SN 1028: AI Vulnerability Hunting - The End of Jailbreaking
2Digest
This podcast episode covers a range of cybersecurity topics. It begins with a discussion of the Pwn2Own 2025 hacking competition, highlighting successful exploits against various systems and the increasing focus on escaping virtual machines. Next, it examines PayPal's patent application for a system to detect fraudulent websites, raising concerns about the patenting of such a technology. The episode then explores the decline of iOS jailbreaking due to significant architectural changes in iOS 14 and beyond. A major section details the growing threat of SVG files used in phishing attacks due to their ability to embed and execute JavaScript. The use of AI in vulnerability hunting, by both ethical hackers and malicious actors, is also discussed. Listener feedback covers topics such as blocking Encrypted Client Hello (ECH) in enterprise environments, the limitations of AI in code review, and the effectiveness of Windows Sandbox. Finally, the podcast includes recommendations for classic science fiction films and advertisements for Bitwarden and DeleteMe.
Outlines
Introduction: Cybersecurity Threats & Classic Sci-Fi
Introduces Pwn2Own 2025 results, PayPal's domain patent, the decline of iOS jailbreaking, SVG phishing attacks, and AI vulnerability hunting, along with a mention of classic sci-fi movies.
Pwn2Own 2025 & Virtual Machine Escapes
Details the results of the Pwn2Own 2025 competition, emphasizing successful exploits and the increasing focus on escaping virtual machines and containers.
PayPal's Fraud Detection Patent
Discusses PayPal's patent for a system detecting fraudulent websites via simulated checkouts, raising concerns about the patenting of this technology.
The End of Easy iOS Jailbreaking
Explores the perspective of a long-time iOS jailbreaker who has given up due to significant changes in iOS 14 and beyond, making kernel exploitation extremely difficult.
SVG Phishing Attacks & JavaScript Exploitation
Details the increasing use of SVG files in phishing attacks due to their ability to embed and execute JavaScript, bypassing security measures.
AI in Vulnerability Hunting & Conclusion
Discusses the use of AI in vulnerability hunting by both ethical hackers and malicious actors, and the potential for individuals to use AI to find vulnerabilities and earn bug bounties.
SVG Scripting Security Risks in Email & Mitigation
Discusses the increasing threat of malicious SVG files in phishing emails and how security companies are working to detect and mitigate these threats.
Bitwarden Password Manager Advertisement
Advertisement for Bitwarden password manager, highlighting its security features and ease of use.
Listener Feedback: ECH, AI, and Linux Dictation
Listener feedback on blocking ECH in enterprise environments, AI's role in code review, and a Linux dictation project.
AI Code Review Limitations & Listener Feedback
Further listener feedback on the limitations of AI in code review, highlighting the need for clear prompting and deep analysis.
Windows Sandbox & Unfiltered Internet Dangers
A listener shares their experience with the dangers of an unfiltered internet connection and the effectiveness of Windows Sandbox.
Movie Recommendation: "Colossus: The Forbin Project"
Discussion of the classic science fiction film "Colossus: The Forbin Project" and its relevance to current AI developments.
Classic Sci-Fi Movie Recommendations
Recommendations for classic science fiction films like "The Day the Earth Stood Still," "This Island Earth," and "Forbidden Planet."
DeleteMe Privacy Service Advertisement
Advertisement for DeleteMe, a service that helps remove personal information from data brokers.
AI Discovery of Zero-Day Vulnerability
Discussion of a recent instance where AI was used to discover a zero-day vulnerability in the Linux kernel's SMB implementation.
Keywords
Pwn2Own
Annual hacking competition showcasing exploits against various systems.
Zero-day exploit
Software vulnerability unknown to the vendor, with no patch available.
iOS Jailbreaking
Circumventing Apple's security restrictions on iOS devices.
SVG (Scalable Vector Graphics)
XML-based vector image format that can embed JavaScript for malicious purposes.
AI Vulnerability Hunting
Use of artificial intelligence to automate the process of finding software vulnerabilities.
Encrypted Client Hello (ECH)
Privacy-enhancing technology encrypting the TLS Client Hello handshake.
AI in Code Review
Using AI to analyze and review code for bugs and vulnerabilities.
Password Manager
Software that securely stores and manages user passwords.
Zero-Day Vulnerability
A software vulnerability unknown to the vendor and thus unpatched.
Large Language Models (LLMs)
Sophisticated AI models capable of understanding and generating human-like text.
Q&A
What were the key findings from the Pwn2Own 2025 competition?
Successful exploits against various systems, with a focus on escaping virtual machines and containers.
How are hackers exploiting SVG files?
Embedding malicious JavaScript code within SVG images, executing when the image is opened.
Why has iOS jailbreaking become so difficult?
Fundamental changes in iOS architecture make vulnerability exploitation significantly harder.
What is the role of AI in vulnerability hunting?
AI automates vulnerability discovery, used by both ethical hackers and malicious actors.
What is the design flaw in SVG that makes it vulnerable?
SVG's design allows embedding and execution of JavaScript code within the image file.
What are the primary security risks associated with SVG scripting in emails?
Credential theft and malware delivery via malicious JavaScript embedded in SVG images.
How does the use of AI in vulnerability research present both opportunities and challenges?
AI speeds up vulnerability discovery but is also accessible to malicious actors.
What are the key considerations when using AI for code review?
Clear prompting is crucial; AI may struggle with complex issues and require human oversight.
What is a "use after free" vulnerability?
Accessing memory after it has been freed, leading to unpredictable behavior or security breaches.
What are some classic science fiction films discussed and their relevance to AI?
Films like "Colossus: The Forbin Project" highlight themes of advanced technology and the potential consequences of unchecked technological advancement.
Show Notes
- Pwn2Own 2025, Berlin results.
- PayPal seeks a "newly registered domains" patent.
- An expert iOS jailbreak developer gives up.
- The rising abuse of SVG images, via JavaScript.
- Interesting feedback from our listeners.
- Four classic science fiction movies not to miss.
- How OpenAI's o3 model discovered a 0-day in the Linux kernel
Show Notes - https://www.grc.com/sn/SN-1028-Notes.pdf
Hosts: Steve Gibson and Leo Laporte
Download or subscribe to Security Now at https://twit.tv/shows/security-now.
You can submit a question to Security Now at the GRC Feedback Page.
For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.
Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit
Sponsors:
Table of contents
United States
