Is it possible to hack an iPhone if internet sharing is enabled on the phone?

Status
Not open for further replies.
Now that you mention it, it would make a lot of sense for them to just reflash the OS when they get a customer device with exotic problems. They must have the tools to fully reinstall the system from scratch for their devices; not sure if they are willing though without 'proof' that something exotic is happening. Next time I am in an Apple store I will try to find this out.

Some of their tools are hosted on gsx2.apple.com, but only authorized resellers or Apple personnel have access to it. Would be nice to know if anyone here has/had access to this portal and could tell us about the functionality. The scary part is that a lot of their (troubleshooting) tools are delivered over the network, so they can get most of the information they need by requesting it using your serial number.
 
Nice; but how can one be sure that the Sysdiagnose results/Shutdown.log file (I have looked here: Detecting iOS malware via Shutdown.log file, and at the tutorial) are not modified/generated by some code of the attacker? Kaspersky denotes it as "A lightweight method to detect potential iOS malware", which IMO is what it really is...
 
Making a DNS is good, but what if the app has a hard-coded IP address?
That will avoid usage of the Domain Name Server (Service).
On the other hand, making a separate WiFi and analyzing logs with Wireshark would do the trick (hard work).

Apple, and pretty much all vendors nowadays, have a chain of bootloaders.
Integrity is not that easy to compromise due to the use of very sophisticated math procedures for digital signatures (RSA).

In order to run an app it has to be signed, unless signed with an enterprise cert or Xcode dev (which can be a vector to attack it).

Earlier versions of Pegasus were residing in RAM (not in flash), and a restart of the device would wipe it clear.

Anything is possible, but let's be realistic.

Also, use Lockdown Mode... another level of protection.
 
They would need to bypass KPP and other protection measures. And they would need to hook diagnose functions, which also introduces more footprints and would make it more easily detectable.
 
🙂 Sorry, with KPP you mean Kernel Patch Protection? (AFAIK, iOS is built on a Mach microkernel... how can it work there?)
Well... iOS is Unix-like, so the Shutdown.log file is just a dump of kernel messages; with root privileges you can modify anything there anytime in a not very traceable way, IMO... (but I might be completely wrong, as I am only guessing about iOS using some general Unix knowledge).
 
Interesting comments.

Yes, it's possible, viable and doable. No, there isn't a physical possession requirement. Whether it happened depends on the examination results.

The investigation will provide more intelligence if you tunnel complete device traffic through a server and analyze that traffic; set up a local VPN with your own DNS for a start. Be advised that the SIM should be disabled and WLAN used exclusively in order to segregate.

In the end, assume compromise and establish a sanitary cordon: dispose of the devices and associated SIM. Change iCloud. Transfer data from an offline source.

Indifferent probability. May be a coincidence, may be an attack.

Why do you assume it's a random and average male person if the name of the thread implies a nefarious aspect?

Your OCT content implies that you are aware and critical. What gym doesn't have a WLAN for members? Probability is now more towards focused action.

Why would a person - assumed attacker - need to be an Israeli agent? Maybe you are targeted for kidnapping because you are rich.

When a telephone device acts as a hotspot, it's a routing and switching function that connects two protocols, 802.11 and any cellular connectivity (3G/4G/5G), on OSI layers 2 and 3, besides DHCP.

Compared to any other switches and routers, traffic passing through by MAC or IP address does not employ more hardware resources, as there is no traffic inspection.

DHCP is a program with root privilege and functions as a delegator of NATed addresses - from the private network scopes 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 - that can't be routed via public networks.

A DHCP will assign an address to the WLAN client, where the traffic packets will be masqueraded by kernel mapping in order to allow access to the public network and disguise the origin.

Theoretically, DHCP and its communication with the kernel can have a vulnerability.

When that person's device got a NATed address from your device's hotspot function, its public address, delegated by the provider, was discovered. But nowadays CGNAT (carrier-grade NAT) exists, so there isn't a significant risk, as your device won't share a directly accessible public address.

Perhaps, in a scenario where you are not mapped with a device, you may (have been) be a target for permanent identification and location, via an IMEI/IMSI set or via previous deployment of a complex payload.

There are malicious payloads for iPhone/iPad that require physical access; also, there are payloads that can be deployed via WLAN, as they require the network as an attack vector. Beware that security is relative and that black swans do exist; even if everybody praises something, such as ssh, assume that it's compromised.
 
I set up a DNS server as suggested here; there are no unusual / external connections to see. Does that mean I can be almost sure that nothing happened and the "strange behaviour" is more or less just a coincidence or just an iPhone problem?
 
Why would an attacker register a domain name instead of using an IP address?
They can even get a cert for an IP address (more difficult, but possible).

So, if you are actually doing something, I really think you should do entire network monitoring (easier said than done, but ChatGPT can help in examining the log).
 
I agree with you. If you can create your own proxy and configure DPI, you'll have everything you need to perform thorough network analysis. You can then bring this data to a networking expert to examine your PCAPs.

Simply put, an attacker will use domains instead of IP addresses for multiple reasons. One reason, as you mentioned, is the ease of obtaining a certificate. In most offensive engagements, using an IP address would be avoided because proxy logs showing an IP address and a path are immediate red flags for analysts. From most attacks I've observed, an IP address is rarely used for long-term C2 communication. However, some less mature threat actors might use an IP address for initial access by hosting a malicious payload and connecting via IP. This approach is more common in non-targeted attacks, as malicious domains are blocked much faster than malicious IPs.

Every serious threat actor either registers or buys popular TLDs or uses existing CDN services for cloud fronting. Think of services like Cloudflare, Azure, and even Discord, to maintain control over compromised devices. No system administrator is likely to block Cloudflare or Azure IP ranges/domains, making it a very effective way to fly under the radar and bypass potential blacklisting.

For reference, you can take a look at the Pegasus IoCs here: investigations/2021-07-18_nso at master · AmnestyTech/investigations

Good to read that you have not noticed anything weird. My advice would be to continue using your own DNS resolver and keep checking the logs. You could export the queries and extract the unique domains from them, then run these domains through a threat intelligence platform with a free API, such as AlienVault or Abuse.ch. Alternatively, you could invest some time in manually reviewing the list to reduce the number of false positives.

You could also attempt to use this free forensics tool I have found: Mobile Verification Toolkit.
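As an added example, not code from this thread, from any poster or from the tools mentioned: a small Python triage script for two points made above. First, that a resolver log only shows name lookups, so an app talking to a hard-coded IP address never appears in it; second, that the useful next step with the resolver log is to extract the unique domains for a threat-intel check. The script correlates a dnsmasq-style query/reply log with a connection summary taken on the hotspot side (for example from the Wireshark capture on the separate WiFi) and flags external destinations that no DNS answer accounts for. The log formats, sample lines, addresses and the local blocklist (which stands in for the AlienVault/Abuse.ch lookup) are constructed assumptions, not data from the thread.

```python
"""Offline triage of a resolver's DNS query log plus a connection log.

Added example for this thread, not code from any poster or tool. Log formats are
assumed: dnsmasq-style query/reply/cached lines and a simple
"time src:port -> dst:port proto" connection summary. Adapt the regexes to
whatever your resolver and capture actually emit.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (not real traffic): a phone at 192.168.42.10 behind a
# resolver at 192.168.42.1, with one connection that no DNS answer explains.
DNS_LOG = """\
Mar  3 10:00:01 dnsmasq[1234]: query[A] api.example.com from 192.168.42.10
Mar  3 10:00:01 dnsmasq[1234]: reply api.example.com is 93.184.216.34
Mar  3 10:00:05 dnsmasq[1234]: query[A] cdn.example.net from 192.168.42.10
Mar  3 10:00:05 dnsmasq[1234]: reply cdn.example.net is <CNAME>
Mar  3 10:00:05 dnsmasq[1234]: reply edge.cdn-provider.example is 203.0.113.7
Mar  3 10:00:09 dnsmasq[1234]: query[A] api.example.com from 192.168.42.10
Mar  3 10:00:09 dnsmasq[1234]: cached api.example.com is 93.184.216.34
"""

CONN_LOG = """\
10:00:02 192.168.42.10:51234 -> 93.184.216.34:443 tcp
10:00:06 192.168.42.10:51240 -> 203.0.113.7:443 tcp
10:00:11 192.168.42.10:51255 -> 198.51.100.23:8443 tcp
10:00:12 192.168.42.10:51256 -> 192.168.42.1:53 udp
"""

# Ranges that never leave the hotspot: the RFC 1918 blocks named in the thread,
# plus loopback and link-local. Traffic to these is not "external".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
ANSWER_RE = re.compile(r"(?:reply|cached) (\S+) is (\S+)")
CONN_RE = re.compile(r"(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)")


def parse_dns_log(text):
    """Return (domains, resolved): every name queried or answered, and a map
    from each answered IP to the names that resolved to it."""
    domains = set()
    resolved = defaultdict(set)
    for line in text.splitlines():
        if m := QUERY_RE.search(line):
            domains.add(m.group(2).lower())
        elif m := ANSWER_RE.search(line):
            name, value = m.group(1).lower(), m.group(2)
            domains.add(name)
            try:
                resolved[str(ipaddress.ip_address(value))].add(name)
            except ValueError:
                pass  # "<CNAME>", NXDOMAIN and similar placeholders are not addresses
    return domains, dict(resolved)


def unique_domains(text):
    """Sorted unique names, ready for a threat-intel lookup or manual review."""
    return sorted(parse_dns_log(text)[0])


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_direct_ip_connections(conn_text, resolved):
    """External destinations that no DNS answer explains: the hard-coded-IP
    case, which a DNS log on its own can never show."""
    suspects = []
    for line in conn_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        dst, dport, proto = m.group(4), int(m.group(5)), m.group(6)
        if is_local(dst) or dst in resolved:
            continue
        suspects.append((dst, dport, proto))
    return suspects


def match_blocklist(domains, blocklist):
    """Suffix match, so a blocklisted zone also catches its subdomains."""
    hits = {}
    for d in domains:
        for bad in blocklist:
            if d == bad or d.endswith("." + bad):
                hits[d] = bad
    return hits


if __name__ == "__main__":
    domains, resolved = parse_dns_log(DNS_LOG)
    print("unique domains:", unique_domains(DNS_LOG))
    print("blocklist hits:", match_blocklist(domains, {"cdn-provider.example"}))
    print("direct-IP connections:", find_direct_ip_connections(CONN_LOG, resolved))
```

Run it as-is to see the result on the constructed data, or replace DNS_LOG and CONN_LOG with your own resolver log and a connection list exported from the capture. Two caveats worth keeping in mind: the approach only covers lookups that actually reach your resolver, so an app that carries its own encrypted DNS settings bypasses it entirely, and a destination reached through a large CDN will look like ordinary traffic, which is exactly the cloud-fronting point made earlier in the thread.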
 
Thank you very much for all your input @0xDEADBEEF - I'm setting up lots of tools over the weekend, still testing, researching and tracing. So far nothing suspicious, but let it all run for the rest of this week.
 
It is actually quite simple, and the best answer to who might want to hack your phone would be based on your threat model.

If this was not a government entity, it could be a low-skilled but well-funded competitor. Apple zero-days are expensive, as others pointed out, so they would be expecting a high return from you or this operation. Think about what is valuable and whether it is connected to your Apple gear.

If this was a (serious) government entity they wouldn't need to do any data sharing or physical access at all. Through a remote exploit they can break into your device (Apple/Android), and through things like SS7 or an IMSI catcher they can locate, track (globally) and intercept (mostly locally). If for example you have multiple mobile devices, they can detect that through the mobile cell connections and then target and subsequently spy on each one.

A higher-skilled/funded competitor will have the same or in some instances better per-subject surveillance technology than most three-letter agencies. Hence they would be able to do it remotely and wouldn't need (obvious) physical interaction, especially when you are dealing with high-net-worth individuals with many zeros at stake.

Analyzing can be good but also pointless and a waste of time and resources. Malware could stay dormant for months only to be activated once or twice on a specific date or time, or when you pass a specific location, or when a specific device with a specific advertising ID passes you by, etc.

If your business is connected to these devices you probably should evaluate your opsec. If you have only personal things connected, then buying new gear is the easiest and stress-free way to handle the situation. If a government entity wants a peek into your personal stuff they will be successful either through your devices or by installing hidden cameras, etc. And when they can't do it relatively simply you can be sure to become a target ("why does this person have such high security, what are they hiding" type of thing). All of which is why a good threat model and quality execution of opsec is crucial even for entirely white businesses and their operators.
 
Well, when I first read it, I came to the conclusion that there is useful wisdom behind it. I stand by it.
BTW, note that the post has 6 positive evaluations, including from the thread author. 😉
 
The strangest thing happened to me a couple of days ago, there was a pop up on my pc screen asking me to accept/deny a certificate with validity for a year or so. I should have taken a screenshot but I clicked deny so quickly it was gone. What was worrying is that it had my name and id number, country listed. When I click on the domain (smm2dot de) that send it, it appears not allowed and whois doesn't have any info.
I am thinking to remove my files and do a full reinstall here....🙄
 
WTF!!!???

YOLO! You KNOW what you have to do! Are you scared? 🙄
 
Is it somehow related to some iPhone hack? If not, please open a new thread for this case. Thanks.
 
I have followed this thread with great interest and I hope many others will read it. It's incredible that it is "so easy" to access other people's iPhones if you just have a bit of knowledge and are bold enough.

I hope this serves as a warning to everyone reading the thread not to allow internet sharing with people you don't know.
 