The document summarizes a security audit performed on an iPhone. The researcher was able to gain root access to the iPhone using a default password for OpenSSH. They then analyzed over 2000 property list files, converting them to XML and searching for personal information like names, phone numbers, emails and call logs. The researcher extracted a significant amount of private data and notes that with malicious intent, data could also have been deleted or erased without a trace. Recommendations include changing default passwords, limiting app access to data, and not leaving wireless connections active when not in use.
1. Mobile Privacy and Security
With the iPhone
James Wernicke
April 28, 2007
2. Goal and Objectives
Demonstrate weaknesses in accepted mobile security and privacy practices.
Evaluate the security and privacy features of the iPhone.
Perform a security audit on an iPhone.
Develop a security application for the iPhone for general users.
Objectives – Background – Specifications – Security Audit - Conclusion
3. Background
Mobile devices are ubiquitous in today's society.
3G networks and unlimited data plans continue to rise in popularity.
4. Background
Mobile malware is becoming more prevalent.
Stolen information includes emails, text messages, contact lists, and browser history.
5. Background
No operating system is completely safe.
Platforms are more familiar and easier to hack.
6. Background
The iPhone is no exception.
Source: http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf
8. iPhone Specifications
Communications
GSM/EDGE, UMTS/HSDPA, Wi-Fi (802.11 b/g), Bluetooth 2.1 + EDR, and USB 2.0
Display
3.5-inch widescreen Multi-Touch display
Recording
3-megapixel camera, auto-focus, VGA recording up to 30 fps, geotagging
Storage
8, 16, or 32 GB
Power
Up to 300 hours standby, 12 hours talk, 9 hours Wi-Fi, 10 hours video, 30 hours audio
Support for most common file formats.
9. Software
iPhone OS
File system is “sandboxed” to protect critical system files from third-party software.
Key pieces of information stored in SQLite databases.
Apps
Thousands of apps for personal information management, remote access and entertainment.
No (official) firewall or anti-virus software.
App development is open, but App Store checks apps for malicious code before release.
Jailbreaking
Unlocks restrictions on the iPhone to allow full UNIX functionality.
As a negative consequence, it also removes safeguards.
10. Test Subject
The iPhone was heavily used and contained information including:
Email
Contacts
Calendar
Web browsing history
Stored Wi-Fi networks
Pictures and videos
Maps
Apps
Jailbroken iPhone OS version 2.3.2
11. iPhone Security Audit
1. Scan for transmissions.
2. Probe for information and possible vulnerabilities.
3. Attempt to exploit vulnerabilities to gain control.
4. If successful, attempt to find and retrieve valuable information.
12. Scanning and Probing Tools
Ethereal
Captures and analyzes data packets transmitted over the air.
Useful for determining what type of traffic a user is transmitting (HTTP, FTP, SFTP).
Nmap
Probes an interface for details about its operating system and ports.
13. Exploiting Vulnerabilities
192.168.0.73 found to be running iPhone OS.
Port 22 (OpenSSH) found open on it.
OpenSSH installs with 'alpine' as the default password.
Successfully penetrated the device using the default password.
bash-4.0$ ssh root@192.168.0.73
root@192.168.0.73's password:
iPhone:~ root# _
Time to look for some information…
14. Property Lists
Property lists are often used to store a user's settings, and information about applications.
<dict>
  <key>Name</key>
  <string>James Wernicke</string>
  <key>Age</key>
  <integer>29</integer>
</dict>
The iPhone uses these files to store virtually all personal information.
Passcode is stored encrypted in the Keychain.
16. Analyzing Property Lists
Converted to XML format using plutil.
private/var/mobile/Library/Preferences/mobile$ plutil -convert xml1
.GlobalPreferences.plist
Converted 1 files to XML format
private/var/mobile/Library/Preferences/mobile$ cat .GlobalPreferences.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AppleKeyboards</key>
<array>
<string>en_US</string>
</array>
<key>AppleKeyboardsExpanded</key>
<integer>1</integer>
<key>AppleLanguages</key>
<key>SBFormattedPhoneNumber</key>
<string>1 (858) 603-5873</string>
<key>TVOutStatus</key>
<integer>-1</integer>
</dict>
</plist>
17. Analyzing Property Lists
Personal information can then be found and extracted.
private/var/mobile/Library/Preferences/mobile$ grep PhoneNumber .*
.GlobalPreferences.plist:<key>SBFormattedPhoneNumber</key>
/private/var/mobile/Library/Preferences/mobile$ plutil -key SBFormattedPhoneNumber .GlobalPreferences.plist
1 (858) 603-5873
19. Analyzing Property Lists
Over 2000 property lists were found on the test iPhone.
Analyzing each by hand would be very expensive.
Program developed to find property lists, convert them to XML, search for common keywords, and retrieve their values.
plister.sh
plbackup.sh
plist2xml.sh
keyfinder.sh
Future development to lead to security app.
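The workflow on the Property Lists slides (normalize each plist to XML, search the keys for keywords such as PhoneNumber, pull out the values) is what a privacy self-audit of a device backup needs to automate. The script below is an added example, not the presentation's plister/keyfinder shell scripts; it uses Python's standard plistlib, which reads both XML and binary plists, so the separate plutil conversion step is not needed. The sample plists, the phone number and the e-mail address in it are constructed placeholders, not data from the audited device.

```python
import plistlib
import re
from typing import Any, Dict, Iterator, List, Tuple
from xml.parsers.expat import ExpatError

# Keywords to look for in key names; "phone" is the one the slides grep for,
# the rest cover categories listed on the Results slide.
KEYWORD_RE = re.compile(r"name|phone|email|birthday|password|ssid", re.IGNORECASE)

# Constructed sample (not from the audited device): an XML plist shaped like
# the .GlobalPreferences.plist shown on the slides, with a made-up number.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppleKeyboards</key><array><string>en_US</string></array>
  <key>SBFormattedPhoneNumber</key><string>1 (555) 010-0199</string>
  <key>TVOutStatus</key><integer>-1</integer>
</dict>
</plist>
"""

# Constructed binary plist: many apps store settings in this form, which is
# why the slides run 'plutil -convert xml1' before grepping.
SAMPLE_BINARY = plistlib.dumps(
    {"Account": {"EmailAddress": "user@example.invalid", "Port": 993},
     "Networks": [{"SSID_STR": "HomeWiFi", "SecurityMode": "WPA2"}]},
    fmt=plistlib.FMT_BINARY,
)


def load_plist(data: bytes) -> Any:
    """Parse XML or binary plist bytes into Python objects (plistlib does the
    format detection that the slides delegated to plutil)."""
    return plistlib.loads(data)


def walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (key path, value) for every scalar leaf of a nested plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_keys(data: bytes, pattern: re.Pattern = KEYWORD_RE) -> List[Tuple[str, Any]]:
    """Return the leaves whose key path matches the keyword pattern."""
    return [(path, value) for path, value in walk(load_plist(data)) if pattern.search(path)]


def inventory(files: Dict[str, bytes]) -> Dict[str, List[Tuple[str, Any]]]:
    """Run find_keys over many files; non-plist files are skipped and files
    with no matching keys are left out of the report."""
    report: Dict[str, List[Tuple[str, Any]]] = {}
    for name, data in files.items():
        try:
            hits = find_keys(data)
        except (plistlib.InvalidFileException, ExpatError):
            continue  # not a property list
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    files = {".GlobalPreferences.plist": SAMPLE_XML,
             "com.example.mail.plist": SAMPLE_BINARY,
             "README.txt": b"not a property list"}
    for name, hits in inventory(files).items():
        for path, value in hits:
            print(f"{name}: {path} = {value!r}")
```

On a real backup the `files` mapping would be filled by walking a directory tree; the report then shows, per file, which keys expose identifying data and therefore which apps deserve the "use discretion" recommendation from the last slide.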
20. Results
Found identifying information about the device passively by monitoring air traffic.
Found open ports through probes.
Gained root access to system through SSH exploit.
Collected personal information.
Name, phone number, and birthday
Contact list and calendar
Emails, text messages, and call logs
Browsing history and bookmarks
Pictures, songs and videos
Could have also destroyed data including erasing my tracks.
21. Recommendations & Lessons Learned
Open up the iPhone OS to security vendors.
Use discretion when allowing apps to access personal information.
NEVER leave the default password active on your OpenSSH server.
Do not leave connections (3G, Wi-Fi, Bluetooth) active when not in use.
Do not use unprotected wireless networks.
22. References & Secondary Research
Pew Research Center. Internet & American Life Project. 2009. Survey. http://www.pewinternet.org/.
CTIA. A Generation Unplugged. s.l.: Harris Interactive, 2008. Research Study. http://files.ctia.org/pdf/HI_TeenMobileStudy_ResearchReport.pdf.
Radwanick, Sarah. The 2009 U.S. Digital Year in Review. s.l.: comScore, 2010. p. 13, Whitepaper. http://www.comscore.com/Press_Events/Presentations_Whitepapers/2010/The_2009_U.S._Digital_Year_in_Review.
Gostev, Alexander. Mobile Malware Evolution: An Overview, Part 3. SECURELIST. [Online] September 29, 2009. [Cited: April 1, 2010.] http://www.viruslist.com/analysis/?pubid=204792080.
Weiss, Gregg. Staggering iPhone App Development Statistics Unveiled at Macworld 2010. prMac.com. [Online] February 3, 2010. [Cited: April 1, 2010.] http://prmac.com/release-id-10499.htm.
Hughes, Neil. Piper: 15.8M US iPhone sales in 2010, even without Verizon. AppleInsider. [Online] January 6, 2010. [Cited: April 1, 2010.] http://www.appleinsider.com/articles/10/01/06/piper_15_8m_us_iphone_sales_in_2010_even_without_verizon.html.
Cheng, Jacqui. The truth about the iPhone's sales numbers. Ars Technica. [Online] January 23, 2008. [Cited: April 1, 2010.] http://arstechnica.com/apple/news/2008/01/the-truth-about-the-iphones-sales-numbers.ars.
Rubicon Consulting. The Apple iPhone: Successes and Challenges for the Mobile Industry. 2008. http://rubiconconsulting.com/downloads/whitepapers/Rubicon-iPhone_User_Survey.pdf.
Seriot, Nicolas. iPhone Privacy. 2010. Technical Report. http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf.
Pwn2Own 2010: iPhone hacked, SMS database hijacked. ZDNet. [Online] March 24, 2010. [Cited: April 1, 2010.] http://blogs.zdnet.com/security/?p=5836.
A look back at the iTunes App Store - Part I: Explosive Growth. Edible Apple. [Online] July 8, 2009. [Cited: April 1, 2010.] http://www.edibleapple.com/a-look-back-at-the-itunes-app-store-part-i-explosive-growth/.
24. Sandboxing Rules
(version 1)
(deny default)
; Sandbox violations get logged to syslog via kernel logging.
(debug deny)
(allow sysctl-read)
; Mount / umount commands
(deny file-write-mount file-write-umount)
; System is read only
(allow file-read*)
(deny file-write*)
; NOTE: Later rules override earlier rules.
; Private areas
(deny file-write*
  (regex "^/private/var/mobile/Applications/.*$"))
(deny file-read*
  (regex "^/private/var/mobile/Applications/.*$"))
; SQLite uses /private/var/tmp
; TBR: <rdar://problem/5805879> SQLite doesn't honor
; the TMPDIR environment variable
(allow file-write*
  (regex "^/private/var/tmp(/|$)"))
(allow file-read*
  (regex "^/private/var/tmp(/|$)"))
; TBR: <rdar://problem/5806524>
(allow process-exec
  (regex "^/private/var/tmp$"))
; TBR: <rdar://problem/5830139>
(allow file-write*
  (regex "^/private/var/tmp/UpdatedSnapshots/$"))
; Permit reading and writing in the App container
(allow file-read*
  (regex "^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX(/|$)"))
(allow file-write*
  (regex "^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/(tmp|Library|Documents)(/|$)"))
(allow process-exec
  (regex #"^/private/var/mobile/Applications/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/.*.app(/|$)"))
; Allow Address book access via filesystem
; This is an SQLite3 database - there is room to make the rules tighter
(allow file-write*
  (regex "^/private/var/mobile/Library/AddressBook(/|$)"))
(allow file-read*
  (regex "^/private/var/mobile/Library/AddressBook(/|$)"))
; Allow keyboard db access via filesystem
; This is a custom file format. There is room to make the rules tighter
(allow file-write*
  (regex "^/private/var/mobile/Library(/Keyboard)?(/|$)"))
(allow file-read*
  (regex "^/private/var/mobile/Library(/Keyboard)?(/|$)"))
25. Sandboxing Rules
; Pictures, but not other media
; Allow photo access via filesystem. There is room to make the rules tighter
(deny file-write*
  (regex "^/private/var/mobile/Media(/|$)"))
(deny file-read*
  (regex "^/private/var/mobile/Media/"))
(allow file-write*
  (regex "^/private/var/mobile/Media/com.apple.itunes.lock_sync$"))
(allow file-read*
  (regex "^/private/var/mobile/Media/com.apple.itunes.lock_sync$"))
(allow file-write*
  (regex "^/private/var/mobile/Media/DCIM(/|$)"))
(allow file-read*
  (regex "^/private/var/mobile/Media/DCIM(/|$)"))
(allow file-read*
  (regex "^/private/var/mobile/Media/Photos(/|$)"))
; Mach lookups. There is room to make the rule tighter.
(allow mach-lookup)
;; (global-name "PurpleSystemEventPort")
;; (global-name "com.apple.CARenderServer")
;; (global-name "com.apple.eventpump")
;; (global-name "com.apple.springboard.migserver")
;; (global-name "com.apple.system.notification_center"))
(deny process-fork)
; For ASL logs - /var/run/asl_input (XXX: socket can now be named)
; (allow network-outbound)
;   (to unix-socket "/private/var/run/asl_input"))
(allow network*)
; To allow crash reporter / exceptions to kill the process
(allow signal (target self))
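The profile's own note, "Later rules override earlier rules", is what decides whether a given path is reachable from the app container: the read-only system rule, the blanket denial of Applications and Media, and the narrower allows for the container, AddressBook, Keyboard and DCIM all compete, and the last matching one wins. The evaluator below is an added example, not Apple's sandbox engine and not code from the presentation: it transcribes the file-read*/file-write* rules quoted on the two slides, applies them in order with the same regex-search semantics, and reports the decision. The container id is a placeholder standing in for the XXXXXXXX-... on the slides, and the paths it is run on are constructed.

```python
import re
from typing import List, Tuple

# Placeholder container id standing in for the XXXXXXXX-... in the profile.
APP = "00000000-0000-0000-0000-000000000000"

# file-read*/file-write* rules from the Sandboxing Rules slides, in profile
# order: (operation, decision, regex). A rule with no filter applies to every
# path and is written here as ".*".
RULES: List[Tuple[str, str, str]] = [
    ("file-read*",  "allow", r".*"),                                       # system is read only
    ("file-write*", "deny",  r".*"),
    ("file-write*", "deny",  r"^/private/var/mobile/Applications/.*$"),   # private areas
    ("file-read*",  "deny",  r"^/private/var/mobile/Applications/.*$"),
    ("file-write*", "allow", r"^/private/var/tmp(/|$)"),                   # SQLite temp files
    ("file-read*",  "allow", r"^/private/var/tmp(/|$)"),
    ("file-write*", "allow", r"^/private/var/tmp/UpdatedSnapshots/$"),
    ("file-read*",  "allow", rf"^/private/var/mobile/Applications/{APP}(/|$)"),  # own container
    ("file-write*", "allow", rf"^/private/var/mobile/Applications/{APP}/(tmp|Library|Documents)(/|$)"),
    ("file-write*", "allow", r"^/private/var/mobile/Library/AddressBook(/|$)"),
    ("file-read*",  "allow", r"^/private/var/mobile/Library/AddressBook(/|$)"),
    ("file-write*", "allow", r"^/private/var/mobile/Library(/Keyboard)?(/|$)"),  # keyboard db
    ("file-read*",  "allow", r"^/private/var/mobile/Library(/Keyboard)?(/|$)"),
    ("file-write*", "deny",  r"^/private/var/mobile/Media(/|$)"),          # pictures, not other media
    ("file-read*",  "deny",  r"^/private/var/mobile/Media/"),
    ("file-write*", "allow", r"^/private/var/mobile/Media/com.apple.itunes.lock_sync$"),
    ("file-read*",  "allow", r"^/private/var/mobile/Media/com.apple.itunes.lock_sync$"),
    ("file-write*", "allow", r"^/private/var/mobile/Media/DCIM(/|$)"),
    ("file-read*",  "allow", r"^/private/var/mobile/Media/DCIM(/|$)"),
    ("file-read*",  "allow", r"^/private/var/mobile/Media/Photos(/|$)"),
]


def matching_rules(operation: str, path: str) -> List[Tuple[str, str, str]]:
    """Return every rule whose operation and regex match the path, in profile order."""
    return [rule for rule in RULES if rule[0] == operation and re.search(rule[2], path)]


def decide(operation: str, path: str) -> str:
    """Decision for one access: the last matching rule wins, and (deny default)
    applies when no rule matches at all."""
    matched = matching_rules(operation, path)
    return matched[-1][1] if matched else "deny"


if __name__ == "__main__":
    # Constructed paths exercising each region of the profile.
    checks = [
        ("file-read*",  "/etc/passwd"),
        ("file-write*", "/etc/passwd"),
        ("file-read*",  f"/private/var/mobile/Applications/{APP}/Documents/notes.db"),
        ("file-read*",  "/private/var/mobile/Applications/11111111-1111-1111-1111-111111111111/Documents/notes.db"),
        ("file-write*", f"/private/var/mobile/Applications/{APP}/MyApp.app/Info.plist"),
        ("file-read*",  "/private/var/mobile/Media/DCIM/100APPLE/IMG_0001.JPG"),
        ("file-read*",  "/private/var/mobile/Media/iTunes_Control/Music/F00/song.mp3"),
        ("file-write*", "/private/var/mobile/Library/Preferences/com.example.plist"),
    ]
    for op, p in checks:
        print(f"{decide(op, p):5} {op:12} {p}")
```

The last check is the instructive one: the Keyboard rule's regex, `^/private/var/mobile/Library(/Keyboard)?(/|$)`, also matches any path directly under Library because the `(/Keyboard)?` group is optional, so a third-party app is granted write access well beyond the keyboard database. That is exactly the slack the profile's own comments flag with "there is room to make the rules tighter".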
30. More Results
Type            Results
Call logs       100
SMS             120
Contacts        1511
Email           512
Calendar        3188
Notes           1
Pictures        27
Songs           2359
Web History     Yes
Bookmarks       Some
Cookies         Bank of America
App Info        Yes
Recent HTML     Weather page plus Facebook
Google Maps     Yes
Voicemail       0
Password        No
Plists/XML      Yes
Phone Info      Yes
Video           0
Podcasts        0
Speed Dials     Found
VPN             List of trusted networks found
Bluetooth       Enabled
GPS             No
File hashes     Yes
YouTube         Found recently viewed videos