iPown - Overview of iPhone security

Post on 16-Jul-2015


Marc Smeets (KPMG IT Advisory)

Hacknet security conference (HACKNET 2009), September 9, 2009


What will we be talking about?

• A little iPhone background
• Known security issues with the iPhone
  - Misc. fixed and non-fixed
  - Unlocking / jailbreaking
  - Forensics on stored data
• Putting it together


iPhone background

• 3 generations, first released in July 2007
• Smartphone running iPhone OS, derived from regular Mac OS X => UNIX
• 32-bit ARM CPU @ 600 MHz, up to 32 GB storage, Wi-Fi, UMTS/HSDPA, quad-band GSM, GPS, Bluetooth
• Around 21 million units sold
• One official telecom provider per country
• 3rd-party apps available in the App Store*: 1.5 billion 'purchases'

*App Store heavily regulated by Apple


iPhone background – making it corporate

• In the beginning mainly consumer oriented
• Apple wants the businesses, and businesses want the iPhone
• The latest software update adds 'corporate' support:
  - Exchange (2007), CalDAV, IMAP, LDAP
  - Cisco VPN (also present in the previous version)
  - Hardware encryption (3GS only)
  - Remote wipe functionality
  - Configuration profiles
• But the management tools are not yet sufficient compared with competitors


Known security issues

Known security issues - fixed

• Bypassing the PIN code to access parts of the phone
  - Tap Emergency Call, then double-tap the Home button. You are now in the Favorites section. From here you can call anyone, access email, access web sites, etc.
• Every app runs as root
• The mDNSResponder service runs by default
• SMS exploit issue as presented at BlackHat Vegas 2009 (Charlie Miller and Collin Mulliner)
  - Not only for the iPhone, also Android and Windows Mobile
  - The authors presented a fuzzing framework for the communication between the CommCenter daemon and the SMS application


Known security issues – not fixed

• "i-Phone-home" by Pinch Media: http://i-phone-home.blogspot.com/2009/07/pinchmedia-anatomy-of-spyware-vendor.html
• Analytics framework that developers bundle by default; it collects the UDID, model, software version, country and telephone number


Known security issues – not fixed

• Local accounts with default passwords: root : alpine, mobile : dottie
• Found 2 days after release
• Hashes cracked in 16 seconds


Known security issues – not fixed

• Two big issues not fixed by Apple:
  - Unlocking and jailbreaking attempts
  - iPhone forensics from physical access


Unlocking and jailbreaking

• The problem:
  1. The iPhone comes locked to 1 telecom provider
  2. The iPhone comes jailed to run only allowed apps from the App Store
• People want freedom of choice … or just other apps
• Hackers provide a solution
• yellowsn0w, PwnageTool, ultrasn0w, redsn0w, etc.


Unlocking and jailbreaking

• Unlocking*: results in no more SIM lock. Any provider is accepted by the phone.
• Jailbreaking: results in no more "only Apple-approved software", hurray!
• Process:
  1. Reboot the iPhone into Device Firmware Upgrade (DFU) mode
  2. Load modified firmware to bypass Apple's restrictions
  3. Install the new Installer.app to easily add non-Apple apps

*Psst… Apple doesn't really care…


Unlocking and jailbreaking

• Booting into DFU mode
• Documented feature for restoring crashed iPhones
• iTunes can restore all types of firmware (baseband, OS, etc.)


Unlocking and jailbreaking

• Update the running RAM disk
• Circumvent the signed-boot mechanism
• Upload new firmware / IPSW


Unlocking and jailbreaking

• The custom firmware has the new Installer.app
• Installing SSH is advised so you can add files to the iPhone
• Now you start adding new software, ringtones, etc.


iPhone forensics from physical access

• Great work done by Jonathan Zdziarski!
• Main question: what data does your iPhone store?
• Gaining access for forensics (in 2 min.):
  - DFU mode
  - Upload custom firmware
  - SSH over Wi-Fi or usbmux
  - Make an image of the iPhone to work with


iPhone forensics from physical access

• So what does your iPhone store?

1. The usual:
  - Address book, email, photos (with geotags), call history, etc.
2. The expected (from a forensic point of view):
  - Deleted photos, browser cache, details on pairing with devices, etc.
3. The unexpected:
  - Deleted voicemail, deleted SMS, locations entered in Google Maps, detailed call history, etc.


iPhone forensics – where does it store it?

• Disk layout:
  - / : boot partition, mounted read-only
  - /private/var : user data (/var is a symlink to /private/var)
• SQLite databases store the data
• Binary property lists store settings, properties and metadata. A binary plist is the binary serialization of an XML plist; read, write and convert it with plutil.
• Many DBs in /var/mobile/Library and /var/root/Library, e.g.:
  - AddressBook.sqlitedb : all contact details
  - CallHistory.db : recent history in the DB, full history in a file
  - Calendar.sqlitedb : all past and upcoming events
  - sms.db : all(!) text messages; deleted ones stay in the file
  - Keychain.db : contains all passwords, like a normal keychain (AES 256)


iPhone forensics – where does it store it? (cont.)

• sqlite3 sms.db "select * from message;" | grep TAN
  (the table in sms.db is called message; the grep picks out the SMS TANs banks send for e-banking transactions)
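Added example, written for this page and not taken from the talk or from Zdziarski's tooling: a Python script that builds a constructed sms.db whose message table approximates the 2009-era layout, runs the SQL equivalent of the grep one-liner above to pull SMS TANs, deletes the banking message the way the SMS application would, and then carves the TAN straight out of the raw file bytes, which is what "deleted ones stay" means in practice. It also writes and reads back a binary plist of the kind plutil handles. The column set, the sample messages, the six-digit TAN format and the pairing-record file and key names are all assumptions made for the example.

```python
"""Added example (not from the talk): forensic triage of a constructed sms.db.

The 'message' table approximates the 2009-era iPhone sms.db layout (ROWID,
address, date, text, flags). Columns, sample rows, the six-digit TAN format
and the pairing plist are constructed assumptions, not data from a device.
"""
import os
import plistlib
import re
import sqlite3
import tempfile

# Banks sent e-banking TANs as a short numeric code; six digits is assumed here.
TAN_TEXT_RE = re.compile(r"\bTAN\b.{0,40}?\b(\d{6})\b", re.DOTALL)
TAN_BYTES_RE = re.compile(rb"\bTAN\b.{0,40}?\b(\d{6})\b", re.DOTALL)

# Constructed sample rows: (address, date as unix time, text, flags)
SAMPLE_MESSAGES = [
    ("+31612345678", 1252480000, "Lunch tomorrow?", 2),
    ("1234", 1252480600, "Your TAN for transfer 4711 is 582931", 2),
    ("+31698765432", 1252481200, "See you at HackNet", 3),
]


def make_sms_db(path):
    """Create sms.db with a 'message' table holding the sample rows."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, text TEXT, flags INTEGER)")
    con.executemany("INSERT INTO message (address, date, text, flags) "
                    "VALUES (?, ?, ?, ?)", SAMPLE_MESSAGES)
    con.commit()
    con.close()


def find_tans(path):
    """SQL equivalent of: sqlite3 sms.db "select * from message;" | grep TAN
    Returns (ROWID, sender, TAN) for every live row that carries a TAN."""
    con = sqlite3.connect(path)
    rows = con.execute("SELECT ROWID, address, text FROM message "
                       "WHERE text LIKE '%TAN%'").fetchall()
    con.close()
    hits = []
    for rowid, address, text in rows:
        m = TAN_TEXT_RE.search(text)
        if m:
            hits.append((rowid, address, m.group(1)))
    return hits


def delete_message(path, rowid):
    """Delete a row the way the SMS application does: SQLite marks the cell
    free inside its page but does not overwrite the bytes."""
    con = sqlite3.connect(path)
    # OFF is SQLite's stock default; set it explicitly so the demo does not
    # depend on how the local library was compiled.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("DELETE FROM message WHERE ROWID = ?", (rowid,))
    con.commit()
    con.close()


def carve_tans(path):
    """Carve TANs from the raw file bytes, ignoring which cells SQLite still
    considers live. This is what recovers 'deleted' text messages."""
    with open(path, "rb") as f:
        raw = f.read()
    return sorted({m.group(1).decode("ascii") for m in TAN_BYTES_RE.finditer(raw)})


def write_bplist(path, record):
    """Write a record in the binary plist format that plutil converts to/from."""
    with open(path, "wb") as f:
        plistlib.dump(record, f, fmt=plistlib.FMT_BINARY)


def read_plist(path):
    """Load a plist whether it is binary or XML and note which one it was."""
    with open(path, "rb") as f:
        is_binary = f.read(8) == b"bplist00"
        f.seek(0)
        record = plistlib.load(f)  # plistlib detects the format from the header
    record["_format"] = "binary" if is_binary else "xml"
    return record


def demo():
    """Run the whole flow in a temporary directory and return the findings."""
    workdir = tempfile.mkdtemp()
    db = os.path.join(workdir, "sms.db")
    make_sms_db(db)
    live_before = find_tans(db)            # [(2, '1234', '582931')]
    delete_message(db, live_before[0][0])  # the user deletes the banking SMS
    live_after = find_tans(db)             # []: gone as far as SQL is concerned
    carved = carve_tans(db)                # ['582931']: still in the file
    # Hypothetical pairing record; file and key names are made up for the example.
    plist = os.path.join(workdir, "Pairing.plist")
    write_bplist(plist, {"HostName": "macbook.local", "LastPaired": 1252482000})
    return live_before, live_after, carved, read_plist(plist)


if __name__ == "__main__":
    print(demo())
```

The SQL query only sees rows SQLite still considers live; the byte-level carve is what turns "deleted SMS" into evidence, and the same carving idea applies to the other SQLite files listed above. On a real image you would run carve_tans against the copied sms.db rather than the device, so that nothing on the phone is modified.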


iPhone forensics – encrypted disk

• "Fortunately we have this awesome encrypted disk feature in the newest 3GS!"
• Technically yes, in practice … no
• The disk is encrypted, but the iPhone decrypts it for you on the fly. Whether a backup is encrypted is iTunes' decision!? The password is stored on the iPhone, and the data is decrypted when it is sent to iTunes
• DFU mode, connect to the system and run a tool to overwrite the password section in the keychain DB. Connect to iTunes: iTunes still thinks the backup is encrypted, but there is no password. Hit backup and look in ~/Library/Application Support/MobileSync/Backup


Putting the things together – a.k.a. attacking over the network

• What we need:
  1. IP-level access
  2. OS-level access
  3. Data-level access
• How it is possible:
  1. Full public IP access via 3G
  2. Jailbroken and OpenSSH installed
  3. It's UNIX and we know where to look


Putting the things together – a.k.a. attacking over the network

• May I remind you that people are lazy and don't think of security!!
  1. They don't change default passwords
  2. They don't bother to upgrade once jailbroken


Putting the things together – a.k.a. attacking over the network

• 327 of 599 ≈ 55% -> people that have jailbroken + SSH running
• 119 of 327 ≈ 36% -> people that are lazy
• 119 of 599 ≈ 20% of identified mobile phones are jailbroken iPhones where you can log in with the default password


Putting the things together – attack scenarios

• We haven't even talked about application-level exploits (e.g. the Safari browser)
• Anybody who can have your iPhone for a few minutes
• Two-factor authentication for e-banking (the SMS TANs sit in sms.db)
• Full user tracking with a custom i-Phone-home
• Staged attack into the corporate network, it's UNIX!
• Ransomware??
• SPAM?
• Do businesses have possibilities for limiting the use of the iPhone by their employees? No, employees will try to jailbreak and install stuff.

© 2007 EDP Auditors N.V., a Dutch limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in the Netherlands.

Marc Smeets, KPMG IT Advisory, ICT Security & Control, The Netherlands, +31 651 366 680, smeets.marc@kpmg.nl

Thank you for listening!