Un-Sexy Headline: USB Restricted Mode Will Improve iPhone User Security

By Riana Pfefferkorn on June 14, 2018 at 4:01 pm

In the upcoming version of the Apple iPhone iOS operating system, iOS 12, the phone’s Lightning cable port (used for charging and data transmission) will be disabled an hour after the phone is locked. The device will still charge, but transferring data to or from the device via the Lightning cable will require entering the device’s password first. Connecting to the data port via Lightning cable is what third-party forensic devices called Cellebrite and GrayKey rely upon to extract data from locked, encrypted iPhones. These tools (made, respectively, by the eponymous Cellebrite and a company called Grayshift) are employed by U.S. law enforcement agencies at federal, state, and local levels. Unsurprisingly, just about everybody covering the story is framing Apple’s move as one that will thwart law enforcement.[…]

https://cyberlaw.stanford.edu/blog/2018/06/un-sexy-headline-usb-restricted-mode-will-improve-iphone-user-security

Apple fixed firmware vulnerability found by Positive Technologies

June 14, 2018
The vulnerability allowed exploitation of a critical flaw in Intel Management Engine and may still be present in equipment from other vendors that use Intel processors. Apple released an update for macOS High Sierra 10.13.4, which fixes the firmware vulnerability CVE-2018-4251 found by Positive Technologies experts Maxim Goryachy and Mark Ermolov. For more details, see Apple Support.[…]

http://blog.ptsecurity.com/2018/06/apple-fixed-vulnerability-founde-by-PT-experts.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4251
https://support.apple.com/en-us/HT208849

Apple macOS 10.13.5 EFI update, CVE-2018-4251

https://support.apple.com/en-us/HT208849

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4251


Duo on Apple firmware security (and new EFIgy release)

Nice article: the latest Apple changes to firmware security (the T2 processor, Secure Boot, etc.) are discussed here. Maybe one day Apple will publish a similar whitepaper.

https://duo.com/blog/apple-imac-pro-and-secure-storage

http://efigy.io/

Apple to make their own processor, replacing Intel?

Quoting Bloomberg:

Apple Inc. is planning to use its own chips in Mac computers beginning as early as 2020, replacing processors from Intel Corp., according to people familiar with the plans. The initiative, code named Kalamata, is still in the early developmental stages, but comes as part of a larger strategy to make all of Apple’s devices — including Macs, iPhones, and iPads — work more similarly and seamlessly together, said the people, who asked not to be identified discussing private information. The project, which executives have approved, will likely result in a multi-step transition.

https://www.bloomberg.com/news/articles/2018-04-02/apple-is-said-to-plan-move-from-intel-to-own-mac-chips-from-2020

https://www.theverge.com/circuitbreaker/2018/4/2/17189372/apple-intel-chip-processors-macs-date

https://www.ft.com/content/1c0637da-36a1-11e8-8eee-e06bde01c544

SDQAnalyzer: A Saleae analyzer plugin for the SDQ (Apple Lightning, MagSafe, Battery) protocol

https://github.com/nezza/SDQAnalyzer

A Saleae analyzer plugin for the SDQ (Apple Lightning, MagSafe, Battery) protocol.

https://support.saleae.com/hc/en-us/articles/115005987726-Protocol-Analyzer-SDK

Example of the analyzer in action

MacAdmins Podcast: Episode 70: Secure Boot

Synopsis: Tim Perfitt joins the pod to talk about SecureBoot, the iMac Pro, the future of securing everything, and the history of BootRunner and other products at Twocanoes.

Your Hosts:
Tom Bridge, Partner at Technolutionary LLC [@tbridge]
Pepijn Bruienne, R&D Engineer at Duo Security [@bruienne], Proprietor of EnterpriseMac.Bruienne.com
Charles Edge, Director of Marketplace at Jamf, [@cedge318]

Guests: Tim Perfitt, Founder of Twocanoes Software

https://podcast.macadmins.org/2018/02/21/episode-70-tim-perfitt-twocanoes-software/

Show notes:

https://twocanoes.com/secureboot-imac-pro/

Low-level iOS forensics: iBoot ‘metadata whitening’

Low-level iOS forensics
Thu 28 June 2012 by jean

iOS filesystem encryption and data protection mechanisms are now well documented and supported by many forensics tools. iOS devices use NAND flash memory as their main storage area, but physical imaging usually refers to a “dd image” of the logical partitions. The iOS Flash Translation Layer for current devices is software-based (implemented in iBoot and the kernel), which means that the CPU has direct access to raw NAND memory. In this post we will describe how to acquire a NAND image and use FTL metadata to recover deleted files on A4 devices. The information presented here is based on the great reverse engineering work done by the iDroid/openiBoot team.[…]

http://esec-lab.sogeti.com/posts/2012/06/28/low-level-ios-forensics.html

https://code.google.com/archive/p/iphone-dataprotection/wikis

Apple baseband comm driver kext source leaked?

https://twitter.com/Mario_Vilas/status/962023148806750208

https://twitter.com/internals_apple/status/962143308070957057

https://twitter.com/Apple_External/status/962147625221767168

https://twitter.com/internals_apple/status/961391228771332097

https://twitter.com/kittenpies3/status/962343688373440513

Apple iBoot source code gets leaked

DMCA takedowns have removed some of the copies, but multiple others are still online.

https://twitter.com/Morpheus______/status/961369055700627456

https://github.com/ZioShiba/iBoot

https://github.com/h1x0rz3r0/iBoot

https://github.com/emrakul2002/iboot

https://0xacab.org/sizeofcat/iBoot


MountEFI – Mac tool to select the drive containing an EFI partition to mount

This Mac-centric bash script has been rewritten as a Mac-centric Python script:

“A more robust edition of my previous MountEFI script. Added my usual collection of disk functions – plus some experimentation with callback functions.

import sys

def custom_quit():
    # head() is MountEFI's own helper that clears the screen and prints a
    # title banner; it is defined elsewhere in the script.
    head("MountEFI")
    print("by CorpNewt\n")
    print("Thanks for testing it out, for bugs/comments/complaints")
    print("send me a message on Reddit, or check out my GitHub:\n")
    print("www.reddit.com/u/corpnewt")
    print("www.github.com/corpnewt\n")
    print("Have a nice day/night!\n\n")
    # The quit callback ends the script once the farewell banner is shown.
    sys.exit(0)

https://github.com/corpnewt/MountEFI

iExtractor: automate extraction from iOS firmware files

iExtractor: Automate Extraction from iOS Firmware Files
iExtractor is a collection of tools and scripts to automate data extraction from iOS firmware files (i.e. IPSW files). It runs on macOS and partially on Linux (certain tools and features only work on macOS). IPSW (iPhone Software) files are provided publicly by Apple for OTA (over-the-air) updates for devices running iOS. ipsw.me provides links to IPSW files by device and iOS version. Similar information is on The iPhone Wiki. IPSW files are ZIP files packing the filesystem, kernel image and other files. The filesystem image and kernel image files for iOS <= 9 are encrypted; the firmware keys for most of these files are provided by the community on The iPhone Wiki. In the command output below 058-25512-331.dmg (the largest file) is the filesystem image file and kernelcache.release.n41 is the kernel image file or the kernelcache.[…]

https://github.com/malus-security/iExtractor
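As an added example (not iExtractor's own code or part of the original post), the following Python treats an IPSW the way the description above implies: open it as a ZIP, take the largest .dmg as the root filesystem image and the member whose name starts with kernelcache. as the kernelcache. The archive is constructed in memory; apart from 058-25512-331.dmg and kernelcache.release.n41, the member names and sizes are made up for this example.

```python
import io
import zipfile

# Constructed sample IPSW contents (an IPSW is a plain ZIP archive). Sizes and
# most member names are invented; only the two names quoted in the post are real.
SAMPLE_MEMBERS = {
    "BuildManifest.plist": b"<plist/>",
    "Restore.plist": b"<plist/>",
    "058-25512-331.dmg": b"\x00" * 4096,   # largest .dmg -> root filesystem image
    "058-25501-331.dmg": b"\x00" * 512,    # smaller image (e.g. a ramdisk)
    "kernelcache.release.n41": b"\x00" * 1024,
    "Firmware/dfu/iBSS.n41ap.RELEASE.dfu": b"\x00" * 64,
}

def build_sample_ipsw():
    """Build the constructed IPSW as bytes so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in SAMPLE_MEMBERS.items():
            zf.writestr(name, data)
    return buf.getvalue()

def classify_ipsw(ipsw_bytes):
    """Return (filesystem_dmg, kernelcache, other_dmgs) for an IPSW.

    The root filesystem image is the largest .dmg in the archive, judged by the
    uncompressed size recorded in the ZIP central directory; the kernelcache is
    the member whose base name starts with 'kernelcache.'.
    """
    with zipfile.ZipFile(io.BytesIO(ipsw_bytes)) as zf:
        infos = zf.infolist()
        dmgs = sorted((i for i in infos if i.filename.lower().endswith(".dmg")),
                      key=lambda i: i.file_size, reverse=True)
        kernelcaches = [i.filename for i in infos
                        if i.filename.split("/")[-1].startswith("kernelcache.")]
    if not dmgs or not kernelcaches:
        raise ValueError("not an IPSW: missing .dmg or kernelcache member")
    return dmgs[0].filename, kernelcaches[0], [i.filename for i in dmgs[1:]]

if __name__ == "__main__":
    fs, kc, others = classify_ipsw(build_sample_ipsw())
    print("filesystem image:", fs)
    print("kernelcache:", kc)
    print("other images:", others)
```

Pointing classify_ipsw at the bytes of a real IPSW only identifies the members; decrypting the iOS <= 9 images still needs the firmware keys the post mentions.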


Apple seeks Junior UEFI Security Engineer


AptioFix: drivers for using Aptio to boot macOS

AptioFix: AptioFixPkg drivers fixing certain UEFI APTIO Firmware issues relevant to booting macOS.

WARNING: The code in this repository should be considered to be a proof of concept draft quality, and is only intended to be used as a software implementation guide. Due to the lack of time, this codebase may contain partially understood reverse-engineering samples, almost no documentation, hacks, and absolute ignorance of EDK2 codestyle.

AptioInputFix: Reference driver to shim AMI APTIO proprietary mouse & keyboard protocols for File Vault 2 GUI input support.

Features
* Sends pressed keys to APPLE_KEY_MAP_DATABASE_PROTOCOL
* Fixes mouse movement via EFI_SIMPLE_POINTER_PROTOCOL
[…]

https://github.com/vit9696/AptioFixPkg