I haven’t previously contributed to this discussion, but I’m scratching my head trying to understand how kernel memory corruption causes a device to not boot. Plenty of others have asked, but I don’t see an answer anywhere. Sounds like a bigger bug at work?
Replying to @TheDaveCA @pati_gallardo
There is no bigger bug than remote kernel memory corruption, that is effectively game over. I think the disconnect here is that you're assuming "bricking" is higher severity and are confused why it's not called out as a possibility, but that's not the case.
You could use a kernel RCE to brick a phone, but that would be like spending $100k on a prank; most people would just give you their phone for half of that, so why would you do that? We envision govs developing attacks to spy on dissidents, not pranking their friends.
Replying to @taviso @pati_gallardo
I understand the risks of a kernel RCE. But what happened when she did her demo to help the engineers reproduce? Did they reboot their phones using the magic button sequences to force a hardware reboot? Or were their devices damaged beyond a reboot?
Replying to @TheDaveCA @pati_gallardo
Required DFU restore. Honestly, it's odd to say "did they reboot their phone" after I said bricked, it sounds like you're probing to catch me out.
Replying to @taviso @pati_gallardo
Not at all, I just wonder whether DFU was enough, or bricked to the point that not even that was possible. I read chunks of the thread and didn’t see an answer, although also possible I missed it. Basically curious: Could I fix this myself or would I need Apple.
Replying to @taviso @pati_gallardo
Oh absolutely. But a RCE that invariably results in a bricked device within seconds would arguably be less dangerous than one that could be exploited undetectably.
Replying to @TheDaveCA @pati_gallardo
If a vulnerability invariably results in a bricked device, that is not an RCE, right? That would be a remote DoS. The difference is that DoS is a subset of what you can do with an RCE (although why you would do that, I don't know).
Replying to @taviso @pati_gallardo
Maybe that’s part of the confusion? In the demo it was used as a DoS, I think? Did she need to brick the devices or could she have just displayed a picture of a brick on the screen (as a nod to ancient jailbreaking history)?
Your question is very confusing, nevertheless I will try to answer it. Yes, in theory she could have developed an exploit and made a payload that displayed a picture of a brick (?).
I regret I have but one brick picture to contribute. pic.twitter.com/AaeuzvRrWj