- Pairing an iOS device to a host (computer running iTunes) gives that host significant access to data on the iOS device and requires connecting the unlocked iOS device to a host over USB
- Once paired, that host (or another host that has stolen its pairing record) can access significant amounts of user personal data from the iOS device over USB and Wi-Fi through the com.apple.mobile.file_relay and com.apple.mobile.house_arrest lockdown services
- These services will not return user data files that are encrypted and locked by iOS Data Protection. However, the files returned by file_relay are not protected by iOS Data Protection, and they include significant amounts of personal user data that would otherwise be encrypted in iTunes backups when "Encrypt Backup" is enabled
- The com.apple.mobile.file_relay service is not used or referenced by any public Apple software, so its intended client software is unknown outside of Apple
- Apple released a [Knowledge Base article](https://support.apple.co
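The second bullet hinges on the pairing record: whoever holds a copy of it holds the host's trust relationship with the device. The following Go program is an added example (not part of the original gist) that lets an administrator audit a host's lockdown directory: it lists which device UDIDs have pairing records there and parses each XML plist record to report the HostID it asserts and whether the file carries the host private key and a Wi-Fi MAC address. The key names (`HostID`, `HostPrivateKey`, `SystemBUID`, `WiFiMACAddress`), the default directory `/var/db/lockdown`, the `<UDID>.plist` naming and the `SystemConfiguration.plist` exclusion are assumptions about the on-disk format; the embedded record is constructed sample data so the program runs offline.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// sampleRecord is a CONSTRUCTED pairing record in XML plist form. The key names
// are assumed from the format of the <UDID>.plist files in a host's lockdown
// directory; the certificate/key payloads are placeholder base64 ("CONSTRUCTED").
const sampleRecord = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>DeviceCertificate</key>
	<data>Q09OU1RSVUNURUQ=</data>
	<key>HostCertificate</key>
	<data>Q09OU1RSVUNURUQ=</data>
	<key>HostID</key>
	<string>00000000-EXAMPLE-HOST-ID-00000000</string>
	<key>HostPrivateKey</key>
	<data>Q09OU1RSVUNURUQ=</data>
	<key>SystemBUID</key>
	<string>00000000-EXAMPLE-BUID-00000000</string>
	<key>WiFiMACAddress</key>
	<string>00:11:22:33:44:55</string>
</dict>
</plist>
`

// PairingRecord holds the fields an auditor cares about from one record.
type PairingRecord struct {
	HostID            string
	SystemBUID        string
	WiFiMACAddress    string
	HasHostPrivateKey bool
}

// ParsePairingRecord walks a flat XML plist <dict> with encoding/xml, pairing
// each <key> with the <string>/<data> element that follows it. Binary plists
// are not handled; convert them to XML first.
func ParsePairingRecord(r io.Reader) (PairingRecord, error) {
	dec := xml.NewDecoder(r)
	var rec PairingRecord
	var key string
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return rec, nil
		}
		if err != nil {
			return rec, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue // skip ProcInst, DOCTYPE directive, end elements, whitespace
		}
		switch se.Name.Local {
		case "key":
			if err := dec.DecodeElement(&key, &se); err != nil {
				return rec, err
			}
		case "string", "data":
			var v string
			if err := dec.DecodeElement(&v, &se); err != nil {
				return rec, err
			}
			v = strings.TrimSpace(v)
			switch key {
			case "HostID":
				rec.HostID = v
			case "SystemBUID":
				rec.SystemBUID = v
			case "WiFiMACAddress":
				rec.WiFiMACAddress = v
			case "HostPrivateKey":
				rec.HasHostPrivateKey = v != ""
			}
		}
	}
}

// Summarize states what possession of the record means for the device's trust
// boundary: the record is a credential, not just configuration.
func Summarize(rec PairingRecord) string {
	var b strings.Builder
	fmt.Fprintf(&b, "host %s is trusted by the device (BUID %s)\n", rec.HostID, rec.SystemBUID)
	if rec.HasHostPrivateKey {
		b.WriteString("  contains HostPrivateKey: a copy of this file carries this host's pairing; protect it like a credential\n")
	}
	if rec.WiFiMACAddress != "" {
		b.WriteString("  contains WiFiMACAddress: the pairing can be exercised over Wi-Fi, not only USB\n")
	}
	return b.String()
}

// AuditDir lists device UDIDs with a pairing record in dir (one <UDID>.plist
// each), skipping the host-wide SystemConfiguration.plist (assumed name).
func AuditDir(dir string) ([]string, error) {
	matches, err := filepath.Glob(filepath.Join(dir, "*.plist"))
	if err != nil {
		return nil, err
	}
	var udids []string
	for _, m := range matches {
		base := strings.TrimSuffix(filepath.Base(m), ".plist")
		if base == "SystemConfiguration" {
			continue
		}
		udids = append(udids, base)
	}
	return udids, nil
}

func main() {
	dir := "/var/db/lockdown" // macOS default (assumed); pass another path as argv[1]
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	if udids, err := AuditDir(dir); err == nil {
		for _, u := range udids {
			f, err := os.Open(filepath.Join(dir, u+".plist"))
			if err != nil {
				continue
			}
			rec, err := ParsePairingRecord(f)
			f.Close()
			if err == nil {
				fmt.Printf("device %s:\n%s", u, Summarize(rec))
			}
		}
	}
	// Always run on the constructed sample so the demonstration works offline.
	rec, err := ParsePairingRecord(strings.NewReader(sampleRecord))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(Summarize(rec))
}
```

Run it with no arguments on a Mac to inventory which devices currently trust that host; any record you do not recognise is a pairing that should be removed from the device (Settings > General > Reset > Reset Location & Privacy, or Network Settings) and deleted from the host, since the file alone reproduces the trust relationship the bullets above describe.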
```go
package main

import (
	"encoding/hex"
	"fmt"
	"log"
	"io"
	"os"
	"golang.org/x/sys/unix"
)
```
```c
/*
 * Lambda
 *
 * QTJava, a Java extension made available to Java applets has some
 * parameter validation problems when calling native memory copying
 * methods. This allows us to read and write out of the bounds of our
 * heap allocated QTObject. With some tricks, we are able to turn
 * this into a write4 primitive allowing us to write arbitrary values
 * to chosen locations. Insert the shellcode in a writable and
 * executable page, spam the stack with that address, and owned.
```