iOS Kernel Exploitation Trainings, 0-days and Students reselling them

Some people who have no background in iOS exploitation cannot understand why I used 0-day vulnerabilities in my classes instead of old bugs and why I am angry that ONE student of hundred was reselling them.

Most of the people questioning the legitimacy of my anger have never prepared a training course themselves. They do not understand that collecting material and writing it all together, thinking up an agenda, writing demo code, finding some demo vulnerabilities, and so on takes multiple months of work. At the end of this work you do one training, and what you get for that seems like a lot at first glance, but they do not take into account the costs for the hotel, the costs for travelling, the costs of printing material, the cost for food and many other costs. So at the end of the day the payment per preparation+training day is very small compared to having e.g. worked on one auditing project for 2 months.

In the case of iOS it is even worse because we have to buy enough iPads for multiple trainings beforehand so that we can keep them on a jailbreakable version, because in iOS you cannot simply downgrade and install an old firmware. This means doing the first iOS training will leave you with nearly 0 profit.

This means the only way to financially benefit from doing trainings is to repeat these training courses. So you have to reuse the material. But the problem with that is that people will not sign up for courses if you promise to teach them about iOS 7 when iOS 8 is already out. So you have to adjust your training material all the time. Apple and iOS are a really quick moving target with a new major version out every year. But security features also change between minor versions, so you have to adjust for that, too. You have to create new examples or change old ones. So in order to not have to change all the stuff again and again you mix in some 0-day vulnerabilities that will stay alive even after you do the training.

When I do this I only use information leak 0-day vulnerabilities, because I do not want to hand my students memory corruptions or similar bugs that could be used immediately to break into other people’s systems. However even the information leak 0-days and the fact that I guide my students in the course to discover them for themselves are a good lesson inside the course. When I do this I introduce these parts with the message: “the following bugs are not mentioned on slides, because we do not want to give them out/let Apple know about them”. So far only one student considered that to be an invitation to take these bugs and make money out of them by reselling them and distributing them to the whole world. (Said student took even more, like code from the training, and linked it without permission into his commercial product, but that is not the topic here…)

So to summarize this: You cannot compare iOS training courses to other courses where you can just install an old version of the OS / software and use old bugs. For iOS you have to deal with the problem that you need to offer bugs that work with relatively new versions of the OS. And when a student makes these bugs publicly known he has just destroyed weeks of work for you, because you have to find a solution to the problem. In my case I was relatively lucky because Apple needed 7 months to actually kill the problems, so I could easily reuse the bugs.

But that is not all. The fact that this guy stole the bug and disclosed it to the world had a negative impact on our training sales. I had people come up to me and say: “Yeah I did not sign up for your class, because I believe after you got burned by that guy, you will not show us good stuff anymore.”

So maybe people will realize that taking material from a training to enrich yourself has negative consequences for the trainer and destroys his work of weeks. And it also disrupts his possibility to sell further trainings. So yes I am angry at people who want to destroy my business.

But the story does not end here. The student who took the bugs did not stop there. The jailbreak he released had code in it to make it unusable for my further training courses. It took about one EXTRA week to work through the heavy obfuscation that they used and change the jailbreak to apply the correct kernel patches and not destroy the kernel’s mach-o header in memory. So he did not only take my stuff to create this jailbreak, he also deliberately designed this jailbreak so that I cannot make use of it in trainings. This is just malicious and makes me wonder if disrupting my business was an original goal of his.

Pangu Jailbreak Team keeps on lying

You might have seen my previous blogpost from yesterday exposing how Pangu wanted to pay me with stolen Apple property for my silence about them stealing my work.

It was expected that they would fire back in some way. So they published more of the conversation between me and @windknown. As you can see from this conversation I told him that I will never ever trust him again if they go forward with releasing stuff based on my work. And what follows is his desperate attempt to pay me with stolen property or money for the bugs they had already taken.

But Pangu and some others keep on bringing up these bugs and that they have been taken from the training. They ignore the far bigger issue that code from the training, which does not come with a license that would allow it, was directly linked into their jailbreak. I have repeatedly proven this to be fact, although they did try to hide it by using obfuscation. And even in the ppuntether binaries it is easily visible that they used my code, because they forgot to strip the symbols.

Of course the Pangu posting goes on claiming that they only looked for these cables because I asked them to do so for my iBoot work etc… The only problem with that lie is that I do not work on iBoot vulnerabilities. Also, if it were true, why didn’t I take them up on the offer to just pay me off with money and a cable? Yes, why? Maybe because I had no interest at all in the cable. Maybe because I did not want to have anything to do with stolen property.

They also claim again that they did not offer to buy vulnerabilities from me for the jailbreak, which is a lie. Actually right after the training, when @windknown was asking me to come to his hotel room (there are several witnesses for this), this was all he wanted to talk about. He wanted to buy vulnerabilities/exploits from me for Pangu. But at that time I did not know the name. Keeping that in mind, “Pangu” never actually paid for the training. Instead some other company did.

I really don’t know what deep problem Pangu has with admitting that they offered multiple parties money to buy vulnerabilities. Maybe it is a “cultural thing”, as @windknown used as an excuse, maybe they really want/need the world to believe that this is all their own work…
Maybe… Or maybe they really never bought a vulnerability because despite their offers no one wanted to sell to them.

Furthermore Pangu claims I am delusional for saying that one of their friends asked during the Q&A session of my talk if I could provide evidence. I do not know in what world they are living. But there were several hundred people in the SyScan audience who heard him say that he is a friend of Pangu and that they wanted to know if I had any evidence. Everyone around this guy could see that he was on the phone or chatting with someone while asking this question.

Keep repeating your lies Pangu …

Just keep repeating …

Jailbreaking, China and Playing the Racial Discrimination Card

Don’t miss the update to this posting, because Pangu replied back to this posting with a ton of lies.

A number of people might know that not long ago I gave a talk titled “iOS 678 Security – A study in fail” at SyScan 2015. Within this talk I was exposing the really bad security track record of Apple Security since the iOS 6 jailbreak in early 2013. I showed in detail how Apple kept ignoring vital elements of the exploitation chains, which made succeeding jailbreaks easier, because they could reuse previous techniques developed by the evad3rs. I also showed how Apple repeatedly failed to fix the same vulnerabilities over and over again, which again helped a lot in the development of the iOS 7.x and iOS 8.x jailbreaks. I ended my presentation (as previously announced) with a discussion of the new phenomenon that iOS jailbreaks are coming from China since mid-2014. As part of this discussion I was comparing previous jailbreaks that were all made by western security researchers and hackers with those new Chinese ones. During that talk I exposed a number of things that the guys behind Pangu did not want to see exposed to the public, so they wrote a big blogpost accusing me of racial discrimination to distract people from the presented facts.

During the talk I was presenting a number of facts about previous jailbreaks.

  • previous jailbreaks were made by people from western countries
  • these jailbreakers used methods for jailbreaking that tried hard to not violate copyrights, contracts, software licenses, which severely limited them
  • they were releasing a lot of open source code for other iOS researchers to use
  • they applied kernel patches like task_for_pid0 in their jailbreaks to be completely open for other researchers that need to have access to the kernel
  • they did not get paid (“sponsored”) but tried to get by with donations
  • they basically made peanuts compared to information security companies who used their work to offer professional iOS consulting, forensics, etc…
  • and I also mentioned how this all combined made them decide to move away to different targets

After presenting the past of jailbreaking I switched over to the new breed of jailbreaks that all come from China.

  • I mentioned that all jailbreaks since then came from Chinese hackers – which is a fact
  • I mentioned that these new jailbreaks are financed by Chinese app stores, which is a fact and kinda admitted by Pangu and TaiG and easily visible from the fact that they bundle these app stores. However Pangu wants to stress that this is not payment but “sponsoring” and they make fun of the one million USD number that I mentioned. Well I remember a conversation with a leading Pangu member in his hotel room where he told me when he was trying to buy vulnerabilities from me: “you know these numbers they are rumoring about how much evad3rs made? They are real.” Also the offer of “up to 1 mio sponsoring” was sent by email to several different people involved in iOS jailbreaking by different Chinese companies in 2012/2013.
  • I mentioned that Chinese jailbreakers have been trying to buy/acquire vulnerabilities to achieve jailbreaks. This is a fact I know, because different teams repeatedly tried to buy from me, and I also show a Twitter discussion on my slides that shows that Pangu offered 100k USD to another jailbreaker. It is questionable how they can afford that if they really only get “sponsored” to buy new iDevices. But it is also questionable how they can afford to organize security conferences in expensive Chinese hotels when they only get these small amounts.
    And btw. here are Twitter DMs from the Pangu member that attended my training in which he basically admits that he talked about buying/selling vulnerabilities for/to Pangu, something Pangu has officially stated to never do.
    [Image: Pangu offering money to buy the stolen vulnerabilities after the fact]
  • BTW: The people behind TaiG even have a website where they ask the community to share vulnerabilities – they do not even try to hide it
  • I continued to state that Chinese jailbreaks have been using shady methods like “stolen” enterprise certificates in their jailbreaks. Which was then disputed by Pangu. They claim those enterprise certificates were neither stolen nor leaked and they would be so cheap that they could simply buy them. But by stating that, they basically admitted in public that they have signed/would sign an iOS Enterprise Development Program contract with Apple to get a cert and then violate the contract by using it in a jailbreak. I do not know if admitting that in public was a good idea considering the amount of lawyers Apple has.
  • I then stated that so far Chinese jailbreaks have incorporated a lot of code written by other people that was either public or private and they did not take into consideration that things like software licenses exist. For example they took software from my training that does not come with a license that would allow world wide distribution. They have also taken code from planetbeing that was put on GitHub without a license, which makes it kinda unfree. Pangu keeps mentioning that they did not sign an NDA for my training and somehow believe that makes it okay to take actual software (not mere vulnerabilities) written by me and release it under their own name.
  • The next thing I discussed was how lucky the Chinese jailbreakers were that Apple did repeatedly fail to fix vulnerabilities, which allowed them to reuse the same stuff over and over again.
  • I then stated that a lot of the techniques and vulnerabilities (chains) they used were initially invented and discovered by westerners like the evad3rs or myself, which is a fact. Keep in mind that most of their initial code execution and incomplete code signing exploits are just the bugs from evasi0n/evasi0n7 that Apple repeatedly did not fix correctly.

I then closed that chapter with a description of what the new breed of jailbreakers have done for the community so far.

  • I explained that so far they have not released any code that would help other researchers to get into it, like previous jailbreakers did. (So far they only discussed some of the vulnerabilities they used after Apple finally fixed them)
  • I stated that Chinese jailbreaks have been heavily obfuscated to the point that they even bought commercial grade obfuscation software for it, which is a simple fact.
  • I said that they intentionally removed kernel patches like task_for_pid0 to stop other researchers from using their jailbreaks as basis for their own work. This is however only true for Pangu, who even have the code to do the patch in their jailbreak, but intentionally not call it. The people behind TaiG however do apply the patch, which shows that they are more open.
  • I also stated the fact that both Pangu and TaiG apply kernel patches in a destructive way. TaiG e.g. does overwrite the beginning of the kernel’s TEXT segment in memory and Pangu just trashes the kernel’s mach-o header in memory. This is most probably done because this header is required by other researchers to reconstruct the kernel binary from memory, and I already established that Pangu does not want other researchers to be able to perform their work.

To summarize this I was presenting a number of facts about previous and current jailbreaks. There was no racial discrimination in my talk. I was merely pointing out facts that are observable by anyone who takes a look at the details. And yes I called Chinese people Chinese.

However since the blog post from Pangu that was written to discredit me I get pestered by some Chinese people who accuse me of racial discrimination and threaten me or my family. Fact is I have nothing against Chinese people in general. Actually I have a number of close Chinese friends who would die laughing if I told them that someone accused me of being racist towards China. Nevertheless I cannot stand people who want to be called security researchers, while they base all their work on shady and questionable methods. I also hate the fact that Pangu believes they can get away with openly lying to everyone, because they believe I have no proof for any of my claims. They even let one of their friends ask in the Q&A session of my talk at SyScan if I had physical proof for some of the things, so that they could get away with claiming that this is not true…

And because of this unbelievable behaviour on their part and their repeated attempts to make me look like the one having done wrong, I decided to do something that I normally would not have done (if they hadn’t actually attacked me like this in public). If you take a look at the picture below you will see that this is a lightning cable. The special thing about this lightning cable is that it is offering a serial connection to newer iOS devices that is otherwise not available. This is something that helps during the development of kernel/iBoot exploits (if you already have some working exploits). Security researchers like Ramtin Amin have created similar cables by reversing the protocol. The cable you see here however is not one of those. The photo of the cable you see here was sent to me by a member of Pangu who bragged about his friend having gotten a cable. He also told me that I should not discuss this on e.g. Twitter, because that would make getting these cables harder and harder. Apparently these cables are stolen from Apple or Apple partners and the penalty for this has been getting harsher, which made it more difficult to acquire.

[Image: the Lightning debugging cable photo sent by the Pangu member]

While the person of Pangu did only say that “his friend” has gotten the cable, he later wanted to pay me off with such a cable after he realized that I was absolutely not okay with Pangu taking my vulnerabilities and my software without a license, as you can see here.

[Image: Pangu wanting to pay me with a stolen Apple Lightning debugging cable]

I think all this combined clearly shows that the people behind Pangu do not care about intellectual property, they do not care about software licenses, they do not care about violating contracts (with Apple) and they even traffic stolen goods.

You have to decide for yourself if you think these people deserve to be called “security researchers” instead of shady hackers. You also have to decide for yourself if you consider them to be a trustworthy party to provide future jailbreaks for devices that contain your personal and private data like your nude pictures 😛

I am curious what kind of response we will get from Pangu now that I have provided evidence.
