1
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March 2014 © Dino Security S.L. (www.dinosec.com) All rights reserved.
www.dinosec.com
Raúl Siles
raul@dinosec.com
@raulsiles
@dinosec
March 8, 2014
2
Outline
Vulnerability research and markets
Apple & iOS: State of the art
– iPhone/iPad in business
– SSA
Can we manipulate the iOS update process?
Vulnerability details: iOS 5, 6, 7…
– Attacks
Conclusions
Credits
3
Vulnerability Research & Markets
Insider View
4
Vulnerability Markets
How is security vulnerability information managed and traded today?
– Importance of (vuln) information systems for modern economy and society
Who is going to potentially buy your cyber weapon?
– Closed privileged groups
• Black market: cyber criminals
• Public markets: private security companies, governments, brokers…
– Subscription fees: 25 zero-days per year for USD $2.5 million
– What is it going to be used for?
• Compromise all vuln systems w/o the public ever having knowledge of the threat
• Vulns remain private for an average of 151 days (+100 exploits per year)
– Real risk exposure: Assume you are already compromised
NSSLabs
– “The Known Unknowns” (Dec 5, 2013)
– “International Vulnerability Purchase Program” (Dec 17, 2013)
https://www.nsslabs.com/reports/known-unknowns-0
https://www.nsslabs.com/reports/ivpp
5
‘Responsible’ disclosure & Conference disclosure
Disclosure Options
Do nothing
– Assuming it is the best way to serve the community
Coordinated disclosure (vendor)
– Information about vulnerabilities is a valuable asset
• Security researchers require compensation for time spent
Full disclosure
– Motivate vendors to act
Sell it
– Bug bounty (vendor)
– Broker or directly to third-parties
6
Vulnerability Research
For previous vulnerability research I followed…
– Responsible and coordinated disclosure with vendors
– But it was time to research the current vulnerability markets
• Vulnerability was accepted and published in one of the vulnerability purchase programs
• No real interest outside of RCE, LPE and information disclosure (memory addresses)
Vulnerability discovered in early 2012 (+2 years)
– Remained private until now
– Keeping it private (as far as I know) and verifying it is still not public requires a lot of effort (especially over long periods of time)
Why is this vulnerability released today?
– You trust your government (country)…
• What about its allies (e.g. NSA)? And others?
– Rooted CON 5th anniversary!
What if someone finds it meanwhile… or the vendor fixes it?
– For how long can a not very complex vulnerability remain undisclosed?
– Value of modern vulnerabilities and exploits is based on who knows about them
How to provide details without disclosing too much?
7
Vulnerability Research & Disclosure
Vendors do not take relevant issues seriously
– "Why iOS (Android…) Fail inexplicably". Raul Siles. Rooted CON 2013
“When should a researcher initially notify a vendor with no serious
bug bounty before releasing an undisclosed vulnerability in a
security conference?” (Community disclosure?)
– It depends: vendor, bug, researcher, follow-ups… (“negotiate”)
• Complexity, criticality, scope…
• Evolution of security business landscape
– Vulnerability disclosure policies are like assh*les…
• …everyone has one!
• The "Month and a Day Rule" (DinoSec 2014)
– Similar to common law sentences
– Vulnerability notified to Apple on February 6, 2014 (1M +1D)
8
Apple & iOS: State of the Art
9
iPhone/iPad in Business (1/2)
Your business or Apple business model?
– Hardware, software, services & contents
• App Store & iTunes
Apple Q1 2014 financial results
– Sales (quarter): 51M iPhones & 26M iPads
– Revenue: $57.6 billion
• $4.4 billion on iTunes/Software/Service
– Net quarterly profit: $13.1 billion
– 65 billion apps cumulative ($15 billion to developers)
• 1 million apps cumulative in 24 categories
https://www.apple.com/pr/library/2014/01/27Apple-Reports-First-Quarter-Results.html
10
iPhone/iPad in Business (2/2)
iOS design, features, and architecture
– https://www.apple.com/iphone/business/it/
– https://www.apple.com/ipad/business/it/
iOS security model (Feb’14)
– Updates: System Software Authorization
• A7 processor - Security Enclave coprocessor
https://www.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf
11
System Software Authorization (1/2)
To prevent devices from being downgraded
– Older versions lack the latest security updates
• “An attacker who gains possession of a device could install an
older version of iOS and exploit a vulnerability that’s been fixed
in the newer version”
• Jailbreak?
iTunes or wirelessly over the air (OTA)
– Full copy of iOS or only the components required
Connects to Apple’s installation authorization server
– Crypto measurements for each part of installation bundle
(LLB, iBoot, kernel & OS image), nonce & ECID (device
unique ID)
12
System Software Authorization (2/2)
Authorization server checks measurements against
versions permitted by Apple
– Allows only latest version for each device model
• Narrow signing window (~24h)
– Apple signs measurements, nonce and ECID
• Per device (ECID) and per restore (nonce)
Every firmware installation is remotely verified
(signed) by Apple during every restore or upgrade
– Started with iPhone 3G[S] & iOS 3 (using ECID only)
• "Verifying restore with Apple..."
– iTunes “personalizes” the firmware file (ECID…): SHSH
13
Apple iOS Downgrade (1/3)
SHSH blobs and APTickets
– Signature HaSH (SHSH blobs) and nonce (APTicket)
• Cydia (saurik) & redsn0w (Musclenerd) & iFaith (iH8sn0w)
TSS Center (Cydia), redsn0w, TinyUmbrella, iFaith…
– MitM (& cache) signature server: gs.apple.com
• Source: http://svn.saurik.com/repos/menes/trunk/cysts/
– The verifier was the Tatsu Signing Server (TSS)
• Spidercab (Apple internal equivalent), running at ‘tatsu-tss-internal.apple.com’ (Apple VPN), is used to sign old versions...
http://www.saurik.com/id/12 (iOS 3.x)
http://www.saurik.com/id/15 (iOS 6.x)
14
Apple iOS Downgrade (2/3)
SHSH blobs
– SHA-1 hashes (160-bit digests)
– iPhone Software (IPSW) file (ZIP file)
• Build manifest: BuildManifest.plist
– List of files and their content (+ Apple integrity signature) digests
• “Personalization” process
– Build manifest → TSS request → Apple → SHSH blobs → Replace files signature section with SHSH blobs
APTickets
– Introduced with iOS 5.x
– Block of data with digest for all files used during boot
• No IPSW file “personalization” any more (APTicket)
• Contains a “nonce” (anti-replay mechanism - uncacheable)
15
Apple iOS Downgrade (3/3)
Caching the uncacheable
– Restore to very old iOS versions (no APTicket)
– Downgrade tricks history
• http://www.jailbreakqa.com/faq#32763 …
– Exploits for reusing APTickets
No way to downgrade from iOS 6.x to older versions
on newer devices (as of April 2013)
– Eligible older devices
• iPhone 4 & 3G[S], iPad, and iPod Touch 4th (A4 processor)
– limera1n BootROM exploit (redsn0w can dump TSS info from device)
• iPad2
– Go from iOS 5 (or 6) to iOS 4 (no APTicket) and back to iOS 5
• iPad 2, 3 & iPhone 4s: From iOS 5 to any other iOS 5 version
Requirement: TSS information previously saved
16
iOS Support Matrix
http://iossupportmatrix.com
17
Can We Manipulate the iOS Update Process?
Without a new BootROM exploit
18
Relevant iOS 5 Change
Over the Air (OTA)
– iOS software updates
• Settings - General - Software Update
– iTunes data sync & backup over Wi-Fi
• iTunes 10.5+
– Options – Sync with this iPhone over Wi-Fi
– iCloud backup
• Settings - iCloud - Storage & Backup
Apple fans behavior change: Getting rid of the USB cables
19
iOS OTA Update Process
HTTP (vs. HTTPS)
– iOS software (IPSW) integrity verification
– Software update server: http://mesu.apple.com
Automatically used by iOS…
– … or manually launched by the user
• Settings - General - Software Update
iOS software update (plist) file (XML format)
– References (URLs) to all the current iOS version files
• http://appldnld.apple.com
20
Main iOS SW Update Files
iOS software update (plist) file
– http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml
iOS software update documentation (plist) file
– http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/com_apple_MobileAsset_SoftwareUpdateDocumentation.xml
iOS 5.0 (GM) was not offered via OTA
– iOS 5.0 betas (4-7) & 5.1 beta 2 were offered via OTA
– iOS 5.0.1 was the first public OTA version
21
iOS 5.x & 6.x
22
iOS 5 & 6: HEAD Request
HEAD /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
Host: mesu.apple.com
User-Agent: MobileAsset/1.0
Connection: close
Content-Length: 0

HEAD /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
Host: mesu.apple.com
User-Agent: $%7BPRODUCT_NAME%7D/1 CFNetwork/548.0.4 Darwin/11.0.0
Content-Length: 0
Connection: close
23
iOS 5 & 6: HEAD Response
HTTP/1.1 200 OK
Server: Apache
ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
Content-MD5: oNVyoddHvxLCsQeRblBskw==
Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
Accept-Ranges: bytes
Content-Length: 283956
Content-Type: application/xml
Date: Mon, 20 Jan 2014 11:02:00 GMT
Connection: close
If the Last-Modified header contains a date later than the date of the last update, iOS asks for the new content with a GET request.
24
iOS 5 & 6: GET Req & Resp
GET /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
Host: mesu.apple.com
Connection: close
User-Agent: MobileAsset/1.0
HTTP/1.1 200 OK
Server: Apache
ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
Content-MD5: oNVyoddHvxLCsQeRblBskw==
Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
Accept-Ranges: bytes
Content-Length: 283956
Content-Type: application/xml
Date: Mon, 20 Jan 2014 11:02:00 GMT
Connection: keep-alive
...
25
iOS 5 & 6: GET Req & Resp
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Assets</key>
<array>
<dict>
<key>Build</key>
...
<key>OSVersion</key>
<string>7.0.4</string>
...
<key>Certificate</key>
<data>
MIID...YSoiag78twmDRk726aYmxNIfYYpDs0hS7Mw==
</data>
<key>Signature</key>
<data>
LyfS...pvlWlONSzNYx9qZdS6B7Fs6JgHqw9DA1d2w==
</data>
<key>SigningKey</key>
<string>AssetManifestSigning</string>
</dict>
</plist>
Same behavior with the iOS SW update documentation file
26
Last-Modified: Date
Can we manipulate the iOS update process?
27
StarWars or Matrix?
28
29
Man in the Middle (MitM) attacks
– Do you remember the Wi-Fi network impersonation attacks from last year's Rooted CON 2013?
• http://www.dinosec.com/docs/RootedCON2013_Taddong_RaulSiles-WiFi.pdf
• http://vimeo.com/70718776
iProxy
– Python MitM tool
• Twisted (https://twistedmatrix.com)
– Event-driven networking engine (e.g. sslstrip)
– Implements both StarWars and Matrix attacks
• Multiple and flexible options
Vulnerability Exploitation
30
“These aren’t the updates you’re looking for”
31
StarWars Attack
Block and/or drop the HEAD request (timeout)
– Fail: It sends a GET request
– Block and/or drop the GET request (timeout)
• Fail: Error message
– When the user manually checks for updates
– “Unable To Check for Update”
Change the “Last-Modified” header of the HEAD
response to the past
– “These aren’t the updates you’re looking for”
DEMO
32
“This is your last chance. After this, there is no turning back. You take
the blue pill - the story ends, you wake up in your bed and believe
whatever you want to believe. You take the red pill - you stay in
Appleland and I show you how deep the rabbit-hole goes.”
33
Matrix Attack
Change the “Last-Modified” header of the HEAD response to the future
– Forcing a GET request
Change the contents of the GET response
– Fail: The response contents are signed
– Replay attacks?
Change the “Last-Modified” header of the GET response to the future & provide a previous file
– “You’re inside the Matrix”
• No more updates up to that future date
DEMO
34
iOS Software Update Files Repo
35
iOS 7.x
36
iOS 7: GET Request
GET /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
Host: mesu.apple.com
If-Modified-Since: Tue, 07 Jan 2014 17:45:50 GMT
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-us
Connection: keep-alive
User-Agent: MobileAsset/1.0
HEAD request removed from iOS 7
The If-Modified-Since header discloses the date of the last update stored on the iOS device: THANKS iOS!
37
iOS 7: GET Response (304)
If there is no new update from that date…
HTTP/1.1 304 Not Modified
Content-Type: application/xml
Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
Date: Mon, 20 Jan 2014 12:35:20 GMT
Connection: keep-alive
38
iOS 7: GET Response (200)
If there is a new update from that date…
HTTP/1.1 200 OK
Server: Apache
ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
Content-MD5: oNVyoddHvxLCsQeRblBskw==
Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
Accept-Ranges: bytes
Content-Length: 283956
Content-Type: application/xml
Date: Mon, 20 Jan 2014 11:02:00 GMT
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>
...
<plist version="1.0">
<dict>
...
<key>OSVersion</key>
<string>7.0.4</string> ...
39
Temporary vs. Permanent attacks
40
StarWars Attack
Block and/or drop the GET request (timeout)
– Fail: Error message
• When the user manually checks for updates
• “Unable To Check for Update”
Send a 304 response
– “These aren’t the updates you’re looking for”
• Change the “Last-Modified” header of the GET request to the
future to get a 304 from Apple’s server
• Change the GET response manually to 304
This 304 Jedi trick does not work for iOS 6
DEMO
41
Matrix Attack
Change the contents of the GET response
– Fail: The response contents are signed
– Replay attacks?
Change the “Last-Modified” header of the GET response to the future
– “You’re inside the Matrix”
• No more updates up to that future date
DEMO
42
Conclusions
43
Vulnerability Details
Affects iOS 5.x - 7.x (up to the latest version)
– iOS 5.0 released on October 12, 2011
– Vulnerability discovered in early 2012, between…
• 5.0.1 (Nov 10, 2011) & 5.1 (March 7, 2012)
• It has survived multiple iOS versions: 5, 6 & 7
– Long time verifying it has not been fixed
– Long time collecting iOS software update files (plist XML files)
Targeted and very carefully planned attacks
– Plenty of time to launch future attacks
• Forever (persistent - Matrix) or between iOS updates (now)
Stealthy attacks
– The update freeze can be reverted back silently
44
Vulnerability Limitations
Cannot be used to downgrade to a previous
version, but to remain on the current version
Can be bypassed via iTunes
– Different update check mechanism (HTTPS)
– Temporarily, as iTunes does not change the iOS
device update state if cancelled
– What is the current iOS update user behavior?
• iTunes or OTA
45
Vulnerability Usage
Outside the information security field…
People complaining because they didn’t want to
update from iOS 6 to iOS 7
– Huge user interface (GUI) change they didn’t like
But their iOS device used +1Gb of space (e.g. 16Gb
iPad) just to locally store the new iOS 7 update
– New update is available
– Download update
– Install update
“Unwanted iOS 7 occupying space on iOS 6 devices”
Freeze the iOS device at iOS 6 and never get iOS 7 
46
Vulnerability Exploitation
Freeze the version of a target device and wait for the next succulent
iOS update fixing a critical flaw
Wait… that sounds like… goto fail;
– Speculation: Released on February 21, 2014 (although it is older)
• Without any public researcher recognition (Apple?)
– For iOS 7.0.6 & 6.1.6, but not for OS X Mavericks (10.9) – in a hurry?
– CVE-2014-1266
• Lack of proper certificate validation: DHE & ECDHE
• https://www.imperialviolet.org/2014/02/22/applebug.html
https://www.gotofail.com
47
Vulnerability Disclosure: History
Vulnerability discovered in early 2012
– +2 years (or +750 days or +…)
– Obtained a copy of the iOS software update file for 5.0 & 5.0.1 from
other researchers (March 2012), but not the early doc update files
Vulnerability notified to Apple on February 6, 2014
– The "Month and a Day Rule" (“Yes We Can”)
E-mails
– Feb 6: Standard Apple automated response confirming reception
– Feb 14: Apple asked for PoC for permanent disabling
• Sent a detailed response clarifying the attack techniques
• “Thanks for the clarification.”
A victim iPad got a new update on March 1, 2014
– Last Saturday: “Apple has changed something on their servers!”
• Without sending any notification to the researcher…
• … and trying to break his demo at Rooted CON 2014
48
Vulnerability Disclosure: Today1…
49
We don’t learn from the past! 
Vulnerability Fix(es)
Why didn’t OTA SW updates use HTTPS by design?
– Did Apple put too much trust in the IPSW integrity verification?
• Lack of verification of the update contents (e.g. evilgrade, 2010)
– Lack of verification of the update checks
• Differentiate between update checks and update contents
– httpS://mesu.apple.com & http://appldnld.apple.com
• Caching responses for sensitive checks is probably not a good idea
• Certificate pinning?
– Performance impact?
• Again, differentiate update checks from update contents
– Conspiracy theory or… another developer ‘mistake’
• Design, implementation, Q&A, security testing… (Apple?)
MDM solutions: Verify the latest version is applied
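The date checks the slides call for, written as an added detection example over captured update-check exchanges (not code from the talk or from iProxy). The finding names, the `reference_last_modified` and `observed_at` inputs, the five-minute skew and the sample exchanges are assumptions constructed for illustration.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

MANIFEST_HOST = "mesu.apple.com"   # update-check host shown on the slides
SKEW = timedelta(minutes=5)        # assumed clock-skew tolerance


def parse_headers(raw):
    """Split a raw header block into (start_line, {lowercased name: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    if not lines:
        return "", {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def http_date(value):
    """Parse an HTTP date header; None when absent or malformed."""
    if not value:
        return None
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_exchange(raw_request, raw_response, reference_last_modified=None,
                   observed_at=None):
    """Return the list of findings for one update-check exchange.

    reference_last_modified: manifest date obtained over a trusted path
    (hypothetical input). observed_at: timezone-aware capture time from the
    sensor; falls back to the response Date header, which an on-path
    attacker could also rewrite.
    """
    _, req = parse_headers(raw_request)
    status_line, resp = parse_headers(raw_response)
    if req.get("host", "").lower() != MANIFEST_HOST:
        return []
    fields = status_line.split()
    status = fields[1] if len(fields) > 1 else ""
    now = observed_at or http_date(resp.get("date"))
    last_mod = http_date(resp.get("last-modified"))
    since = http_date(req.get("if-modified-since"))
    reference = http_date(reference_last_modified)

    findings = []
    # Manifest dated after the moment it was served: the device would store
    # that date and skip every update published before it.
    if now and last_mod and last_mod > now + SKEW:
        findings.append("future-last-modified")
    # iOS 7 sends its stored date in If-Modified-Since; a future value means
    # the device already accepted a future-dated response.
    if now and since and since > now + SKEW:
        findings.append("client-state-in-future")
    if reference:
        # Response advertises an older manifest than the trusted reference.
        if last_mod and last_mod < reference - SKEW:
            findings.append("stale-last-modified")
        # 304 returned although the trusted reference is newer than the
        # date the client asked about.
        if status == "304" and since and since < reference - SKEW:
            findings.append("suppressed-update-304")
    return findings


# Constructed samples, modelled on the header values shown on the slides.
PATH = ("/assets/com_apple_MobileAsset_SoftwareUpdate/"
        "com_apple_MobileAsset_SoftwareUpdate.xml")
REQ_IOS7 = (f"GET {PATH} HTTP/1.1\nHost: mesu.apple.com\n"
            "If-Modified-Since: Tue, 07 Jan 2014 17:45:50 GMT\n"
            "User-Agent: MobileAsset/1.0")
REQ_FUTURE_STATE = REQ_IOS7.replace("Tue, 07 Jan 2014 17:45:50",
                                    "Fri, 01 Jan 2016 00:00:00")
RESP_304 = ("HTTP/1.1 304 Not Modified\n"
            "Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT\n"
            "Date: Mon, 20 Jan 2014 12:35:20 GMT")
RESP_FUTURE = ("HTTP/1.1 200 OK\n"
               "Last-Modified: Fri, 01 Jan 2016 00:00:00 GMT\n"
               "Date: Mon, 20 Jan 2014 11:02:00 GMT")
RESP_304_LATE = RESP_304.replace("Mon, 20 Jan 2014 12:35:20",
                                 "Mon, 03 Mar 2014 09:00:00")
REFERENCE_SAME = "Tue, 07 Jan 2014 17:45:50 GMT"
REFERENCE_NEWER = "Sat, 01 Mar 2014 00:00:00 GMT"   # constructed date

if __name__ == "__main__":
    for req, resp, ref in [(REQ_IOS7, RESP_304, REFERENCE_SAME),
                           (REQ_IOS7, RESP_FUTURE, None),
                           (REQ_FUTURE_STATE, RESP_304, None),
                           (REQ_IOS7, RESP_304_LATE, REFERENCE_NEWER)]:
        print(check_exchange(req, resp, ref))
```

The two reference-based findings only work when the reference date comes from a path the on-path attacker cannot rewrite, which is the same reason the slides ask for HTTPS on the update check itself.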
50
Real Vulnerability Impact (1/2)
How many people could I (or others knowing about this,
e.g. NSA) have attacked using this ‘simple’ vulnerability?
– During the last +2 years
– Considering all the potential victims available worldwide
• Some of them very relevant and managing very sensitive information
– By freezing their device to an old & vulnerable iOS version…
• Temporarily or permanently
– … in order to exploit other iOS vulnerabilities, such as…
• 197 vulnerabilities fixed in iOS 6.0
• 80 vulnerabilities fixed in iOS 7.0
• Other critical vulnerabilities fixed in intermediate iOS 5.x, 6.x & 7.x versions
– More than 20 iOS lock screen bypass vulnerabilities between iOS 5.x-7.x
– Ending up with the last goto fail in iOS 7.0.6
• Including multiple jailbreaks available meanwhile (wait for the next one…)
– Silently, without the victim users noticing
• And even with the option of stealthily reverting the attack back…
51
Freezing iOS from iOS 6 to iOS 7… 
Real Vulnerability Impact (2/2)
… with one single exception, where the user
might have noticed the lack of an iOS update
52
This is the world we live in…
… overly dependent on technology,
highly sophisticated, but still immature
and very vulnerable
53
Produced by:
Directed by:
Casting by:
IPSW Assistant:
iOS5.0 & 5.0.1 files:
(March 2012)
Music by:
Costume Designer:
Credits
Raúl Siles
Mónica Salas
E & E
Apple
Jorge Ortiz
Jay Freeman (saurik)
Jan Hindermann
Siletes
camisetasfrikis.es
54
Questions?
55
www.dinosec.com
@dinosec
Raúl Siles
raul@dinosec.com
@raulsiles

Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]
Cesar Lorenzana - Picoletos en Rootedland [RootedSatellite Valencia]
 
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
 
Lorenzo Martínez - Cooking an APT in the paranoid way [RootedSatellite Valen...
Lorenzo Martínez  - Cooking an APT in the paranoid way [RootedSatellite Valen...Lorenzo Martínez  - Cooking an APT in the paranoid way [RootedSatellite Valen...
Lorenzo Martínez - Cooking an APT in the paranoid way [RootedSatellite Valen...
 
Aladdin Gurbanov – Magnetic Road [Rooted CON 2014]
Aladdin Gurbanov – Magnetic Road [Rooted CON 2014]Aladdin Gurbanov – Magnetic Road [Rooted CON 2014]
Aladdin Gurbanov – Magnetic Road [Rooted CON 2014]
 
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
Pablo San Emeterio López & Jaime Sánchez – WhatsApp, mentiras y cintas de vid...
 
Roberto Baratta – Monetización de seguridad: de más con menos a más con nada ...
Roberto Baratta – Monetización de seguridad: de más con menos a más con nada ...Roberto Baratta – Monetización de seguridad: de más con menos a más con nada ...
Roberto Baratta – Monetización de seguridad: de más con menos a más con nada ...
 
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
Juan Vazquez & Julián Vilas – Tú a Barcelona y yo a Tejas, a patadas con mi S...
 

Raul Siles - iOS: Regreso al futuro [Rooted CON 2014]

  • 1. Rooted CON 2014 6-7-8 Marzo // 6-7-8 March 2014 © Dino Security S.L. (www.dinosec.com) All rights reserved.
    www.dinosec.com @dinosec
    Raúl Siles raul@dinosec.com @raulsiles
    March 8, 2014
  • 2. Outline
    Vulnerability research and markets
    Apple & iOS: State of the art
      – iPhone/iPad in business
      – SSA
    Can we manipulate the iOS update process?
    Vulnerability details: iOS 5, 6, 7…
      – Attacks
    Conclusions
    Credits
  • 3. Vulnerability Research & Markets
    Insider View
  • 4. Vulnerability Markets
    How is security vulnerability information managed and traded today?
      – Importance of (vuln) information systems for modern economy and society
    Who is going to potentially buy your cyber weapon?
      – Closed privileged groups
        • Black market: cyber criminals
        • Public markets: private security companies, governments, brokers…
      – Subscription fees: 25 zero-days per year for USD $2.5 million
      – What is it going to be used for?
        • Compromise all vuln systems w/o the public ever having knowledge of the threat
        • Vulns remain private for an average of 151 days (+100 exploits per year)
      – Real risk exposure: Assume you are already compromised
    NSSLabs
      – “The Known Unknowns” (Dec 5, 2013)
      – “International Vulnerability Purchase Program” (Dec 17, 2013)
    https://www.nsslabs.com/reports/known-unknowns-0
    https://www.nsslabs.com/reports/ivpp
  • 5. Disclosure Options
    ‘Responsible’ disclosure & Conference disclosure
    Do nothing
      – Assuming it is the best way to serve the community
    Coordinated disclosure (vendor)
      – Information about vulnerabilities is a valuable asset
        • Security researchers require compensation for time spent
    Full disclosure
      – Motivate vendors to act
    Sell it
      – Bug bounty (vendor)
      – Broker or directly to third-parties
  • 6. Vulnerability Research
    For previous vulnerability research I followed…
      – Responsible and coordinated disclosure with vendors
      – But it was time to research the current vulnerability markets
        • Vulnerability was accepted and published in one of the vulnerability purchase programs
        • No real interest outside of RCE, LPE and information disclosure (memory addresses)
    Vulnerability discovered in early 2012 (+2 years)
      – Remained private until now
      – Keeping it private (as far as I know) and verifying it is still not public requires a lot of effort (especially over long periods of time)
    Why is this vulnerability released today?
      – You trust your government (country)…
        • What about its allies (e.g. NSA)? And others?
      – Rooted CON 5th anniversary!
    What if someone finds it meanwhile… or the vendor fixes it?
      – For how long can a not very complex vulnerability remain undisclosed?
      – Value of modern vulnerabilities and exploits is based on who knows about them
    How to provide details without disclosing too much?
  • 7. Vulnerability Research & Disclosure
    Vendors do not take relevant issues seriously
      – "Why iOS (Android…) Fail inexplicably". Raul Siles. Rooted CON 2013
    “When should a researcher initially notify a vendor with no serious bug bounty before releasing an undisclosed vulnerability in a security conference?” (Community disclosure?)
      – It depends: vendor, bug, researcher, follow-ups… (“negotiate”)
        • Complexity, criticality, scope…
        • Evolution of security business landscape
      – Vulnerability disclosure policies are like assh*les…
        • …everyone has one!
        • The "Month and a Day Rule" (DinoSec 2014)
          – Similar to common law sentences
          – Vulnerability notified to Apple on February 6, 2014 (1M +1D)
  • 8. Apple & iOS: State of the Art
  • 9. iPhone/iPad in Business (1/2)
    Your business or Apple business model?
      – Hardware, software, services & contents
        • App Store & iTunes
    Apple Q1 2014 financial results
      – Sales (quarter): 51M iPhones & 26M iPads
      – Revenue: $57.6 billion
        • $4.4 billion on iTunes/Software/Service
      – Net quarterly profit: $13.1 billion
      – 65 billion apps cumulative ($15 billion to developers)
        • 1 million apps cumulative in 24 categories
    https://www.apple.com/pr/library/2014/01/27Apple-Reports-First-Quarter-Results.html
  • 10. iPhone/iPad in Business (2/2)
    iOS design, features, and architecture
      – https://www.apple.com/iphone/business/it/
      – https://www.apple.com/ipad/business/it/
    iOS security model (Feb’14)
      – Updates: System Software Authorization
        • A7 processor - Secure Enclave coprocessor
    https://www.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf
  • 11. System Software Authorization (1/2)
    To prevent devices from being downgraded
      – Older versions lack the latest security updates
        • “An attacker who gains possession of a device could install an older version of iOS and exploit a vulnerability that’s been fixed in the newer version”
        • Jailbreak?
    iTunes or wirelessly over the air (OTA)
      – Full copy of iOS or only the components required
    Connects to Apple’s installation authorization server
      – Crypto measurements for each part of installation bundle (LLB, iBoot, kernel & OS image), nonce & ECID (device unique ID)
  • 12. System Software Authorization (2/2)
    Authorization server checks measurements against versions permitted by Apple
      – Allows only latest version for each device model
        • Narrow signing window (~24h)
      – Apple signs measurements, nonce and ECID
        • Per device (ECID) and per restore (nonce)
    Every firmware installation is remotely verified (signed) by Apple during every restore or upgrade
      – Started with iPhone 3G[S] & iOS 3 (using ECID only)
        • "Verifying restore with Apple..."
      – iTunes “personalizes” the firmware file (ECID…): SHSH
  • 13. Apple iOS Downgrade (1/3)
    SHSH blobs and APTickets
      – Signature HaSH (SHSH blobs) and nonce (APTicket)
        • Cydia (saurik) & redsn0w (Musclenerd) & iFaith (iH8sn0w)
    TSS Center (Cydia), redsn0w, TinyUmbrella, iFaith…
      – MitM (& cache) signature server: gs.apple.com
        • Source: http://svn.saurik.com/repos/menes/trunk/cysts/
      – The verifier was the Tatsu Signing Server (TSS)
        • Spidercab (Apple internal equivalent), running at ‘tatsu-tss-internal.apple.com’ (Apple VPN), is used to sign old versions...
    http://www.saurik.com/id/12 (iOS 3.x)
    http://www.saurik.com/id/15 (iOS 6.x)
  • 14. Apple iOS Downgrade (2/3)
    SHSH blobs
      – SHA-1 hashes (160-bit digests)
      – iPhone Software (IPSW) file (ZIP file)
        • Build manifest: BuildManifest.plist
          – List of files and their content (+ Apple integrity signature) digests
        • “Personalization” process
          – Build manifest → TSS request → Apple → SHSH blobs → Replace files signature section with SHSH blobs
    APTickets
      – Introduced with iOS 5.x
      – Block of data with digest for all files used during boot
        • No IPSW file “personalization” any more (APTicket)
        • Contains a “nonce” (anti-replay mechanism - uncacheable)
  • 15. Apple iOS Downgrade (3/3)
    Caching the uncacheable
      – Restore to very old iOS versions (no APTicket)
      – Downgrade tricks history
        • http://www.jailbreakqa.com/faq#32763 …
      – Exploits for reusing APTickets
    No way to downgrade from iOS 6.x to older versions on newer devices (as of April 2013)
      – Eligible older devices
        • iPhone 4 & 3G[S], iPad, and iPod Touch 4th (A4 processor)
          – limera1n BootROM exploit (redsn0w can dump TSS info from device)
        • iPad2
          – Go from iOS 5 (or 6) to iOS 4 (no APTicket) and back to iOS 5
        • iPad 2, 3 & iPhone 4s: From iOS 5 to any other iOS 5 version
    Requirement: TSS information previously saved
  • 16. iOS Support Matrix
    http://iossupportmatrix.com
  • 17. Can We Manipulate the iOS Update Process?
    Without a new BootROM exploit
  • 18. Relevant iOS 5 Change
    Over the Air (OTA)
      – iOS software updates
        • Settings - General - Software Update
      – iTunes data sync & backup over Wi-Fi
        • iTunes 10.5+
          – Options – Sync with this iPhone over Wi-Fi
      – iCloud backup
        • Settings - iCloud - Storage & Backup
    Apple fans behavior change: Getting rid of the USB cables
  • 19. iOS OTA Update Process
    HTTP (vs. HTTPS)
      – iOS software (IPSW) integrity verification
      – Software update server: http://mesu.apple.com
    Automatically used by iOS…
      – … or manually launched by the user
        • Settings - General - Software Update
    iOS software update (plist) file (XML format)
      – References (URLs) to all the current iOS version files
        • http://appldnld.apple.com
  • 20. Main iOS SW Update Files
    iOS software update (plist) file
      – http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml
    iOS software update documentation (plist) file
      – http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/com_apple_MobileAsset_SoftwareUpdateDocumentation.xml
    iOS 5.0 (GM) was not offered via OTA
      – iOS 5.0 betas (4-7) & 5.1 beta 2 were offered via OTA
      – iOS 5.0.1 was the first public OTA version
  • 21. iOS 5.x & 6.x
  • 22. iOS 5 & 6: HEAD Request
    HEAD /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
    Host: mesu.apple.com
    User-Agent: MobileAsset/1.0
    Connection: close
    Content-Length: 0

    HEAD /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
    Host: mesu.apple.com
    User-Agent: $%7BPRODUCT_NAME%7D/1 CFNetwork/548.0.4 Darwin/11.0.0
    Content-Length: 0
    Connection: close
  • 23. iOS 5 & 6: HEAD Response
    HTTP/1.1 200 OK
    Server: Apache
    ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
    Content-MD5: oNVyoddHvxLCsQeRblBskw==
    Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
    Accept-Ranges: bytes
    Content-Length: 283956
    Content-Type: application/xml
    Date: Mon, 20 Jan 2014 11:02:00 GMT
    Connection: close

    If it contains a date greater than the date from the last update, it will ask for the new content: GET.
  • 24. iOS 5 & 6: GET Req & Resp
    GET /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
    Host: mesu.apple.com
    Connection: close
    User-Agent: MobileAsset/1.0

    HTTP/1.1 200 OK
    Server: Apache
    ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
    Content-MD5: oNVyoddHvxLCsQeRblBskw==
    Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
    Accept-Ranges: bytes
    Content-Length: 283956
    Content-Type: application/xml
    Date: Mon, 20 Jan 2014 11:02:00 GMT
    Connection: keep-alive
    ...
  • 25. iOS 5 & 6: GET Req & Resp
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>Assets</key>
      <array>
        <dict>
          <key>Build</key>
          ...
          <key>OSVersion</key>
          <string>7.0.4</string>
          ...
      <key>Certificate</key>
      <data>
      MIID...YSoiag78twmDRk726aYmxNIfYYpDs0hS7Mw==
      </data>
      <key>Signature</key>
      <data>
      LyfS...pvlWlONSzNYx9qZdS6B7Fs6JgHqw9DA1d2w==
      </data>
      <key>SigningKey</key>
      <string>AssetManifestSigning</string>
    </dict>
    </plist>

    Same behavior with the iOS SW update documentation file
  • 26. Can we manipulate the iOS update process?
    Last-Modified: Date
  • 29. Vulnerability Exploitation
    Man in the Middle (MitM) attacks
      – Do you remember the Wi-Fi network impersonation attacks from last year's Rooted CON 2013?
        • http://www.dinosec.com/docs/RootedCON2013_Taddong_RaulSiles-WiFi.pdf
        • http://vimeo.com/70718776
    iProxy
      – Python MitM tool
        • Twisted (https://twistedmatrix.com)
          – Event-driven networking engine (e.g. sslstrip)
      – Implements both StarWars and Matrix attacks
        • Multiple and flexible options
  • 30. “These aren’t the updates you’re looking for”
  • 31. StarWars Attack
    Block and/or drop the HEAD request (timeout)
      – Fail: It sends a GET request
      – Block and/or drop the GET request (timeout)
        • Fail: Error message
          – When the user manually checks for updates
          – “Unable To Check for Update”
    Change the “Last-Modified” header of the HEAD response to the past
      – “These aren’t the updates you’re looking for”
    DEMO
  • 32. “This is your last chance. After this, there is no turning back. You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Appleland and I show you how deep the rabbit-hole goes.”
  • 33. Matrix Attack
    Change the “Last-Modified” header of the HEAD response to the future
      – Forcing a GET request
    Change the contents of the GET response
      – Fail: The response contents are signed
      – Replay attacks?
    Change the “Last-Modified” header of the GET response to the future & provide a previous file
      – “You’re inside the Matrix”
        • No more updates up to that future date
    DEMO
  • 34. iOS Software Update Files Repo
  • 35. iOS 7.x
  • 36. iOS 7: GET Request
    GET /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
    Host: mesu.apple.com
    If-Modified-Since: Tue, 07 Jan 2014 17:45:50 GMT
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-us
    Connection: keep-alive
    User-Agent: MobileAsset/1.0

    HEAD request removed from iOS 7
    It discloses the date from the last update stored on the iOS device: THANKS iOS!
  • 37. iOS 7: GET Response (304)
    If there is no new update from that date…
    HTTP/1.1 304 Not Modified
    Content-Type: application/xml
    Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
    ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
    Date: Mon, 20 Jan 2014 12:35:20 GMT
    Connection: keep-alive
  • 38. iOS 7: GET Response (200)
    If there is a new update from that date…
    HTTP/1.1 200 OK
    Server: Apache
    ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
    Content-MD5: oNVyoddHvxLCsQeRblBskw==
    Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
    Accept-Ranges: bytes
    Content-Length: 283956
    Content-Type: application/xml
    Date: Mon, 20 Jan 2014 11:02:00 GMT
    Connection: keep-alive

    <?xml version="1.0" encoding="UTF-8"?>
    ...
    <plist version="1.0">
    <dict>
      ...
      <key>OSVersion</key>
      <string>7.0.4</string>
      ...
  • 39. Temporary vs. Permanent attacks
  • 40. StarWars Attack
    Block and/or drop the GET request (timeout)
      – Fail: Error message
        • When the user manually checks for updates
        • “Unable To Check for Update”
    Send a 304 response
      – “These aren’t the updates you’re looking for”
        • Change the “Last-Modified” header of the GET request to the future to get a 304 from Apple’s server
        • Change the GET response manually to 304
    This 304 Jedi trick does not work for iOS 6
    DEMO
  • 41. Matrix Attack
    Change the contents of the GET response
      – Fail: The response contents are signed
      – Replay attacks?
    Change the “Last-Modified” header of the GET response to the future
      – “You’re inside the Matrix”
        • No more updates up to that future date
    DEMO
  • 43. Vulnerability Details
    Affects iOS 5.x - 7.x (up to the latest version)
      – iOS 5.0 released on October 12, 2011
      – Vulnerability discovered in early 2012, between…
        • 5.0.1 (Nov 10, 2011) & 5.1 (March 7, 2012)
        • It has survived multiple iOS versions: 5, 6 & 7
      – Long time verifying it has not been fixed
      – Long time collecting iOS software update files (plist XML files)
    Targeted and very carefully planned attacks
      – Plenty of time to launch future attacks
        • Forever (persistent - Matrix) or between iOS updates (now)
    Stealthy attacks
      – The update freeze can be reverted back silently
  • 44. Vulnerability Limitations
    Cannot be used to downgrade to a previous version, only to remain on the current version
    Can be bypassed via iTunes
      – Different update check mechanism (HTTPS)
      – Temporarily, as iTunes does not change the iOS device update state if cancelled
      – What is the current iOS update user behavior?
        • iTunes or OTA
  • 45. Vulnerability Usage
    Outside the information security field…
    People complaining because they didn’t want to update from iOS 6 to iOS 7
      – Huge user interface (GUI) change they didn’t like
    But their iOS device used +1Gb of space (e.g. 16Gb iPad) just to locally store the new iOS 7 update
      – New update is available
      – Download update
      – Install update
    “Unwanted iOS 7 occupying space on iOS 6 devices”
    Freeze the iOS device at iOS 6 and never get iOS 7
  • 46. Vulnerability Exploitation
    Freeze the version of a target device and wait for the next succulent iOS update fixing a critical flaw
    Wait… that sounds like… goto fail;
      – Speculation: Released on February 21, 2014 (although it is older)
        • Without any public researcher recognition (Apple?)
      – For iOS 7.0.6 & 6.1.6, but not for OS X Mavericks (10.9) – in a hurry?
      – CVE-2014-1266
        • Lack of proper certificate validation: DHE & ECDHE
        • https://www.imperialviolet.org/2014/02/22/applebug.html
    https://www.gotofail.com
  • 47. Vulnerability Disclosure: History
    Vulnerability discovered in early 2012
      – +2 years (or +750 days or +…)
      – Obtained a copy of the iOS software update file for 5.0 & 5.0.1 from other researchers (March 2012), but not the early doc update files
    Vulnerability notified to Apple on February 6, 2014
      – The "Month and a Day Rule" (“Yes We Can”)
    E-mails
      – Feb 6: Standard Apple automated response confirming reception
      – Feb 14: Apple asked for PoC for permanent disabling
        • Sent a detailed response clarifying the attack techniques
        • “Thanks for the clarification.”
    A victim iPad got a new update on March 1, 2014
      – Last Saturday: “Apple has changed something on their servers!”
        • Without sending any notification to the researcher…
        • … and trying to break his demo at Rooted CON 2014
  • 48. Vulnerability Disclosure: Today1…
  • 49. Vulnerability Fix(es)
    We don’t learn from the past!
    Why didn’t OTA SW updates use HTTPS by design?
      – Did Apple put too much trust in the IPSW integrity verification?
        • Lack of verification of the update contents (e.g. evilgrade, 2010)
      – Lack of verification of the update checks
        • Differentiate between update checks and update contents
          – httpS://mesu.apple.com & http://appldnld.apple.com
        • Caching responses for sensitive checks is probably not a good idea
        • Certificate pinning?
      – Performance impact?
        • Again, differentiate update checks from update contents
      – Conspiracy theory or… another developer ‘mistake’
        • Design, implementation, Q&A, security testing… (Apple?)
    MDM solutions: Verify the latest version is applied
  • 50. Real Vulnerability Impact (1/2)
    How many people could I (or others knowing about this, e.g. NSA) have attacked using this ‘simple’ vulnerability?
      – During the last +2 years
      – Considering all the potential victims available worldwide
        • Some of them very relevant and managing very sensitive information
      – By freezing their device to an old & vulnerable iOS version…
        • Temporarily or permanently
      – … in order to exploit other iOS vulnerabilities, such as…
        • 197 vulnerabilities fixed in iOS 6.0
        • 80 vulnerabilities fixed in iOS 7.0
        • Other critical vulnerabilities fixed in intermediate iOS 5.x, 6.x & 7.x versions
          – More than 20 iOS lock screen bypass vulnerabilities between iOS 5.x-7.x
          – Ending up with the last goto fail in iOS 7.0.6
        • Including multiple jailbreaks available meanwhile (wait for the next one…)
      – Silently, without the victim users noticing
        • And even with the option of stealthily reverting the attack back…
  • 51. Real Vulnerability Impact (2/2)
    Freezing iOS from iOS 6 to iOS 7…
    … with one single exception, where the user might have noticed the lack of an iOS update
  • 52. This is the world we live in…
    … overly dependent on technology, highly sophisticated, but still immature and very vulnerable
  • 53. Credits
    Produced by: Directed by: Casting by: IPSW Assistant: iOS5.0 & 5.0.1 files: (March 2012) Music by: Costume Designer:
    Raúl Siles Mónica Salas E & E Apple Jorge Ortiz Jay Freeman (saurik) Jan Hindermann Siletes camisetasfrikis.es
  • 54. Questions?
  • 55. www.dinosec.com @dinosec
    Raúl Siles raul@dinosec.com @raulsiles
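
A defender-side check for the header manipulations described in the StarWars and Matrix slides, as an added example (not code from the talk or from iProxy): it audits one captured update-check exchange with mesu.apple.com and reports date inconsistencies. The finding names and the `trusted_last_modified` parameter (the manifest date obtained over a channel you trust, for instance from an MDM inventory) are assumptions of this example.

```python
from datetime import timezone
from email.utils import parsedate_to_datetime

# Request and 304 response as shown on the iOS 7 slides (headers abridged).
IOS7_REQUEST = """GET /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
Host: mesu.apple.com
If-Modified-Since: Tue, 07 Jan 2014 17:45:50 GMT
User-Agent: MobileAsset/1.0
"""
SLIDE_304 = """HTTP/1.1 304 Not Modified
Content-Type: application/xml
Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
Date: Mon, 20 Jan 2014 12:35:20 GMT
"""
# Constructed samples (not captured traffic): a response whose Last-Modified
# lies in the future, and a request from a device already holding a future date.
FUTURE_200 = """HTTP/1.1 200 OK
Last-Modified: Tue, 01 Jan 2030 00:00:00 GMT
Content-Type: application/xml
Date: Mon, 20 Jan 2014 11:02:00 GMT
"""
FROZEN_REQUEST = IOS7_REQUEST.replace("Tue, 07 Jan 2014 17:45:50",
                                      "Tue, 01 Jan 2030 00:00:00")


def parse_head(raw):
    """Return (start_line, {lower-cased header name: value}) for a message head."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def to_utc(value):
    """Parse an HTTP date; return an aware datetime, or None if absent/invalid."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_update_check(raw_request, raw_response, trusted_last_modified=None):
    """Return a list of findings for one update-check request/response pair."""
    _, req = parse_head(raw_request)
    _, resp = parse_head(raw_response)
    since = to_utc(req.get("if-modified-since"))
    modified = to_utc(resp.get("last-modified"))
    served = to_utc(resp.get("date"))
    trusted = to_utc(trusted_last_modified)
    findings = []
    # A manifest cannot have been modified after the moment it was served.
    if modified and served and modified > served:
        findings.append("FUTURE_LAST_MODIFIED")
    # The device already stores a date ahead of the server clock: it will
    # keep receiving 304 until that date passes.
    if since and served and since > served:
        findings.append("CLIENT_DATE_IN_FUTURE")
    # The date the device ends up with is older than the known-good manifest.
    seen = modified or since
    if trusted and seen and seen < trusted:
        findings.append("OLDER_THAN_TRUSTED")
    return findings


if __name__ == "__main__":
    print(audit_update_check(IOS7_REQUEST, SLIDE_304))
    print(audit_update_check(IOS7_REQUEST, FUTURE_200))
    print(audit_update_check(FROZEN_REQUEST, SLIDE_304))
```

Because the check endpoint is plain HTTP, the `Date` header is as forgeable as the rest; comparing against a timestamp taken by the capture point itself tightens the first two checks.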