Our valued sponsor

Is it possible to hack an iPhone if internet sharing is enabled on the phone?

Register now
You must login or register to view hidden content on this page.
Eh, perhaps one more naïve question – @0xDEADBEEF or anyone else familiar with Apple environment (sorry :( but I have almost no clue how the Apple sales and customer care network works):
Isn't it possible to come to some Apple Store or Service Center and say “Hi guys, I am a moron and allowed a real mess on my nice phone to arise; could you please get me rid of all this and reinstall the system?” and they reinstall the system from the scratch, wiping all (perhaps but ROM)? (Of course for some lump sum but probably for less than a new phone costs, not even mentioning the forensic analysis.)
It's apparently not a best solution for @clemens but just generally...
Now that you mention it, it would make a lot of sense for them to just reflash the OS when they get a customer device with exotic problems. They must have the tools to fully reinstall the system from scratch for their devices, not sure if they are willing though without 'proof' something exotic is happening. Next time I am in an Apple store I will try to find this out.

Some of their tools are hosted on gsx2.apple.com, but only authorized resellers or Apple personnel have access to it. Would be nice to know if anyone here has/had access to this portal and could tell us about the functionality. The scary part is that a lot of their (troubleshooting) tools is delivered over the network, so they can get most of the information they need by requesting it using your serial number.
 
It's very unlikely , probably just an app/setting .
You can analyze your shutdown.log file : Detecting iOS malware via Shutdown.log file
Automated tools : GitHub - KasperskyLab/iShutdown

You can get the files according to this tutorial: Documentation

Nice; but how one can be sure that the Sysdiagnose results/Shutdown.log file (I have looked here Detecting iOS malware via Shutdown.log file and at the tutorial) are not modified/generated by some code of the attacker? Kaspersky denote it as ”A lightweight method to detect potential iOS malware” – what it IMO really is...
 
  • Like
Reactions: 0xDEADBEEF
making a DNS is good, but what if the app has hard coded ip address.
that will avoid usage of Domain Name Server (Service).
on the other hand, making a separate WiFi and analyzing logs with WireShark would do the trick (hard work).

apple, and pretty much all vendors now a days, have a chain of bootloaders
integrity is not that easy to be compromised due to using very sophisticated math procedures for digital signature (RSA)

in order to run an app it has to be signed, unless signed with enterprise cert or xcode dev (which can be a vector to attack it)

earlier versions of Pegasus were residing in RAM (not in flash), and restart of device would wipe it clear.

anything is possible, but lets be realistic.

also, use lock down mode...another level of protection
 
Nice; but how one can be sure that the Sysdiagnose results/Shutdown.log file (I have looked here Detecting iOS malware via Shutdown.log file and at the tutorial) are not modified/generated by some code of the attacker? Kaspersky denote it as ”A lightweight method to detect potential iOS malware” – what it IMO really is...
They would need to bypass kpp and other protection measures . And they would need to hook diagnose functions , which also introduces more footprints and would it make more easily detectable .
 
They would need to bypass kpp and other protection measures .
:) Sorry – with kpp you mean kernel patch protection? (AFAIK, iOS is built on a Mach microkernel... how it can work there?)
And they would need to hook diagnose functions , which also introduces more footprints
Well... iOS is Unix-like, so the Shutdown.log file is just a dump of kernel messages; with the root privileges you can modify anything there anytime in not a much traceable way, IMO... (but I might be completely wrong as I am only guessing about iOS using some general Unix knowledge).
 
Last edited:
Interesting comments.

Yes, it's possible, viable and doable. No, there isn't a physical possesion requirement. Whether it happened, depends on an examination results.

The investigation will provide more intelligence if you tunnel complete device traffic thru a server and analyze that traffic - setup a local VPN with own DNS for start. Be advised that SIM should be disabled and WLAN used exclusively in order to segregate.

In the end, assume compromise and establish sanitary cordon - dispose devices and associated SIM. Change iCloud. Transfer data from offline source.

After I allowed someone to use my mobile network through internet sharing on my iPhone, I feel that both my phone and my brand new Apple Watch Ultra 2 are acting strangely.

The man only had access for 5 minutes MAX, and it was only internet sharing—he did not have the phone in his hand.

Of course, it could just be a coincidence.

Indiferrent probability. May be a coincidence, may be an attack.

So you mean it is not possible to do so in 5 minutes with a iphone from an average guy hanging around in the local gym?

Why do you assume it's a random and average male person if a name of the thread implies nefarious aspect?

He came over to me one morning and said his phone had no network anymore, assuming his data was used up, and asked if I could share my internet with him. I said that I could, but only for 5 minutes, no more. I see him every morning... but never talk to him.

Your OCT content implies that you are aware and critical. What GYM doesn't have a WLAN for members? Probability is now more towards focused action.

Why would a person - assumed attacker - need to be an Israeli agent - maybe you are targeted for kidnaping because you are rich?

If the attacker has root privileges on the device, they could potentially embed the code deeply enough to survive a factory reset.

When a telehone device acts as hotspot, it's a routing and switching function that connects two protocols - 802.11 and any cellular connectivity (3G/4G/5G) on OSI layers 2 and 3, beside DHCP.

Compared to any other switches and routers, traffic passing thru by MAC or IP address does not employ more hardware resources as there is no traffic inspection.

DHCP is a program with root privilege and functions as a delegator of NATed addresses - from private networks scope 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 - that can't be routed via public networks.

A DHCP will assign an address to WLAN client where the traffic packets will be masqueraded by kernel mapping - in order to allow the access to public network and disguise the origin.

Theoreticaly, DHCP and its communication with kernel can have a vulnerability.

When that person's device got NATed address from your device hotspot function, its public address - delegated by provider was discovered. But, nowadays, CGNAT - a carrier grade NAT exist - so there isn't significant risk as your device won't share a directly accesssable public address.

Perhaps, in a scenario where you are not mapped with a device, you may (have been) be a target for permanent identification and location - IMEI/IMSI set or via previous, deployment of a complex payload.

There are malicious payloads for iPhone/iPad that require physical access - also, there are payloads that can be deployed via WLAN as they require network as an attack vector. Beware that security is a relative and that black swans do exist - even if everybody praise something - such as ssh - assume that it's compromised.
 
why would an attacker register a domain name instead of using ip address?
they can even get a cert for ip address (more difficult, but possible).

so, if you are actually doing something i really think you should do entire network monitoring (easier said than done, but chatgpt can help in examining the log)
 
why would an attacker register a domain name instead of using ip address?
they can even get a cert for ip address (more difficult, but possible).

so, if you are actually doing something i really think you should do entire network monitoring (easier said than done, but chatgpt can help in examining the log)
I agree with you. If you can create your own proxy and configure DPI, you’ll have everything you need to perform thorough network analysis. You can then bring this data to a networking expert to examine your PCAPs.

Simply put, an attacker will use domains instead of IP addresses for multiple reasons. One reason, as you mentioned, is the ease of obtaining a certificate. In most offensive engagements, using an IP address would be avoided because proxy logs showing an IP address and a path are immediate red flags for analysts. From most attacks I’ve observed, an IP address is rarely used for long-term C2 communication. However, some less mature threat actors might use an IP address for initial access by hosting a malicious payload and connecting via IP. This approach is more common in non-targeted attacks, as malicious domains are blocked much faster than malicious IPs.

Every serious threat actor either registers or buys popular TLDs or uses existing CDN services for cloud fronting. Think of services like Cloudflare, Azure, and even Discord, to maintain control over compromised devices. No system administrator is likely to block Cloudflare or Azure IP ranges/domains, making it a very effective way to fly under the radar and bypass potential blacklisting.

For reference, you can take a look at the Pegasus IoCs here: investigations/2021-07-18_nso at master · AmnestyTech/investigations

I setup a DNS server as suggested here, there are no unusual / external connections to see, that means I can be almost sure that nothing happened and the "strange behaviour" is more or less just a coincident or just iPhone problem?
Good to read that you have not noticed anything weird. My advise would be to continue using your own DNS resolver and keep checking the logs. You could export the queries and extract the unique domains from them, then run these domains through a threat intelligence platform with a free API, such as AlienVault or Abuse.ch. Alternatively, you could invest some time in manually reviewing the list to reduce the number of false positives.

You could also attempt to use this free forensics tool I have found: Mobile Verification Toolkit.
 
It is actually quite simple and the best answer to who might want to hack your phone that would be based on your threat model.

If this was not government entity could be a low-skilled but well-funded competitor. Apple zero days are expensive as others pointed out so they would be expecting high return from you or this operation. Think what is valuable and if it is connected to your Apple gear.

If this was (serious) government entity they wouldn't need to do any data sharing or physical access at all. Through a remote exploit they can break into your device (apple/android) and through things like SS7 or IMSI catcher can locate, track (globally) and intercept (mostly locally). If for example you have multiple mobile devices they can detect that through the mobile cells connection and then target and subsequently spy on each one.

A higher skilled/funded competitor will have same or in some instances better per-subject surveillance technology than most 3 letter agencies. Hence they would be able to do it remotely and wouldn't need (obvious) physical interaction especially when you are dealing with high networth individuals with many zeros at stake.

Analyzing can be good but also pointless/time+resource waste. Malware could stay dormant for months only to be activated once or twice on a specific date or time or when you pass a specific location or specific device with specific advertising ID passes you by etc.

If your business is connected to these devices you probably should evaluate your opsec. If you have only personal things connected then buying new gear is the easiest and stress-free way to handle the situation. As if government entity wants a peek in your personal stuff they will be successful either through your devices or installing hidden cameras etc. And when they can't do it relatively simply you can be sure to become a target ("why does this person have such high security what are they hiding" type of thing). All of why a good threat model and quality execution of opsec is crucial even for entirely white businesses and their operators.
 
  • Like
Reactions: mraleph
Lesson: when you go to the gym, lift weights, don’t waste time with your phone.

“Good value” as an answer to the thread.
Well, when I read it first, I have come to the conclusion that there is an useful wisdom behind. I stand on it.
BTW, note that the post has 6 positive evaluations, including from the thread author. ;)
 
The strangest thing happened to me a couple of days ago, there was a pop up on my pc screen asking me to accept/deny a certificate with validity for a year or so. I should have taken a screenshot but I clicked deny so quickly it was gone. What was worrying is that it had my name and id number, country listed. When I click on the domain (smm2dot de) that send it, it appears not allowed and whois doesn't have any info.
I am thinking to remove my files and do a full reinstall here....:rolleyes:
 
The strangest thing happened to me a couple of days ago, there was a pop up on my pc screen asking me to accept/deny a certificate with validity for a year or so. I should have taken a screenshot but I clicked deny so quickly it was gone. What was worrying is that it had my name and id number, country listed. When I click on the domain (smm2dot de) that send it, it appears not allowed and whois doesn't have any info.
I am thinking to remove my files and do a full reinstall here....:rolleyes:
Is it somehow related to some iPhone hack? If not, please open a new thread for this case. Thanks.
 
I have followed this thread with great interest and I hope many others will read it. It's incredible that it is "so easy" to access other people's iPhones if you just have a bit of knowledge and are bold enough.

I hope this serves as a warning to everyone reading the thread not to allow internet sharing with people you don't know.
 
  • Like
Reactions: jafo and Forester