#OBTS

Lukas Arnold (@lukasarnld)
2025-10-27

I just published the slides of my v8.0 talk about Apple's baseband. Our C1 loader is now available on GitHub, and you can find a recording on YouTube.

lukasarnold.de/posts/obtsv8-ta

Stuart Ashenbrenner (@stuartjash@infosec.exchange)
2025-10-22

My slides from #OBTS (BlueNoroff's Clues w/ @birchb0y) and the @objective_see #WeTalks (Slide Hustle) are now up. They are keynotes, so feel free to download. Additionally, I'm working on my first tutorial on building slides - coming soon. Enjoy!

notes.crashsecurity.io/notes/b

2025-10-21

Feeling FOMO because I was at one cool thing over the weekend that prevented me from being at two other cool things #OBTS and #NoKings. But on the bright side it looks like the protests went amazingly well. Super excited to see what actions come out of the connections people made while joyfully speaking their minds.

Guillaume Ross (@g@irrelephant.co)
2025-10-16

Day two, here we go #OBTS #OBTS8!

Lukas Arnold (@lukasarnld)
2025-07-24

I'm glad to be back at v8.0 with a talk about Apple's baseband and carrier profiles

objectivebythesea.org/v8/talks

Guillaume Ross (@g@irrelephant.co)
2025-03-24

Ticket to #OBTS 8 acquired!

Missed every previous instance of it due to conflicts. Not this time!

objectivebythesea.org/v8/index

2025-01-12

Objective by the Sea slides/recordings are posted to their site. Check it out for great research on all things macOS security.

objectivebythesea.org/v7/talks

#obts #macosmalware #macos #threatintel #vulnerability

Lukas Arnold (@lukasarnld)
2024-12-28

You can find the recording of my talk about iPhone basebands and Apple Location Services on YouTube: youtu.be/DqOOggWDtes

2024-12-21

Exciting! My talk recording just dropped from #OBTS v7! 🗣️✨ Learn how to patch diff on Apple with #Ghidra, #ghidriff, and #ipsw: "Patch Different on *OS": youtube.com/watch?v=Ellb76t7nr

noarfromspace 🏴‍☠️ (@noar@infosec.exchange)
2024-12-12

I was pointed at Apple Blocks plugin by @droe for @binaryninja during #OBTS conference 🏝️ and I totally recommend using it 🤘 #mahalo @droe and the #obts24 crowd 🙏😉 github.com/droe/binja-blocks

2024-12-11

"Mirror Mirror: Restoring Reflective Code Loading on macOS" (Patrick Wardle)

TL;DR In-memory execution is possible on macOS and used by bad actors. However, Apple has decided not to let processes see the memory of other processes as a privacy protection. Current detection will have to focus on what bad actors do after in-memory code execution. #detectionengineering

objectivebythesea.org/v7/talks

#obts #obtsv7

2024-12-11

"Unveiling the Apple CVE-2024-40834 - A "shortcut" to the bypass road" (Marcio Almeida)

Users can build automations called shortcuts and even send them to other users or share them. 💀 He demonstrated one attack vector where you could persist malware via adding code to the .zshrc file. I'm sure there are many more. There aren't a lot of guardrails on what these shortcuts can do.

For enterprises, I would consider banning shortcuts entirely if you can.
#detectionengineering

objectivebythesea.org/v7/talks

#obts #obtsv7

2024-12-11

"Mac, where's my Bootstrap? What is the bootstrap server and how can you talk to it?" (Brandon Dalton & Fitzl Csaba)

You can detect common classes of XPC exploits by looking at the code signing info on both sides of the connection. #detectionengineering

Code here: github.com/Brandon7CC/mac-wher

objectivebythesea.org/v7/talks

#obts #obtsv7

2024-12-11

"Tripwires in the Dark: Developing Behavior Detections for macOS" (Colson Wilhoit)

Mac malware is increasing and is increasingly targeted across verticals. Behavioral detection is an important part of defense. Detecting malware based on behaviors (i.e. this command ran then this command after it) is much more reliable than brittle indicators like IP addresses or hashes. (Though those detections have their place too.)

Colson and Elastic have released some rules here that might be useful for your org: github.com/elastic/detection-r
#detectionengineering #obts #obtsv7
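The post describes behavioural detection as "this command ran, then this command after it". The block below is an added example (not Elastic's rules and not the poster's code) showing what such a sequence rule looks like in practice: process-start events are grouped by host and parent process, and a rule fires only when its steps occur in order, in the same session, within a time window. The telemetry rows, host names, pids and the rule itself are constructed for illustration; the download-then-strip-quarantine pairing is just one ordered behaviour a rule might encode.

```python
"""Ordered-sequence behavioural detection over constructed process-start events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): one process-start event per row.
# Fields: timestamp, host, parent pid (used as the "session"), executable, command line.
RAW_EVENTS = [
    ("2024-12-11T10:00:00", "mac-01", 501, "curl", "curl -s https://example.invalid/u -o /tmp/u"),
    ("2024-12-11T10:00:04", "mac-01", 501, "xattr", "xattr -d com.apple.quarantine /tmp/u"),
    ("2024-12-11T10:05:00", "mac-02", 777, "xattr", "xattr -d com.apple.quarantine ./build/app.zip"),
    ("2024-12-11T10:05:10", "mac-02", 777, "curl", "curl -s https://example.invalid/ -o /dev/null"),
    ("2024-12-11T11:00:00", "mac-03", 900, "curl", "curl -s https://example.invalid/notes.txt"),
    ("2024-12-11T11:20:00", "mac-03", 900, "xattr", "xattr -d com.apple.quarantine ~/Downloads/notes.txt"),
]

# A rule is an ordered list of steps. Every step must match, in order, inside the same
# session, and within `window_s` seconds of the first step. (Constructed rule.)
RULES = [
    {
        "name": "download followed by quarantine attribute removal",
        "window_s": 60,
        "steps": [
            {"exe": "curl"},
            {"exe": "xattr", "args_contains": "com.apple.quarantine"},
        ],
    },
]


def parse_events(raw):
    """Turn the raw rows into dicts with real datetime objects."""
    return [
        {"ts": datetime.fromisoformat(ts), "host": host, "ppid": ppid, "exe": exe, "args": args}
        for ts, host, ppid, exe, args in raw
    ]


def step_matches(step, event):
    """A step matches on executable name and, optionally, a substring of the command line."""
    if event["exe"] != step["exe"]:
        return False
    needle = step.get("args_contains")
    return needle is None or needle in event["args"]


def group_by_session(events):
    """Group events by (host, parent pid) and sort each group by time."""
    sessions = defaultdict(list)
    for e in events:
        sessions[(e["host"], e["ppid"])].append(e)
    return {k: sorted(v, key=lambda e: e["ts"]) for k, v in sessions.items()}


def match_sequence(events, rule):
    """Return one hit per occurrence of the rule's full step chain within a session."""
    steps = rule["steps"]
    window = timedelta(seconds=rule["window_s"])
    hits = []
    for session, evs in group_by_session(events).items():
        for i, start in enumerate(evs):
            if not step_matches(steps[0], start):
                continue
            chain, idx = [start], 1
            for e in evs[i + 1:]:
                if e["ts"] - start["ts"] > window:
                    break  # later events are outside the window; order is guaranteed by the sort
                if idx < len(steps) and step_matches(steps[idx], e):
                    chain.append(e)
                    idx += 1
                    if idx == len(steps):
                        break
            if idx == len(steps):
                hits.append({"rule": rule["name"], "session": session, "chain": chain})
    return hits


def run_rules(raw=RAW_EVENTS, rules=RULES):
    """Evaluate every rule over the event set and return all hits."""
    events = parse_events(raw)
    return [hit for rule in rules for hit in match_sequence(events, rule)]


if __name__ == "__main__":
    for hit in run_rules():
        host, ppid = hit["session"]
        print(f"[{hit['rule']}] host={host} ppid={ppid}")
        for e in hit["chain"]:
            print(f"  {e['ts'].isoformat()} {e['args']}")
```

Only the mac-01 session fires: mac-02 runs the same two commands in the wrong order, and mac-03 runs them twenty minutes apart. Neither an IP nor a hash appears in the rule, which is what makes it survive a re-hosted or re-packed sample; the trade-off is that the session key and window have to be tuned to the telemetry source you actually have.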

2024-12-11

"A Better Way - YARA-X, Mach-O Feature Extraction, and Malware Similarity" (Jacob Latonis & Greg Lesnewich)

Things I learned:
Imports stored inside Mach-O binaries are rebuilt via finite state automata.
A pocket attribution guide for the DPRK. Enjoy the blurry picture of the slide below.

And . . . cool tools. YARA-X (written by Jacob) can parse Mach-O files. So now we can build YARA rules including dylib hashes (similar to imphashes for Windows) and entitlement hashes. #detectionengineering

objectivebythesea.org/v7/talks

#obts #obtsv7
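To make the "dylib hash, similar to an imphash" idea concrete, here is an added example (not YARA-X's implementation and not the speakers' code) that walks the load commands of a thin Mach-O, collects the install names from the LC_LOAD_DYLIB family of commands, and hashes the normalised list. The sample binary is constructed in memory from packed header and load-command structures so the block runs offline; the normalisation (lower-case, de-duplicated, sorted, comma-joined, MD5) is a modelling assumption, and the exact normalisation YARA-X applies should be taken from its documentation rather than from this block.

```python
"""Imphash-style dylib hash computed from Mach-O load commands (constructed sample)."""
import hashlib
import struct

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit, as read little-endian / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
LC_LAZY_LOAD_DYLIB = 0x20
LC_LOAD_UPWARD_DYLIB = 0x23 | LC_REQ_DYLD
LC_MAIN = 0x28 | LC_REQ_DYLD
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB, LC_LAZY_LOAD_DYLIB, LC_LOAD_UPWARD_DYLIB}
DYLIB_CMD_FIXED = 24  # cmd, cmdsize, name offset, timestamp, current_version, compat_version


def extract_dylibs(data: bytes) -> list:
    """Walk the load commands of a thin Mach-O and return dylib install names in load order."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic in (MH_MAGIC_64, MH_CIGAM_64):
        header_size = 32
    elif magic in (MH_MAGIC, MH_CIGAM):
        header_size = 28
    else:
        raise ValueError("not a thin Mach-O (fat/universal files must be sliced first)")
    endian = "<" if magic in (MH_MAGIC, MH_MAGIC_64) else ">"
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, 16)
    names = []
    offset, end = header_size, header_size + sizeofcmds
    for _ in range(ncmds):
        if offset + 8 > min(end, len(data)):
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, offset)
        if cmdsize < 8 or offset + cmdsize > len(data):
            raise ValueError(f"bad cmdsize {cmdsize} at offset {offset}")
        if cmd in DYLIB_CMDS:
            if cmdsize < DYLIB_CMD_FIXED:
                raise ValueError("dylib command shorter than its fixed part")
            (name_off,) = struct.unpack_from(endian + "I", data, offset + 8)
            if name_off < DYLIB_CMD_FIXED or name_off >= cmdsize:
                raise ValueError("dylib name offset points outside its load command")
            raw = data[offset + name_off : offset + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        offset += cmdsize
    return names


def hash_names(names) -> str:
    """MD5 over the sorted, de-duplicated, lower-cased install names (assumed normalisation)."""
    normalised = ",".join(sorted({n.lower() for n in names}))
    return hashlib.md5(normalised.encode("utf-8")).hexdigest()


def dylib_hash(data: bytes) -> str:
    return hash_names(extract_dylibs(data))


def _dylib_command(name: str, cmd: int = LC_LOAD_DYLIB) -> bytes:
    """Pack one dylib_command; load commands are 8-byte aligned in 64-bit files."""
    body = name.encode("utf-8") + b"\0"
    pad = -(DYLIB_CMD_FIXED + len(body)) % 8
    cmdsize = DYLIB_CMD_FIXED + len(body) + pad
    return struct.pack("<IIIIII", cmd, cmdsize, DYLIB_CMD_FIXED, 2, 0x10000, 0x10000) + body + b"\0" * pad


def build_sample() -> bytes:
    """Constructed arm64 header plus load commands: not a runnable binary, just the table we parse."""
    cmds = (
        _dylib_command("/usr/lib/libSystem.B.dylib")
        + struct.pack("<IIQQ", LC_MAIN, 24, 0x1000, 0)  # a non-dylib command the walker must skip
        + _dylib_command("/usr/lib/libobjc.A.dylib")
        + _dylib_command("@rpath/libswiftCore.dylib", LC_LOAD_WEAK_DYLIB)
    )
    # mach_header_64: magic, cputype (CPU_TYPE_ARM64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 4, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    sample = build_sample()
    print(extract_dylibs(sample))
    print(dylib_hash(sample))
```

Because the hash is over install names rather than bytes, two builds of the same tool that link the same libraries collide on it even when their code and strings differ, which is the clustering property the talk is after; the same property means an unrelated binary with the same import set also collides, so a dylib hash belongs in a rule alongside other features, not on its own.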

2024-12-11

"iPhone Backup Forensics" (Kinga Kieczkowska)

Bunch of useful stuff here, but also a spy tip: you can guess a person's location by profiling their apps. Apps like parking payment can be very localized.

objectivebythesea.org/v7/talks

#obts #obtsv7

2024-12-11

"Apple's not so Rapid Security Response" (Mykola Grymalyuk)

I have to admit, I didn't know much about RSRs. The July 2023 patch that broke everything was related to . . . how RSRs changed version numbers. RSRs added a letter to the OS version. Which was unexpected in user agents.

objectivebythesea.org/v7/talks

#obts #obtsv7

2024-12-11

"Triangulating TrueType Fonts On macOS: Reconstructing CVE-2023-41990" (Aleksandar Nikolic)

Fonts are so much more complicated than I thought. To handle low-resolution displays, fonts could specify how they should be displayed when they are scaled up and down. This complicated code allowed for an out-of-bounds memory write.

objectivebythesea.org/v7/talks

#obts #obtsv7

2024-12-11

"Unraveling Time: Understanding Time Formats in iOS Sysdiagnose for Security Forensics" (Lina Wilske)

Things I learned:
Sysdiagnose logs use multiple timestamp formats. Like way too many formats.
You can enable baseband logging for more granular timezone changes, but you have to re-enable every 21 days.

objectivebythesea.org/v7/talks

#obts #obtsv7

2024-12-11

"Endless Exploits: The Saga of a macOS Vulnerability Exploited Seven Times" (Mickey Jin)

Things I learned:
installd is for third party .pkg files
system_installd is for Apple-signed .pkg files

my idea for detection (not tested yet, ymmv) - installd writing to system volumes #detectionengineering

objectivebythesea.org/v7/talks

github.com/jhftss/jhftss.githu

#obts #obtsv7
