worse, have
| known vulnerabilities. To spoof them being on, a proxy
| that isolates requests to the functionality that's off on
| the device would have to be sent to another device, but
| accurately respond as if it was on, including specifically
| designed counter-measures from an attacker to confirm
| the end user had real-time control over the proxied
| system. Just makes no sense to have such a complex system,
| and in the majority of situations it would require another
| device that would be vulnerable to attack and always near
| the target and secured device.
|
| >> And again, is it a realistic threat model to imagine
| that a high volume website, trusted enough to be browsed
| regularly by Lockdown-paranoid users, will be hacked in
| such a way as to deliver a fingerprinting attack to
| browsers, and only that?
|
| Simple answer is yes. Also, it doesn't have to be a high
| volume website, just one the target trusts enough to
| visit.
| mrex wrote:
| >Just makes no sense to have such a complex system
|
| It's not that complex, it really can be reduced to what
| the browser already does: attempts to render web pages
| best for the display, without full hinting from the
| server-side.
|
| In the end, what I'm getting at is that browsers should
| start viewing any page in an untrusted mode, and this
| mode should dramatically limit available fingerprint
| features to the most minimal subset that provides an
| acceptable user experience.
| O__________O wrote:
| No. Whole point of disabling the long list of functionality
| mentioned in the article is so that -- no -- code is
| executed via that functionality on the device at all. You
| are suggesting something that goes against the whole point
| of turning it off. Browser already operates in "untrusted"
| mode. Apple's iPhone systems and hardware are not
| designed to be separated. Even if the hardware was
| duplicated and completely isolated, the secure hardware
| would be in close physical proximity to non-secure
| hardware and as a result would be vulnerable to side-
| channel leaks and/or attacks.
|
| You also are ignoring that challenge-response counter-
| measures by the attacker would require direct and real-
| time action from the targeted users; CAPTCHA is a type of
| real-time challenge-response that, combined with private
| information, would confirm that the target user is
| actively using the device being targeted.
|
| If you think you understand something I don't, that's
| fine, but I clearly neither understand what you're trying
| to communicate, nor agree with what little I believe I do,
| and have repeatedly attempted to explain why, and you have
| repeatedly ignored my points. If I have ignored a material
| point made by you, please explicitly point it out.
| p410n3 wrote:
| > make the Lockdown mode browser look to external websites
| like it isn't in Lockdown mode.
|
| This will be instantly defeated by benchmarking the js
| performance. But disabling JIT is a VERY important step to
| harden your browser. This is one of these things where you
| have to actually choose between privacy and security.
| mrex wrote:
| >This will be instantly defeated by benchmarking the js
| performance.
|
| How common is this behavior for non-malicious websites
| that a Lockdown mode user is likely to use? It seems to
| me that if you're loading malicious content from a site
| controlled by foreign intelligence services, you're
| probably done whether Lockdown is enabled or not.
| Preventing more casual profiling from common logs likely
| to be strewn about in CDNs, etc. is still an important
| level of protection, I'd argue.
| ev1 wrote:
| Incredibly, extremely common on tons of sites.
|
| Normal web pages that load ads will attempt to detect
| "fraud" by connecting back over WebRTC, running
| benchmarks to see how "valuable" of a user you are (how
| shit or expensive your hardware is), and running
| benchmarks to see whether you might be a fake browser/"ad
| fraud" user running large amounts of sessions at the same
| time and therefore have slower performance. It's bullshit
| and should be illegal.
|
| I already dislike webgl leaking the model of my gpu,
| concurrency leaking memory and cores available, and disk
| space.
|
| Go visit walmart or really any major site - almost more
| likely than not it will do this - and watch it attempt to
| enumerate all of your plugins, connect over webrtc,
| enumerate performance.* msPerformance, mozPerformance,
| make a webgl video and ask for unmasked renderer,
| enumerate thousands of fonts, attempt and fail to spawn
| piles of ActiveXObject, use "window.msDoNotTrack" as a
| fingerprinting feature point, enumerate hundreds of
| browser functions and getters (maxTouchPoints,
| doNotTrack, hardwareConcurrency, ...) and call
| toString() on dozens of specific things like
| window.RTCDataChannel.toString() and seeing whether it
| fails in a try/catch, if it returns a function, or if it
| returns "function RTCDataChannel() { [native code] }" as
| a string, etc.
| mrex wrote:
| Wow. I had no idea. This bullshit is why I browse with
| javascript off, and enable it only on a per subdomain
| basis with uMatrix, and disable all the tracking
| technologies I can. I probably already stick out like a
| sore thumb to anyone doing browser fingerprinting.
|
| Not only did the kids fail to get off our lawn, look at
| this giant hunk of poop they left all over it. Eternal
| September never ends.
| ev1 wrote:
| Well, good thing they reverse-proxy the javascript code
| first party directly on the domain (www.*), and attempt
| to load multiple subdomains on the primary domain one
| after another (including randomised CDN paths).
| JackGreyhat wrote:
| I'm trying to grasp what you are explaining here. Is this
| another fingerprinting method?
| ev1 wrote:
| "enable it only on a per subdomain basis" works when the
| tracking runs off a separate subdomain. Walmart, for
| example, intentionally proxies the files through their
| primary domain, the one that you are visiting, to try and
| bypass this.
|
| --
|
| Other sites and services will also use blocking them as a
| fingerprinting point. For example, it loads native first-
| party JS to try and bootstrap the rest of it.
|
| A really simplified example:
|
| Stage 1: on-page script tag, not a separate file, sets up
| a variable - let's call it "counter"
|
| Stage 2: Load cross-site-tracker.js from obvious-
| analytics.example.com.
|
| If it fails:
|
| Stage 3: Load QyojK8oIwLjske2JkW9mdJY0Np.js from
| hqMOBRLccCmEnG9.cloudfront.net; increment a "shady user
| is trying to hide from us" counter
|
| If it fails:
|
| Stage 4: Load RandomWordsRainbowButterfly.js from
| N4NqCUJAT9UUXFcwnn.cloudfront.net; increment a "shady
| user is trying to hide from us" counter
|
| Keep trying this through 3-4 domains, use random s3
| buckets, cloudfront hostnames, akamaized.net hostnames.
| Upload all tracking data as soon as one of them succeeds.
| ev1 wrote:
| Can't edit anymore, but I want to point out that one
| particularly gross thing I've seen is code that checks
| how well your device characteristics line up with
| expectations for CPU and RAM.
|
| The numbers are intentionally imprecise for anti-
| fingerprinting, but I've seen JS code that treats users
| as suspicious or bad when your logical core count reports
| 1-2 but memory is 8+, or a lot of cores and very little
| memory, or if your device is non-mobile but reporting
| less than 4 or 8 GB of memory. The assumption is that you
| are a virtual machine if you're a "desktop or laptop" and
| have a single or dual core in 2022, for example.
| naillo wrote:
| It's not clear to me why you wouldn't just turn off your phone if
| you think you're being targeted by such an extreme attack.
| newscracker wrote:
| Turn off the phone for how long? And how would one even know if
| they're being attacked? Turning off the phone is not an easy
| option for investigative journalists and activists, especially
| in today's world where communicating with people in different
| geographical locations may be necessary.
|
| Right out of the box, smartphones are more secure than
| mainstream personal computers (running Windows, macOS or Linux)
| that are connected to the Internet.
| saagarjha wrote:
| Because people generally do things that require being able to
| use a phone?
| ben174 wrote:
| Politicians, executives, and celebrities are under constant
| attack. You can't just expect they halt communication.
| bugmen0t wrote:
| I'd love to know if you can still use a third-party browser
| (e.g., Firefox) and if it would inherit lockdown settings per web
| page (given that all iOS browsers have to use webkit webview).
| dagmx wrote:
| The security is enabled at the WebKit layer, not the Safari
| layer. Otherwise it would be trivially defeated.
| robertoandred wrote:
| Put a point in the "no third-party web engines" column.
| traceroute66 wrote:
| It will be interesting to see how this fits in with Supervised
| Mode.
|
| For example, I'm assuming "configuration profiles cannot be
| installed" will only apply to unsupervised devices. Otherwise
| it could make Supervised Mode rather, erm, tricky!
|
| Also "Allow access to USB accessories when device is locked"
| option has already been available in Supervised Mode for years.
|
| So I wonder if Lockdown Mode is more removing some of the
| "supervised only" restrictions from certain options (e.g. the
| "USB when locked" is currently "supervised only" option, but it
| looks like Lockdown Mode will bring this option to all users).
|
| Overall, I think this is a good move by Apple though even if some
| of the details remain to be seen.
| galad87 wrote:
| Existing configuration profiles will continue to work after
| enabling the lockdown mode.
| Sporktacular wrote:
| Ah, so it's just the MDM enrolment/control that stops with
| Lockdown? IT still works with Supervised Mode?
| Linda703 wrote:
| AshleysBrain wrote:
| Disabling WebGL will block a lot of HTML5 games. I think there
| will be a lot of "WebGL not supported" or "browser out of date"
| messages that will need updating to include "please turn off
| lockdown mode"...
| tinus_hn wrote:
| 10 years ago if you were building a secure hardened browser,
| would you have included the Flash plugin?
| jon-wood wrote:
| In practice I wouldn't expect many devices to have lockdown
| mode turned on, and the people who are turning it on probably
| aren't also using the same device to play Fruit Ninja in a
| browser. This is a feature explicitly designed for people who
| have reason to believe they're being personally targeted by
| national intelligence agencies, or other extremely well funded
| organisations.
| hedora wrote:
| I suspect it will be much more popular than that.
|
| <Insert rant about how I miss my Windows 8 phone because it
| had less crap on it here.>
|
| The only thing I saw in the writeup that I can imagine normal
| people over 25 missing is web font icons, and maybe emailing
| PDFs around to sign with iMessage. (Though those come in as
| jpegs from cameras or PNG screenshots half the time
| anyway...)
| AshleysBrain wrote:
| The blog says "Should You Turn it On? Yes. Seriously. Turn it
| on when you have a supported OS and don't look back." If that
| becomes the general advice, I imagine it will end up getting
| more broad use - even if most of the people who turn it on
| don't really need the extra security.
| Syonyk wrote:
| I am writing to a somewhat technical audience on my blog...
| but, yes, I don't care if my devices can't play some online
| WebGL game if the tradeoff is far better security in
| general.
|
| Also, since you can turn it off for specific domains, it's
| easy enough to re-enable WebGL for some site, while still
| having Lockdown mode apply to all the random ad serving
| backends and such you come across. If you're not someone
| who might be specifically targeted, I think that's entirely
| reasonable. Secure by default, drop the security level
| somewhat, by concrete actions I've taken, for some site I
| want to do something more on.
|
| At some point, I'd assume attackers will try to get people
| to turn it off so they can attack, but you've made an awful
| lot more noise by that point.
| HidyBush wrote:
| Are you actually suggesting that people in need of this feature
| care about games on a phone?
| coldcode wrote:
| Would such a thing be possible in Android world? I wonder since
| there are so many phone manufacturer and ISP mods that might not
| be under Google's control.
| stefan_ wrote:
| Android fully supports alternate browsers (you don't have the
| "skins" for the Apple engine that you get on iOS) so nothing is
| stopping e.g. Firefox from introducing such a mode.
| mrex wrote:
| But that's only a single application. Lockdown Mode affects
| the operation of the entire OS, and all applications that use
| certain iOS features.
| cornedor wrote:
| Every third party browser you install on Android already has a
| different JIT, so all those apps probably need to implement
| their own rules.
| trixie_ wrote:
| I already use an extra iPhone as a secure platform crypto wallet,
| this feature sounds like it'll make it even better.
| bni wrote:
| Disabling old archaic image formats, link previews, ill advised
| web apis sounds like a great feature. I will definitely try this
| out.
| A7med wrote:
| Probably they shared how to bypass this mode with the Pegasus team,
| probably.
| rootusrootus wrote:
| Will this become entirely moot in the EU after they force Apple
| to throw open the gates to iOS?
| modeless wrote:
| No, why would it? Lockdown mode is a choice, and so is not
| using software from outside the app store etc.
| rootusrootus wrote:
| Every time someone says the word Android in this discussion,
| the next reply is that Android allows any <insert software
| here> you want, therefore it's up to that software to
| implement such a lockdown feature. Ergo, "lockdown mode"
| isn't able to be a thing on Android. And following from that,
| if iOS is forced to have all the same openings, then Lockdown
| Mode will be just as meaningless.
| modeless wrote:
| You're not making any sense. Google could easily implement
| a lockdown mode on Android in exactly the same way. Sure,
| you could choose to use a browser that doesn't have a
| lockdown mode. You could also choose to turn off lockdown
| mode! It's pretty much the same choice. Having that choice
| to disable lockdown doesn't make lockdown meaningless.
| Lockdown is voluntary.
| mixmastamyk wrote:
| Finally a feature I'm interested in and they drop support for the
| 6s.
| execveat wrote:
| Aren't configuration profiles necessary for configuring VPN
| though? For the best security you'd want all your traffic to go
| through your own server for retrospective analysis.
| rootusrootus wrote:
| Depends on the VPN and use case. I don't use a configuration
| profile for mine right now, but if I wanted to do anything more
| than manual activation I would need to use a profile to
| accomplish that.
| Gigachad wrote:
| You can have them, they just can't be added while the mode is
| on. So they have to be added beforehand.
| samwestdev wrote:
| I had no idea you could use Photoshop document (PSD) as an image
| on a webpage!
| olliej wrote:
| If it is a format supported by macOS internally it's likely
| viewable in Safari - webkit basically passes image decoding to
| the system image decoders (hand wavey here)
| stefan_ wrote:
| Now that sounds like a truly terrifying, terrible idea.
| Syonyk wrote:
| That seems to be how one of the exploits from a year or two
| ago worked.
|
| https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...
|
| It exploited an archaic Xerox format parser to make its own
| virtual machine, and then went out from there.
|
| So I'd agree, throwing anything on a webpage (or incoming
| message) into the "Can you parse this weird thing?"
| pipeline is a bad idea!
| astrange wrote:
| JBIG2 is a mandatory part of PDF, not its own weird image
| format. (Though I think it's also allowed in TIFF files
| and those might count as weird.)
| WhyNotHugo wrote:
| So lockdown mode disables any attachment except images on their
| messaging app, because parsing these has often been introducing
| exploits.
|
| The fascinating thing is that this parsing would happen on a
| process which even _has_ privileges to trigger any exploits.
| Parsing a message should be done far far away from the core OS
| operations, high in userspace, by a sandboxed process that can't
| break anything.
|
| Based on previously seen exploits, it seems messages are handled
| by rather privileged processes. I wonder if there's a reason for
| that (e.g.: special messages can trigger privileged operations?)
| twobitshifter wrote:
| It's not about privileges, the iMessage blastdoor exploit built
| a turing machine using a weird old image format and then
| escaped.
|
| https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...
| ylk wrote:
| Privileged is the wrong word, but GP is not entirely wrong.
| What you linked to is only the first part of the exploit and
| analysis.
|
| From the conclusion of the second post, which analyses the
| sandbox escape:
|
| > Perhaps the most striking takeaway is the depth of the
| attack surface reachable from what would hopefully be a
| fairly constrained sandbox. [...] The expressive power of
| NSXPC just seems fundamentally ill-suited for use across
| sandbox boundaries, even though it was designed with exactly
| that in mind. [...]
|
| (The above is severely cut down, reading at least the entire
| conclusion or even the whole post is worth it)
|
| https://googleprojectzero.blogspot.com/2022/03/forcedentry-s...
| [deleted]
| why_only_15 wrote:
| Parsing already does happen (mostly) on a process which doesn't
| have privileges. Read about Blastdoor.
| Syonyk wrote:
| > _Read about Blastdoor._
|
| I have. Mostly in the context of how this grandiose
| sandboxing scheme was just bypassed. Again.
| est31 wrote:
| Getting into the process that does the message parsing is only
| the first step in a full exploit chain. Usually processes, even
| the unprivileged ones, have direct access to the kernel. So if
| there is a bug in there for example, you can exploit the kernel
| as a second step. Alternatively, you exploit a bug in the IPC
| interface with the messaging app. Etc.
| infinityplus1 wrote:
| How about some kind of Firewall which sends requests only to
| trusted domains and blocks everything else?
| kergonath wrote:
| This can already be done, there are several apps that do more
| or less this. Now, a GUI to manually block or allow specific
| hosts without having to go through a pseudo-VPN would be cool.
| jiripospisil wrote:
| > Apple is previewing a groundbreaking security capability that
| offers specialized additional protection to users...
|
| That's an amazing marketing spin. It's not their admittance of
| failure of engineering to make the features secure, no, it's a
| _groundbreaking_ security capability! To be fair, I do appreciate
| that they acknowledge the problem in the first place and are
| trying to do something about it.
| kergonath wrote:
| A large tech company acknowledging that flashy convenience
| features can be a security risk is groundbreaking in itself. No
| need to be so cynical, this is a step in the right direction.
| Sporktacular wrote:
| "But it's an admission that the complexity of a modern phone
| operating system (or tablet, or desktop OS) have just gotten too
| much to handle, so the best path forward is to offer the option
| to not do those things."
|
| Looking at non-consumer security mobile phones (like the one from
| Boeing) or those that are modified to be secure (like the
| Blackberry used by Obama) they all seem to employ this less-is-
| more approach to security.
|
| In other words, what's the minimum tolerable feature set we can
| offer without further compromising security? It follows from the
| question 'why use a phone at all? If there is a functionality the
| client can't do without, then how do we provide just that without
| any security downside?'
|
| It's a sensible approach which means Apple has just entered this
| market. Not in a big way yet - phones are made in China, modem
| chip firmware security has a long way to go. But lockdown is just
| beginning too and it shows Apple understands this is serious.
|
| But all this is just defense. Next step is the entire industry.
| Finfisher is done - next up: NSO, Candiru and Darkmatter, their
| investors, suppliers and scumbag employees before they
| dissolve/rebrand and scurry back out of the light.
| amq wrote:
| Firefox on Android could easily offer something similar for the
| web part. Sounds like a quick win to get some attention.
| Ansil849 wrote:
| It's not clear to me if Lockdown Mode would have prevented
| Hermit, the latest mobile APT which targeted iOS via sideloading
| by enrolling in the Apple Developer Enterprise Program.
|
| The list of lockdown features doesn't seem to explicitly list that
| in-house app sideloading is disabled - is it? If not, then this
| mode seems like security theater from Apple, in that it doesn't
| actually lock down the parts of the attack surface that are
| actively being leveraged. How about instead, or better yet
| alongside this, Apple explains how they granted entry in the
| Enterprise program to the spyware company, and what measures
| they're taking to prevent it from happening again.
| _kbh_ wrote:
| > The list of lockdown features doesn't seem to explicitly list
| that in-house app sideloading is disabled - is it? If not, then
| this mode seems like security theater from Apple, in that it
| doesn't actually lock down the parts of the attack surface that
| are actively being leveraged. How about instead, or better yet
| alongside this, Apple explains how they granted entry in the
| Enterprise program to the spyware company, and what measures
| they're taking to prevent it from happening again.
|
| I'm pretty sure that iMessage is one of, if not the most, targeted
| parts of the iOS ecosystem for practical exploitation.
| Disabling link previews and restricting the formats that are
| rendered likely renders this much more difficult.
|
| The side-loaded app would likely have to target non-technical
| people as I'm pretty sure side-loaded apps require lots of
| clicking through and trusting of certificates to get to run on
| a phone.
| ajconway wrote:
| High-level targets (for whom this mode is specifically
| advertised) are likely aware of the dangers of installing apps.
|
| Enterprise-signed apps require an explicit (and non-obvious)
| action from the user when running for the first time.
| Ansil849 wrote:
| > High-level targets (for whom this mode is specifically
| advertised) are likely aware of the dangers of installing
| apps.
|
| I firstly don't believe this is true at all, plenty of high-
| level targets are not tech savvy; but more to the point of
| Lockdown mode, you could then say the same thing about most
| of its other features ("High-level targets are likely to
| already be aware of the dangers of doing
| $thing_Lockdown_prevents").
| saagarjha wrote:
| The features Lockdown Mode disables are used in 0- and
| 1-click attacks. Installing an enterprise app is somewhat
| different.
| olliej wrote:
| The whole benefit of the iOS App Store system is that those
| apps can't be malicious.
|
| This requires an atypical install/launch process that would
| hopefully trigger some sense of "this isn't right" - similar
| to the macOS complaints when you choose to run an unsigned
| app.
| liberia wrote:
| The 'high level target' or person of interest thing is
| slightly absurd. Everyone is a person of interest and
| security shouldn't be only for the domain of journalists,
| activists, dissidents etc
| olliej wrote:
| I will try to rephrase this.
|
| "What is Apple doing to prevent any government contractor from
| being able to use enterprise apps?"
|
| Which is what you're actually asking. "Spyware" sounds like
| you're conflating with its traditional meaning of being a
| general consumer malware/virus plague. This is software made by
| companies that provide services and support for [among others]
| intelligence agencies, etc for actual targeted spying.
|
| If you disagree with that being the actual question, then
| you're saying that having access to the enterprise is dependent
| on Apple auditing your _entire_ company, its corporate
| hierarchy, its owners, and its executives - at least. That
| isn't going to be cheap, it isn't going to be fast, I'm sure you'd
| not be happy as a company to find distributing internal apps
| suddenly requires regular expensive audits, or as an employee
| to discover your employer now required you to agree to
| background checks, etc by Apple.
|
| The whole, and it seems only, reason for the enterprise program
| was so companies ("enterprises" in marketing) could have
| internal apps that didn't have to pass the App Store review
| process.
|
| It would have been vastly easier to convince a victim to
| install a piece of software from the App Store, but that would
| not have worked because despite naysayers the App Store as a
| first step in platform security works. Otherwise there would be
| unending stories of malware on HN :D
| jon-wood wrote:
| > Configuration profiles cannot be installed, and the device
| cannot enroll into mobile device management (MDM), while
| Lockdown Mode is turned on.
|
| (From the article)
|
| So this would have prevented Hermit as you'd need to install a
| new configuration profile to allow sideloading of applications
| from that source.
| Ansil849 wrote:
| > So this would have prevented Hermit as you'd need to
| install a new configuration profile to allow sideloading of
| applications from that source.
|
| Are you sure that's true? I haven't seen a Hermit sample
| firsthand, but from everything I've read about it targets did
| not need to install an MDM profile, they simply needed to
| click a link. Looking at Apple's distribution guidelines -
| https://support.apple.com/en-bw/guide/deployment/depce7cefc4...
| - MDM is listed as one option, and simply going to a link is
| listed as another:
|
| > There are two ways you can distribute proprietary in-house
| apps:
| >
| > Using MDM
| >
| > Using a website
|
| It seems like the latter was used, so I don't think
| installation of a custom profile was required, which brings
| me back to my original question of whether Lockdown would
| have prevented it.
| buran77 wrote:
| And yet I wouldn't immediately jump to the conclusion that
| it's "security theater" because it only protects you from
| the vast majority of attacks and it may still be vulnerable
| to many 0-days. By this definition we have nothing _but_
| security theater in everything. And as the saying goes, if
| everything is security theater, nothing is security
| theater.
| Ansil849 wrote:
| Lockdown is literally presented by Apple as being for
| people targeted by APTs like those developed by NSO
| Group, therefore I expect it to prevent attack vectors
| used by these APTs, like exploitation of the Developer
| program to facilitate sideloading malicious apps. I don't
| feel like this is an unrealistic expectation, and not
| having the mode actually do that amounts to security
| theater, which is a far cry from decrying everything as
| such.
| ylk wrote:
| > I expect it to prevent attack vectors used by these
| APTs
|
| It does, it just doesn't close _all_ attack vectors used
| by APTs.
|
| They say[0]:
|
| > Turning on Lockdown Mode [...] further hardens device
| defenses and strictly limits certain functionalities,
| sharply reducing the attack surface that potentially
| could be exploited by highly targeted mercenary spyware.
|
| They don't say "turn this on and you'll be unhackable".
| They go on to say:
|
| > Apple will continue to strengthen Lockdown Mode and add
| new protections to it over time.
|
| So what they released in the current _beta_ is just the
| start. They decided that releasing Lockdown mode with
| only some additional protections would be worthwhile to
| at-risk users and I personally agree. It's both true
| that Lockdown likely helps at-risk users (see reply by
| _kbh_) and still has lots of room for improvement.
|
| [0]: https://www.apple.com/newsroom/2022/07/apple-expands-commitm...
| reaperducer wrote:
| _It does, it just doesn't close all attack vectors used
| by APTs._
|
| It's an ongoing problem with the pathological Apple-
| haters that they _imagine_ that Apple says or promises
| something, and spread that falsehood all over the
| internet, when in reality Apple promised no such thing.
| They see what they want to see.
|
| In addition to the thread above, another example is the
| dozens and dozens of times on HN where they claim that
| Apple promises that its app review process will keep 100%
| of malware out of the App Store. Apple doesn't make that
| claim. It says that app store reviews _help_ prevent
| malware.
|
| It's like discussing politics at the Thanksgiving table.
| People hear what they want to hear.
| _kbh_ wrote:
| > Lockdown is literally presented by Apple as being for
| people targeted by APTs like those developed by NSO
| Group, therefore I expect it to prevent attack vectors
| used by these APTs, like exploitation of the Developer
| program to facilitate sideloading malicious apps. I don't
| feel like this is an unrealistic expectation, and not
| having the mode actually do that amounts to security
| theater, which is a far cry from decrying everything as
| such.
|
| These APTs overwhelmingly use RCE vectors that are less
| obvious than side loading apps; iMessage is probably the
| most popular and I would hazard a guess that other
| popular messaging applications (WeChat, Signal, Telegram,
| etc) and Safari would be next.
| olliej wrote:
| Running an enterprise app still is not a trivial single tap
| on iOS.
|
| Obviously with the new EU legislation mandating support for
| unrestricted malware of this kind, that's kind of a moot
| factor in EU and EU-adjacent markets.
| Ansil849 wrote:
| > Running an enterprise app still is not a trivial single
| tap on iOS.
|
| Yes, but still successful, as Hermit demonstrated. So my
| question is whether Lockdown mode would have prevented
| APTs like Hermit which it claims to prevent against. If
| not, then the move is security theater which doesn't
| address the actual flaws (like poor vetting into the
| Enterprise Program) being successfully leveraged in the
| wild.
| olliej wrote:
| I had a more detailed reply to an earlier post you made -
| but the summary is "What constitutes an enterprise that
| should be allowed to have 'enterprise apps'"
| Ansil849 wrote:
| > "What constitutes an enterprise that should be allowed
| to have 'enterprise apps'"
|
| Apple has a list of requirements -
| https://developer.apple.com/programs/enterprise/ - for
| example, a company needs to have at least 100 employees.
| The issue, however, seems to be how stringently these
| requirements are enforced, or whether they are at all. In
| the case of Hermit, the Italian spyware company seems to
| have created a fake company and tricked Apple into
| granting the fake company access to the developer
| program. Now, the interesting question for me is whether
| the fake company actually managed to pass all of the
| requirements, like giving Apple a list of 100 fake
| employees, and whether Apple actually performed their due
| diligence and checked whether the employee list was
| real, or whether they accepted it at face value, or
| didn't even require it.
|
| In other words, I think a key takeaway from the latest
| incident is Apple needs to take accountability and harden
| their Enterprise program entry requirements, and I
| haven't seen anything about that being the case.
| tinus_hn wrote:
| I think you can also buy enterprise accounts on the black
| market, there used to be programs with pirated apps that
| used this kind of distribution.
| reaperducer wrote:
| _I haven't seen anything about that being the case._
|
| So, if revisions to Apple's internal policies and review
| processes aren't posted in Techcrunch, then they didn't
| happen?
| saagarjha wrote:
| Fun fact, the browser limitations used for lockdown mode are very
| similar to the existing restrictions that Apple already had in
| place for rendering captive portal screens :)
| pizlonator wrote:
| Nope. Captive portal mostly just disabled JIT. This is more
| comprehensive.
| jeshin wrote:
| If there's one thing I hate, it's websites "supporting" Tor by
| redirecting from a specific article to the main page of their (in
| this case non-functional) onion URL.
|
| Twitter did this too a while back, they made a big show of how
| they're supporting Tor now, and now whenever I click a link to a
| tweet via Tor, it redirects me to their frontpage.
|
| thanks, can you stop supporting tor now please, so I can use the
| site with tor again?
| Syonyk wrote:
| You know, I don't think I tested specific pages when I put the
| Tor meta support in. That's a fairly recent addition I was
| messing around with.
|
| It's a '<meta http-equiv="onion-location"' tag, and it points
| to the base URL even on the blog pages. I'll get that fixed to
| point to the actual page of interest (should be easy enough in
| Jekyll to just re-render things). It's handled client side in
| your browser, so you should be able to tell the browser to
| ignore that.
|
| But as far as I can tell, the Onion address _is_ up and
| operating.
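As an added illustration of the mismatch described above (not code from the thread or from the sevarg.net site): a small Python check that parses a page's Onion-Location meta tag and reports whether it points at the page's own path or only at the onion root. The clearnet URLs, HTML snippets and .onion host below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _OnionMetaParser(HTMLParser):
    """Collect the content= value of every <meta http-equiv="onion-location">."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() == "onion-location":
            self.targets.append(a.get("content", ""))


def check_onion_location(page_url, html):
    """Classify the Onion-Location target of one clearnet page.

    Returns (status, target) where status is:
      "missing"  - no Onion-Location meta tag present
      "invalid"  - target is not an http(s) URL on a .onion host
      "root"     - target drops the path (the site-wide tag from the thread)
      "mismatch" - target path differs from the clearnet page path
      "ok"       - target path equals the clearnet page path
    """
    parser = _OnionMetaParser()
    parser.feed(html)
    if not parser.targets:
        return "missing", ""
    target = parser.targets[0]
    t = urlparse(target)
    # Tor Browser only honours http(s) targets whose host is a .onion name.
    if t.scheme not in ("http", "https") or not (t.hostname or "").endswith(".onion"):
        return "invalid", target
    page_path = urlparse(page_url).path or "/"
    target_path = t.path or "/"
    if target_path == page_path:
        return "ok", target
    if target_path == "/":
        return "root", target  # every article lands on the front page
    return "mismatch", target


# Constructed sample data: a fixed page renders the page path into the tag
# (in Jekyll, something like the page's own URL), the broken one does not.
ONION = "http://placeholderplaceholderplaceholder.onion"  # constructed placeholder
POST_URL = "https://blog.example/2022/07/lockdown-mode/"
BROKEN_HTML = '<head><meta http-equiv="onion-location" content="%s/"></head>' % ONION
FIXED_HTML = '<head><meta http-equiv="Onion-Location" content="%s/2022/07/lockdown-mode/"></head>' % ONION
CLEARNET_HTML = '<head><meta http-equiv="onion-location" content="https://blog.example/"></head>'
```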
| jeshin wrote:
| Yes, unfortunately this is often the case. People who don't
| really use or test the site in Tor put in some half-baked
| support and it just ends up making things worse. But my
| grievances aside (and please don't take this personally, it's
| just an issue that I've encountered one too many times, so it
| gets on my nerves), thank you for fixing it, and indeed it
| looks like the onion URL is now online, it wasn't working for
| me earlier.
| Syonyk wrote:
| I very much appreciate it - as I said, it was something I'd
| missed in my dorking around with Tor. No idea why it was
| down earlier, unless it was just loaded - I haven't changed
| anything on the server related to Tor in a while.
|
| It seems any time a post of mine makes the HN rounds, I get
| some other weird corner case of my site pointed out, and it
| does improve things over time! Jekyll makes it easy to just
| re-render the site with changes like this too.
| Syonyk wrote:
| I think it's fixed now. The meta onion-location line is now
| pointing to the specific page, not the base website, and Whonix
| does the redirect to the proper page now.
|
| I'd missed that in testing - I went to the root domain, and it
| redirected properly and let me browse to pages, but I never
| went directly to a post, on a browser that wasn't already aware
| of the redirect. Thank you so much for pointing that out!
___________________________________________________________________
(page generated 2022-07-21 23:01 UTC)