Google Project Zero researchers are back with another exploit for iOS 10. This one goes in through Wi-Fi, and here is how it works.
What is OneRing?
OneRing is a new exploit developed by Google Project Zero researcher Gal Beniamini. It was tested on an iPhone 7 running iOS 10.2 and ends with read/write access to kernel memory, reached over the air: the attacker first compromises the phone's Wi-Fi chip and then pivots from the chip into the host kernel.
It was written for the A10 (iPhone 7), but can be adapted to A8 and A9 devices with some modifications.
A7 devices are not supported, because they use USB rather than PCI Express for communication between the host and the Wi-Fi chip, and the exploit relies on the PCIe link.
Here’s how this exploit works.
- Connect a SoftMAC Wi-Fi dongle to your computer. A SoftMAC device (one whose driver leaves 802.11 frame handling to the host, i.e. Linux's mac80211) is required, because the attacking access point needs host-side control over the frames it sends.
- Compile the “hostapd” from the exploit bundle.
- Edit the configuration to match your target device model and firmware version.
- Assemble the backdoor shellcode by running “assemble_backdoor.sh”.
- Assemble the remaining code chunks.
- Run “hostapd”.
- Connect the target device to this Wi-Fi network.
- Run “attack.py”.
- The script finishes with read/write access to the target's kernel memory.
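The first and third steps are where most people get stuck: telling whether a dongle is actually SoftMAC, and producing a hostapd configuration the target will join. The script below is an added example written for this page; it is not part of the OneRing bundle or Project Zero's code. It checks whether a Linux wireless interface is bound to a mac80211 (SoftMAC) driver by inspecting the kernel module's dependency list, and writes a minimal open-AP hostapd configuration using the standard nl80211 backend. The interface name “wlan1”, the SSID and the channel are assumptions.

```sh
#!/bin/sh
# Added example (not from the OneRing bundle or Project Zero's code).
# Helpers for the setup steps above:
#   is_softmac IFACE                     - heuristic: is IFACE driven by a Linux
#                                          mac80211 (SoftMAC) driver?
#   write_ap_conf FILE IFACE SSID CHANNEL - write a minimal open-AP hostapd
#                                          config for the stock nl80211 backend.
# Interface name, SSID and channel used under --run are assumptions.

# Pure check on a modinfo "depends" list (comma separated):
# returns 0 if mac80211 is among the dependencies, 1 otherwise.
depends_on_mac80211() {
    case ",$1," in
        *,mac80211,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Resolve the kernel module bound to IFACE via sysfs and inspect its
# dependency list. Drivers that implement MLME on the host (SoftMAC) link
# against mac80211; FullMAC drivers such as brcmfmac depend only on cfg80211.
is_softmac() {
    iface="$1"
    modlink="/sys/class/net/$iface/device/driver/module"
    [ -L "$modlink" ] || return 1
    mod=$(basename "$(readlink -f "$modlink")")
    depends_on_mac80211 "$(modinfo -F depends "$mod" 2>/dev/null)"
}

# Emit a hostapd configuration for an open 2.4 GHz AP on IFACE. No
# encryption is configured on purpose: the target only has to associate,
# and the exploit bundle's hostapd does the rest.
ap_conf() {
    iface="$1" ssid="$2" channel="$3"
    printf 'interface=%s\ndriver=nl80211\nssid=%s\nhw_mode=g\nchannel=%s\nieee80211n=1\n' \
        "$iface" "$ssid" "$channel"
}

write_ap_conf() {
    ap_conf "$2" "$3" "$4" > "$1"
}

# Usage with assumed values: refuse to go further unless the dongle is SoftMAC.
if [ "${1:-}" = "--run" ]; then
    IFACE=wlan1
    if is_softmac "$IFACE"; then
        write_ap_conf hostapd.conf "$IFACE" OneRingTest 6
        echo "$IFACE is mac80211-based; wrote hostapd.conf"
    else
        echo "$IFACE is not a SoftMAC (mac80211) device; use another dongle" >&2
        exit 1
    fi
fi
```

Run it as `sh check_dongle.sh --run` on the machine the dongle is plugged into. The module-dependency check is a heuristic: where the mac80211 glue lives in a separate module from the one bound to the PCI or USB device (Intel's iwlwifi binds the device while iwlmvm is the mac80211 driver), it reports a false negative, so treat “not SoftMAC” as “check by hand with modinfo and lsmod”. A positive result only says the host has control of the frames; the exploit bundle's own hostapd and configuration still have to be used in place of this generic one.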
Can this be turned into a jailbreak?
In theory, yes: it could be used to build a jailbreak for firmware versions up to iOS 10.3.3.
According to jailbreak developer Siguza, OneRing could also be used to develop an untether for existing jailbreak tools such as extra_recipe, or be combined with xerub's KPPless to build a new jailbreak altogether.
There are a lot of powerful exploits publicly available for iOS 10 right now but no developer is working on them. Therefore, I don’t know how this is going to change the status quo for the better.