Really solid breakdown of how known spyware does the thing we all worry about: hiding camera/mic indicators.

An important note I think is that this capability requires kernel-level access to hook SpringBoard (iOS's UI controller) and hide those indicators. In other words, something your Facebook app cannot do.

https://www.jamf.com/blog/predator-spyware-ios-recording-indicator-bypass-analysis/

How Predator Spyware Defeats iOS Recording Indicators

An analysis documenting how a commercial spyware sample, Predator, operates post-compromise.

@mttaggart why are mic/camera indicators, if present, software controllable at all?

A proper design will power gate the mic or camera in hardware when disabled and use that power rail or the enable signal directly to drive the LED. Compromised software could still start recording without user consent but it would not be possible to hide the indication.

@azonenberg @mttaggart The JAMF article really should have mentioned that there’s a new hardware security feature that makes this attack no longer possible. On newer iPhones and iPads, the indicator lights are handled by the display controller and a “secure eXclave”.

@norkler @mttaggart If it's software at some level, it's still possible to potentially compromise even if there is no currently known attack vector to gain execution there.

If it's physically hardwired to the power rail for the mic/camera, there's no bypassing it without soldering and cutting wires.

(Also IMO having the mic-hot LED active when Siri is listening would be a feature, not a bug)

@azonenberg @mttaggart I agree that that would be optimal, but since the “LED” is just pixels on the display, I’m guessing pure hardware isn’t trivial (especially when dealing with brightness, etc., which might add software-controllable attack vectors even if it’s hardware-controlled). The iPhone 16+ and iPad Pro M4+ indicator light feature appears to run the software handling the light at a higher privilege level than the kernel (some sort of hypervisor?) so even a kernel compromise can’t stop it.

@norkler @mttaggart oh right, there's no hardware LED?

(this is something I miss about my new Pixel, all of my previous phones had an actual RGB indicator light that would show if you had pending messages etc. when the display was off)

@azonenberg @mttaggart Correct, only Macs have the hardware LED (for the camera only)

@norkler @mttaggart what was it, Alexa devices? I remember seeing something that actually had a hardware listening/muted indicator state and being very pleased that a piece of corporate spyware would do something actually right from a privacy perspective