iOS Kernel Exploitation Trainings, 0-days and Students reselling them

Some people who have no background in iOS exploitation cannot understand why I used 0-day vulnerabilities in my classes instead of old bugs and why I am angry that ONE student of hundred was reselling them.

Most of the people questioning the legitimacy of my anger have never prepared a training course themselves. They do not understand that collecting material and writing it all together. Thinking up an agenda. Writing demo code, finding some demo vulnerabilities. And and and… takes multiple months of work. At the end of this work you do one training and what you get for that seems much on the first view but they do not take into account the costs for the hotel, the costs for travelling, the costs of printing material, the cost for food and many other costs. So that at the end of the day the payment per preparation+training day is very small compared to having e.g. worked on one auditing project for 2 months.

In the case of iOS it is even worse because we have to buy enough iPads for multiple trainings beforehand so that we can keep them on a jailbreakable version. Because in iOS you cannot simply downgrade and install an old firmware. This means doing the first iOS training will leave you with nearly 0 profit.

This means the only way to financially benefit from doing trainings is to repeat these training courses. So you have to reuse the material. But the problem with that is that people will not sign up for courses if you promise to teach them about iOS 7 when iOS 8 is already out. So you have to adjust your training material all the time. Apple and iOS is a really quick moving target with every year a new major version out. But security features also change between minor versions so you have to adjust for that, too. You have to create new examples or change old ones. So in order to not have to change all the stuff again and again you mix in some 0-day vulnerabilities that will stay alive even after you do the training.

When I do this I only use information leak 0-day vulnerabilities, because I do not want to hand my students memory corruptions or similar bugs that could be used immediately to break into other people’s systems. However even the information leak 0-days and the fact that I guide my students in the course to discover them for themselves is a good lesson inside the course. When I do this I introduce these parts with the message: “the following bugs are not mentioned on slides, because we do not want to give them out/let Apple know about them”. So far only one student considered that to be an invitation to take these bugs and make money out of them by reselling them and distributing them to the whole world. (Said student took even more like code from the training and linked it without permission in his commercial product, but that is not the topic here…)

So to summarize this: You cannot compare iOS training courses to other courses where you can just install an old version of the OS / software and use old bugs. For iOS you have to deal with the problem that you need to offer bugs that work with relatively new versions of the OS. And when a student makes these bugs publicly known he just destroyed weeks of work for you, because you have to find a solution to the problem. In my case I was relatively lucky because Apple needed 7 months to actually kill the problems, so I could easily reuse the bugs.

But that is not all. The fact that this guy stole the bug and disclosed it to the world had a negative impact on our training sales. I had people come up to me and say: “Yeah I did not sign up for your class, because I believe after you got burned by that guy, you will not show us good stuff anymore.”

So maybe people will realize that taking material from a training to enrich yourself has negative consequences for the trainer and destroys his work of weeks. And it also disrupts his possibility to sell further trainings. So yes I am angry at people who want to destroy my business.

But the story does not end here. The student who took the bugs did not stop there. The jailbreak he released had code in it to make it unusable for my further training courses. It took about one EXTRA week to work through the heavy obfuscation that they used to change the jailbreak to apply the correct kernel patches and not destroy the kernel’s mach-o header in memory. So he did not only take my stuff to create this jailbreak, he also deliberately designed this jailbreak so that I cannot make use of it in trainings. This is just malicious and makes me wonder if disrupting my business was an original goal of his.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s