
A newly uncovered iOS vulnerability could have allowed attackers to remotely sabotage and brick iPhones with just a single line of code. Apple fixed the flaw, which was hidden deep within its internal messaging system.
App developer and security researcher Guilherme Rambo has helped Apple discover and fix a serious vulnerability related to Darwin notifications, a low-level interprocess communication mechanism in Apple’s operating systems.
No special privileges were needed to send or receive Darwin notifications, and nothing verified the sender. They were available as a public API: any process on iOS, including sandboxed apps, could post these notifications, which are normally used for basic updates and status changes.
Although a Darwin notification carries very little data, the researcher realized that it can still interfere with system operations, because certain system components react to specific notifications in ways that disrupt normal device functionality.
Rambo first demonstrated a proof of concept, an app named “EvilNotify.”
It could cause the device to display specific icons in the status bar, such as for “liquid detection,” trigger Display Port connection status in the Dynamic Island, and block system-wide gestures for pulling down Control Center, Notification Center, and Lock screen.
The nefarious app could also disregard Wi-Fi and force the system to use the cellular connection instead, lock the screen, and trigger the device to enter a “restore in progress” mode, among other things.
“Since I was looking for a denial-of-service attack, this last one (‘restore in progress’ mode) seemed to be the most promising, as there was no way out of it other than by tapping the ‘Restart’ button, which would always cause the device to reboot,” the researcher noted.
A single line of code in the app was enough to cause this crash.
The notifications worked even when the app was not in the foreground, meaning that the device would reboot repeatedly. Rambo also created a “VeryEvilNotify” widget extension that would effectively soft-brick an iOS device, requiring an erase and restore from backup.
“I suspect that if the app ended up in the backup and the device was restored from it, the bug would eventually be triggered again, making it even more effective as a denial of service,” Rambo said.
The researcher disclosed the issue to Apple on June 26th, 2024. Apple acknowledged the bug and fixed it in subsequent security update releases. “Sensitive notifications now require restricted entitlements,” reads the explanation provided by Apple to the researcher.
Rambo confirmed that “more and more processes began adopting the new entitlement for restricted notifications, and with the release of iOS 18.3, all issues demonstrated in my PoC were addressed.”
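The root cause described above (a public notification API with no sender check) and the fix (restricted entitlements for sensitive notifications) can be illustrated with a small model of the authorization decision. The following C program is an added example, not Apple's implementation or the researcher's proof of concept: it models a notification broker before and after the fix. The notification names and the entitlement string are constructed placeholders, and the real Darwin notification API (`notify_post` and friends) is deliberately not used, so the program builds and runs anywhere.

```c
/* Added example, not Apple's code or the researcher's PoC: a model of the
 * sender check that the fix ("sensitive notifications now require restricted
 * entitlements") implies. Notification names and the entitlement string are
 * constructed placeholders; the real iOS values are not reproduced here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical entitlement a process must carry to post a restricted name. */
#define RESTRICTED_ENTITLEMENT "com.example.darwin-notification.restricted"

/* Constructed set of notification names the broker treats as sensitive. */
static const char *const RESTRICTED_NAMES[] = {
    "com.example.system.restore-in-progress",
    "com.example.system.lock-screen",
    NULL,
};

/* A posting process as the notification broker sees it. */
struct sender {
    const char *label;
    const char *const *entitlements;  /* NULL-terminated list */
};

/* Two constructed senders: a sandboxed third-party app with no entitlements
 * and a system daemon that carries the restricted entitlement. */
static const char *const APP_ENTS[] = { NULL };
static const char *const DAEMON_ENTS[] = { RESTRICTED_ENTITLEMENT, NULL };
const struct sender SANDBOXED_APP = { "third-party app", APP_ENTS };
const struct sender SYSTEM_DAEMON = { "system daemon", DAEMON_ENTS };

static bool in_list(const char *const *list, const char *needle) {
    for (size_t i = 0; list[i] != NULL; i++)
        if (strcmp(list[i], needle) == 0) return true;
    return false;
}

bool name_is_restricted(const char *name) {
    return in_list(RESTRICTED_NAMES, name);
}

/* Pre-fix behaviour: any process may post any name; nothing checks the sender. */
bool legacy_post(const struct sender *s, const char *name) {
    (void)s; (void)name;
    return true;  /* always delivered */
}

/* Post-fix behaviour: public names stay open to everyone, restricted names
 * are delivered only when the sender carries the entitlement. */
bool hardened_post(const struct sender *s, const char *name) {
    if (!name_is_restricted(name)) return true;
    return in_list(s->entitlements, RESTRICTED_ENTITLEMENT);
}

int main(void) {
    const char *names[] = { "com.example.app.refresh",
                            "com.example.system.restore-in-progress" };
    const struct sender *senders[] = { &SANDBOXED_APP, &SYSTEM_DAEMON };
    for (size_t i = 0; i < 2; i++)
        for (size_t j = 0; j < 2; j++)
            printf("%-16s posts %-40s legacy=%-9s hardened=%s\n",
                   senders[i]->label, names[j],
                   legacy_post(senders[i], names[j]) ? "delivered" : "refused",
                   hardened_post(senders[i], names[j]) ? "delivered" : "refused");
    return 0;
}
```

The point of the model is the asymmetry of the fix: ordinary notifications remain a public, unprivileged channel, while only the names whose handlers can change device state are gated on an entitlement that sandboxed apps cannot obtain.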
The researcher was awarded a $17,500 bug bounty.