In the following post I go through how to escape from a truly air-gapped network using the Apple Wireless Direct Link (AWDL) network and leveraging an information-leakage privacy issue in Apple devices. The issue was fixed by Apple on 24th of April 2021 with iOS 14.5, iPadOS 14.5, watchOS 7.4 and macOS Big Sur 11.3.

We go through the following scenario:


Lately my colleagues and I were discussing developing new tests…

Zero-Click Zip TL;DR

I found a zero-click vulnerability in Apple Mail which allowed me to add or modify any arbitrary file inside Mail’s sandbox environment. This could lead to many bad things, including unauthorized disclosure of sensitive information to a third party. An attacker can modify the victim’s Mail configuration, including mail redirects, which enables takeover of the victim’s other accounts via password resets. This vulnerability can be used to change the victim’s configuration so that victims propagate the attack to their correspondents in a worm-like fashion. Apple patched this vulnerability in 2020-07.


I was researching another vulnerability case (I’ll write…

Plot twist: this time it is not about us doing vulnerability research and reporting. This is a story about our customer in action, told to us by their CISO with a promise to share it anonymously.

When there is a failure in network isolation — a leak — it gets blamed on bad design, faulty configuration or human error. It may feel like the blame is on you. Sometimes that misses the mark. This time was different. The root cause was a network product behaving badly. For once they, the vendors, get the spotlight. …

I recently found a surprising leak vector in Windows 10 installations. We were porting our Beacon Application to Windows and, for easy deployment, the plan was to create just one .exe including everything. However, we found out that Endpoint Protection (EPP) solutions didn’t like that at all, and we had to go with the MSI installer option. This is the story of what happened during the .exe testing.

I used my personal malware analysis lab for testing the application. My lab is an isolated network environment with whitelist-based firewall rules. A whitelist firewall is needed to carefully allow…

When you need to build isolated and strictly restricted Linux environments for special purposes, you want to know that they truly are, and stay, isolated. Typically isolation is done with strict firewall rules, VLAN segregation or even air gaps. But the common question remains: do you know that those restrictions work as expected?

This article will walk you through how to deploy the SensorFu Beacon Linux Application.

Step 1: Configure and download

To get things rolling, you need to have access to Beacon Home.

Log in to Beacon Home, create a new Beacon Linux Application and download it.

Download Beacon Application from Home

Step 2: Deploy

Transfer the binary to your target machine…

We recently implemented a network escape in SensorFu Beacon that uses Ethernet broadcasts. Why? First of all, you can test all the hosts in the LAN (Local Area Network) with one packet. Second, with broadcast frames, all the devices in the LAN think the frame is for them. Once we get past that point, we get to play with the funny ways in which network stacks work. In the last 10 years of network security auditing, we’ve seen devices act in interesting and sometimes exploitable ways when presented with specific types of broadcast frames.

How it works

On a local network, your data travels…

Mikko Kenttälä

Happy hacker
