Raul Siles - iOS: Regreso al futuro (iOS: Back to the Future) [Rooted CON 2014]

  1. Rooted CON 2014, 6-7-8 Marzo // 6-7-8 March 2014. © Dino Security S.L. (www.dinosec.com). All rights reserved.
     www.dinosec.com @dinosec
     Raúl Siles, raul@dinosec.com, @raulsiles, @dinosec
     March 8, 2014
  2. Outline
     Vulnerability research and markets
     Apple & iOS: State of the art
     – iPhone/iPad in business
     – SSA (System Software Authorization)
     Can we manipulate the iOS update process?
     Vulnerability details: iOS 5, 6, 7…
     – Attacks
     Conclusions
     Credits
  3. Vulnerability Research & Markets: Insider View
  4. Vulnerability Markets
     How is security vulnerability information managed and traded today?
     – Importance of (vulnerability) information systems for the modern economy and society
     Who is going to potentially buy your cyber weapon?
     – Closed, privileged groups
       • Black market: cyber criminals
       • Public markets: private security companies, governments, brokers…
     – Subscription fees: 25 zero-days per year for USD $2.5 million
     – What is it going to be used for?
       • Compromise all vulnerable systems without the public ever having knowledge of the threat
       • Vulnerabilities remain private for an average of 151 days (+100 exploits per year)
     – Real risk exposure: assume you are already compromised
     NSS Labs, “The Known Unknowns” (Dec 5, 2013): https://www.nsslabs.com/reports/known-unknowns-0
     NSS Labs, “International Vulnerability Purchase Program” (Dec 17, 2013): https://www.nsslabs.com/reports/ivpp
  5. Disclosure Options
     ‘Responsible’ disclosure & conference disclosure
     Do nothing
     – Assuming it is the best way to serve the community
     Coordinated disclosure (vendor)
     – Information about vulnerabilities is a valuable asset
       • Security researchers require compensation for time spent
     Full disclosure
     – Motivate vendors to act
     Sell it
     – Bug bounty (vendor)
     – Broker or directly to third parties
  6. Vulnerability Research
     For previous vulnerability research I followed…
     – Responsible and coordinated disclosure with vendors
     – But it was time to research the current vulnerability markets
       • Vulnerability was accepted and published in one of the vulnerability purchase programs
       • No real interest outside RCE, LPE and information disclosure (memory addresses)
     Vulnerability discovered in early 2012 (+2 years ago)
     – Remained private until now
     – Keeping it private (as far as I know) and verifying it is still not public requires a lot of effort (especially over long periods of time)
     Why is this vulnerability released today?
     – You trust your government (country)…
       • What about its allies (e.g. NSA)? And others?
     – Rooted CON 5th anniversary!
     What if someone finds it meanwhile… or the vendor fixes it?
     – For how long can a not very complex vulnerability remain undisclosed?
     – The value of modern vulnerabilities and exploits is based on who knows about them
     How to provide details without disclosing too much?
  7. Vulnerability Research & Disclosure
     Vendors do not take relevant issues seriously
     – "Why iOS (Android…) Fail inexplicably". Raul Siles. Rooted CON 2013
     “When should a researcher initially notify a vendor with no serious bug bounty before releasing an undisclosed vulnerability at a security conference?” (Community disclosure?)
     – It depends: vendor, bug, researcher, follow-ups… (“negotiate”)
       • Complexity, criticality, scope…
       • Evolution of the security business landscape
     – Vulnerability disclosure policies are like assh*les…
       • …everyone has one!
       • The "Month and a Day Rule" (DinoSec 2014)
         – Similar to common-law sentences
         – Vulnerability notified to Apple on February 6, 2014 (1 month + 1 day before this talk)
  8. Apple & iOS: State of the Art
  9. iPhone/iPad in Business (1/2)
     Your business or Apple's business model?
     – Hardware, software, services & content
       • App Store & iTunes
     Apple Q1 2014 financial results
     – Sales (quarter): 51M iPhones & 26M iPads
     – Revenue: $57.6 billion
       • $4.4 billion on iTunes/Software/Services
     – Net quarterly profit: $13.1 billion
     – 65 billion cumulative app downloads ($15 billion paid to developers)
       • 1 million apps cumulative in 24 categories
     https://www.apple.com/pr/library/2014/01/27Apple-Reports-First-Quarter-Results.html
  10. iPhone/iPad in Business (2/2)
      iOS design, features, and architecture
      – https://www.apple.com/iphone/business/it/
      – https://www.apple.com/ipad/business/it/
      iOS security model (Feb ’14)
      – Updates: System Software Authorization
        • A7 processor: Secure Enclave coprocessor
      https://www.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf
  11. System Software Authorization (1/2)
      To prevent devices from being downgraded
      – Older versions lack the latest security updates
        • “An attacker who gains possession of a device could install an older version of iOS and exploit a vulnerability that’s been fixed in the newer version”
        • Jailbreak?
      iTunes or wirelessly over the air (OTA)
      – Full copy of iOS or only the components required
      Connects to Apple’s installation authorization server
      – Cryptographic measurements of each part of the installation bundle (LLB, iBoot, kernel & OS image), a nonce & the ECID (device-unique ID)
  12. System Software Authorization (2/2)
      Authorization server checks the measurements against the versions permitted by Apple
      – Allows only the latest version for each device model
        • Narrow signing window (~24h)
      – Apple signs measurements, nonce and ECID
        • Per device (ECID) and per restore (nonce)
      Every firmware installation is remotely verified (signed) by Apple during every restore or upgrade
      – Started with iPhone 3G[S] & iOS 3 (using the ECID only)
        • "Verifying restore with Apple..."
      – iTunes “personalizes” the firmware file (ECID…): SHSH
  13. Apple iOS Downgrade (1/3)
      SHSH blobs and APTickets
      – Signature HaSH (SHSH blobs) and nonce (APTicket)
        • Cydia (saurik), redsn0w (MuscleNerd) & iFaith (iH8sn0w)
      TSS Center (Cydia), redsn0w, TinyUmbrella, iFaith…
      – MitM (& cache) the signature server: gs.apple.com
        • Source: http://svn.saurik.com/repos/menes/trunk/cysts/
      – The verifier was the Tatsu Signing Server (TSS)
        • Spidercab (Apple's internal equivalent), running at ‘tatsu-tss-internal.apple.com’ (Apple VPN), is used to sign old versions...
      http://www.saurik.com/id/12 (iOS 3.x)
      http://www.saurik.com/id/15 (iOS 6.x)
  14. Apple iOS Downgrade (2/3)
      SHSH blobs
      – SHA-1 hashes (160-bit digests)
      – iPhone Software (IPSW) file (ZIP file)
        • Build manifest: BuildManifest.plist
          – List of files and their content digests (+ Apple integrity signature)
        • “Personalization” process
          – Build manifest → TSS request → Apple → SHSH blobs → replace the files' signature section with the SHSH blobs
      APTickets
      – Introduced with iOS 5.x
      – Block of data with the digests of all files used during boot
        • No IPSW file “personalization” any more (APTicket)
        • Contains a “nonce” (anti-replay mechanism: uncacheable)
  15. Apple iOS Downgrade (3/3)
      Caching the uncacheable
      – Restore to very old iOS versions (no APTicket)
      – Downgrade tricks history
        • http://www.jailbreakqa.com/faq#32763 …
      – Exploits for reusing APTickets
      No way to downgrade from iOS 6.x to older versions on newer devices (as of April 2013)
      – Eligible older devices
        • iPhone 4 & 3G[S], iPad, and iPod touch 4th gen (A4 processor): limera1n BootROM exploit (redsn0w can dump the TSS info from the device)
        • iPad 2: go from iOS 5 (or 6) to iOS 4 (no APTicket) and back to iOS 5
        • iPad 2, 3 & iPhone 4s: from iOS 5 to any other iOS 5 version
      Requirement: TSS information previously saved
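The SHSH blob versus APTicket mechanics of slides 12 to 15, as an added worked example that is not part of the talk and not Apple's TSS implementation: Apple's signature is stood in for by an HMAC over a shared secret (an assumption so the check runs offline), the boot-chain components and their BuildManifest-style SHA-1 digests are constructed in the code, and the device's restore-nonce source is a parameter so the replay cases can be shown deterministically. It shows why a blob saved while a version was inside the signing window still verifies after Apple stops signing that version, and why an APTicket bound to a per-restore nonce does not, unless the nonce can be made predictable.

```python
"""Restore authorization model: SHSH blob (ECID + digests) vs. APTicket
(ECID + digests + per-restore nonce). Added example; the HMAC secret is a
stand-in for Apple's private signing key and the builds are constructed."""
import hashlib
import hmac
import os

APPLE_KEY = b"tatsu-signing-key (stand-in for Apple's private key)"

BUILDS = {  # constructed boot-chain components of two IPSW files
    "5.0.1": {"LLB": b"llb-5.0.1", "iBoot": b"iboot-5.0.1",
              "kernelcache": b"kc-5.0.1", "OS": b"os-5.0.1"},
    "5.1":   {"LLB": b"llb-5.1", "iBoot": b"iboot-5.1",
              "kernelcache": b"kc-5.1", "OS": b"os-5.1"},
}


def measurements(build):
    """BuildManifest-style digests: one SHA-1 per boot-chain component."""
    return {name: hashlib.sha1(blob).digest() for name, blob in build.items()}


def signed_blob(ecid, measured, nonce):
    """Bytes Apple signs. nonce=None models the pre-iOS 5 SHSH blob (ECID only);
    a nonce models the APTicket introduced with iOS 5."""
    return (ecid.to_bytes(8, "big") + (nonce or b"")
            + b"".join(measured[k] for k in sorted(measured)))


class TatsuServer:
    """Signing server: signs only the versions inside the current signing window."""
    def __init__(self):
        self.window = set()

    def allow_only(self, version):
        self.window = {version}            # narrow window: only the latest version

    def sign(self, version, ecid, measured, nonce=None):
        if version not in self.window:
            return None                    # request refused: version no longer signed
        return hmac.new(APPLE_KEY, signed_blob(ecid, measured, nonce),
                        hashlib.sha256).digest()


class Device:
    def __init__(self, ecid, nonce_source=os.urandom):
        self.ecid, self.nonce_source, self.nonce = ecid, nonce_source, None

    def new_restore_nonce(self):
        """Every restore draws a fresh nonce (unless the source is predictable)."""
        self.nonce = self.nonce_source(20)
        return self.nonce

    def accept(self, build, ticket, uses_nonce):
        """Boot-time check: the signature must cover this ECID, these component
        digests and, for APTickets, the nonce generated for THIS restore."""
        if ticket is None:
            return False
        nonce = self.nonce if uses_nonce else None
        expected = hmac.new(APPLE_KEY, signed_blob(self.ecid, measurements(build), nonce),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, ticket)


def shsh_replay():
    """Pre-iOS 5 blobs: saved while 5.0.1 was signed, replayed after the window moved."""
    apple, dev = TatsuServer(), Device(ecid=0x000001A2B3C4D5E6)
    apple.allow_only("5.0.1")
    saved = apple.sign("5.0.1", dev.ecid, measurements(BUILDS["5.0.1"]))  # TinyUmbrella-style save
    apple.allow_only("5.1")
    live = apple.sign("5.0.1", dev.ecid, measurements(BUILDS["5.0.1"]))   # Apple now refuses
    return {
        "live_request_after_window_closed": dev.accept(BUILDS["5.0.1"], live, False),
        "saved_blob_replayed": dev.accept(BUILDS["5.0.1"], saved, False),
        "saved_blob_on_other_build": dev.accept(BUILDS["5.1"], saved, False),
    }


def apticket_replay(nonce_source=os.urandom):
    """APTicket: same save-and-replay, but the nonce of the later restore must match."""
    apple, dev = TatsuServer(), Device(ecid=0x000001A2B3C4D5E6, nonce_source=nonce_source)
    apple.allow_only("5.0.1")
    saved = apple.sign("5.0.1", dev.ecid, measurements(BUILDS["5.0.1"]), dev.new_restore_nonce())
    apple.allow_only("5.1")
    dev.new_restore_nonce()                # a later restore draws a new nonce
    return dev.accept(BUILDS["5.0.1"], saved, True)


if __name__ == "__main__":
    print("SHSH:", shsh_replay())
    print("APTicket, random nonce:", apticket_replay())
    print("APTicket, predictable nonce:", apticket_replay(lambda n: b"\x00" * n))
```

The predictable-nonce call is the model's equivalent of the "exploits for reusing APTickets" line on slide 15: the ticket itself is never forged, it is the freshness input that the attacker controls.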
  16. iOS Support Matrix: http://iossupportmatrix.com
  17. Can We Manipulate the iOS Update Process? Without a new BootROM exploit
  18. Relevant iOS 5 Change
      Over the Air (OTA)
      – iOS software updates
        • Settings - General - Software Update
      – iTunes data sync & backup over Wi-Fi
        • iTunes 10.5+: Options - Sync with this iPhone over Wi-Fi
      – iCloud backup
        • Settings - iCloud - Storage & Backup
      Apple fans' behaviour change: getting rid of the USB cables
  19. iOS OTA Update Process
      HTTP (vs. HTTPS)
      – iOS software (IPSW) integrity verification
      – Software update server: http://mesu.apple.com
      Automatically used by iOS…
      – … or manually launched by the user
        • Settings - General - Software Update
      iOS software update (plist) file (XML format)
      – References (URLs) to all the current iOS version files
        • http://appldnld.apple.com
  20. Main iOS SW Update Files
      iOS software update (plist) file
      – http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml
      iOS software update documentation (plist) file
      – http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/com_apple_MobileAsset_SoftwareUpdateDocumentation.xml
      iOS 5.0 (GM) was not offered via OTA
      – iOS 5.0 betas (4-7) & 5.1 beta 2 were offered via OTA
      – iOS 5.0.1 was the first public OTA version
  21. iOS 5.x & 6.x
  22. iOS 5 & 6: HEAD Request
      Two variants of the HEAD request were observed; in the second one the User-Agent carries an unexpanded build variable, since %7B and %7D are the URL-encoded braces of ${PRODUCT_NAME}.

      HEAD /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
      Host: mesu.apple.com
      User-Agent: MobileAsset/1.0
      Connection: close
      Content-Length: 0

      HEAD /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
      Host: mesu.apple.com
      User-Agent: $%7BPRODUCT_NAME%7D/1 CFNetwork/548.0.4 Darwin/11.0.0
      Content-Length: 0
      Connection: close
  23. iOS 5 & 6: HEAD Response

      HTTP/1.1 200 OK
      Server: Apache
      ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
      Content-MD5: oNVyoddHvxLCsQeRblBskw==
      Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
      Accept-Ranges: bytes
      Content-Length: 283956
      Content-Type: application/xml
      Date: Mon, 20 Jan 2014 11:02:00 GMT
      Connection: close

      If the Last-Modified header carries a date later than the date of the last update the device has seen, the device asks for the new content with a GET.
  24. iOS 5 & 6: GET Request & Response

      GET /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
      Host: mesu.apple.com
      Connection: close
      User-Agent: MobileAsset/1.0

      HTTP/1.1 200 OK
      Server: Apache
      ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
      Content-MD5: oNVyoddHvxLCsQeRblBskw==
      Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
      Accept-Ranges: bytes
      Content-Length: 283956
      Content-Type: application/xml
      Date: Mon, 20 Jan 2014 11:02:00 GMT
      Connection: keep-alive
      ...
  25. iOS 5 & 6: GET Response Body

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
        <key>Assets</key>
        <array>
          <dict>
            <key>Build</key>
            ...
            <key>OSVersion</key>
            <string>7.0.4</string>
            ...
            <key>Certificate</key>
            <data>
            MIID...YSoiag78twmDRk726aYmxNIfYYpDs0hS7Mw==
            </data>
            <key>Signature</key>
            <data>
            LyfS...pvlWlONSzNYx9qZdS6B7Fs6JgHqw9DA1d2w==
            </data>
            <key>SigningKey</key>
            <string>AssetManifestSigning</string>
          </dict>
      </plist>

      Same behaviour with the iOS SW update documentation file.
  26. Last-Modified: Date
      Can we manipulate the iOS update process?
  27. StarWars or Matrix?
  28. (image only)
  29. Vulnerability Exploitation
      Man in the Middle (MitM) attacks
      – Do you remember the Wi-Fi network impersonation attacks from last year's Rooted CON 2013?
        • http://www.dinosec.com/docs/RootedCON2013_Taddong_RaulSiles-WiFi.pdf
        • http://vimeo.com/70718776
      iProxy
      – Python MitM tool
        • Twisted (https://twistedmatrix.com): event-driven networking engine (also used by e.g. sslstrip)
      – Implements both the StarWars and the Matrix attacks
        • Multiple and flexible options
  30. “These aren’t the updates you’re looking for”
  31. StarWars Attack (iOS 5 & 6)
      Block and/or drop the HEAD request (timeout)
      – Fail: the device then sends a GET request
      – Block and/or drop the GET request (timeout)
        • Fail: error message when the user manually checks for updates: “Unable To Check for Update”
      Change the “Last-Modified” header of the HEAD response to a date in the past
      – “These aren’t the updates you’re looking for”: the device concludes there is nothing new
      DEMO
  32. “This is your last chance. After this, there is no turning back. You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Appleland and I show you how deep the rabbit-hole goes.”
  33. Matrix Attack (iOS 5 & 6)
      Change the “Last-Modified” header of the HEAD response to a date in the future
      – Forcing a GET request
      Change the contents of the GET response
      – Fail: the response contents are signed
      – Replay attacks?
      Change the “Last-Modified” header of the GET response to a date in the future & provide a previous (genuine, still validly signed) file
      – “You’re inside the Matrix”
        • No more updates up to that future date
      DEMO
  34. iOS Software Update Files Repo (image only)
  35. iOS 7.x
  36. iOS 7: GET Request

      GET /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
      Host: mesu.apple.com
      If-Modified-Since: Tue, 07 Jan 2014 17:45:50 GMT
      Accept-Encoding: gzip, deflate
      Accept: */*
      Accept-Language: en-us
      Connection: keep-alive
      User-Agent: MobileAsset/1.0

      The HEAD request was removed in iOS 7. The If-Modified-Since header discloses the date of the last update stored on the iOS device: THANKS iOS!
  37. iOS 7: GET Response (304)
      If there is no new update since that date…

      HTTP/1.1 304 Not Modified
      Content-Type: application/xml
      Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
      ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
      Date: Mon, 20 Jan 2014 12:35:20 GMT
      Connection: keep-alive
  38. iOS 7: GET Response (200)
      If there is a new update since that date…

      HTTP/1.1 200 OK
      Server: Apache
      ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
      Content-MD5: oNVyoddHvxLCsQeRblBskw==
      Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
      Accept-Ranges: bytes
      Content-Length: 283956
      Content-Type: application/xml
      Date: Mon, 20 Jan 2014 11:02:00 GMT
      Connection: keep-alive

      <?xml version="1.0" encoding="UTF-8"?>
      ...
      <plist version="1.0">
      <dict>
      ...
      <key>OSVersion</key>
      <string>7.0.4</string>
      ...
  39. Temporary vs. Permanent attacks
  40. StarWars Attack (iOS 7)
      Block and/or drop the GET request (timeout)
      – Fail: error message when the user manually checks for updates: “Unable To Check for Update”
      Send a 304 response
      – “These aren’t the updates you’re looking for”
        • Change the “If-Modified-Since” header of the GET request to a date in the future, so that Apple’s own server answers 304
        • Or rewrite the GET response manually into a 304
      This 304 Jedi trick does not work for iOS 6
      DEMO
  41. Matrix Attack (iOS 7)
      Change the contents of the GET response
      – Fail: the response contents are signed
      – Replay attacks?
      Change the “Last-Modified” header of the GET response to a date in the future
      – “You’re inside the Matrix”
        • No more updates up to that future date
      DEMO
  42. Conclusions
  43. Vulnerability Details
      Affects iOS 5.x - 7.x (up to the latest version)
      – iOS 5.0 released on October 12, 2011
      – Vulnerability discovered in early 2012, between…
        • 5.0.1 (Nov 10, 2011) & 5.1 (March 7, 2012)
        • It has survived multiple iOS versions: 5, 6 & 7
      – Long time verifying it has not been fixed
      – Long time collecting iOS software update files (plist XML files)
      Targeted and very carefully planned attacks
      – Plenty of time to launch future attacks
        • Forever (persistent: Matrix) or only between iOS updates (temporary)
      Stealthy attacks
      – The update freeze can be reverted silently
  44. Vulnerability Limitations
      Cannot be used to downgrade to a previous version, only to keep the device on its current version
      Can be bypassed via iTunes
      – Different update check mechanism (HTTPS)
      – Only temporarily, as iTunes does not change the iOS device's update state if the update is cancelled
      – What is the current iOS update user behaviour?
        • iTunes or OTA
  45. Vulnerability Usage
      Outside the information security field…
      People complaining because they didn't want to update from iOS 6 to iOS 7
      – Huge user interface (GUI) change they didn't like
      But their iOS device used +1 GB of space (e.g. on a 16 GB iPad) just to locally store the new iOS 7 update
      – New update is available
      – Download update
      – Install update
      “Unwanted iOS 7 occupying space on iOS 6 devices”
      Freeze the iOS device at iOS 6 and never get iOS 7
  46. Vulnerability Exploitation
      Freeze the version of a target device and wait for the next juicy iOS update fixing a critical flaw
      Wait… that sounds like… goto fail;
      – Speculation: fix released on February 21, 2014 (although the bug is older)
        • Without any public researcher recognition (found internally at Apple?)
      – For iOS 7.0.6 & 6.1.6, but not (at that point) for OS X Mavericks (10.9): in a hurry?
      – CVE-2014-1266
        • The signature on the TLS ServerKeyExchange message was not verified for DHE & ECDHE cipher suites
        • https://www.imperialviolet.org/2014/02/22/applebug.html
      https://www.gotofail.com
  47. Vulnerability Disclosure: History
      Vulnerability discovered in early 2012
      – +2 years (or +750 days or +…)
      – Obtained a copy of the iOS software update file for 5.0 & 5.0.1 from other researchers (March 2012), but not the early documentation update files
      Vulnerability notified to Apple on February 6, 2014
      – The "Month and a Day Rule" (“Yes We Can”)
      E-mails
      – Feb 6: standard Apple automated response confirming reception
      – Feb 14: Apple asked for a PoC for the permanent disabling
        • Sent a detailed response clarifying the attack techniques
        • “Thanks for the clarification.”
      A victim iPad got a new update on March 1, 2014
      – Last Saturday: “Apple has changed something on their servers!”
        • Without sending any notification to the researcher…
        • … and trying to break his demo at Rooted CON 2014
  48. Vulnerability Disclosure: Today…
  49. Vulnerability Fix(es)
      We don’t learn from the past!
      Why didn't OTA software updates use HTTPS by design?
      – Did Apple put too much trust in the IPSW integrity verification?
        • Lack of verification of the update contents (e.g. evilgrade, 2010)
      – Lack of verification of the update checks
        • Differentiate between update checks and update contents
          – httpS://mesu.apple.com & http://appldnld.apple.com
        • Caching responses for sensitive checks is probably not a good idea
        • Certificate pinning?
      – Performance impact?
        • Again, differentiate update checks from update contents
      – Conspiracy theory or… another developer ‘mistake’?
        • Design, implementation, QA, security testing… (Apple?)
      MDM solutions: verify the latest version is applied
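The update-check flow of slides 22 to 25 and 36 to 38, the StarWars and Matrix manipulations of slides 31, 33, 40 and 41, and the "verify the check, not only the contents" point of slide 49, as one added worked example that is not part of the talk, not the author's iProxy tool and not Apple's code. Everything runs in-process: HTTP is modelled as (status, headers, body) tuples, the asset manifests are constructed plists, and "signature verification" is replaced by membership in the set of bodies the server really served, which is exactly the property a replayed genuine file keeps. The HardenedDevice is this example's own design, not Apple's fix: it takes its freshness marker from a PostingDate field inside the signed manifest (an assumption; the field is not shown on the slides) rather than from the transport Last-Modified, and it still needs HTTPS for the check itself, which the model does not represent.

```python
"""OTA update-check model: iOS 5/6 HEAD-then-GET and iOS 7 If-Modified-Since
flows, the StarWars (temporary) and Matrix (persistent) header attacks, and a
client whose freshness marker is bound to signed content. Added example."""
import plistlib
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

T0 = datetime(2014, 1, 7, 17, 45, 50, tzinfo=timezone.utc)  # Last-Modified seen on the slides
FAR_FUTURE, PAST = T0 + timedelta(days=3650), T0 - timedelta(days=3650)
parse_date = parsedate_to_datetime

def http_date(dt):
    return format_datetime(dt, usegmt=True)


class MesuServer:
    """Stand-in for mesu.apple.com: answers HEAD, plain GET and conditional GET."""
    def __init__(self):
        self.published, self.body, self.last_modified = set(), b"", PAST

    def publish(self, version, when):
        # PostingDate inside the signed body is an assumption of this example.
        asset = {"OSVersion": version, "PostingDate": when.isoformat(),
                 "SigningKey": "AssetManifestSigning"}
        self.body = plistlib.dumps({"Assets": [asset]})
        self.published.add(self.body)      # everything ever served carries a valid signature
        self.last_modified = when

    def handle(self, method, req):
        hdr = {"Last-Modified": http_date(self.last_modified)}
        ims = req.get("If-Modified-Since")
        if ims and parse_date(ims) >= self.last_modified:
            return 304, hdr, b""
        return 200, hdr, (b"" if method == "HEAD" else self.body)


def signature_ok(server, body):
    return body in server.published        # any genuine manifest, old or new, passes

def asset_of(body):
    return plistlib.loads(body)["Assets"][0]


# Attacker positions: each is a proxy taking (server, method, request_headers).
def direct(server, method, req):
    return server.handle(method, req)

def starwars(server, method, req):
    """Temporary freeze: the device concludes nothing is new."""
    if "If-Modified-Since" in req:         # iOS 7: move the date forward, Apple answers 304
        req = dict(req, **{"If-Modified-Since": http_date(FAR_FUTURE)})
        return server.handle(method, req)
    status, hdr, body = server.handle(method, req)
    if method == "HEAD":                   # iOS 5/6: HEAD claims "older than last time"
        hdr = dict(hdr, **{"Last-Modified": http_date(PAST)})
    return status, hdr, body

def matrix(replayed_manifest):
    """Persistent freeze: force a 200, serve a genuine older signed manifest and
    stamp it with a far-future Last-Modified that the device will store."""
    def proxy(server, method, req):
        status, _, body = server.handle(method, {})   # strip If-Modified-Since
        body = replayed_manifest if method == "GET" else body
        return status, {"Last-Modified": http_date(FAR_FUTURE)}, body
    return proxy


class Device:
    """generation 6: iOS 5/6 HEAD-then-GET; 7: iOS 7 If-Modified-Since. Both
    remember the transport Last-Modified as 'last update seen' (the flaw)."""
    def __init__(self, generation):
        self.generation, self.last_seen = generation, PAST

    def check(self, server, path=direct):
        if self.generation == 6:
            _, hdr, _ = path(server, "HEAD", {})
            if parse_date(hdr["Last-Modified"]) <= self.last_seen:
                return None
            req = {}
        else:
            req = {"If-Modified-Since": http_date(self.last_seen)}
        status, hdr, body = path(server, "GET", req)
        if status != 200 or not signature_ok(server, body):
            return None
        self.last_seen = parse_date(hdr["Last-Modified"])   # attacker-controlled value
        return asset_of(body)["OSVersion"]


class HardenedDevice(Device):
    """Freshness taken only from the signed PostingDate, so a replayed manifest
    cannot move the marker forward. Transport security (HTTPS) is not modelled."""
    def check(self, server, path=direct):
        status, _, body = path(server, "GET", {})
        if status != 200 or not signature_ok(server, body):
            return None
        asset = asset_of(body)
        posted = datetime.fromisoformat(asset["PostingDate"])
        if posted <= self.last_seen:
            return None                    # stale or replayed manifest: ignored
        self.last_seen = posted
        return asset["OSVersion"]


def scenario(generation, attack, hardened=False):
    """One check through the attacker, then two direct checks after Apple
    publishes a newer version. Returns the version offered at each check."""
    server = MesuServer()
    server.publish("7.0.3", T0 - timedelta(days=30))
    older = server.body                    # captured earlier by the attacker
    server.publish("7.0.4", T0)
    dev = (HardenedDevice if hardened else Device)(generation)
    dev.check(server)                      # learns 7.0.4 normally
    path = starwars if attack == "starwars" else matrix(older)
    seen = [dev.check(server, path)]
    server.publish("7.0.6", T0 + timedelta(days=45))   # the goto fail fix
    return seen + [dev.check(server), dev.check(server)]
```

Running scenario(6, "matrix") or scenario(7, "matrix") shows the persistent case: the device happily accepts the replayed, genuinely signed 7.0.3 manifest, stores the far-future date, and then never sees 7.0.6 even with the attacker gone. The StarWars variants only hide the update for as long as the proxy is in place. The hardened client ignores the replayed manifest because its signed PostingDate is not newer than the one it already holds, which is the slide-49 point that the check, not only the contents, has to be verified.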
  50. Real Vulnerability Impact (1/2)
      How many people could I (or others knowing about this, e.g. the NSA) have attacked using this ‘simple’ vulnerability?
      – During the last +2 years
      – Considering all the potential victims available worldwide
        • Some of them very relevant and managing very sensitive information
      – By freezing their device at an old & vulnerable iOS version…
        • Temporarily or permanently
      – … in order to exploit other iOS vulnerabilities, such as…
        • 197 vulnerabilities fixed in iOS 6.0
        • 80 vulnerabilities fixed in iOS 7.0
        • Other critical vulnerabilities fixed in intermediate iOS 5.x, 6.x & 7.x versions
          – More than 20 iOS lock screen bypass vulnerabilities between iOS 5.x and 7.x
        • Ending up with the latest one, goto fail, in iOS 7.0.6
        • Including the multiple jailbreaks available meanwhile (wait for the next one…)
      – Silently, without the victim users noticing
        • And even with the option of stealthily reverting the attack
  51. Real Vulnerability Impact (2/2)
      Freezing iOS from iOS 6 to iOS 7…
      … with one single exception, where the user might have noticed the lack of an iOS update
  52. This is the world we live in… overly dependent on technology, highly sophisticated, but still immature and very vulnerable
  53. Credits
      Produced by: Raúl Siles
      Directed by: Mónica Salas
      Casting by: E & E
      IPSW Assistant: Apple
      iOS 5.0 & 5.0.1 files (March 2012): Jorge Ortiz, Jay Freeman (saurik)
      Music by: Jan Hindermann
      Costume Designer: Siletes (camisetasfrikis.es)
  54. Questions?
  55. www.dinosec.com @dinosec
      Raúl Siles, raul@dinosec.com, @raulsiles
