Sweet QuaDreams or Nightmare Before Christmas? Dissecting an iOS 0-Day

Researchers uncover a zero-day iOS exploit, dubbed "QuaDream", used by threat actors to target specific individuals, potentially for political purposes or human rights violations, highlighting the importance of collaboration and mobile device security.

Key takeaways
  • Collaboration between researchers led to the discovery of a zero-day iOS exploit, dubbed “QuaDream”.
  • The exploit was used by threat actors to target specific individuals, potentially for political or human rights violations.
  • The exploit took advantage of the iMessage processing pipeline, specifically the add_id process, which is responsible for generating codes for iMessage invitations.
  • The attackers modified the rtbuddy file to inject malicious code into the add_id process, allowing them to execute arbitrary code on the device.
  • The exploit was designed to establish persistence on the device, allowing the attackers to maintain access even after a reboot.
  • The attackers used a combination of techniques, including dylib injection and function hooking, to bypass various security measures and achieve code execution.
  • The exploit was discovered in part due to the researchers’ focus on analyzing the device’s calendar database, which revealed suspicious activity.
  • The attackers used the calendar database to send malicious invitations to targeted individuals, which were then processed by the add_id process, allowing them to establish persistence on the device.
  • The exploit was particularly noteworthy due to its use of a novel attack vector, the iMessage processing pipeline, and its ability to bypass various security measures, including BlastDoor.
  • The researchers noted that the exploit was likely used to target specific individuals, potentially for political or human rights violations, and that it is important to continue monitoring and analyzing mobile devices to identify and mitigate these types of threats.
  • The researchers emphasized the importance of collaboration and information sharing between researchers and the need for continued attention to mobile device security.