Is it possible to hack an iPhone if internet sharing is enabled on the phone?

[clemens]

After I allowed someone to use my mobile network through internet sharing on my iPhone, I feel that both my phone and my brand new Apple Watch Ultra 2 are acting strangely.

The man only had access for 5 minutes MAX, and it was only internet sharing—he did not have the phone in his hand.

Of course, it could just be a coincidence.

 

[sergeylim88]

ask your self how high profile target you are.
if you are really really high, then this is possible since it would be easier vector than SMS/WhatsApp message rooting/jailbraking.

on the other hand, after a hack like that you wouldn't be able to tell anything

 

[clemens]

So you mean it is not possible to do so in 5 minutes with a iphone from an average guy hanging around in the local gym?

 

[Martin Everson]

After I allowed someone to use my mobile network through internet sharing on my iPhone, I feel that both my phone and my brand new Apple Watch Ultra 2 are acting strangely.

Did they look like Mossad agent...lol?

Wifi packet exploits have existed in iphones. This could be a new exploit you have fallen victim to or your just paranoid.

iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks ever

Before Apple patch, Wi-Fi packets could steal photos. No interaction needed. Over the air.

arstechnica.com

 

[clemens]

thank you, interesting link

he looked like this guy with my phone

 

[Martin Everson]

Are you the one who suggested to share your wifi or did he?

 

[clemens]

He came over to me one morning and said his phone had no network anymore, assuming his data was used up, and asked if I could share my internet with him. I said that I could, but only for 5 minutes, no more. I see him every morning... but never talk to him.

 

[Martin Everson]

He came over to me one morning and said his phone had no network anymore, assuming his data was used up, and asked if I could share my internet with him. I said that I could, but only for 5 minutes, no more. I see him every morning... but never talk to him.

Are you getting any strange enter icloud password prompts? What you mean phone is acting strangely also?

 

[Forester]

Well, my answer to the question in the thread title is: for sure.

So you mean it is not possible to do so in 5 minutes with a iphone from an average guy hanging around in the local gym?

From an average guy likely not. IMO. But are you sure that it was an average guy? He need not be an agent of Mossad, just IT skilled.

Of course, it could just be a coincidence.

Of course. I am saying. Some person with a life experience in security (not necessarily three letter agencies) would say there are no coincidences

 

[sergeylim88]

well @0xDEADBEEF is IT skilled as you said, lets ask him if he could do it if he wanted

exploits like that are patched very fast after they become public.
zero day are expensive, rare...

 

[Forester]

exploits like that are patched very fast after they become public.
zero day are expensive, rare...

iOS is quite safe, definitely much safer than a common Android; but it is a closed proprietary system. 99% of the general public know literally nothing about the current situation with exploits; and the people who are insiders are (understandably) very restrained in publishing anything.

well @0xDEADBEEF is IT skilled as you said, lets ask him if he could do it if he wanted

Well, I agree that @0xDEADBEEF can give some valuable insight into this.

 

[clemens]

Are you getting any strange enter icloud password prompts? What you mean phone is acting strangely also?

No, it's that some applications don't load properly (I've restarted the phone several times) and then suddenly it makes these strange click vibrations when you swipe through the pages on the main screen. And today, my Apple Watch went crazy, it wouldn't start Spotify, and it just kept loading when I set it to GYM mode... I've also reset the watch, and so far it works again.

 

[0xDEADBEEF]

This seems interesting. Is it possible? Definitely possible as long as there are mercenaries performing offensive security work and governments financing those activities. Feasible? It depends on whether you are working on something that might impact or benefit a powerful adversary. In 99 out of 100 cases, it would be a nation-state threat actor performing such an attack. It might not be their tools or personnel, but it will definitely be for their own motivations.

The way it works is that your phone sets up a small private network and acts as the gateway for his connections. This means you technically have more opportunities to perform an adversary-in-the-middle attack where you could manipulate his connections. However, you also open up your phone and some services to his device. While it’s possible, he would need some sort of delivery method on his device as well. So, if something like this occurred, you would be dealing with a very skilled adversary.

As Sergey says, zero days are very expensive and, unfortunately, rare for the public. There is definitely a lot of business going around selling these exploits, so you should be really objective about your identity, your activities and whether there is some benefit to bringing out the big guns and bucks to compromise you.

But you should also define what you constitute as strange behavior (how are the applications not loading? Do they appear blank, shut down, make your phone freeze?, because you are mentioning it on your phone and your watch. Funnily enough, I met a well-known forensic expert a while ago who mentioned to me that they (law enforcement) already have methods to extract data from Apple Watches with just access to the iPhone for forensic investigations. I have not done a deep dive into this, but if you are able to perform forensics this way, then it is safe to say that ‘hopping’ devices is also possible.

Normally, I would say do not touch your device and see a forensic expert who specializes in mobile devices ASAP, but that might not be easy to find in your case, nor would you perhaps be willing to pay a hefty amount for a deep dive that might not have been needed.

So I can also recommend you do the following:

• Disconnect any shared networks (WiFi/Ethernet) where the devices could potentially connect to other devices.
• Persistence is key in most attacks and actually way harder to pull off on iOS, as mentioned you have already rebooted your device. You could potentially wiped some valuable evidence because of this, for instance, information about how the attack occurred could be stored here. But if the attacker already has established persistence, this won’t matter as the malicious code will probably appear in memory again.
• Attackers have used the Shortcuts app on iOS in the past; this could be used to configure certain triggers to run a malicious executable again to help an attacker connect to your device. If you use the app, try to see whether unknown automations have appeared in the Shortcuts app.
• Also, I think you mentioned somewhere that you were in IT. What you could potentially do is set up your own DNS server and configure it as the DNS server for the iPhone. This way, you can also see what connections your devices make and identify any anomalies in the connections, assuming they connect to a C2 (Command & Control) server via HTTP/DNS.

The good news is, you do not have Android, where it is much easier to trick you into giving more privileges to attackers.

 

[JohnnyDoe]

Lesson: when you go to the gym, lift weights, don’t waste time with your phone.

 

[Forester]

This seems interesting. Is it possible? Definitely possible as long as there are mercenaries performing offensive security work and governments financing those activities. Feasible? It depends on whether you are working on something that might impact or benefit a powerful adversary. In 99 out of 100 cases, it would be a nation-state threat actor performing such an attack. It might not be their tools or personnel, but it will definitely be for their own motivations.

The way it works is that your phone sets up a small private network and acts as the gateway for his connections. This means you technically have more opportunities to perform an adversary-in-the-middle attack where you could manipulate his connections. However, you also open up your phone and some services to his device. While it’s possible, he would need some sort of delivery method on his device as well. So, if something like this occurred, you would be dealing with a very skilled adversary.

As Sergey says, zero days are very expensive and, unfortunately, rare for the public. There is definitely a lot of business going around selling these exploits, so you should be really objective about your identity, your activities and whether there is some benefit to bringing out the big guns and bucks to compromise you.

But you should also define what you constitute as strange behavior (how are the applications not loading? Do they appear blank, shut down, make your phone freeze?, because you are mentioning it on your phone and your watch. Funnily enough, I met a well-known forensic expert a while ago who mentioned to me that they (law enforcement) already have methods to extract data from Apple Watches with just access to the iPhone for forensic investigations. I have not done a deep dive into this, but if you are able to perform forensics this way, then it is safe to say that ‘hopping’ devices is also possible.

Normally, I would say do not touch your device and see a forensic expert who specializes in mobile devices ASAP, but that might not be easy to find in your case, nor would you perhaps be willing to pay a hefty amount for a deep dive that might not have been needed.

So I can also recommend you do the following:

• Disconnect any shared networks (WiFi/Ethernet) where the devices could potentially connect to other devices.
• Persistence is key in most attacks and actually way harder to pull off on iOS, as mentioned you have already rebooted your device. You could potentially wiped some valuable evidence because of this, for instance, information about how the attack occurred could be stored here. But if the attacker already has established persistence, this won’t matter as the malicious code will probably appear in memory again.
• Attackers have used the Shortcuts app on iOS in the past; this could be used to configure certain triggers to run a malicious executable again to help an attacker connect to your device. If you use the app, try to see whether unknown automations have appeared in the Shortcuts app.
• Also, I think you mentioned somewhere that you were in IT. What you could potentially do is set up your own DNS server and configure it as the DNS server for the iPhone. This way, you can also see what connections your devices make and identify any anomalies in the connections, assuming they connect to a C2 (Command & Control) server via HTTP/DNS.

The good news is, you do not have Android, where it is much easier to trick you into giving more privileges to attackers.

@0xDEADBEEF, I admit I am not familiar with iOS (fortunately, since some time, I has not been forced to touch any non-free system even with a meter pole), so just an incompetent question: isn't there such a trick as Factory Reset, which brings a device back to the original factory status and settings? Of course it would be necessary afterwards to restore personal settings from backup or redo it (the latter is probably a nightmare); but it might be a safe(?) solution?

 

[clemens]

What you could potentially do is set up your own DNS server and configure it as the DNS server for the iPhone.

I can do that and give it a try.

Thank you very much for your very detailed explanation of this whole mess. So much for being kind and sharing your WiFi on the phone for just 5 minutes.

I no longer take my phone to the gym, which is why I bought this Apple Watch, but if the jerk has access to the watch, it's almost the same... However, I can throw the watch away and buy a new one since there's nothing special installed on it. It's worse with the phone. What do you think it would cost to get a phone checked? And who could you imagine could do such a thing?

 

[aniglo22]

It's very unlikely , probably just an app/setting .
You can analyze your shutdown.log file : Detecting iOS malware via Shutdown.log file
Automated tools : GitHub - KasperskyLab/iShutdown

 

[0xDEADBEEF]

@0xDEADBEEF, I admit I am not familiar with iOS (fortunately, since some time, I has not been forced to touch any non-free system even with a meter pole), so just an incompetent question: isn't there such a trick as Factory Reset, which brings a device back to the original factory status and settings? Of course it would be necessary afterwards to restore personal settings from backup or redo it (the latter is probably a nightmare); but it might be a safe(?) solution?

Good question! Restoring the system to a vulnerable state could provide only a temporary solution. It’s safe to assume that any adversary who has already targeted your device might have gathered specific information that could make future attacks easier. Additionally, spyware on iOS has been known to trick users into believing a device has been turned off, while still operating in the background. So some behaviour has been observed in regards to tricking users the phone is in certain state while it is not.

I’m not entirely familiar with the exact processes at a file system level during a factory reset on an iPhone. However, I imagine that malicious code could be hidden in a system partition that is not wiped during the reset. If the attacker has root privileges on the device, they could potentially embed the code deeply enough to survive a factory reset. But I find this pretty hard to pull off, since Apple has a lot of integrity checks integrated, especially since the latest spyware campaigns.

But even in most enterprise environments I am used to just swapping devices when an attack has occurred and then sending the device back to the vendor. So I would always advise to get a fresh device and not touch the compromised device as there is some juicy information on there that could help find the narrative of the attack.

I no longer take my phone to the gym, which is why I bought this Apple Watch, but if the jerk has access to the watch, it's almost the same... However, I can throw the watch away and buy a new one since there's nothing special installed on it. It's worse with the phone. What do you think it would cost to get a phone checked? And who could you imagine could do such a thing?

I’m just estimating here, but I know that standard forensic services, such as collecting data from mobile devices, typically cost between 1500 to 2500 euros for the full package. This includes reporting with expert interpretation if needed for a court hearing. This process generally involves plugging the device into a forensic tool, analyzing the data, and producing a useful report, with the expert being willing to testify in court if necessary. For a deeper dive, the costs will probably start around 5000 to 6000 euros, as this would involve an actual expert conducting a thorough investigation. Keep in mind that this also means providing your device as-is, so your private data will be examined.

You might want to look around in your region for a cybersecurity company that offers Incident Response services coupled with digital forensics. Keywords to search for include Digital Forensics, Incident Response, Mobile Forensics, and Incident Response Specialists. Often, you will find skilled professionals who can either assist you or refer you to someone who can.

However, the likelihood of you being targeted is quite small. I understand your concern, as I would be cautious in this situation too. Often, setting up your own DNS or a private network where you can perform Deep Packet Inspection (DPI) to monitor for unusual activity can be sufficient. Why? Your network never lies. If an attacker has compromised your device, there must be a way for them to communicate with the outside world. By creating a network with extensive logging and ensuring every connection on your device passes through it, you can perform some network forensics. Depending on your experience, you might not have the skills for a deep dive, but this will help you collect evidence if you decide to consult a specialist. And who knows, maybe the data will show that nothing suspicious is happening.

 

[Forester]

Restoring the system to a vulnerable state could provide only a temporary solution. It’s safe to assume that any adversary who has already targeted your device might have gathered specific information that could make future attacks easier.

For sure.

Additionally, spyware on iOS has been known to trick users into believing a device has been turned off, while still operating in the background. So some behaviour has been observed in regards to tricking users the phone is in certain state while it is not.

Wow.

I’m not entirely familiar with the exact processes at a file system level during a factory reset on an iPhone. However, I imagine that malicious code could be hidden in a system partition that is not wiped during the reset.

The only comment from me:
If any writable partition is not wiped during the reset then I do not call this operation safe.
My imagination about the factory reset was “everything is wiped except some ROM (not EPROM) and then the necessary applications and settings are restored, probably partially via download” (like if you are installing some free OS from a “net” ISO image).

If the attacker has root privileges on the device, they could potentially embed the code deeply enough to survive a factory reset.

In the case that you have described, definitely.

But I find this pretty hard to pull off, since Apple has a lot of integrity checks integrated, especially since the latest spyware campaigns.

Yes. But – who knows

But even in most enterprise environments I am used to just swapping devices when an attack has occurred and then sending the device back to the vendor. So I would always advise to get a fresh device and not touch the compromised device as there is some juicy information on there that could help find the narrative of the attack.

I second this.

I understand your concern, as I would be cautious in this situation too.

So would I, naturally.

Often, setting up your own DNS or a private network where you can perform Deep Packet Inspection (DPI) to monitor for unusual activity can be sufficient. Why? Your network never lies. If an attacker has compromised your device, there must be a way for them to communicate with the outside world. By creating a network with extensive logging and ensuring every connection on your device passes through it, you can perform some network forensics. Depending on your experience, you might not have the skills for a deep dive, but this will help you collect evidence if you decide to consult a specialist. And who knows, maybe the data will show that nothing suspicious is happening.

An excellent analysis and recommendation!

 

[Forester]

Eh, perhaps one more naïve question – @0xDEADBEEF or anyone else familiar with Apple environment (sorry but I have almost no clue how the Apple sales and customer care network works):
Isn't it possible to come to some Apple Store or Service Center and say “Hi guys, I am a moron and allowed a real mess on my nice phone to arise; could you please get me rid of all this and reinstall the system?” and they reinstall the system from the scratch, wiping all (perhaps but ROM)? (Of course for some lump sum but probably for less than a new phone costs, not even mentioning the forensic analysis.)
It's apparently not a best solution for @clemens but just generally...