Monday, January 1, 2018

identityservicesd: What If Anyone Can Be You?

Khaos Tian (tweet):

Remember that super convenient, magical feature that allows you to send SMS on your Mac through your phone? It turned out the “it just works” part is only possible because your phone will just process any command send to it asking it to send SMS from the current number. And our beloved personal assistant, Siri? It’s also a dummy that just processes command without checking the command is from you. Both daemons don’t verify message origin and process the request when IDS delivered the request to them.

[…]

How are we suppose to separate individual identity away from the device that suppose to be your identity? Should individual be blamed for things their device did without the owner’s knowledge? I mean, with the SMS issue, one can literally put words in other’s mouth. All records will show the messages were sent by the owner of the device when the reality is that the device send those without the owner’s consent. The SMS is even logged on the victim’s device which cannot be achieved with traditional SMS spoofing techniques.

[…]

I found the IDS bypass issue on Dec 15th, then spent Dec 16th on scoping the affected daemons. Since I don’t want to do all the work free for Apple, I sent product-security an email asking about if I can get an invitation to join their security bounty program so I can report this one with some guarantee of the submission will be a bounty submission. […] Then the next day they fixed the issue from server side and said nope again.

Previously: Explanation of HomeKit Vulnerability.

1 Comment RSS · Twitter

[…] identityservicesd: What If Anyone Can Be You?, Explanation of HomeKit […]

Leave a Comment