Troshichev i os mitm attack

  1. iOS MITM Attack: Technology and effects (sieg.in)
  2. sieg.in
  3. Boot validation
     • CA – Apple Certificate Authority
     • SIGN – Signature
  4. Files Protection
  5. Classic provisioning
  6. Actual provisioning
  7. Why can't we create a fake signature? Because the “Apple Root CA” fingerprint is hardcoded into iOS and has to be 61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60
  8. SSL
  9. Certificate Authority Storage. A few of the 186 are quite interesting:
     – C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD CLASS 3 Root CA
     – C=JP, O=Japanese Government, OU=ApplicationCA
     – C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root
     – …
  10. Certificate authentication
  11. I want my CA in your iOS
  12. Ways to install a CA in iOS:
     o Safari
     o Email attachment
     o MDM
     With a configuration profile, which can be installed with Safari
  13. Attack
  14. Mobileconfig contains:
     – WiFi settings (pass, SSID) for “Gate”
     – CA
     – Proxy settings, if we want the victim's traffic even after it has left attack range (only for iOS 6)
     – iCloud backup (enable it, if not)
  15. Mobileconfig installation
  16. Looks bad =(
  17. Let's take a look at the default CA list...
  18. COMODO trial certificate
     • You only need a valid admin@yourdomain.com mail for confirmation
     • Can be used for signing
  19. How to sign
  20. Looks much better
  21. SSL defeated. But we want more
  22. How to get files from the device
  23. Elcomsoft Phone Password Breaker
  24. Once again
  25. What's in the backup?
     • SMS
     • Private photos
     • Emails
     • Application data
     • And more …
  26. Files done. But we want more
  27. Apple Push Notification Service
  28. Fake! Fake! Fake!
  29. Wipe Tragedy (act 1/1)
  30. Summary: the user only has to tap ‘Install’ two times to make us able to:
     – Sniff all his SSL traffic (cookies, passwords, etc.)
     – Steal his backup (call log, SMS log, photos and application data)
     – Send him funny push messages or just wipe the device
  31. sieg.in, al@sieg.in, @siegin
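
A defender-side check for the profile described in slides 12 to 20, as an added example that is not part of the original slides: it lists what a `.mobileconfig` would install, whether or not a signature makes it display as trusted. The function names and the sample profile are constructed for illustration; the `PayloadType` strings and Wi-Fi keys are those of Apple's configuration profile format.

```python
import plistlib

# Payload types matching the contents on slide 14 and the MDM route on slide 12.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a root CA certificate",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.wifi.managed": "adds a Wi-Fi network",
    "com.apple.proxy.http.global": "sets a global HTTP proxy",
    "com.apple.mdm": "enrolls the device in MDM",
}

def load_profile(data: bytes) -> dict:
    """Parse a profile. A signed profile wraps the same XML plist in a CMS
    container, so carve the plist out by its markers (a heuristic; the
    signature itself is not verified here)."""
    start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in input")
    return plistlib.loads(data[start:end + len(b"</plist>")])

def audit_profile(data: bytes) -> list:
    """Return (PayloadType, reason) pairs for payloads that change trust or routing."""
    findings = []
    for payload in load_profile(data).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            findings.append((ptype, RISKY_PAYLOADS[ptype]))
        # A Wi-Fi payload can carry its own proxy, with no separate proxy payload.
        if ptype == "com.apple.wifi.managed" and payload.get("ProxyType", "None") != "None":
            findings.append((ptype, "Wi-Fi network forces a proxy"))
    return findings

# Constructed sample: Wi-Fi network "Gate" with a proxy, plus a CA payload.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Free WiFi",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "Gate",
         "ProxyType": "Manual", "ProxyServer": "192.0.2.10", "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.security.root",
         "PayloadContent": b"constructed-placeholder-not-a-certificate"},
    ],
})

if __name__ == "__main__":
    for ptype, reason in audit_profile(SAMPLE):
        print(f"{ptype}: {reason}")
```

The findings are identical for a signed and an unsigned copy of the same profile, which is the point of slides 16 to 20: the signature changes how the install dialog looks, not what gets installed.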
