Our valued sponsor

Is it possible to hack an iPhone if internet sharing is enabled on the phone?

Eh, perhaps one more naïve question – @0xDEADBEEF or anyone else familiar with Apple environment (sorry :( but I have almost no clue how the Apple sales and customer care network works):
Isn't it possible to come to some Apple Store or Service Center and say “Hi guys, I am a moron and allowed a real mess on my nice phone to arise; could you please get me rid of all this and reinstall the system?” and they reinstall the system from the scratch, wiping all (perhaps but ROM)? (Of course for some lump sum but probably for less than a new phone costs, not even mentioning the forensic analysis.)
It's apparently not a best solution for @clemens but just generally...
Now that you mention it, it would make a lot of sense for them to just reflash the OS when they get a customer device with exotic problems. They must have the tools to fully reinstall the system from scratch for their devices, not sure if they are willing though without 'proof' something exotic is happening. Next time I am in an Apple store I will try to find this out.

Some of their tools are hosted on gsx2.apple.com, but only authorized resellers or Apple personnel have access to it. Would be nice to know if anyone here has/had access to this portal and could tell us about the functionality. The scary part is that a lot of their (troubleshooting) tools is delivered over the network, so they can get most of the information they need by requesting it using your serial number.
 
It's very unlikely , probably just an app/setting .
You can analyze your shutdown.log file : Detecting iOS malware via Shutdown.log file
Automated tools : GitHub - KasperskyLab/iShutdown

You can get the files according to this tutorial: Documentation

Nice; but how one can be sure that the Sysdiagnose results/Shutdown.log file (I have looked here Detecting iOS malware via Shutdown.log file and at the tutorial) are not modified/generated by some code of the attacker? Kaspersky denote it as ”A lightweight method to detect potential iOS malware” – what it IMO really is...
 
  • Like
Reactions: 0xDEADBEEF
making a DNS is good, but what if the app has hard coded ip address.
that will avoid usage of Domain Name Server (Service).
on the other hand, making a separate WiFi and analyzing logs with WireShark would do the trick (hard work).

apple, and pretty much all vendors now a days, have a chain of bootloaders
integrity is not that easy to be compromised due to using very sophisticated math procedures for digital signature (RSA)

in order to run an app it has to be signed, unless signed with enterprise cert or xcode dev (which can be a vector to attack it)

earlier versions of Pegasus were residing in RAM (not in flash), and restart of device would wipe it clear.

anything is possible, but lets be realistic.

also, use lock down mode...another level of protection
 
Nice; but how one can be sure that the Sysdiagnose results/Shutdown.log file (I have looked here Detecting iOS malware via Shutdown.log file and at the tutorial) are not modified/generated by some code of the attacker? Kaspersky denote it as ”A lightweight method to detect potential iOS malware” – what it IMO really is...
They would need to bypass kpp and other protection measures . And they would need to hook diagnose functions , which also introduces more footprints and would it make more easily detectable .
 
They would need to bypass kpp and other protection measures .
:) Sorry – with kpp you mean kernel patch protection? (AFAIK, iOS is built on a Mach microkernel... how it can work there?)
And they would need to hook diagnose functions , which also introduces more footprints
Well... iOS is Unix-like, so the Shutdown.log file is just a dump of kernel messages; with the root privileges you can modify anything there anytime in not much traceable way, IMO... (but I might be completely wrong as I am only guessing about iOS using some general Unix knowledge).
 
Last edited:
Interesting comments.

Yes, it's possible, viable and doable. No, there isn't a physical possesion requirement. Whether it happened, depends on an examination results.

The investigation will provide more intelligence if you tunnel complete device traffic thru a server and analyze that traffic - setup a local VPN with own DNS for start. Be advised that SIM should be disabled and WLAN used exclusively in order to segregate.

In the end, assume compromise and establish sanitary cordon - dispose devices and associated SIM. Change iCloud. Transfer data from offline source.

After I allowed someone to use my mobile network through internet sharing on my iPhone, I feel that both my phone and my brand new Apple Watch Ultra 2 are acting strangely.

The man only had access for 5 minutes MAX, and it was only internet sharing—he did not have the phone in his hand.

Of course, it could just be a coincidence.

Indiferrent probability. May be a coincidence, may be an attack.

So you mean it is not possible to do so in 5 minutes with a iphone from an average guy hanging around in the local gym?

Why do you assume it's a random and average male person if a name of the thread implies nefarious aspect?

He came over to me one morning and said his phone had no network anymore, assuming his data was used up, and asked if I could share my internet with him. I said that I could, but only for 5 minutes, no more. I see him every morning... but never talk to him.

Your OCT content implies that you are aware and critical. What GYM doesn't have a WLAN for members? Probability is now more towards focused action.

Why would a person - assumed attacker - need to be an Israeli agent - maybe you are targeted for kidnaping because you are rich?

If the attacker has root privileges on the device, they could potentially embed the code deeply enough to survive a factory reset.

When a telehone device acts as hotspot, it's a routing and switching function that connects two protocols - 802.11 and any cellular connectivity (3G/4G/5G) on OSI layers 2 and 3, beside DHCP.

Compared to any other switches and routers, traffic passing thru by MAC or IP address does not employ more hardware resources as there is no traffic inspection.

DHCP is a program with root privilege and functions as a delegator of NATed addresses - from private networks scope 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 - that can't be routed via public networks.

A DHCP will assign an address to WLAN client where the traffic packets will be masqueraded by kernel mapping - in order to allow the access to public network and disguise the origin.

Theoreticaly, DHCP and its communication with kernel can have a vulnerability.

When that person's device got NATed address from your device hotspot function, its public address - delegated by provider was discovered. But, nowadays, CGNAT - a carrier grade NAT exist - so there isn't significant risk as your device won't share a directly accesssable public address.

Perhaps, in a scenario where you are not mapped with a device, you may (have been) be a target for permanent identification and location - IMEI/IMSI set or via previous, deployment of a complex payload.

There are malicious payloads for iPhone/iPad that require physical access - also, there are payloads that can be deployed via WLAN as they require network as an attack vector. Beware that security is a relative and that black swans do exist - even if everybody praise something - such as ssh - assume that it's compromised.
 
I setup a DNS server as suggested here, there are no unusual / external connections to see, that means I can be almost sure that nothing happened and the "strange behaviour" is more or less just a coincident or just iPhone problem?
 
  • Like
Reactions: 0xDEADBEEF
why would an attacker register a domain name instead of using ip address?
they can even get a cert for ip address (more difficult, but possible).

so, if you are actually doing something i really think you should do entire network monitoring (easier said than done, but chatgpt can help in examining the log)
I agree with you. If you can create your own proxy and configure DPI, you’ll have everything you need to perform thorough network analysis. You can then bring this data to a networking expert to examine your PCAPs.

Simply put, an attacker will use domains instead of IP addresses for multiple reasons. One reason, as you mentioned, is the ease of obtaining a certificate. In most offensive engagements, using an IP address would be avoided because proxy logs showing an IP address and a path are immediate red flags for analysts. From most attacks I’ve observed, an IP address is rarely used for long-term C2 communication. However, some less mature threat actors might use an IP address for initial access by hosting a malicious payload and connecting via IP. This approach is more common in non-targeted attacks, as malicious domains are blocked much faster than malicious IPs.

Every serious threat actor either registers or buys popular TLDs or uses existing CDN services for cloud fronting. Think of services like Cloudflare, Azure, and even Discord, to maintain control over compromised devices. No system administrator is likely to block Cloudflare or Azure IP ranges/domains, making it a very effective way to fly under the radar and bypass potential blacklisting.

For reference, you can take a look at the Pegasus IoCs here: investigations/2021-07-18_nso at master · AmnestyTech/investigations

I setup a DNS server as suggested here, there are no unusual / external connections to see, that means I can be almost sure that nothing happened and the "strange behaviour" is more or less just a coincident or just iPhone problem?
Good to read that you have not noticed anything weird. My advise would be to continue using your own DNS resolver and keep checking the logs. You could export the queries and extract the unique domains from them, then run these domains through a threat intelligence platform with a free API, such as AlienVault or Abuse.ch. Alternatively, you could invest some time in manually reviewing the list to reduce the number of false positives.

You could also attempt to use this free forensics tool I have found: Mobile Verification Toolkit.
 

Latest Threads