Security researcher, SEAR.
Apple SEAR is hiring offensive security researchers!
We’re looking for talented researchers across multiple areas of security.
Check out the job description here:
https://jobs.apple.com/en-us/details/200623813-2911/offensive-security-researcher?team=SFTWR
If you’re interested in low level systems like RTOS, firmware, coprocessors, embedded components, or microkernels, my team would especially like to hear from you.
Feel free to reach out if you have any questions.
@fay59 I can attest that reverse-engineering one is definitely very slow and one is very fast. 🙃
Are you interested in bleeding-edge microarchitecture offensive security research, with a concrete impact on user security?
We have just opened a Microarchitecture Security Internship position at Apple, in SEAR LASER! ❤️🔥
Apply here: https://jobs.apple.com/en-us/details/200624069/microarchitecture-security-internship
After more than 9 years, this is my last week at Computest. I've had a great time here, especially in Sector 7, the security research team we started 5 years ago. Highlights for me are winning Pwn2Own with our 0-click Zoom RCE, our last-minute trips to Miami and Tokyo for other Pwn2Own events, and speaking at Black Hat USA, DEF CON, WHY2025 & MCH2022 and so many other places. I am very grateful for getting the chance to do this work, but now it is time for me to do something else and find some new challenges! 🔥
@matthijskooijman Ben je nog bezig?
@FlorentE_ That’s great, thank you!
First talk is done! I think it went quite well.
Next one is tomorrow at 19:00 (probably, it has been moved around a lot already) in Andromeda.
Made it to #WHY2025!
Last time we had to give 3 presentations, which was a bit much. So this time we’re doing 3 presentations again of course…
@eloy Others I recognise from memory:
H4s = Gzip
iVBOR = PNG
MII = X.509 certificate
@Catfish_Man Reminds me of my previous car, which had translated “dismiss” (to close an alert) into a word meaning “refuse”.
So every time it told me “drive carefully, it’s freezing outside” I had to tell it I refused!
Today on our blog we have a guest post from René Ammerlaan about multiple vulnerabilities he found in Ruckus Unleashed. The most impressive part was how he chained some of them together to go from access to the guest WiFi network to RCE on the controller itself!
@fj My dad used to work in that building. 🙂 He wasn’t involved in this project, but he did work on nanoscience. Getting to operate an electron microscope while visiting him there was really cool.
@rosyna Yes, at a minimum a few days, sometimes months after they publish the advisory.
@fay59 Just like the iPhone 9 right?
About 5 years ago, I reported a vulnerability in iOS allowing apps to spoof the app name when requesting to add a VPN profile. The app could just specify whatever text to show there.
Yesterday, two writeups were posted about other TCC prompts trusting the apps triggering them too much:
https://wts.dev/posts/tcc-who/
https://rambo.codes/posts/2025-05-12-a-privacy-mechanism-that-backfired
It does surprise me that Apple invests so much effort into their sandbox and permission system with the assumption that apps might be malicious, but then keeps messing up the UI around these features.
@0xabad1dea Yeah, I agree. It’s probably the Apple PR department wanting to emphasize how “highly sophisticated” and “rare” these attacks are compared to other malware.
@0xabad1dea @lorenzofb It does seem to line up with how they describe it here:
https://support.apple.com/en-us/102174
(The page has a Dutch translation as well but I’m not sure if they translate the notification emails too.)
@still dm-verity might not even be enough. You can still mount an overlay over or mount a different filesystem inside a dm-verity mount.
I’ve seen a couple of devices that put a r/w overlay on /etc (I guess because making that directory read-only would be too hard). That also allows for easy persistence despite the dm-verity.
If you want to restrict what executables are started to those on dm-verity mounts you need something like XPin from Tesla:
@eloy I am curious how many call their page “captive wifi” instead of “captive portal”, because every time I see it named that I wonder if I’m actually in prison.
@eloy Not just free, they even gave you backdated certificates to avoid stricter rules!
