Time Travel: 2014

Chapter 183 Time Regression Vulnerability (continued)

This has to do with the way negative numbers are represented in binary.

Because the Unix timestamp is stored as a plain binary integer.

At the machine level the subtraction is carried out on the bit pattern: 00...0 - 1.

The actual operation is: 00...0 - 1 (there are 61 zeros in the ellipsis, 64 bits in total).

The result obtained is 11...1 (there are 61 ones in the ellipsis, all 64 bits set).

If that bit pattern is read as an unsigned number, then 0 - 1 ≠ -1.

The number obtained is actually 2^64 - 1, that is, 18446744073709551615.

There are many examples like this in the computer world.

For example, two positive numbers can add up to 0 when the sum overflows the width of the register.

Lin Hui remembered that when he used to compete in ACM, he often ran into programming problems of this painful kind.

On the surface, the task was simply to add two numbers.

The requirements sounded simple.

But the test data fed to the program were all very large numbers.

So overflow had to be handled explicitly in the actual computation.

In short, the computer world is a wonderful world.

In Unix, a similar situation arises when a time difference is computed while the timestamp is 0.

When the time on the Apple phone is set to timestamp 0 and the phone is restarted,

the phone's time query, which works by computing a difference, does not return a time before timestamp 0.

Instead, a very large time is returned.

The computed time is effectively infinite, while the system clock itself reads 0.

From that point on, every time query is wrong.

The consequence is very direct: the entire system stops working.

That is, the phone is bricked immediately.
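The two passages above (the 64-bit subtraction 00...0 - 1, and the time difference taken when the clock reads 0) come down to the same arithmetic. The following is an added example, not code from the novel or from iOS: a hypothetical elapsed-time routine written once with unsigned 64-bit operands and once with signed ones, plus the plausibility check a practitioner would put in front of such a subtraction. The values fed in (clock at 0, reference point 1 second later) are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Hypothetical helper, not iOS code: the elapsed time computed the careless
 * way, with both instants held in an unsigned 64-bit counter.  When the
 * clock reads 0 and the reference point is later, the subtraction wraps
 * modulo 2^64 and yields a "time" of 2^64 - 1 seconds. */
uint64_t elapsed_unsigned(uint64_t now, uint64_t then) {
    return now - then;
}

/* Same subtraction in a signed type: the result can be negative, and a
 * caller can actually test for that instead of receiving a huge number. */
int64_t elapsed_signed(int64_t now, int64_t then) {
    return now - then;
}

/* The "two positive numbers add up to 0" case from the text, shown with a
 * 32-bit unsigned register so the wrap is well defined in C. */
uint32_t add_u32(uint32_t a, uint32_t b) {
    return a + b;
}

/* Plausibility check a time-difference routine should apply: a clock that
 * reads earlier than a point we know has already passed is a clock error,
 * not a 584-billion-year interval.  Returns 1 if the interval is usable. */
int interval_is_sane(int64_t now, int64_t then, int64_t max_seconds) {
    if (now < then) return 0;
    if (now - then > max_seconds) return 0;
    return 1;
}

int main(void) {
    /* Constructed values: clock reset to the epoch, reference 1 s later. */
    uint64_t now = 0, then = 1;
    printf("unsigned: %" PRIu64 "\n", elapsed_unsigned(now, then));
    printf("signed:   %" PRId64 "\n", elapsed_signed((int64_t)now, (int64_t)then));
    printf("0x80000000 + 0x80000000 = %" PRIu32 "\n", add_u32(0x80000000u, 0x80000000u));
    printf("sane: %d\n", interval_is_sane((int64_t)now, (int64_t)then, 86400));
    return 0;
}
```

The unsigned version returns 18446744073709551615, the signed version returns -1, and the check rejects the interval outright; which of the three a real time routine does decides whether a clock set to 1970 is a cosmetic error or a boot failure.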

Of course, although the vulnerability exists,

a user with normal habits on a trusted network would find it very troublesome to trigger it by accident.

If a user wants to trigger this vulnerability:

First, the user needs to open "Date & Time" under "General" in Settings.

There the user must first turn off "Set Automatically" before the option to set the time manually appears.

Next the user has to scroll the date picker.

Since there is no separate year field, the only way to get there is to keep scrolling the date backwards.

After a very tedious operation, the time can be set to January 1, 1970.

But this alone will not trigger the vulnerability.

After the time is set to January 1, 1970,

the user needs to take the next step: shut down and restart.

At this point, the steps to brick the iPhone are complete.

If these steps are followed, the phone stays stuck on the Apple logo that appears at the start of boot.

It sounds like this vulnerability is difficult to trigger!

Is there any value in such a hard-to-trigger vulnerability?

Of course there is value.

The danger is not accidental triggering but someone exploiting it on purpose.

Vulnerabilities are like that.

For ordinary users, this vulnerability is nothing.

But for technicians who are interested in making trouble, a lot can be done through such a silly loophole.

When an iOS device is connected to a public network, iOS uses the Network Time Protocol to synchronise its clock.

If an attacker answers those requests with a forged Network Time Protocol reply that sets the iOS clock to timestamp 0 (1 January 1970 UTC), every affected device is hit by this bug and becomes unusable after its next restart.

NTP (Network Time Protocol) is one of the oldest Internet protocols still in use.

Its purpose is to transmit the time of precise timing devices such as atomic clocks to every networked device through the network, thereby providing the most accurate time synchronization capability.

The Network Time Protocol specification itself does anticipate the possibility of tampered time.

However, for a long time, network attacks using the Network Time Protocol as the entry point have been common.

Although Lin Hui is not very good at this type of operation, it is easy for hackers to do.

After all, even people like Lin Hui who are not specialized in IT security know how to implement the above-mentioned operations.

Find a public place and set up an open WiFi network with no password.

Then have that network resolve Apple's Network Time Protocol server name to an IP address the attacker controls.

Specifically, how does a Network Time Protocol attack operate?

The classic version is NTP amplification: the attacker sends a server a small forged request carrying the victim's address as its source.

The server answers automatically.

But the reply goes to the victim's address rather than the attacker's, and a large number of such replies are aimed at one target.

Each reply can be many times larger than the request that triggered it.

Through that flood the victim's bandwidth is saturated in an instant, and the victim's network can be paralysed outright.

The brick, however, needs the other kind of NTP attack: not amplification but a forged reply. The rogue WiFi above answers the phone's time request with a reply that sets the clock to timestamp 0.

In this case, once the user connects the iPhone to that WiFi, it is bricked the next time it restarts.
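The forged-reply path described above hinges on one field of a 48-byte NTP packet: the transmit timestamp, counted in seconds since 1900. The following is an added example, not code from the novel or from Apple: a hypothetical NTP reply parser with the plausibility check that would stop a reply claiming "it is 1970" from ever reaching the clock. The packets it judges are constructed inline, and the floor value (the firmware's assumed build date, 2014-01-01 00:00 UTC) is an assumption chosen for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NTP_PACKET_LEN 48
/* Seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01). */
#define NTP_UNIX_OFFSET 2208988800ULL
/* Assumed floor: the build date of the firmware, here 2014-01-01 00:00 UTC.
 * Any reply claiming an earlier time cannot be right. */
#define EXAMPLE_BUILD_TIME 1388534400LL

enum ntp_verdict {
    NTP_OK = 0,
    NTP_ERR_SHORT,        /* fewer than 48 bytes */
    NTP_ERR_NOT_SERVER,   /* mode field is not 4 (server reply) */
    NTP_ERR_VERSION,      /* version is not 3 or 4 */
    NTP_ERR_STRATUM,      /* stratum 0 (kiss-o'-death) or above 15 */
    NTP_ERR_ZERO_TS,      /* transmit timestamp never set */
    NTP_ERR_PRE_1970,     /* timestamp earlier than the Unix epoch */
    NTP_ERR_BELOW_FLOOR   /* earlier than a time known to have passed */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse an NTP server reply (RFC 5905 layout) and convert its transmit
 * timestamp (bytes 40..47, seconds since 1900) to Unix time, refusing any
 * value earlier than floor_unix.  Era 0 only, which covers 1900..2036. */
int ntp_accept_reply(const uint8_t *pkt, size_t len, int64_t floor_unix,
                     int64_t *unix_out) {
    if (len < NTP_PACKET_LEN) return NTP_ERR_SHORT;
    unsigned version = (pkt[0] >> 3) & 0x7;   /* byte 0: LI(2) VN(3) Mode(3) */
    unsigned mode    =  pkt[0]       & 0x7;
    if (mode != 4) return NTP_ERR_NOT_SERVER;
    if (version != 3 && version != 4) return NTP_ERR_VERSION;
    uint8_t stratum = pkt[1];
    if (stratum == 0 || stratum > 15) return NTP_ERR_STRATUM;
    uint32_t tx_sec  = be32(pkt + 40);
    uint32_t tx_frac = be32(pkt + 44);
    if (tx_sec == 0 && tx_frac == 0) return NTP_ERR_ZERO_TS;
    if (tx_sec < NTP_UNIX_OFFSET) return NTP_ERR_PRE_1970;
    int64_t unix_sec = (int64_t)tx_sec - (int64_t)NTP_UNIX_OFFSET;
    if (unix_sec < floor_unix) return NTP_ERR_BELOW_FLOOR;
    if (unix_out) *unix_out = unix_sec;
    return NTP_OK;
}

/* Constructed packet, not a capture: a minimal mode-4 reply carrying only
 * the fields the check above reads.  The forged reply the text describes is
 * this packet with tx_sec = NTP_UNIX_OFFSET, i.e. "it is exactly 1970". */
void ntp_build_reply(uint8_t out[NTP_PACKET_LEN], uint8_t stratum, uint32_t tx_sec) {
    memset(out, 0, NTP_PACKET_LEN);
    out[0] = (0u << 6) | (4u << 3) | 4u;   /* LI=0, VN=4, mode=4 (server) */
    out[1] = stratum;
    put_be32(out + 40, tx_sec);
    put_be32(out + 44, 0x80000000u);       /* half a second, so the ts is non-zero */
}

/* Wrapper: build a reply and judge it against the build-time floor. */
int ntp_verdict_for(uint8_t stratum, uint32_t tx_sec, int64_t *unix_out) {
    uint8_t pkt[NTP_PACKET_LEN];
    int64_t t = -1;
    ntp_build_reply(pkt, stratum, tx_sec);
    int v = ntp_accept_reply(pkt, NTP_PACKET_LEN, EXAMPLE_BUILD_TIME, &t);
    if (unix_out) *unix_out = t;
    return v;
}

/* Unix time the reply would set, or -1 if it was refused. */
int64_t ntp_unix_for(uint8_t stratum, uint32_t tx_sec) {
    int64_t t = -1;
    return ntp_verdict_for(stratum, tx_sec, &t) == NTP_OK ? t : -1;
}

int main(void) {
    /* 3613161600 = NTP seconds for 2014-07-01 00:00:00 UTC (Unix 1404172800). */
    printf("honest reply:  verdict %d, unix %lld\n",
           ntp_verdict_for(2, 3613161600u, NULL), (long long)ntp_unix_for(2, 3613161600u));
    printf("epoch reply:   verdict %d\n", ntp_verdict_for(2, 2208988800u, NULL));
    printf("kiss-o'-death: verdict %d\n", ntp_verdict_for(0, 3613161600u, NULL));
    return 0;
}
```

The floor check is the part that matters for this bug: a genuine server on the open WiFi and a rogue one look identical on the wire, so the client has to refuse on content, and "earlier than my own build date" is a test no honest clock can fail.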

All in all, this vulnerability may not look like much to an average user.

But for technicians with evil intentions, it is easy to exploit.

And its consequences are serious.

There is only one remedy for a phone that has hit this vulnerability:

open the machine and cut off the power.

After disassembling the iPhone, the battery has to be disconnected from the logic board.

Then the phone is left alone for a while so that the charge held in its internal capacitors drains completely.

After that the battery is reconnected and the phone powered on, and iOS comes back to a normal working state.

The principle is simple: with power fully removed, the phone's internal clock hardware loses its count and the relevant state is reset.

After the next restart the bug no longer bites.

Of course, this is only a temporary escape from the bug.

If the time is changed again, or set once more to January 1, 1970, the problem comes straight back.

It sounds simple, but in practice it is hard, since few people are comfortable taking a phone apart.

And the disassembly itself does damage to the iPhone.

In short, this incident had a great impact. Lin Hui remembered that this incident had a very bad impact in his previous life.

This loophole in the past life covers a wide range.

It covered roughly these system versions: iOS 8.0 through iOS 9.3 beta 3,

on devices with 64-bit processors.

Although the official version of iOS 8 has not been released yet.

But the iOS 8 beta version already exists.

There is no reason a bug present in the release build would be absent from the beta.

However, out of caution, Lin Hui found a spare iPhone 5s.

Lin Hui remembered that he seemed to have bought this when he bought a bunch of computers not long ago.

Tsk tsk tsk.

Use an intact phone to test the "brick bug".

To be honest, the cost of testing vulnerabilities is a bit high.

But this cost is nothing compared to the rewards that will be obtained.

Apple's security people are not fools either.

The value of the vulnerability Lin Hui would submit was not yet clear.

After flashing the iOS 8 beta,

Lin Hui ran the test.

Lin Hui also videotaped the test process.

After some testing,

Lin Hui found that the vulnerability that bricks the system on restart after changing the time was still there.

It made sense that it existed.

It would have been abnormal if it didn't.

As long as the Apple phone's underlying system is Unix-derived and handles time this way,

this vulnerability will be there.
