hak5peaks/iOS-Shortcuts-C2

—------------------------------

iOS Shortcuts C2

—------------------------------

Context

"Shortcuts" is an application within the Apple ecosystem meant to help automate many functions within the OS of Apple devices (iOS, iPadOS, visionOS, macOS). It can perform basic functions on the device using a node-based programming system.

Using physical, unlocked access, a user can deploy a malicious shortcut file to gather potentially sensitive information and files from a device, including GPS coordinates, parked car location, networking information (device and connected network), and the full contacts table (numbers, names, emails, addresses). These are all easily obtainable, and deployment speed can be optimized using keystroke injection tools such as the Hak5 Rubber Ducky or the O.MG cable.

Certain types of information require the user to accept a prompt; however, this prompt does not require any authentication beyond physically tapping the accept button.


With a few enabled settings, Shortcuts can use the SSH client on the iPhone within its node language. This allows Shortcut variables and information to be used within the SSH commands sent by the iPhone, which makes it possible to send potentially sensitive information over SSH. This information can be collected using a custom SSH server. The required setting is: Settings -> Shortcuts -> Advanced -> Allow Running Scripts


Shortcuts can also leverage SSH command outputs as node instructions. This allows Shortcuts to use the output from the remote SSH server to determine further instructions.

A normal SSH server behaves like so:

input command: whoami
output: NAME

With a custom SSH server, an attacker can specify the output:

input command: whoami
output: ATTACKER SPECIFIED OUTPUT

This output can then be used as a variable within the node language used by Shortcuts. For example: If SSH Has / Does Not Have Response: DEFINED ACTION


This creates the opportunity to use SSH responses as a command and control system. SSH responses can also be used as a string within the node language, for example: openlink: SSH RESPONSE
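The network footprint of the technique above is an iOS device opening an outbound SSH session to a host the organization does not control. The following detection example is added here and is not part of the hak5peaks/iOS-Shortcuts-C2 repository; the log format, the addresses and the allow-listed subnet are constructed for illustration.

```python
import ipaddress
import re

# Constructed firewall-style log lines (not real traffic):
# timestamp src_ip dst_ip dst_port proto device_os
SAMPLE_LOGS = """\
2024-02-24T15:41:02Z 10.20.1.15 10.20.5.10 22 tcp iOS
2024-02-24T15:41:09Z 10.20.1.15 203.0.113.77 22 tcp iOS
2024-02-24T15:41:10Z 10.20.1.40 203.0.113.77 443 tcp iOS
2024-02-24T15:41:30Z 10.20.2.8 203.0.113.77 22 tcp macOS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+) (\w+)$")

# Assumed for the example: the only networks iOS devices may legitimately reach over SSH.
SSH_ALLOWLIST = [ipaddress.ip_network("10.20.5.0/24")]


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto, os_name = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto, "os": os_name}


def is_allowed_ssh_target(dst_ip):
    """True when dst_ip falls inside an allow-listed SSH destination network."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in SSH_ALLOWLIST)


def find_ios_ssh_alerts(log_text):
    """Return (timestamp, src_ip, dst_ip) for every outbound TCP/22 connection from an
    iOS device to a host outside the allow-list, i.e. a Shortcut talking to an unknown SSH server."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["os"] != "iOS" or rec["proto"] != "tcp" or rec["port"] != 22:
            continue
        if is_allowed_ssh_target(rec["dst"]):
            continue
        alerts.append((rec["ts"], rec["src"], rec["dst"]))
    return alerts


if __name__ == "__main__":
    for ts, src, dst in find_ios_ssh_alerts(SAMPLE_LOGS):
        print(f"ALERT {ts}: iOS device {src} opened SSH to non-allowlisted host {dst}")
```

Only the second line fires: the first goes to the allow-listed subnet, the third is HTTPS, and the fourth comes from a macOS host.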


It is also possible to attach malicious shortcut files to the Automation function of Shortcuts. This automates running the file on certain triggers, for example, when iMessage is opened: Run Malicious Shortcut, enabling a level of persistence.


Apple declared this research a non-security issue as of 2/24/24, 3:50 PM.


(Thank you SkepticSeptic for the grammar checks)

About

Researching vulnerabilities with iOS Shortcuts.
