Privacy Please

S6, E257 - How Apple’s New Chip Rewrites Mobile Security

Cameron Ivey

We unpack how Apple’s Memory Integrity Enforcement changes the rules of mobile security by rebuilding memory architecture, not just adding guardrails. We weigh who should upgrade now, what this means for Android, and why people remain the biggest risk.

• memory corruption explained with apartment analogy
• why NOP sleds and heap sprays fail under MIE
• tags, type segregation, and synchronous checks at runtime
• market-share vs design: Apple, Windows, Android trade-offs
• Pegasus, zero-click exploits, and threat profiles
• game hacking parallels: reading vs corrupting memory
• should you upgrade: high-risk users vs everyday users
• why architecture-level security beats bolt-on tools


SPEAKER_01:

Alrighty then, ladies and gentlemen, welcome back to another episode of Privacy Please. Cameron Ivey here with Gabe Gums. And uh it's another week, another another thing happening. We got a pretty interesting topic to talk about today, Gabe, but before we get into it, how how are things on your end? How's uh how's life? Life's decent. No complaints. How are things on your end? Good. Just uh staying afloat in this crazy terrible economy.

SPEAKER_00:

In this economy, who can afford to stay afloat?

SPEAKER_01:

In this economy?

SPEAKER_00:

This economy, who could afford to feel terrible? I mean, and the rich get richer, right? So this economy, who could afford to get richer? Oh, that's right. Forgot about it. That's right.

SPEAKER_01:

Wait a minute. Um, all right, so there was a big thing, so let's dive in. Um there was a big thing that happened with Apple recently. Um, so Apple announced a new security feature in Apple or iPhone 17, which is called Memory Integrity Enforcement, MIE. It's built directly into the new A19 chip, and everybody's you know, security experts. Uh, I want to get your expert opinion, but security experts are calling it the biggest leap forward in mobile security in over a decade. Um so let's talk a little bit about what that actually is. So before we dig into that, Gabe, let's give the listeners a little history on what for the last 25 years, I think it was, um even uh uh Microsoft, you know, iPhone, whatever it is, people have been hacking into those using something called uh memory corruption.

SPEAKER_00:

Yeah.

SPEAKER_01:

Uh what is that what does that exactly mean?

SPEAKER_00:

So it means that so let's break it down quite simply. When when you're attempting to uh take over a system, there's different ways that you can go about that. One of the simpler ways is you can just get access to the users that have access, right? So like you know, you become the administrator. Um, but in other cases, you need you need to get you you you need to be able to get to that level, right? Like you don't even start out as the administrator, you might start out as a lower level, a level privileged user of the system. And so essentially, you need to get your malicious code onto the machine. Whether that getting the malicious code onto the machine is for the purpose of like getting again, like elevating your privilege or just like getting a foothold onto a device, you have to get your malicious code onto the system. And one of the more practical and reliable ways to do that over the last two and a half decades has been to yeah, use memory corruption techniques to corrupt memory that is either in use or not in use for that matter, but the memory on the system and put your malicious code into that memory. And so then when the system accesses that memory, it accesses your malicious code. Right. And so essentially what MIE memory integrity enforcement is doing, as the name suggests, is it's gonna make it more difficult for you to corrupt that memory. Um and hell, memory corruption attacks, you know, go back even before, well, I guess certainly uh hacking and slash cracking. So even like early video game cracking, like, you know, relied on similar techniques where the game, when it started up, would look within a certain space in memory to check if information you entered, like the serial number, was valid. And so you could crack games by getting the memory to always return a true statement when it checked that memory. Like, so corrupting memory has been a cracker and a hacker's like essential tool for a long time. 
I'll give the listeners one more slightly technical one and we'll we'll kind of get back to it. But this is why it's been it's such, it's it's such kind of it's it is really a big deal. Like, I'm inclined to agree that this is one of the more like legitimately useful security advancements in a very long time. And thankfully, it's not just some you know security product one needs to go buy. Like doing this, building this into the infrastructure is definitely going to change the game. So there's another um attack technique called a you know a NOP sled. Um it's called a no operation slide, so no-op sled, NOP sled, NOP, it stands for no operation, right? So it's an instruction that tells your processor, in this case the A9 processor, to do nothing. And then sled, right? It's a slide or a runway. And so when you put those two things together, what you get is you get this sequence of do nothing instructions. So a list of do nothing instructions in a row, and they almost act like a runway leading right to your malicious code. And so why is this necessary and how does it work? So, like when you corrupt memory bugs inside of machines, you don't always know where that corruption might land in memory. Because in memory, there's you and I were talking offline about this, you can use an apartment analogy. Every apartment is a different memory block. So when you get an application to overflow its memory buffer, you might not know where it's gonna overflow into. So you might flood apartment 1A, and you're trying to figure out where that spill is gonna land because you want to put your malicious code in apartment 2B, but you don't know what it is. So no operation sleds essentially allow you to put it at the all the way at the end of this memory block. And then no matter where in this block it lands, it will find your malicious code. So memory integrity enforcement completely breaks shit like this, too, which is huge. 
Memory integrity enforcement will break every single no operation sled, which is a sign like that's a lot. That that is just again, that is a common tool in the tool belt of the average attacker cracker, right? But here's how it breaks it every every apartment now has a unique tag. So you would need to span multiple tagged apartments somehow, but they all uniquely tag, so the system knows these aren't these aren't related. They also what they also segregate them by type. And so each memory is now segregated by type. So if you try moving data types across them, that's also gonna fail. There's now synchronous checking, so any mismatch in those taggings, et cetera, is gonna cause it to fail. So, like this, I do have to agree, apologies for the the propellerhead rant there, but this is a significant, this is a significant advancement in in security. And it's simply through changing fundamentally how the architecture of memory works. And this is what this is what I think is really important for all of security to pay attention to. We can't just keep trying to build more security tools and slap them on top of already broken infrastructure. We've got to change the very infrastructure.

SPEAKER_01:

So are you saying from what I was hearing you say, with this new development for the iPhone, is it more of like instead of just putting up guardrails or band-aids, they've actually done, they've built something smarter. Yes. Right?

SPEAKER_00:

Yeah. Okay. They've completely changed how memory works and is allocated on the chip as opposed to trying to build something on top of it that maybe checks before it goes into memory or checks after it, as it checks while it's running. We have tons of security tools that do all those things. But ultimately, none of them solve the problem, which is that the memory environment itself should have been able to protect itself. The apartment building shouldn't allow you to punch through the hole in 1A and get to 1B and essentially give you a way to throw your malicious code in there. It should have never allowed for that.

SPEAKER_01:

That's crazy. What was it? Give give me a real-world example, like a simple example of why someone wouldn't hack into an iPhone. Well, actually, that's a silly question. I know why they want to steal all your information.

SPEAKER_00:

You want to steal your information? There's there are you know, there's that technology, Pegasus, that is sold um largely to governments as a spying tool. Um that's true. It allows it allows uh allows you to to execute remote code and land completely unknown onto devices like iPhones. It it closes a lot of holes, it closes a lot of windows for attack. Um it I without question, in my professional opinion, the iPhone 17 might just be one of the most secure phones in the market now. Yeah. Yeah. Well, I'm glad I have one. Well, good for you. I I um it's a struggle because like I'm a big fan of the Android phone platform, huge fan. Um, it it allows for a lot more flexibility, allows for greater privacy control, but it's really difficult to turn like privacy without security is nothing. So Yeah.

SPEAKER_01:

Well, while we're on that subject, like we were talking about offline. Let let me let me set you up here. Because I think uh the general public would think, okay, Apple has always had that reputation, and maybe it's the reputation that is kind of maybe people just don't understand. And but for the longest time, I always thought, at least personally, that Apple has always been a very safe like operating system, you know, it was very hard to quote unquote hack. And it was always like a consistent kind of thing. When you look at Microsoft or Android, those were there were more holes there. And because I think of the flexibility like you were talking about, does that I mean, is there is there a misconception there with the Apple thing over these years when it comes to privacy?

SPEAKER_00:

There is a little bit of um a little bit of oversubscribing to that, maybe. I don't know if it's a misconception, it is it is a true statement, but maybe for not all the reasons people have thought, right? So, and maybe not as as as greatly to the degree as those have thought. Some of it is just about attack surface. And so, you know, if you want to have the greatest impact, let's say you're a terrorist, you yeah, whoa, whoa, whoa, whoa. Don't negotiate with them. Don't at them and don't negotiate with them. But you you might not spend time planning an attack against a town with 500 people. You might plan an attack against a town with five million people, and so part of the the security has always been uh a market share relationship. Yeah there are there were always a larger number of Windows end users to go after, right? Like from a ransomware perspective, et cetera, right? Like there were always just more of those to go after. So if I'm writing exploits and I'm trying to throw as wide of a net as I can, yeah, you know, I go after I I go into the city with more people, I go into the f the pond with more fish. So that has definitely always been part of it. No two ways about it. Okay. Um, but there is also part of it has been some of the design choices and some of the and some of the the overall technology choices has made some of those platforms more secure than others. Yes. Um Apple devices definitely have have uh have enjoyed better security based on some of the fundamental decisions. But some of those fundamental decisions were easier to make also because Apple controls its hardware and its software ecosystem. When you buy a Mac, you buy a hardware device and you buy that operating system. When you buy Windows, you can buy it separately as just software, or you can go buy a Lenovo, a Dell, an Acer, right? Like those are all different hardware. 
And Microsoft has to get their technology, their operating system has to run across an ungodly number of different types of hardware. Pretty much an infinite number of different types of hardware has to be able to run Windows. Apple does have the luxury of controlling the hardware ecosystem of their platforms. So it only has to run on a limited. So you get to, you already start out by controlling your attack surface a bit more. And so, you know, the the consumer notion that Apple is a quote more secure platform isn't untrue. But, you know, the nuances that I just described might better help understand why that that statement is is not just about security. Because if the numbers flipped overnight and more people, you know, ended up with MacBooks in their home than than Acers and Lenovos, then that that paradigm could shift just like that.

SPEAKER_01:

But you know, it's probably not not always. I got some deeper questions I want to ask. Um, but before we do that, you did mention something about like video game corruption, I believe. And it may or may not have mentioned cracking video games, of which I may or may not have had some history with that in my Can I Okay, well, I want to I wanna dig in that because um I'm always curious for context, if anyone listening is a gamer, you would understand um like a game like uh Destiny 2. Destiny 2, we've had to deal with I I couldn't play it anymore because there were so many hackers that would uh corrupt the game to cheat, basically. My my question to you, like you've hacked games in the past because you're an ethical hacker. What's the motive? Like, why is it just to like make games just to see what you can do with them? Is it the curiosity? Like, what is the reason to hack a game? Is it to piss off other people? Like, what's what's the motive there?

SPEAKER_00:

I mean, you're you're definitely asking a super subjective question. I can tell you for myself, it it was always curiosity. It was always curiosity. Um even the ones that I I cracked, um, I paid for them. I I legitimately wanted to understand. I was, you know, I came across you know some things in like Phrack magazine that that taught you how to do it. I was like, oh my God, this looks awesome. I have to, I had a I like I have to understand this. I want to figure this out. Um, I don't I'm super hyper competitive, so for me, there's not a lot of fun in actually cheating, right? Like winning by cheating doesn't do it for me. But I think like that differs, right? Because, you know, there's also a whole other level of competitors that will absolutely cheat to win, because you know, like that's why people dope. Like, because they're they're hyper competitive, but in a different way. Like, I I get very competitive, and for me, cheating just wouldn't satisfy me in the same way. Like it just wouldn't, it just wouldn't satisfy me. Like, I'd rather lose go home, get better, come back and whoop that ass again, right?

SPEAKER_01:

I agree. I mean, that's yeah, because that the the whole point of like games that are hard is is like that grind of like that's the fun part about it. That because it almost relates to life in general, like the grind of life, yeah, the journey and the growth and like getting better at something instead of just skipping to the end, and then you're like, well, fuck, I beat it. Now what? Like that was you know, like what's the point of that? Uh I don't know. Cheating in games is interesting, but hacking them and um out of curiosity to explore and see what you can do is kind of more interesting for sure. Yeah.

SPEAKER_00:

But okay. So some of the so some of the attacks that that some of the some of the the uh the hacking that you saw like in Destiny 2 was also very much based on on memory type attacks, right? So like some of them read memory locally so that they could do things like go through walls, etc. Right? Like if you just write space memory, yeah.

SPEAKER_01:

Basically, you have a gun that doesn't like you don't even have to aim, it just you know, like crazy things like that, yeah.

SPEAKER_00:

Right, right, right, right, right.

SPEAKER_01:

They'll have like a uh a rocket launcher or something where like a uh hand cannon that's a rocket launcher, just something crazy that they so think about it this way: like the game needs to know where you are in the world.

SPEAKER_00:

Right? And so you can be behind a wall. And I don't know you're behind that wall, but the game needs to know that you're there. And so like that information about where you are is in memory. Ah okay. Yeah, that makes sense. And so if I can read that memory, like forget even corrupting it. If I can just read it and know, like, ah, Cameron's there.

SPEAKER_01:

Like Okay, yeah, because there's point there's actually points in the game where you can you have a radar that shows you where people are. Yeah.

SPEAKER_00:

So there's probably a way that people cheat to have that radar always on. And that and that legitimate functionality that is used to even show you like where your teammates is, is the same legitimate functionality that you can try and and and exploit. Like it that that that information is stored in memory, like ah, and it updates memory as Cameron moves. Like, ah, Cameron's a position blank, flank, yeah, and if I can read that position, then yeah.

SPEAKER_01:

The other ways that you know that someone's cheating in that game is when they glitch, they will physically glitch where you can't even hit them because they're always moving in a weird in a weird way.

SPEAKER_00:

Probably messing with memory also. Like the memory thinks it was here, and then all of a sudden it's like, no, it was over here. Like, wait, yeah.

SPEAKER_01:

So you're basically just poking holes and making, yeah. It's an okay, that's another good analogy, then the video game one. Um so do you, Gabe, if you're let's say you're an Android user, you're an iPhone user, you've had it for a while, is this is this type of new update from Apple, is this worth upgrading for?

SPEAKER_00:

I think that's an individual assessment. I think everyone's gonna have to make that assessment on an individual basis, and here's the primary reason why. Um it's really about threat profile, right? So who you are and what were you worried about in the first place? So the average user was already pretty safe. They were already pretty safe if they are on an iPhone, and even if they're on an Android, they're pretty safe. Um, the bonus that you're gonna get here is a little bit more of maybe like military grade security. Uh arguably, however, if privacy matters to you, you can never be secure enough.

unknown:

Okay.

SPEAKER_00:

Privacy matters, you can never be secure enough. But for the average user, is it worth dropping the cash and upgrading? I don't know that it is, because it's a lot of cash. Like it's expensive. Now, if you're a high risk person, if you are an activist, a journalist, an executive, um, you know, maybe at a publicly traded company, a cybersecurity company, then yeah, I think if you fall into the high-risk category, people, it's worth it. That that dropping an extra two G's to do this is absolutely worth it. I I think so. I do believe so. Um it does depend on your own threat profile.

unknown:

Yeah.

SPEAKER_00:

Well, I tell would I tell my mom to go upgrade to the 17? No, I don't think she needs to worry about it. Do I think um, you know, if if you are if you were journalists at all, should you? Yes, 100% you should.

SPEAKER_01:

You hear that journalists? Go upgrade. Yeah. Okay, so I don't think we've ever seen a history of Android or Microsoft or whatever kind of following suit with what Apple does. Maybe they do in their own way. Do you feel like Android would follow suit with a feature like this that's built internally to the phone?

SPEAKER_00:

Uh so I have to plead a tiny bit of ignorance. I'm not certain if they do not have uh I don't so they actually I think I know the answer. So I'm still gonna plead a little bit of ignorance. That's fine. We don't know everything, Gabe, and it's okay. Well, because here's the thing much like my Apple analogy and you know the iPad versus a Windows laptop, Android phones have the same challenge. They use different chips. Samsung uses a different chip than Huawei, than you know whoever else makes other Android phones, than the Google phone, they're all different chips. This security feature is built into the A9 chip. So if any of those other Samsung phones are already using the A9 chip, which I don't think they are, I think it's exclusive to Apple, then they would get the benefit of this. Um, do I expect to see this come to Android phones? I would hope so, but it would require the chips that they're using to adopt these features. So this isn't just a matter of updating the Android software layer. This is a matter of updating the chip that the Android software sits on top of. This is again where Apple has that advantage. They control the ecosystem of their hardware and their software.

SPEAKER_01:

Do they also? I haven't looked it up and maybe we don't know, but I'm pretty sure this MIE feature is probably proprietary to them. Is what you're saying, maybe? It is proprietary to that chip. That chip, okay. Interesting. I guess maybe, and I I'm gonna play the dumb person here because, well, I'm not playing it. Sometimes I am it. And I'm okay with admitting it. How I mean when you learn Yeah, I mean, well, you know, I can always research, but um No, I meant by admitting that we do not know things. Yeah, honestly, I don't um I I learn in the action sometimes. I'm not I'm not a huge reader, but anyways. How how does I mean everybody's got their own individual phones? How does one hack? How do how do you like not get hacked in the first place? Is this something when someone's in passing, or do they hack through your network? Is there multiple ways to do it? Like, what does that look like? What should people be looking out for?

SPEAKER_00:

There are some attacks that don't require any interactions from you at all. Someone can simply send a message to your iPhone. Got it. That you do not even have to interact with, and it will so basically like a phishing email, but to your except one you don't even have to open. And so those types of attacks do exist. Those types of again, those are the kinds of things that like Pegasus is designed for. It is it is designed to uh to be able to to that efficiently and silently um infiltrate someone's mobile device. And every year there's a competition called Pwn2Own, PWN, number two, OWN. And they give out large prize money for these no interaction remote code execution exploits, like I just described, the remote code execution exploit, something that you can execute remotely that does not require any interactivity, that will on the black market, gray market, and the otherwise I guess one should only call it a gray market, but on both the gray market and the black market of exploits, these things sell in the six to seven digit range. And what's likely to happen is MIE is probably only going to drive the price of that up. If you're able to discover attacks, remote, no interaction, remote code attacks against an iPhone 17, that that's worth easily seven seven figures and above.

SPEAKER_01:

Damn, I missed this earlier, and that might have helped me uh better understand the research, but it was saying that they did six real attack chains that all failed with the new chip. So I guess you kind of named some of those chains, correct?

SPEAKER_00:

Yeah, yeah, like no operation sleds. Yeah, there's there's different kinds. Absolutely. There's heap spraying attacks where you essentially just you you try and throw your payload across multiple different parts of it. Yeah, yeah. There's there there are different, there are different uh some of them aren't even corruption necessarily. Some of them are just you know getting unauthorized access to it, reading parts of memory that you aren't supposed to have access to read, right? Like again, back to that analogy of the apartments. Like you're not even supposed to be able to peek into the apartment and know what's in there. But knowing what's in there gives me information.

SPEAKER_01:

Now, with all that being said, Gabe, this is a great feature, good step ahead for mobile security for sure. But the number one thing that you gotta remember, people, is that it doesn't fix people.

SPEAKER_00:

No.

SPEAKER_01:

Because the people that have the phone could still make the mistakes. Yeah.

SPEAKER_00:

Yeah, yeah, yeah, yeah, yeah, yeah. There's uh you can build a better mouse trap, but Mother Nature will build a better mouse. Mouse rat. That's right. That's right. Cocaine mouse.

SPEAKER_01:

Oh man, I can't. Well, you've lived in New York, so you've probably seen some monsters. Definitely seen cocaine mouse. There's no two ways about it. Like, what's the biggest size you've ever seen, like of a rat? I mean.

SPEAKER_00:

Nose to tail, my my forearm, easy. Like we're sure that wasn't splinter, right? No, I mean I'm not sure, but you ever seen that video of pizza rat in New York City? That dude's just fucking No. He's yeah, he's dragging a whole slice of pizza up a flight of New York City stairs subway stairs, like middle of rush hour. Like, just like people are just like, as you were, sir. At your slice.

SPEAKER_01:

What's going on, Frank?

SPEAKER_00:

You would push it. No, that's just just Frank. He's just at getting a slice. Slice!

SPEAKER_01:

I love that. Um, any other any other points we want to lay out that we didn't touch on?

SPEAKER_00:

No, this is this is one of those more interesting security. Like, you don't get a lot of these like really big leaps in security that happen like that. There's been tons of breaches this week we could have reported on, etc. But this one is game-changing. It's game changing from a privacy perspective, too. Again, who should who should be taking note? You know, journalists of the world, anyone with serious privacy worries, they definitely, definitely, you might want to highly think about and or investing in uh in this in this technology. Yeah, you think Trump has an iPhone 17? Um I don't know. I I don't know at all, actually. I I hope he has I hope he has something very secure. Uh I mean I know our I know the US government began adopting things like Blackberries, secure Blackberries back when Obama entered office and moved away from proprietary um black phones. Uh I don't know. I presume that I presume that at that level there's probably different phones for different purposes. I would imagine and would hope so.

SPEAKER_01:

Yeah, that's true. I mean, this would this the this MIE uh chip, it took five years to develop. Uh apparently they kind of did it in quiet. Yeah. So I mean, um, it's pretty fascinating. And we'll see if uh others will follow suit, or I'm sure hackers will find a way in and then they're gonna have to adapt and grow just like everything else.

SPEAKER_00:

That's the thing about making architectural changes. It it this makes it exponentially harder. This isn't this isn't just a basic cat and mouse game any longer. Like it completely changes how the apartment building is even built. So, you know, again, just boring a hole through the wall isn't enough anymore. Like, it just it changes the nature of not just what you have to attack, but how you have to attack it. It's huge. It's yeah, it's not this is not an incremental advancement at all, not in security. Security and proof and privacy. This is beyond incremental, this is exponential.

SPEAKER_01:

There you have it on privacy, please. Appreciate it, Gabe. Appreciate you. See you guys next week.
