 |
| iPhone manufacturer vulnerable to Log4Shell exploit |
Security researchers investigating the Log4Shell vulnerability claim to have used it on various devices such as iPhones and Tesla devices.
According to screenshots shared online, changing the name of an iPhone or Tesla car into a private vulnerability chain is enough to trigger a query from an Apple or Tesla server that the server at the other end is vulnerable to the Log4Shell vulnerability.
During the demonstration, the researchers converted the device name into a string, sent the server to a test URL and took advantage of the behavior that was triggered by the security hole.
After changing the name, the incoming traffic displays the URL of the IP address requested by Apple. In short, the researchers got Apple and Tesla servers to access the URLs of their choice.
The iPhone experience comes from a Dutch security researcher. Provided the screenshots are original, it shows the behavior - remote resource loading - which should not be possible for the device name text.
This proof of concept has led to numerous reports that Apple and Tesla are vulnerable to exploitation. Even if the show was shocking. But it is not yet clear how useful it is to cybercriminals.
In theory, an attacker could infect vulnerable servers by hosting malicious code through URLs. But a protected network can prevent such attacks at the network level.
And there is no broader indication that this method could lead to a greater penetration of Apple or Tesla systems.
However, it reminds us of the complexity of technical systems that always depend on code from third-party libraries.
New vulnerability in iPhone rename
The Log4Shell exploit affects an open source Java tool called log4j, which is widely used to log application events.
Although the number of affected devices is unclear. But researchers estimate that there are millions of them, including unidentified systems, that rarely experience such attacks.
The full scope of the exploit is still unknown. However, digital forensics platform Cado reports that it has detected servers attempting to use this method to install code for the Mirai botnet.
Log4Shell is more dangerous because it is relatively easy to use. The vulnerability works by tricking the application into interpreting a piece of text as a link to a remote resource and trying to get the resource instead of saving the text in writing. All the compromised device needs to do is register a special string of characters in its application log.
This creates potential vulnerabilities in many systems that accept user input where the message text can be stored in logs.
The log4j vulnerability was first discovered on a Minecraft server and could be hacked by an attacker via chat messages.
An update to the log4j library has been released to mitigate this vulnerability. However, due to the challenges of extensive enterprise software updates, it takes a long time to fix all vulnerable devices.