Fake Carrier App Appears on iPhone

In collaboration with Project Zero, TAG has published an additional post with more details around the targeting and the actor.

Six privilege escalation exploits are bundled with this app. This sideloading works because the app is signed with an enterprise certificate, which can be purchased for $299 via the Apple Enterprise developer program. An app signed with the developer certificate embedded within that mobileprovision file can be sideloaded on any iPhone, bypassing Apple's App Store review process. Then the triggering of a kernel vulnerability followed by well-known steps to turn that into something useful, perhaps by disclosing kernel memory, then building an arbitrary kernel memory write primitive.

We've had discussions within Project Zero about whether this DCP vulnerability is interesting at all. There's little public information about the DCP; the most comprehensive comes from the Asahi Linux project, which is porting Linux to M1 Macs. The Asahi Linux project reverse-engineered the API to talk to the DCP, but they are restricted to using Apple's DCP firmware (loaded by iBoot) - they can't use a custom DCP firmware.
