frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

Open in hackernews

How a single line of code could brick your iPhone

https://rambo.codes/posts/2025-04-24-how-a-single-line-of-code-could-brick-your-iphone
189•sashk•7h ago

Comments

_rrnv•5h ago
Great work! This is my favourite type of vulnerability, simple, effective and brutal. Reminds me of a time two decades ago when with a friend from uni we theorised about a perfect server vulnerability where you’d exploit a machine by pinging it. And of course, two years ago it was in fact discovered as CVE-2022-23093.
Rygian•5h ago
Ping of death was already a thing two decades ago.

https://web.archive.org/web/19981206105844/http://www.sophis...

dgfitz•3h ago
This link doesn’t show me anything useful.
giantrobot•3h ago
Try scrolling down. On mobile (maybe because of ad blockers) Wayback pages have a full screen of white space above the page contents anymore for me. This happens on pretty much every Wayback page I've tried. It's also relatively recent and I'm not sure the exact cause.
jasongill•2h ago
Try https://insecure.org/sploits/ping-o-death.html
jasongill•2h ago
It was actually almost 3 decades ago, making me feel extremely old - the period right at the end of '96 and into mid '97 when this was a popular way to cause mischief via IRC was truly a magical time
anyfoo•24m ago
Hard to believe that during those times in IRC, you were used to automatically (and proudly) advertising your IP address, your exact client version, and the means for a direct connection to your client without any server in between (CTCP, literally “client-to-client protocol”). And all of that most often with no packet filter whatsoever, not even NAT, in between.

Everything was plaintext, including “authentication”, which was (at best) just asking the “ident server” on the same machine as your client who you claimed to be, which was considered sufficient because, after all, to run identd on its “privileged” low port meant you were an “administrator” (i.e. root of a unix machine).

chasd00•12m ago
Death on flaxxen wings
driverdan•1h ago
When I was in college circa 2001 we used to prank each other with the ping of death and other crash exploits. Also random IPs on the college network when we were bored. It was crazy how long it was around for and how easy it was to exploit.
NitpickLawyer•3h ago
Back in the dial-up days you could disconnect someone by adding ATH commands to a ping payload field.
brontitall•3h ago
Only if their modem didn’t implement the Hayes command set properly or you could otherwise control the per-character timing of the OS sending. It required a pause (1sec by default), “+++” with no pauses, another pause, _then_ the ATH command
wat10000•3h ago
Which was fairly common, as Hayes had a patent on those pauses.
brontitall•3h ago
Huh, TIL. I guess they might have used TIES

https://en.wikipedia.org/wiki/Time_Independent_Escape_Sequen...

NitpickLawyer•3h ago
I had an external USRobotics 56k modem, I was immune. But the many many "bulk" no-name modems were vulnerable. You could ping entire ranges of dial-up IPs and watch the results on big IRC channels. Uhmmm, allegedly :)
mycall•2h ago
Commas provided 2 second pauses
brontitall•2h ago
Only in the dial string to ATD, surely?
cryptoegorophy•3h ago
I remember you could brute force passwords by brute forcing in sequence single characters to access anyone’s disk on a giant dialup network. Crazy times.
bslanej•2h ago
I’m too lazy to look it up but there was some string you could send over IRC that would make some routers drop the connection immediately - if you pasted that string in a big channel you would see dozens of people immediately disconnect.
aaronmdjones•2h ago
An 0x01 control character (CTCP) followed by

    DCC SEND whatever 0 0 0
https://modern.ircdocs.horse/dcc#dcc-send

This caused the DCC ALG helper in ancient Linux kernels to close the connection, as they failed to parse 0 as a valid IP address. Users connecting to IRC servers over TLS were immune, as the ALG helper in the router could not observe the traffic.

This is what breaks DCC in general -- to use DCC on IRC while connecting to the server over TLS and behind a NAT, you must instruct your client to use a specific range of ports for DCC and preforward those ports to your machine in your router, as the ALG helper cannot mark the incoming connection as RELATED (and forward it through to you) as it cannot see the outgoing command that caused the incoming connection to occur. You must also instruct your client to determine the correct external IP address to advertise, as the ALG helper will be unable to rewrite it when the router does masquerading.

dado3212•5h ago
Neat, $17,500 is pretty good, I’m so used to these blog posts being for peanuts, or where companies fix the vulnerability but don’t pay out at all. Apple’s gotten better about this since 2019.
nativeit•4h ago
I read a comment under the story about the recent YouTube vulnerability where one could unmask the related Google account and its owner using the standard YouTube API (something similar to that anyway), and they explained a lot of lesser-known nuances in establishing values for bounties like these, and it helped explain a lot (not all) of the reasons for what might seem like low-ball/high-ball valuations on the surface. If I can find their comment I’ll post back, it was really insightful. That said, there are also plenty of examples of people just getting shafted.
sdeframond•4h ago
Probably one of those https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
croisillon•4h ago
is this the one: https://news.ycombinator.com/item?id=43025038
shrx•5h ago
> Looking into the binaries, SpringBoard was observing that notification to trigger the UI. The notification is triggered when the device is being restored from a local backup via a connected computer, but as established before, any process could send the notification and trick the system into entering that mode.

This should probably be reworked regardless if the patch described in the article was implemented.

jonplackett•5h ago
Anyone know how long ago that system would have been introduced?

It seems like such an obvious security concern. Maybe it was pre-AppStore? And more assumed trust in other apps?

plorkyeran•4h ago
The notification API is quite old (iOS 3). It's explicitly an untrusted API that you shouldn't use for something like showing the restore in progress UI, so I suspect that was something written quite a bit later. Widget extensions are iOS 14. There's older ways to run background tasks, but none of them would give the soft brick. Background fetch, for example, originally didn't run until after you launched an app for the first time after restarting.
MBCook•3h ago
Wasn’t it in OS X before that?
plorkyeran•44m ago
Documentation claims 10.6, which is the equivalent OS X version (both are the 2009 releases).
lilyball•5m ago
That's actually just for the block-based APIs like notify_register_dispatch(), the other notify APIs have no availability annotations at all.
duskwuff•2h ago
This is an internal broadcast notification API (akin to dbus on Linux), distinct from the API used to display notifications to the user.
plorkyeran•46m ago
Yes, I am aware. I'm not sure what makes you think I was talking about UI notifications?
bee_rider•20m ago
FWIW I also thought you meant UI notifications (the reason is: I’m dumb). But anyway, I found the point of clarification helpful even though it wasn’t strictly necessary.
lilyball•6m ago
Darwin notifications are so old they don't have any availability annotations (block-based darwin notification APIs like notify_register_dispatch() were introduced in macOS 10.6 / iOS 3.2, but the rest of them are declared as always available). They absolutely predate any notion of an AppStore, of being able to install apps without implicitly putting a lot of trust in the app to not be malicious.
brcmthrowaway•4h ago
Ultimately, does this require installing a sketchy app in the first place?
saagarjha•4h ago
Yes.
g-b-r•4h ago
Or a reputable one with that line of code included (in one of the updates, after having built a good reputation); maybe dormant until a certain date.
MBCook•3h ago
Or a bug in some good app that allows an attacker to execute the right thing.
piyuv•4h ago
Lots of credible apps use lots of dependencies. Find an abandoned one, get your code into it, …
urbandw311er•4h ago
Nice. I can only imagine what a crap day in the office it was when the iOS core team reviewed that one.
doesnt_know•3h ago
I get that it's potentially lower priority since a user needs to actively install a malicious app, but that timeline doesn't exactly feel me with confidence...
95014_refugee•2h ago
The exploit as described doesn't "brick" the device; that would require permanently disabling it. A tethered restore would be all that's required to recover in this case.
the__alchemist•2h ago
From observation, "brick" has evolved, as things do in language. In practice, it rarely means the traditional definition you refer to, but the softer one used here.
Kerbonut•2h ago
Almost like a "soft"-brick, if you would.
taneq•1h ago
You could say the device was pillowed. :D Although given the typical behaviour of old phone batteries, I guess that’s a little ambiguous.
codetrotter•2h ago
Also, although HN readers probably have many devices in their homes there are people out there who have only a phone and no computer. For them this would be pretty catastrophic. Hopefully they’d take their device to Apple or a third party technician
two_handfuls•43m ago
Ah yes, the Goebbels effect, also known as "A lie told a thousand times becomes the truth."
taneq•1h ago
“Bricking” isn’t a rigorously defined term, it’s more like “realtime” in the sense that it comes with an implicit “(for this particular user in this particular scenario)”. For most users a device is bricked if it doesn’t turn on and work when you press the power button. For most readers here, using dev tools to re-flash a bootloader would be fairly easy but if USB stops working it might be game over. I’m sure there are a few around who could de-cap an ASIC and circuit bend it back to life.
moduspol•2h ago
Doesn't this imply that third-party apps with their own notification schemes could be impersonated similarly? They wouldn't be able to brick the phone, obviously, but they could potentially trigger other actions.
andrekandre•1h ago

  > That single line of code was enough to make the device enter “Restore in Progress”.

  > as established before, any process could send the notification and trick the system into entering that mode.
sleep data, sleep...
e28eta•12m ago
I’m fascinated that they aren’t requiring an entitlement for all usage of setting & posting notifications through this API. A way to share 64 bits of information (at a time) to any process on the device? That is right in the wheelhouse of tracking a user across apps.

I don’t specifically know the types of things that you’d want to share across apps, but there’s a long history of cross process information channels being removed or restricted.

If the system is storing values for you, and isn’t keeping track of which app they came from, now you’ve got persistent storage across app deletion & re-install, as long as there isn’t a reboot in between.

I think you could easily use it to work around IDFA or IDFV resets, as a simple example.

Openrouter.ts – stupid simple client for strict outputs, price routing

https://gist.github.com/bholagabbar/3da99f59faf593970fe2a5d61c90d9d3
1•bholagabbar•3m ago•1 comments

Mutube – CLI tool for finding out if a YouTube video is a relative outlier

https://github.com/mutube-org/cli
2•ChaseRensberger•3m ago•0 comments

The group chats that changed America

https://www.semafor.com/article/04/27/2025/the-group-chats-that-changed-america
1•necubi•6m ago•0 comments

Label Obsession Grips Canada as Shoppers Shun American Products

https://www.wsj.com/world/americas/label-obsession-grips-canada-as-shoppers-shun-american-products-cc6332db
3•bookofjoe•14m ago•2 comments

Ask HN: CS Degrees, do they matter again?

4•platevoltage•18m ago•1 comments

Show HN: I Built ATS Master – A Tool to Help Job Seekers Optimize Their Resumes

https://atsmaster.com/
1•pradipkaity•18m ago•0 comments

A Common Pill May Shorten Life Expectancy by Nearly 6 Years

https://parade.com/health/common-pill-may-shorten-life-expectancy-according-to-doctors
2•amichail•24m ago•2 comments

A way to teach music online that doesn't suck

https://maestrocast.com
1•olinelson•34m ago•0 comments

The Mathematical Radio: Inside the Magic of Am, FM and Single-Sideband

https://press.princeton.edu/books/hardcover/9780691235318/the-mathematical-radio
1•teleforce•48m ago•0 comments

To 'Reclaim Future-Making', Amazon Workers Published Collection of SciFi Stories

https://afteramazon.world/
2•m463•52m ago•0 comments

Itsi is a feature-packed, high performance web and application server

https://itsi.fyi/
1•ksec•53m ago•0 comments

High-tech sticker can identify real human emotions

https://phys.org/news/2025-04-high-tech-sticker-real-human.html
1•PaulHoule•58m ago•0 comments

QLCodec – Makes Quick Look play video and audio formats not supported by macOS

https://github.com/Oil3/QLCodec
4•mickelsen•1h ago•0 comments

Visual Transistor-level Simulation of the 6502 CPU

http://www.visual6502.org/
3•tanelpoder•1h ago•1 comments

Presentation Slides with Markdown

https://sli.dev
1•sadeshmukh•1h ago•0 comments

Logical Replication from Postgres to Iceberg

https://www.crunchydata.com/blog/logical-replication-from-postgres-to-iceberg
3•craigkerstiens•1h ago•0 comments

Major offshore wind developer has stopped activities in United States

https://finance.yahoo.com/news/rwe-stopped-offshore-wind-activities-064323305.html
5•MilnerRoute•1h ago•0 comments

Tic Tac Toe Rubik's Cube / Sticker Mod [video]

https://www.youtube.com/watch?v=AD2BhbWSphM
1•peterburkimsher•1h ago•0 comments

Montana's Housing Miracle Strikes Twice

https://www.sightline.org/2025/04/25/montanas-housing-miracle-strikes-twice/
3•bilsbie•1h ago•0 comments

Nvidia didn't just raise prices–they deleted an entire GPU tier

https://old.reddit.com/r/pcmasterrace/comments/1k7gq5w/nvidia_didnt_just_raise_pricesthey_deleted_an/
3•LorenDB•1h ago•0 comments

Creating Bluey: Tales from the Art Director

https://substack.com/home/post/p-160039885
1•cfcfcf•1h ago•0 comments

Home Depot's $20B Secret Garden

https://www.wsj.com/business/home-depot-gardens-plants-flowers-hot-peppers-1792df6b
2•JumpCrisscross•1h ago•0 comments

Grafana GitHub Actions Security Incident

https://www.stepsecurity.io/blog/grafana-github-actions-security-incident
7•varunsharma07•1h ago•0 comments

Scientists Develop Urinal That Doesn't Splash

https://scitechdaily.com/century-old-problem-finally-solved-scientists-develop-urinal-that-doesnt-splash/
2•rguiscard•1h ago•2 comments

The Fiasco at the National Security Council

https://www.theatlantic.com/politics/archive/2025/04/national-security-council-fiasco/682595/
4•cmurf•1h ago•1 comments

Why the new pope won't be welcome in China

https://www.spectator.co.uk/article/why-the-new-pope-wont-be-welcome-in-china/
6•suraci•1h ago•1 comments

"OpenAI Is Not God" – The DeepSeek Documentary [video]

https://www.youtube.com/watch?v=Lo0FDmSbTp4
1•tkgally•1h ago•1 comments

Show HN: I made a web-based, free alternative to Screen Studio

https://www.screenrecorder.me
34•johnwheeler•1h ago•14 comments

They're on the Varsity Influencer Team

https://www.nytimes.com/2025/04/27/business/unc-student-athlete-influencers.html
1•belter•1h ago•0 comments

Remembering George A. Miller (2012)

https://www.psychologicalscience.org/observer/remembering-george-a-miller
1•dang•1h ago•0 comments