Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox

Presented at Black Hat Asia 2017, March 30, 2017, 3:30 p.m. (60 minutes)

Wi-Fi is nowadays an established technology - supported on almost all devices - including the Apple iOS ones.

In this talk, we discuss how to exploit an iOS device remotely via Wi-Fi without any user interaction, completely bypassing the iOS sandbox. We will disclose a chain of several vulnerabilities, leading to arbitrary code execution outside of the iOS sandbox and show that the device can be compromised in different ways in the post exploitation phase.

The victim will only have to join the Wi-Fi network, and then the device will be compromised without any user interaction, bypassing all iOS mitigations and sandboxes.

Presenters:

  • Marco Grassi - Senior Security Researcher, Keen Lab of Tencent
    Marco Grassi is currently a Senior Security Researcher of the Keen Lab of Tencent (previously known as KEEN Team). He was one of the main contributors at Pwn2Own 2016 for the Safari target with sandbox escape to root. He is a member of the team who won the title of "Master Of Pwn" at Pwn2Own 2016. His current focus is mainly Android and OS X/iOS and sandbox escapes. When he's not poking around software, he enjoys developing embedded and electronic systems. He has spoken at several international security conferences such as Black Hat USA and Asia, ZeroNights, Codegate, HITB, ShakaCon and CanSecWest. You can find him on Twitter at @marcograss.
