[HN Gopher] How a single line of code could brick your iPhone
___________________________________________________________________
How a single line of code could brick your iPhone
Author : sashk
Score : 95 points
Date : 2025-04-27 19:12 UTC (3 hours ago)
(HTM) web link (rambo.codes)
(TXT) w3m dump (rambo.codes)
| _rrnv wrote:
| Great work! This is my favourite type of vulnerability, simple,
| effective and brutal. Reminds me of a time two decades ago when
| with a friend from uni we theorised about a perfect server
| vulnerability where you'd exploit a machine by pinging it. And of
| course, two years ago it was in fact discovered as
| CVE-2022-23093.
| Rygian wrote:
| Ping of death was already a thing two decades ago.
|
| https://web.archive.org/web/19981206105844/http://www.sophis...
| dgfitz wrote:
| This link doesn't show me anything useful.
| giantrobot wrote:
| Try scrolling down. On mobile (maybe because of ad
| blockers) Wayback pages now have a full screen of white space
| above the page contents for me. This happens on
| pretty much every Wayback page I've tried. It's also
| relatively recent and I'm not sure of the exact cause.
| NitpickLawyer wrote:
| Back in the dial-up days you could disconnect someone by adding
| ATH commands to a ping payload field.
| brontitall wrote:
| Only if their modem didn't implement the Hayes command set
| properly or you could otherwise control the per-character
| timing of the OS sending. It required a pause (1 sec by
| default), "+++" with no pauses, another pause, _then_ the ATH
| command.
| wat10000 wrote:
| Which was fairly common, as Hayes had a patent on those
| pauses.
| brontitall wrote:
| Huh, TIL. I guess they might have used TIES
|
| https://en.wikipedia.org/wiki/Time_Independent_Escape_Seq
| uen...
| NitpickLawyer wrote:
| I had an _external_ USRobotics 56k modem, I was immune. But
| the many many "bulk" no-name modems were vulnerable. You
| could ping entire ranges of dial-up IPs and watch the
| results on big IRC channels. Uhmmm, allegedly :)
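The guard-time rule brontitall describes is what separates a real escape from "+++ATH" riding inside a ping payload. The following toy simulation is an added example (not code from the thread): `hangs_up`, `burst`, the constructed byte streams and the simplified timing model are all assumptions, not real modem firmware.

```python
from typing import List, Tuple

GUARD_S = 1.0  # Hayes default guard time (S12 register: 50 x 20 ms)

def hangs_up(stream: List[Tuple[float, str]], require_guard: bool) -> bool:
    """Toy model of a modem's escape detector (constructed, not real firmware).
    stream: (arrival_time_s, byte) pairs seen on the data channel.
    A proper Hayes modem needs GUARD_S of silence before and after "+++";
    a sloppy one (require_guard=False) escapes on any back-to-back "+++".
    Returns True if the modem reaches command mode and accepts ATH.
    """
    command_mode = pending = False
    pluses, last_t, line = 0, float("-inf"), ""
    for t, ch in stream:
        gap, last_t = t - last_t, t
        if not command_mode:
            if pending and gap >= GUARD_S:      # trailing guard observed: real escape
                command_mode, pending = True, False
            elif ch == "+":
                pending = False
                if pluses == 0:                  # leading guard (skipped by sloppy modems)
                    pluses = 1 if (gap >= GUARD_S or not require_guard) else 0
                else:
                    pluses = pluses + 1 if gap < GUARD_S else 1
                if pluses == 3:
                    pluses = 0
                    if require_guard:
                        pending = True           # still need silence after "+++"
                    else:
                        command_mode = True      # "+++ATH" inside data is enough
                continue
            else:
                pending, pluses = False, 0       # ordinary data byte
                continue
        if ch == "\r":                           # command mode: act on a full line
            if line.strip().upper().startswith("ATH"):
                return True
            line = ""
        else:
            line += ch
    return False

def burst(text: str, start: float = 0.0, spacing: float = 0.001) -> List[Tuple[float, str]]:
    """Bytes arriving back-to-back at line rate, e.g. an echoed ping payload."""
    return [(start + i * spacing, c) for i, c in enumerate(text)]

# Constructed streams: a ping payload carrying "+++ATH", and a genuine user escape
PING_PAYLOAD = burst("abc+++ATH\r")
USER_ESCAPE = burst("abc") + burst("+++", 1.5) + burst("ATH\r", 3.0)
```

A modem that enforces the guard time ignores the payload but still honours the user's properly paced escape; the sloppy one hangs up on the payload.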
| cryptoegorophy wrote:
| I remember you could brute force passwords by brute forcing
| in sequence single characters to access anyone's disk on a
| giant dialup network. Crazy times.
| dado3212 wrote:
| Neat, $17,500 is pretty good. I'm so used to these blog posts
| being for peanuts, or where companies fix the vulnerability but
| don't pay out at all. Apple's gotten better about this since
| 2019.
| nativeit wrote:
| I read a comment under the story about the recent YouTube
| vulnerability where one could unmask the related Google account
| and its owner using the standard YouTube API (something similar
| to that anyway), and they explained a lot of lesser-known
| nuances in establishing values for bounties like these, and it
| helped explain a lot (not all) of the reasons for what might
| seem like low-ball/high-ball valuations on the surface. If I
| can find their comment I'll post back, it was really
| insightful. That said, there are also plenty of examples of
| people just getting shafted.
| sdeframond wrote:
| Probably one of those https://hn.algolia.com/?dateRange=all&p
| age=0&prefix=false&qu...
| croisillon wrote:
| Is this the one:
| https://news.ycombinator.com/item?id=43025038
| shrx wrote:
| > Looking into the binaries, SpringBoard was observing that
| notification to trigger the UI. The notification is triggered
| when the device is being restored from a local backup via a
| connected computer, but as established before, any process could
| send the notification and trick the system into entering that
| mode.
|
| This should probably be reworked regardless of whether the patch
| described in the article was implemented.
| jonplackett wrote:
| Anyone know how long ago that system would have been introduced?
|
| It seems like such an obvious security concern. Maybe it was
| pre-AppStore? And more assumed trust in other apps?
| plorkyeran wrote:
| The notification API is quite old (iOS 3). It's explicitly an
| untrusted API that you shouldn't use for something like showing
| the restore in progress UI, so I suspect that was something
| written quite a bit later. Widget extensions are iOS 14.
| There are older ways to run background tasks, but none of them
| would give the soft brick. Background fetch, for example,
| originally didn't run until after you launched an app for the
| first time after restarting.
| MBCook wrote:
| Wasn't it in OS X before that?
| brcmthrowaway wrote:
| Ultimately, does this require installing a sketchy app in the
| first place?
| saagarjha wrote:
| Yes.
| g-b-r wrote:
| Or a reputable one with that line of code included (in one of
| the updates, after having built a good reputation); maybe
| dormant until a certain date.
| MBCook wrote:
| Or a bug in some good app that allows an attacker to execute
| the right thing.
| piyuv wrote:
| Lots of credible apps use lots of dependencies. Find an
| abandoned one, get your code into it, ...
| urbandw311er wrote:
| Nice. I can only imagine what a crap day in the office it was
| when the iOS core team reviewed that one.
| doesnt_know wrote:
| I get that it's potentially lower priority since a user needs to
| actively install a malicious app, but that timeline doesn't
| exactly fill me with confidence...
___________________________________________________________________
(page generated 2025-04-27 23:00 UTC)