Zero-click and one-click remote exploits targeting Apple FaceTime or iMessage attract increasing attention, but neither the real-world vulnerabilities nor the attack surfaces of such targets have been fully studied and analyzed in the past. In this talk, we will share the results of reverse engineering FaceTime, with a focus on the initialization and connection process of a FaceTime call. Following the propagation path of attacker-controlled data, we will discuss the different attack surfaces FaceTime exposes. In particular, beyond trivial denial-of-service issues, we will describe a number of vulnerabilities in FaceTime (and other relevant components), including memory corruption flaws such as heap and stack overflows and out-of-bounds reads, and develop and demonstrate PoC exploits that lead to a fully controlled Objective-C ISA pointer or program counter (PC) in FaceTime, affecting both macOS and iOS.
Tao Huang is a Security Researcher at Pangu Lab and has extensive experience in both development and security research. He is currently working on macOS and iOS vulnerability research, iOS application auditing, and malicious sample analysis.
Tielei Wang is a member of Team Pangu. He was a research scientist at the Georgia Institute of Technology from 2012 to 2014 and received his Ph.D. in 2011. His research interests include system security, software security, and mobile security. He discovered a number of zero-day vulnerabilities and won the Secunia Most Valued Contributor Award in 2011. He has published many papers in top research conferences including IEEE Security and Privacy, USENIX Security, ACM CCS, and NDSS, and gave several presentations at BlackHat USA, CanSecWest, POC, and RUXCON.