Raul Siles - iOS: Regreso al futuro (iOS: Back to the Future) [Rooted CON 2014]


  1. Rooted CON 2014 6-7-8 Marzo // 6-7-8 March 2014 © Dino Security S.L. (www.dinosec.com) All rights reserved.
     iOS: Regreso al futuro (iOS: Back to the Future)
     www.dinosec.com @dinosec
     Raúl Siles raul@dinosec.com @raulsiles @dinosec
     March 8, 2014
  2. Outline
     Vulnerability research and markets
     Apple & iOS: State of the art
       – iPhone/iPad in business
       – SSA
     Can we manipulate the iOS update process?
     Vulnerability details: iOS 5, 6, 7…
       – Attacks
     Conclusions
     Credits
  3. Vulnerability Research & Markets: Insider View
  4. Vulnerability Markets
     How is security vulnerability information managed and traded today?
       – Importance of (vulnerability) information systems for the modern economy and society
     Who is going to potentially buy your cyber weapon?
       – Closed privileged groups
         • Black market: cyber criminals
         • Public markets: private security companies, governments, brokers…
       – Subscription fees: 25 zero-days per year for USD $2.5 million
       – What is it going to be used for?
         • Compromise all vulnerable systems without the public ever having knowledge of the threat
         • Vulnerabilities remain private for an average of 151 days (+100 exploits per year)
       – Real risk exposure: assume you are already compromised
     NSS Labs – "The Known Unknowns" (Dec 5, 2013) – "International Vulnerability Purchase Program" (Dec 17, 2013)
       https://www.nsslabs.com/reports/known-unknowns-0
       https://www.nsslabs.com/reports/ivpp
  5. 'Responsible' Disclosure & Conference Disclosure
     Disclosure options
     Do nothing
       – Assuming it is the best way to serve the community
     Coordinated disclosure (vendor)
       – Information about vulnerabilities is a valuable asset
         • Security researchers require compensation for the time spent
     Full disclosure
       – Motivate vendors to act
     Sell it
       – Bug bounty (vendor)
       – Broker or directly to third parties
  6. Vulnerability Research
     For previous vulnerability research I followed…
       – Responsible and coordinated disclosure with vendors
       – But it was time to research the current vulnerability markets
         • The vulnerability was accepted and published in one of the vulnerability purchase programs
         • No real interest outside RCE, LPE and information disclosure (memory addresses)
     Vulnerability discovered in early 2012 (+2 years)
       – Remained private until now
       – Keeping it private (as far as I know) and verifying it is still not public requires a lot of effort (especially over long periods of time)
     Why is this vulnerability released today?
       – You trust your government (country)…
         • What about its allies (e.g. NSA)? And others?
       – Rooted CON 5th anniversary!
     What if someone finds it meanwhile… or the vendor fixes it?
       – For how long can a not very complex vulnerability remain undisclosed?
       – The value of modern vulnerabilities and exploits is based on who knows about them
     How to provide details without disclosing too much?
  7. Vulnerability Research & Disclosure
     Vendors do not take relevant issues seriously
       – "Why iOS (Android…) Fail inexplicably". Raul Siles. Rooted CON 2013
     "When should a researcher initially notify a vendor with no serious bug bounty before releasing an undisclosed vulnerability in a security conference?" (Community disclosure?)
       – It depends: vendor, bug, researcher, follow-ups… ("negotiate")
         • Complexity, criticality, scope…
         • Evolution of the security business landscape
       – Vulnerability disclosure policies are like assh*les…
         • …everyone has one!
         • The "Month and a Day Rule" (DinoSec 2014)
           – Similar to common law sentences
           – Vulnerability notified to Apple on February 6, 2014 (1M +1D)
  8. Apple & iOS: State of the Art
  9. iPhone/iPad in Business (1/2)
     Your business or Apple's business model?
       – Hardware, software, services & contents
         • App Store & iTunes
     Apple Q1 2014 financial results
       – Sales (quarter): 51M iPhones & 26M iPads
       – Revenue: $57.6 billion
         • $4.4 billion on iTunes/Software/Services
       – Net quarterly profit: $13.1 billion
       – 65 billion apps cumulative ($15 billion to developers)
         • 1 million apps cumulative in 24 categories
     https://www.apple.com/pr/library/2014/01/27Apple-Reports-First-Quarter-Results.html
  10. iPhone/iPad in Business (2/2)
      iOS design, features, and architecture
        – https://www.apple.com/iphone/business/it/
        – https://www.apple.com/ipad/business/it/
      iOS security model (Feb '14)
        – Updates: System Software Authorization
          • A7 processor - Secure Enclave coprocessor
      https://www.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf
  11. System Software Authorization (1/2)
      To prevent devices from being downgraded
        – Older versions lack the latest security updates
          • "An attacker who gains possession of a device could install an older version of iOS and exploit a vulnerability that's been fixed in the newer version"
          • Jailbreak?
      iTunes or wirelessly over the air (OTA)
        – Full copy of iOS or only the components required
      Connects to Apple's installation authorization server
        – Cryptographic measurements for each part of the installation bundle (LLB, iBoot, kernel & OS image), nonce & ECID (device unique ID)
  12. System Software Authorization (2/2)
      The authorization server checks the measurements against the versions permitted by Apple
        – Allows only the latest version for each device model
          • Narrow signing window (~24h)
        – Apple signs measurements, nonce and ECID
          • Per device (ECID) and per restore (nonce)
      Every firmware installation is remotely verified (signed) by Apple during every restore or upgrade
        – Started with iPhone 3G[S] & iOS 3 (using ECID only)
          • "Verifying restore with Apple..."
        – iTunes "personalizes" the firmware file (ECID…): SHSH
  13. Apple iOS Downgrade (1/3)
      SHSH blobs and APTickets
        – Signature HaSH (SHSH blobs) and nonce (APTicket)
          • Cydia (saurik) & redsn0w (MuscleNerd) & iFaith (iH8sn0w)
      TSS Center (Cydia), redsn0w, TinyUmbrella, iFaith…
        – MitM (& cache) the signature server: gs.apple.com
          • Source: http://svn.saurik.com/repos/menes/trunk/cysts/
        – The verifier was the Tatsu Signing Server (TSS)
          • Spidercab (Apple internal equivalent), running at 'tatsu-tss-internal.apple.com' (Apple VPN), is used to sign old versions...
      http://www.saurik.com/id/12 (iOS 3.x)
      http://www.saurik.com/id/15 (iOS 6.x)
  14. Apple iOS Downgrade (2/3)
      SHSH blobs
        – SHA-1 hashes (160-bit digests)
        – iPhone Software (IPSW) file (ZIP file)
          • Build manifest: BuildManifest.plist
            – List of files and their content (+ Apple integrity signature) digests
          • "Personalization" process
            – Build manifest → TSS request → Apple → SHSH blobs → Replace the files' signature section with the SHSH blobs
      APTickets
        – Introduced with iOS 5.x
        – Block of data with a digest for all files used during boot
          • No IPSW file "personalization" any more (APTicket)
          • Contains a "nonce" (anti-replay mechanism - uncacheable)
  15. Apple iOS Downgrade (3/3)
      Caching the uncacheable
        – Restore to very old iOS versions (no APTicket)
        – Downgrade tricks history
          • http://www.jailbreakqa.com/faq#32763 …
        – Exploits for reusing APTickets
      No way to downgrade from iOS 6.x to older versions on newer devices (as of April 2013)
        – Eligible older devices
          • iPhone 4 & 3G[S], iPad, and iPod Touch 4th (A4 processor)
            – limera1n BootROM exploit (redsn0w can dump TSS info from the device)
          • iPad 2
            – Go from iOS 5 (or 6) to iOS 4 (no APTicket) and back to iOS 5
          • iPad 2, 3 & iPhone 4s: from iOS 5 to any other iOS 5 version
      Requirement: TSS information previously saved
  16. iOS Support Matrix
      http://iossupportmatrix.com
  17. Can We Manipulate the iOS Update Process? Without a new BootROM exploit
  18. Relevant iOS 5 Change
      Over the Air (OTA)
        – iOS software updates
          • Settings - General - Software Update
        – iTunes data sync & backup over Wi-Fi
          • iTunes 10.5+ – Options – Sync with this iPhone over Wi-Fi
        – iCloud backup
          • Settings - iCloud - Storage & Backup
      Apple fans' behavior change: getting rid of the USB cables
  19. iOS OTA Update Process
      HTTP (vs. HTTPS)
        – iOS software (IPSW) integrity verification
        – Software update server: http://mesu.apple.com
      Automatically used by iOS…
        – … or manually launched by the user
          • Settings - General - Software Update
      iOS software update (plist) file (XML format)
        – References (URLs) to all the current iOS version files
          • http://appldnld.apple.com
  20. Main iOS SW Update Files
      iOS software update (plist) file
        – http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml
      iOS software update documentation (plist) file
        – http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/com_apple_MobileAsset_SoftwareUpdateDocumentation.xml
      iOS 5.0 (GM) was not offered via OTA
        – iOS 5.0 betas (4-7) & 5.1 beta 2 were offered via OTA
        – iOS 5.0.1 was the first public OTA version
  21. iOS 5.x & 6.x
  22. iOS 5 & 6: HEAD Request
      HEAD /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
      Host: mesu.apple.com
      User-Agent: MobileAsset/1.0
      Connection: close
      Content-Length: 0

      HEAD /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
      Host: mesu.apple.com
      User-Agent: $%7BPRODUCT_NAME%7D/1 CFNetwork/548.0.4 Darwin/11.0.0
      Content-Length: 0
      Connection: close
  23. iOS 5 & 6: HEAD Response
      HTTP/1.1 200 OK
      Server: Apache
      ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
      Content-MD5: oNVyoddHvxLCsQeRblBskw==
      Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
      Accept-Ranges: bytes
      Content-Length: 283956
      Content-Type: application/xml
      Date: Mon, 20 Jan 2014 11:02:00 GMT
      Connection: close

      If it contains a date greater than the date from the last update, the device asks for the new content: GET.
  24. iOS 5 & 6: GET Req & Resp
      GET /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
      Host: mesu.apple.com
      Connection: close
      User-Agent: MobileAsset/1.0

      HTTP/1.1 200 OK
      Server: Apache
      ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
      Content-MD5: oNVyoddHvxLCsQeRblBskw==
      Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
      Accept-Ranges: bytes
      Content-Length: 283956
      Content-Type: application/xml
      Date: Mon, 20 Jan 2014 11:02:00 GMT
      Connection: keep-alive
      ...
  25. iOS 5 & 6: GET Req & Resp
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
        <key>Assets</key>
        <array>
          <dict>
            <key>Build</key>
            ...
            <key>OSVersion</key>
            <string>7.0.4</string>
            ...
        <key>Certificate</key>
        <data>
        MIID...YSoiag78twmDRk726aYmxNIfYYpDs0hS7Mw==
        </data>
        <key>Signature</key>
        <data>
        LyfS...pvlWlONSzNYx9qZdS6B7Fs6JgHqw9DA1d2w==
        </data>
        <key>SigningKey</key>
        <string>AssetManifestSigning</string>
      </dict>
      </plist>

      Same behavior with the iOS SW update documentation file
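The check described on the HEAD/GET slides, as an added example that is not part of the deck and not Apple's code: the first function reproduces the date comparison the slides describe (fetch the manifest whenever the server's Last-Modified is newer than the stored one), the second shows the hardened form a defender would want (the check itself over HTTPS, and a Last-Modified value ahead of the client's clock rejected instead of stored), and the third parses a manifest shaped like the plist on slide 25 to pull out the offered OSVersion and the signature fields. The headers, the stored/current dates, the build string and the base64 blobs are constructed sample values; the hardening rules are this example's assumptions about what a sound client should do.

```python
import plistlib
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample values: the date the device stored after its last update
# check, and the device's current clock at the time of the check.
STORED_DATE = datetime(2014, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2014, 1, 20, 11, 2, tzinfo=timezone.utc)

# Constructed manifest reduced to the keys shown in the deck; the build string
# and the base64 blobs are placeholders, not real Apple values.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Assets</key>
  <array>
    <dict>
      <key>Build</key><string>BUILD-PLACEHOLDER</string>
      <key>OSVersion</key><string>7.0.4</string>
    </dict>
  </array>
  <key>Certificate</key><data>Q0VSVC1QTEFDRUhPTERFUg==</data>
  <key>Signature</key><data>U0lHLVBMQUNFSE9MREVS</data>
  <key>SigningKey</key><string>AssetManifestSigning</string>
</dict>
</plist>
"""


def vulnerable_needs_fetch(last_modified: str, stored_date: datetime) -> bool:
    """The client behaviour the deck describes for iOS 5/6: fetch the manifest
    whenever the server's Last-Modified is newer than the stored date. Over
    plain HTTP anyone on the path controls this header: a date in the past
    suppresses the fetch, a date far in the future is stored and then no
    genuine update will ever exceed it."""
    return parsedate_to_datetime(last_modified) > stored_date


def hardened_needs_fetch(last_modified: str, stored_date: datetime, now: datetime,
                         scheme: str = "https",
                         max_skew: timedelta = timedelta(hours=1)) -> bool:
    """Assumed hardening (this example's, not Apple's): the update check must
    run over HTTPS, and a Last-Modified value ahead of the client's clock is
    rejected rather than stored, so one tampered response cannot freeze updates."""
    if scheme != "https":
        raise ValueError("update check must be made over HTTPS")
    server_date = parsedate_to_datetime(last_modified)
    if server_date > now + max_skew:
        raise ValueError("Last-Modified lies in the future; refusing to store it")
    return server_date > stored_date


def classify(last_modified: str, scheme: str = "https") -> str:
    """Outcome of the hardened check against the constructed STORED_DATE/NOW."""
    try:
        fetch = hardened_needs_fetch(last_modified, STORED_DATE, NOW, scheme)
    except ValueError:
        return "rejected"
    return "fetch" if fetch else "current"


def manifest_summary(data: bytes):
    """Parse the manifest and return the offered OS versions, the signing key
    name, and whether the Signature/Certificate fields from the deck are present.
    Verifying the signature against Apple's certificate is out of scope here."""
    plist = plistlib.loads(data)
    versions = [asset["OSVersion"] for asset in plist["Assets"]]
    has_signature = bool(plist.get("Signature")) and bool(plist.get("Certificate"))
    return versions, plist.get("SigningKey"), has_signature


if __name__ == "__main__":
    genuine = "Tue, 07 Jan 2014 17:45:50 GMT"   # header value from the deck
    for header in (genuine, "Mon, 01 Jan 2001 00:00:00 GMT", "Sat, 01 Jan 2050 00:00:00 GMT"):
        print(header, "vulnerable:", vulnerable_needs_fetch(header, STORED_DATE),
              "hardened:", classify(header))
    print(manifest_summary(SAMPLE_MANIFEST))
```

The point of the contrast is that the vulnerable function cannot be fixed by date logic alone: a Last-Modified in the past is indistinguishable from "no update" over plain HTTP, which is why the transport of the check, not just the signature on the content, has to be protected.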
  26. Last-Modified: Date
      Can we manipulate the iOS update process?
  27. StarWars or Matrix?
  28. (Slide with no text content)
  29. Vulnerability Exploitation
      Man in the Middle (MitM) attacks
        – Do you remember the Wi-Fi network impersonation attacks from last year's Rooted CON 2013?
          • http://www.dinosec.com/docs/RootedCON2013_Taddong_RaulSiles-WiFi.pdf
          • http://vimeo.com/70718776
      iProxy
        – Python MitM tool
          • Twisted (https://twistedmatrix.com) – Event-driven networking engine (e.g. sslstrip)
        – Implements both StarWars and Matrix attacks
          • Multiple and flexible options
  30. "These aren't the updates you're looking for"
  31. StarWars Attack
      Block and/or drop the HEAD request (timeout)
        – Fail: it sends a GET request
        – Block and/or drop the GET request (timeout)
          • Fail: error message
            – When the user manually checks for updates
            – "Unable To Check for Update"
      Change the "Last-Modified" header of the HEAD response to the past
        – "These aren't the updates you're looking for"
      DEMO
  32. "This is your last chance. After this, there is no turning back. You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Appleland and I show you how deep the rabbit-hole goes."
  33. Matrix Attack
      Change the "Last-Modified" header of the HEAD response to the future
        – Forcing a GET request
      Change the contents of the GET response
        – Fail: the response contents are signed
        – Replay attacks?
      Change the "Last-Modified" header of the GET response to the future & provide a previous file
        – "You're inside the Matrix"
          • No more updates up to that future date
      DEMO
  34. iOS Software Update Files Repo
  35. iOS 7.x
  36. iOS 7: GET Request
      GET /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
      Host: mesu.apple.com
      If-Modified-Since: Tue, 07 Jan 2014 17:45:50 GMT
      Accept-Encoding: gzip, deflate
      Accept: */*
      Accept-Language: en-us
      Connection: keep-alive
      User-Agent: MobileAsset/1.0

      HEAD request removed from iOS 7
      It discloses the date of the last update stored on the iOS device: THANKS iOS!
  37. iOS 7: GET Response (304)
      If there is no new update since that date…
      HTTP/1.1 304 Not Modified
      Content-Type: application/xml
      Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
      ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
      Date: Mon, 20 Jan 2014 12:35:20 GMT
      Connection: keep-alive
  38. iOS 7: GET Response (200)
      If there is a new update since that date…
      HTTP/1.1 200 OK
      Server: Apache
      ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
      Content-MD5: oNVyoddHvxLCsQeRblBskw==
      Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
      Accept-Ranges: bytes
      Content-Length: 283956
      Content-Type: application/xml
      Date: Mon, 20 Jan 2014 11:02:00 GMT
      Connection: keep-alive

      <?xml version="1.0" encoding="UTF-8"?>
      ...
      <plist version="1.0">
      <dict>
      ...
      <key>OSVersion</key>
      <string>7.0.4</string>
      ...
  39. Temporary vs. Permanent attacks
  40. StarWars Attack
      Block and/or drop the GET request (timeout)
        – Fail: error message
          • When the user manually checks for updates
          • "Unable To Check for Update"
      Send a 304 response
        – "These aren't the updates you're looking for"
          • Change the "If-Modified-Since" header of the GET request to the future to get a 304 from Apple's server
          • Change the GET response manually to 304
      This 304 Jedi trick does not work for iOS 6
      DEMO
  41. Matrix Attack
      Change the contents of the GET response
        – Fail: the response contents are signed
        – Replay attacks?
      Change the "Last-Modified" header of the GET response to the future
        – "You're inside the Matrix"
          • No more updates up to that future date
      DEMO
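Because the iOS 7 check runs over plain HTTP with a conditional GET, the two manipulations on the StarWars and Matrix slides leave a visible trace in any proxy or network log that records the If-Modified-Since request header and the Last-Modified response header. The detector below is an added example (not from the deck, not from Apple or iProxy) that runs over constructed log lines in a made-up key=value format: it flags an If-Modified-Since value ahead of the log's own timestamp (a 304 obtained with a rewritten request), an If-Modified-Since later than the newest manifest the catalogue is known to have published, and a Last-Modified in the response that lies in the future (the freeze). The log format, the client addresses and the "known latest manifest" date are assumptions of this example; the URL and the Jan 7 2014 header value are the ones shown in the deck.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed: the newest manifest date your own monitoring has seen from the
# catalogue (here the Last-Modified value shown in the deck).
KNOWN_LATEST_MANIFEST = datetime(2014, 1, 7, 17, 45, 50, tzinfo=timezone.utc)

MANIFEST_URL = ("http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/"
                "com_apple_MobileAsset_SoftwareUpdate.xml")

# Constructed proxy log lines (not real traffic): timestamp, client, method,
# URL, the request's If-Modified-Since, the status and the response's
# Last-Modified. "-" means the header was absent.
SAMPLE_LOG = f"""\
2014-01-20T11:02:00Z 10.0.0.5 GET {MANIFEST_URL} ims="Tue, 07 Jan 2014 17:45:50 GMT" status=304 lm="Tue, 07 Jan 2014 17:45:50 GMT"
2014-01-20T11:03:10Z 10.0.0.6 GET {MANIFEST_URL} ims="Mon, 02 Dec 2013 09:00:00 GMT" status=200 lm="Tue, 07 Jan 2014 17:45:50 GMT"
2014-01-20T11:04:30Z 10.0.0.7 GET {MANIFEST_URL} ims="Sat, 01 Jan 2050 00:00:00 GMT" status=304 lm="Tue, 07 Jan 2014 17:45:50 GMT"
2014-01-20T11:05:45Z 10.0.0.8 GET {MANIFEST_URL} ims="-" status=200 lm="Sat, 01 Jan 2050 00:00:00 GMT"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'ims="(?P<ims>[^"]*)" status=(?P<status>\d{3}) lm="(?P<lm>[^"]*)"$'
)


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Absent headers ("-") become None; present ones become aware datetimes.
    rec["ims"] = parsedate_to_datetime(rec["ims"]) if rec["ims"] != "-" else None
    rec["lm"] = parsedate_to_datetime(rec["lm"]) if rec["lm"] != "-" else None
    return rec


def analyze(log_text: str, max_skew: timedelta = timedelta(hours=1)):
    """Run the three rules over every update-check line and return
    (client, rule) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "mesu.apple.com" not in rec["url"]:
            continue
        horizon = rec["ts"] + max_skew
        if rec["ims"] is not None and rec["ims"] > horizon:
            # A device cannot legitimately remember a manifest newer than now.
            findings.append((rec["client"], "future-if-modified-since"))
        if rec["ims"] is not None and rec["ims"] > KNOWN_LATEST_MANIFEST:
            # Claims a newer manifest than the catalogue ever published.
            findings.append((rec["client"], "if-modified-since-ahead-of-catalog"))
        if rec["lm"] is not None and rec["lm"] > horizon:
            # The stored date after this response will block every real update.
            findings.append((rec["client"], "future-last-modified"))
    return findings


if __name__ == "__main__":
    for client, rule in analyze(SAMPLE_LOG):
        print(f"{client}: {rule}")
```

A device whose clock is simply wrong will also trip the first rule, so the finding is a trigger to inspect the device and the path it used, not proof of tampering on its own; the third rule is the one that matters most operationally, since after that response the device will not see another update until the stored date passes.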
  42. Conclusions
  43. Vulnerability Details
      Affects iOS 5.x - 7.x (up to the latest version)
        – iOS 5.0 released on October 12, 2011
        – Vulnerability discovered in early 2012, between…
          • 5.0.1 (Nov 10, 2011) & 5.1 (March 7, 2012)
          • It has survived multiple iOS versions: 5, 6 & 7
        – Long time verifying it has not been fixed
        – Long time collecting iOS software update files (plist XML files)
      Targeted and very carefully planned attacks
        – Plenty of time to launch future attacks
          • Forever (persistent - Matrix) or between iOS updates (now)
      Stealthy attacks
        – The update freeze can be reverted back silently
  44. Vulnerability Limitations
      Cannot be used to downgrade to a previous version, but to remain on the current version
      Can be bypassed via iTunes
        – Different update check mechanism (HTTPS)
        – Temporarily, as iTunes does not change the iOS device update state if cancelled
        – What is the current iOS update user behavior?
          • iTunes or OTA
  45. Vulnerability Usage
      Outside the information security field…
      People complaining because they didn't want to update from iOS 6 to iOS 7
        – Huge user interface (GUI) change they didn't like
      But their iOS device used +1Gb of space (e.g. 16Gb iPad) just to locally store the new iOS 7 update
        – New update is available
        – Download update
        – Install update
      "Unwanted iOS 7 occupying space on iOS 6 devices"
      Freeze the iOS device at iOS 6 and never get iOS 7
  46. Vulnerability Exploitation
      Freeze the version of a target device and wait for the next succulent iOS update fixing a critical flaw
      Wait… that sounds like… goto fail;
        – Speculation: released on February 21, 2014 (although it is older)
          • Without any public researcher recognition (Apple?)
        – For iOS 7.0.6 & 6.1.6, but not for OS X Mavericks (10.9) – in a hurry?
        – CVE-2014-1266
          • Lack of proper certificate validation: DHE & ECDHE
          • https://www.imperialviolet.org/2014/02/22/applebug.html
      https://www.gotofail.com
  47. Vulnerability Disclosure: History
      Vulnerability discovered in early 2012
        – +2 years (or +750 days or +…)
        – Obtained a copy of the iOS software update file for 5.0 & 5.0.1 from other researchers (March 2012), but not the early doc update files
      Vulnerability notified to Apple on February 6, 2014
        – The "Month and a Day Rule" ("Yes We Can")
      E-mails
        – Feb 6: Standard Apple automated response confirming reception
        – Feb 14: Apple asked for a PoC for permanent disabling
          • Sent a detailed response clarifying the attack techniques
          • "Thanks for the clarification."
      A victim iPad got a new update on March 1, 2014
        – Last Saturday: "Apple has changed something on their servers!"
          • Without sending any notification to the researcher…
          • … and trying to break his demo at Rooted CON 2014
  48. Vulnerability Disclosure: Today…
  49. Vulnerability Fix(es)
      We don't learn from the past!
      Why didn't OTA software updates use HTTPS by design?
        – Did Apple put too much trust in the IPSW integrity verification?
          • Lack of verification of the update contents (e.g. evilgrade, 2010)
        – Lack of verification of the update checks
          • Differentiate between update checks and update contents
            – httpS://mesu.apple.com & http://appldnld.apple.com
          • Caching responses for sensitive checks is probably not a good idea
          • Certificate pinning?
        – Performance impact?
          • Again, differentiate update checks from update contents
        – Conspiracy theory or… another developer 'mistake'
          • Design, implementation, Q&A, security testing… (Apple?)
      MDM solutions: verify the latest version is applied
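The last line of the fixes slide, "MDM solutions: verify the latest version is applied", is the compensating control an organisation can apply without waiting for the vendor, because a frozen device looks, from the outside, like a device that has silently stopped reporting newer versions. The report below is an added example (not the deck's, not any MDM vendor's code) of that check: it takes a catalogue reduced to the OSVersion key the deck shows, maps each asset to device models through a SupportedDevices list (the key name and the model-to-version mapping are this example's assumptions, as is the whole constructed inventory), and flags devices that run an older version than the newest one the catalogue offers for their model, plus devices whose last successful update check is older than a chosen silence threshold.

```python
from datetime import datetime, timedelta, timezone

# Constructed catalogue view: OSVersion as shown in the deck, SupportedDevices
# assumed as the key that ties an asset to device models. Versions and model
# identifiers are sample values for this example only.
CATALOG_ASSETS = [
    {"OSVersion": "7.0.4", "SupportedDevices": ["iPad2,1", "iPhone5,1"]},
    {"OSVersion": "7.0.3", "SupportedDevices": ["iPad2,1", "iPhone5,1"]},
    {"OSVersion": "6.1.3", "SupportedDevices": ["iPhone2,1"]},
]

# Constructed MDM inventory: what each enrolled device last reported.
INVENTORY = [
    {"udid": "DEV-1", "model": "iPad2,1", "os": "7.0.4", "last_update_check": "2014-01-19T10:00:00Z"},
    {"udid": "DEV-2", "model": "iPad2,1", "os": "6.1.3", "last_update_check": "2013-11-01T10:00:00Z"},
    {"udid": "DEV-3", "model": "iPhone2,1", "os": "6.1.3", "last_update_check": "2014-01-18T10:00:00Z"},
    {"udid": "DEV-4", "model": "iPhone5,1", "os": "7.0.3", "last_update_check": "2014-01-20T09:00:00Z"},
]

NOW = datetime(2014, 1, 20, 12, 0, tzinfo=timezone.utc)   # constructed "now"


def version_key(version: str):
    """'7.0.4' -> (7, 0, 4) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def latest_for_model(model: str, assets=CATALOG_ASSETS):
    """Newest OSVersion the catalogue offers for this model, or None if absent."""
    candidates = [a["OSVersion"] for a in assets if model in a.get("SupportedDevices", [])]
    return max(candidates, key=version_key) if candidates else None


def compliance_report(inventory=INVENTORY, assets=CATALOG_ASSETS, now=NOW,
                      max_silence: timedelta = timedelta(days=14)):
    """Return (udid, rule, detail) findings. 'behind-latest' means the device
    runs something older than the newest version offered for its model;
    'stale-update-check' means it has not completed a check within max_silence,
    which is what a frozen device looks like from the MDM side."""
    findings = []
    for device in inventory:
        latest = latest_for_model(device["model"], assets)
        if latest is not None and version_key(device["os"]) < version_key(latest):
            findings.append((device["udid"], "behind-latest", latest))
        checked = datetime.strptime(device["last_update_check"], "%Y-%m-%dT%H:%M:%SZ")
        checked = checked.replace(tzinfo=timezone.utc)
        if now - checked > max_silence:
            findings.append((device["udid"], "stale-update-check", device["last_update_check"]))
    return findings


if __name__ == "__main__":
    for udid, rule, detail in compliance_report():
        print(f"{udid}: {rule} ({detail})")
```

The catalogue used as the reference must itself be fetched by the MDM over a channel the deck's attack cannot touch (iTunes' HTTPS check, or the manifest URL over TLS), otherwise the comparison inherits the same weakness it is meant to detect.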
  50. Real Vulnerability Impact (1/2)
      How many people could I (or others knowing about this, e.g. NSA) have attacked using this 'simple' vulnerability?
        – During the last +2 years
        – Considering all the potential victims available worldwide
          • Some of them very relevant and managing very sensitive information
        – By freezing their device to an old & vulnerable iOS version…
          • Temporarily or permanently
        – … in order to exploit other iOS vulnerabilities, such as…
          • 197 vulnerabilities fixed in iOS 6.0
          • 80 vulnerabilities fixed in iOS 7.0
          • Other critical vulnerabilities fixed in intermediate iOS 5.x, 6.x & 7.x versions
            – More than 20 iOS lock screen bypass vulnerabilities between iOS 5.x-7.x
            – Ending up with the last goto fail in iOS 7.0.6
          • Including multiple jailbreaks available meanwhile (wait for the next one…)
        – Silently, without the victim users noticing
          • And even with the option of stealthily reverting the attack back…
  51. Real Vulnerability Impact (2/2)
      Freezing iOS from iOS 6 to iOS 7… with one single exception, where the user might have noticed the lack of an iOS update
  52. This is the world we live in… … overly dependent on technology, highly sophisticated, but still immature and very vulnerable
  53. Credits
      Produced by: Directed by: Casting by: IPSW Assistant: iOS5.0 & 5.0.1 files: (March 2012) Music by: Costume Designer: Raúl Siles Mónica Salas E & E Apple Jorge Ortiz Jay Freeman (saurik) Jan Hindermann Siletes camisetasfrikis.es
  54. Questions?
  55. www.dinosec.com @dinosec
      Raúl Siles raul@dinosec.com @raulsiles
