Sunday, November 17, 2024
Google search engine
HomeMobileJailbreakKaspersky team discusses how they discovered a KTRR bypass for arm64e devices...

Kaspersky team discusses how they discovered a KTRR bypass for arm64e devices at the 37c3 conference

Right on schedule, the group from Kaspersky that said they would take the stage at the 37c3 conferenceĀ on Wednesday to discuss their findings and showcase a KTRR bypass for arm64e devices (A12-A16, and maybe even A17) did exactly that this morning.

The Kaspersky team unveils the KTRR bypass for arm64e devices at 37c3.The Kaspersky team unveils the KTRR bypass for arm64e devices at 37c3.
The Kaspersky team discusses how they found a KTRR bypass for arm64e devices at 37c3.

Weā€™ll give a brief overview of what led the team to find what they did below, but if youā€™d rather watch the presentation yourself, then you may certainly do so.

The group, which was comprised of Boris Larin (@oct0xor), Leonid Bezvershenko (@bzvr_), and Georgy Kucherin (@kucher1n) shared an interesting story about how themselves and colleagues were targeted by malware and how they responded with careful triangulation and reverse engineering techniques to learn more about it.

After observing strange behavior in the form of unexpected communications to and from iOS devices connected to their Wi-Fi network, their interest was piqued and they decided to dive deeper. This led them to find an attack that could be triggered with a malicious iMessage.

The attackers appeared to try covering their tracks by removing any trace of the iMessage and assets that could lead the Kaspersky team to find out what was going on, but they made a vital error ā€” they didnā€™t remove all traces.

The Kaspersky team then set up a server to intercept the traffic where it could later be decrypted and inspected via forensic analysis. Through this method, they acquired the email addresses of their attackers and learned more about the workings of the attack.

Enter the KTRR bypass ā€” a way to bypass security mitigations put in place by Apple to prevent access to kernel memory in the kernel text readonly region ā€” which can be leveraged in a full exploit chain to make a jailbreak.

The attack chain for the KTRR bypass found by the Kaspersky team.The attack chain for the KTRR bypass found by the Kaspersky team.
A slide from the Kaspersky teamā€™s KTRR bypass talk at 37c3.
A slide from the Kaspersky teamā€™s KTRR bypass talk at 37c3.A slide from the Kaspersky teamā€™s KTRR bypass talk at 37c3.
A slide from the Kaspersky teamā€™s KTRR bypass talk at 37c3.

The KTRR bypass is hardware-based, which means that Apple canā€™t patch it with software updates. All the company can hope to do is obscure it with bandaids, but that wonā€™t be enough to keep determined jailbreak creators out for long.

To be clear, while the KTRR bypass is hardware-based, itā€™s not the same as a hardware-based bootrom exploit like checkm8. However, since itā€™s hardware based, it can be used on affected handsets time and time again for as long as needed to create new jailbreaks.

Apple is likely to tweak their hardware in future iPhones to ensure that they arenā€™t vulnerable to the KTRR bypass. Still, doing so wonā€™t fix the many devices that are already in circulation, which is why this is such a huge deal.

While newer software updates have obviously fixed the unique attack described by the Kaspersky team in detail today, anyone on an affected device type or firmware with a little bit of know-how can use the teamā€™s open-source tool to see if their device has been compromised by the same attack that their team was hit with.

As of now, the Kaspersky teamā€™s KTRR bypass isnā€™t yet publicized, but that is expected to change soon enough. It supports all firmware lower than iOS & iPadOS 16.6, which includes iOS & iPadOS 16.5.1 and older. Furthermore, the bypass works only on arm64e devices (A12-A16, and possibly A17, albeit the latter remains unconfirmed).

It will be interesting to see what becomes of the KTRR bypass, as it has the potential to bring us several more seasons of jailbreaking just when everyone was beginning to give up.

Dominic Rubhabha-Wardslaus
Dominic Rubhabha-Wardslaushttp://wardslaus.com
infosec,malicious & dos attacks generator, boot rom exploit philanthropist , wild hacker , game developer,
RELATED ARTICLES

Most Popular

Recent Comments

ź°•ģ„œźµ¬ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
źøˆģ²œźµ¬ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
ź“‘ėŖ…ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ź“‘ėŖ…ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ė¶€ģ²œģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
źµ¬ģ›”ė™ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ź°•ģ„œźµ¬ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ģ˜¤ģ‚°ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ź“‘ėŖ…ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
ģ•ˆģ–‘ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
ė¶€ģ²œģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ė™ķƒ„ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ģ„œģšøģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ė¶„ė‹¹ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ė¶€ģ²œģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ķ™”ź³”ė™ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
ź°•ģ„œźµ¬ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
ź³ ģ–‘ģ¶œģž„ģ•ˆė§ˆ on How to store XML data into a MySQL database using Python?
ķ™”ģ„±ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?
ģ²œķ˜øė™ģ¶œģž„ė§ˆģ‚¬ģ§€ on How to store XML data into a MySQL database using Python?