This document discusses several undocumented services running on iOS devices that can be used to extract large amounts of personal data from the device without requiring the passcode. These services bypass encryption and are designed to provide law enforcement and intelligence agencies access to sensitive user information. They can be started remotely and extract contacts, photos, location history, messages and more. The document raises concerns that these services covertly collect too much personal data and were intentionally designed for surveillance.
This presentation is based on the security and encryption measures adopted by Apple for its iPhones.
It was submitted to RTU, Kota during final year seminars.
Smart Bombs: Mobile Vulnerability and Exploitation (SecureState)
Tom Eston has spent quite a bit of time evaluating mobile applications. In this presentation he will provide the audience with a high level understanding of what the risks are, how to evaluate mobile applications and provide examples of how things have been done wrong. Tom has used a variety of the top 25 applications downloaded from the Apple App Store and Google Play to provide real world examples of the problems applications face. Tom has mapped out how these applications are vulnerable to the OWASP Mobile Top 10 security issues.
Smart Bombs: Mobile Vulnerability and Exploitation (Tom Eston)
Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will provide the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong and an understanding of how you can perform this testing within your organization.
This talk will work with applications from the top three main platforms; iOS, Android and Blackberry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real world examples of the problems applications face.
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio... (Tom Eston)
Breaking in is easy, real security is hard. Breaching the security of a Casino doesn't have to be as dramatic or dangerous as depicted in the Ocean's Eleven movies. In fact, by simply sitting in a hotel room of a Casino, hackers can find ways to breach the high security that Casinos have been known for. This type of attack has a simple goal: steal the Casino's money and cheat the system. All of this can be done without anyone seeing you and is much easier than walking directly into the Casino vault armed with guns and explosives.
In this presentation Tom Eston from SecureState walks us through some of the more interesting and exciting penetration tests his team have conducted. These include breaking into Casinos, Banks, Energy companies and other high security facilities (with permission of course). Tom's stories not only show how attackers break in but also show important lessons on how businesses can better secure their physical as well as network assets.
Find out what sets IEF apart, and why it’s the defacto standard in law enforcement. Internet Evidence Finder (IEF) is a digital forensics solution that can search a hard drive, live RAM captures, or files for Internet-related evidence. IEF was designed with digital forensics examiners/investigators in mind.
Internet Evidence Finder (IEF) is a digital forensics solution that can search a hard drive, live RAM captures, or files for Internet-related evidence. IEF was designed with digital forensics examiners/investigators in mind. IEF is also used by security professionals, prosecutors, incident response teams, and cyber security personnel. Find out why IEF is trusted by many of the world’s most demanding military departments and government agencies.
This is the presentation from Null/OWASP/g4h Bangalore December MeetUp by Vandana Verma.
technology.inmobi.com/events/null-owasp-g4h-december-meetup
Outline:
Security news from November and December 2014.
Faux Disk Encryption... by Drew Suarez & Daniel Mayer (Shakacon)
The number of mobile users has recently surpassed the number of desktop users, emphasizing the importance of mobile device security. In traditional browser-server applications, data tends to be stored on the server side where tight controls can be enforced. In contrast, many mobile applications cache data locally on the device, thus exposing it to a number of new attack vectors. Moreover, locally stored data often includes authentication tokens that are, compared to browser applications, typically long-lived. One main concern is the loss or theft of a device, which grants an attacker physical access that may be used to bypass security controls in order to gain access to application data. Depending on the application’s data, this can result in a loss of privacy (e.g., healthcare data, personal pictures and messages) or loss of intellectual property in the case of sensitive corporate data.
In this talk, we discuss the challenges mobile app developers face in securing data stored on devices, including mobility, accessibility, and usability requirements. Given these challenges we first debunk common misconceptions about full-disk encryption and show why it is not sufficient for many attack scenarios. We then systematically introduce the more sophisticated secure storage techniques that are available for iOS and Android respectively. For each platform, we discuss in depth which mechanisms are available, how they technically operate, and whether they fulfill the practical security and usability requirements. We conclude the talk with a demonstration of a kernel rootkit exploit called Rosie (the evil Android maid) we created that illustrates what can still go wrong even when current best practices are followed, and what the security and mobile device community can do to address these shortcomings. Rosie was designed to siphon any file off the device and send its payload via UDP to a cloud-hosted server for inspection. Because Rosie runs completely within the kernel, there is no need to modify the core system partition on the device, and it has full privileges on the target system. Modifying the system partition is entirely possible on devices without strong chains of trust in their boot configurations, but it has the potential to be more complicated due to various OEM and Google-provided security measures.
Essential Technologies for Psychologists (Bradnor444)
Presentation at the 2013 Pennsylvania Psychological Association annual convention by Dr. Brad Norford. A survey in 2012 revealed that many psychologists do not use some of the basic technologies that would help to make their practices more electronically savvy and more electronically secure. This was part two of a three part presentation that also included presentations by Dr. Chris Royer and Dr. David Zehrung designed to present some of these technologies.
When Encryption is Not Enough... Sumanth Naropanth, Chandra Prakash Gopalaiah ... (Shakacon)
Communication protocols are core to computing devices. They have evolved from the traditional Serial and LAN ports to complex (and lightweight) protocols of today, such as Bluetooth Low Energy (BLE), ANT+, ZigBee, etc.
Bluetooth Low Energy (BLE) is a popular protocol of choice for low energy, low performance computing systems. While versions of the BLE specification prior to 4.2 allowed simple key mechanisms to encrypt the communication between connected nodes, the more recent specification of BLE (4.2) provides better channel encryption via the Secure Simple Pairing (SSP) mode to protect data against snooping and man-in-the-middle style attacks. These protocols are used extensively by wearables such as smart watches and activity trackers.
Most wearables work in conjunction with a companion mobile application running on a platform that supports BLE with the aforementioned security mechanisms. We looked at Android and iOS for our study. We observe that there are fundamental assumptions (leading security limitations) in the adoption of the BLE security specifications on these two platforms. Relying on the standard BLE APIs for Android and iOS may be insufficient and may even project a false sense of security. It is critical to understand the degree of security that the BLE specifications can offer, and clearly separate that from the developers’ responsibility to design application level security in order to assure confidentiality and integrity of data being transmitted between a wearable device and its companion application.
Internet of Things: Identity & Security with Open Standards (George Fletcher)
While the Internet of Things (IoT) is growing significantly in the number of devices and capabilities, there is little thought given to security by the manufacturers and software developers for these devices. This talk will explore one mechanism, using open standards, to add a layer of security and convenience for devices connecting to a personal cloud including the challenges that exist to make it a reality.
The Internet of Things (IoT) is a thriving network of smart objects in which one physical object can exchange information with another physical object. In today’s IoT the main interest is the concealment and security of data in a network. Intrusion into the IoT exposes the extent to which it is vulnerable to attacks, and how such attacks can be detected to prevent extreme damage. This paper emphasises threats, vulnerabilities, attacks and possible methods of detecting intruders to stop the system from further destruction, and proposes a way out of the impending security situation of the Internet of Things using IPv6 over Low-power Wireless Personal Area Networks (6LoWPAN).
Case Project 7-1: Comment on the different functions and price (f3apparelsonline)
Case Project 7-1: Comment on the different functions and price. Write a short paper stating which one you would choose if you were an investigator for a small firm, and explain why. Case Project 7-2
Solution
Digital Forensics: This basically refers to the process of preservation, identification and extraction of digital evidence which can be used in a court of law.
Forensics teams use various tools on different platforms. Forensic tools for examining Mac, iPhone and iPod devices are as follows:
1) Elcomsoft iOS Forensic Toolkit: This tool has the following features:
i) Performs a complete forensic study of the user data on iPhones and iPods.
ii) Also helps in obtaining the device's private data like passwords, passcodes and encryption keys.
iii) Provides fast execution and gives a detailed summary of the device.
iv) Very effective for iPhone as well as iPod.
v) Logging facility, where every step of the investigation is logged.
In terms of price, it costs around $1,400.
2) iPhone Research Tool: The tool's features are as follows:
i) This tool is free of cost.
ii) It is mainly used for iPhone backup data investigation.
3) MacLockPick: The tool's features are as follows:
i) It is a new generation tool for forensic investigations.
ii) It is a cross-platform tool and can be used with different platforms.
iii) Best suited for Mac OS.
Internet of Fails: Where IoT Has Gone Wrong and How We're Making it Right by ... (Duo Security)
This presentation will dive into research, outcomes, and recommendations regarding information security for the "Internet of Things". Mark and Zach will discuss IoT security failures both from their own research as well as the work of people they admire. Attendees are invited to laugh/cringe at concerning examples of improper access control, a complete lack of transport security, hardcoded-everything, and ways to bypass paying for stuff.
Mark and Zach will also discuss the progress that their initiative, BuildItSecure.ly, has made since it was announced this past February at B-Sides San Francisco. Based on their own struggles with approaching smaller technology vendors with bugs and trying to handle coordinated disclosure, Mark and Zach decided to change the process and dialog that was occurring into one that is inclusive, friendly, researcher-centric. They will provide results and key learnings about the establishment of this loose organization of security-minded vendors, partners, and researchers who have decided to focus on improving information security for bootstrapped/crowd-funded IoT products and platforms.
If you're a researcher who wants to know more about attacking this space, an IoT vendor trying to refine your security processes, or just a consumer who cares about their own safety and privacy, this talk will provide some great insights to all of those ends.
MARK STANISLAV
DUO SECURITY
Mark Stanislav is the Security Evangelist for Duo Security. With a career spanning over a decade, Mark has worked within small business, academia, startup and corporate environments, primarily focused on Linux architecture, information security, and web application development. He has presented at over 70 events internationally including RSA, ShmooCon, SOURCE Boston, and THOTCON. His security research has been featured on web sites including CSO Online, Security Ledger, and Slashdot. Mark holds a B.S. in Networking & IT Administration and an M.S. in Information Assurance, both from Eastern Michigan University. Mark is currently writing a book titled, "Two-Factor Authentication" (published by IT Governance).
ZACH LANIER
DUO SECURITY
Zach Lanier is a Security Researcher with Duo Security, specializing in various bits of network, mobile, and application security. Prior to joining Duo, Zach most recently served as a Senior Research Scientist with Accuvant LABS. He has spoken at a variety of security conferences, such as Black Hat, CanSecWest, INFILTRATE, ShmooCon, and SecTor, and is a co-author of the recently published "Android Hackers' Handbook."
Mobile apps are the entry point to your web applications, APIs and web services. But sometimes the developer implements security in the mobile app that can easily be bypassed by a malicious attacker, allowing the attacker to exploit your web applications and steal confidential information. In this presentation I will show you how easy it is to attack a mobile application, intercept the communication and exploit the trust model of mobile apps. I will also give an overview of the OWASP Top 10 Mobile Risks.
SoK: An overview of data extraction techniques from mobile phones (Ashish Sutar)
The article gives an overview of data extraction techniques for mobile phones. This will help new forensic investigators as well as forensic analysts to learn these techniques in detail.
Attacking and Defending Apple iOS Devices (Tom Eston)
IT loves to use Apple iPhones and iPads, but hates supporting them. For most environments, they represent the exception, and are not subject to standard corporate controls. The reason the exception is allowed is usually the fact that the CEO bought an iPhone and iPad the day they were released, and then quickly filled them with sensitive corporate data. With their portability and popularity, it is only a matter of time before one of these devices ends up missing. How worried should you be? This presentation will cover the latest real-world attack techniques for compromising Apple’s iOS devices, introduce a new assessment methodology that can be used by penetration testers, and discuss the latest defensive techniques for securely deploying iOS devices within your enterprise.
Presentation on conducting mobile device forensics without the use of expensive commercial tools, instead utilising FOSS alternatives. Conducting manual analysis makes you a better forensic analyst as well as helps to discover more potential evidence. From acquisition, to analysis, to malware disassembly, this presentation will provide a primer on all facets of mobile forensics.
Open Signal 2014 Android Fragmentation Report (Dario Caliendo)
Like the most important anniversaries, this year's Open Signal report on the state of Android arrives right on schedule. It is an annual appointment in which the company, which specialises in the statistical study of mobile telephony, graphically represents the evolution of the Mountain View technology giant's ecosystem, which is ever more widespread but characterised by enormous limits that are not entirely negative.
With a patent filed in the last few hours with the US Patent & Trademark Office, Apple feeds the hopes of experts and enthusiasts around the world who, since its first introduction with the iPhone 5, have been waiting for Siri to arrive on computers as well.
The world's most famous digital assistant will soon arrive in Mac OS X, and its functions are described in a ninety-two-page patent entitled "Intelligent digital assistant in a desktop environment". Activated by a gesture on the Macs' multitouch trackpad, or by the phrase "Hey Siri", the digital assistant for Mac will work much like the one already seen on iPhone and iPad, but beyond the typical uses, Siri for Mac will contextually analyse the user's habits and learn new ones entirely on its own.
Apple patent for editing messages after they have been sent
iOS backdoors attack points and surveillance mechanisms
1. JONATHAN ZDZIARSKI
JONATHAN@ZDZIARSKI.COM
@JZDZIARSKI
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Devices
2. Whois NerveGas
— Worked as dev-team member on many of the early jailbreaks until around iOS 4.
— Author of five iOS-related O’Reilly books including “Hacking and Securing iOS Applications”
— Designed all of the iOS forensics techniques used in law enforcement and commercial products today
— Consulted closely with federal and local law enforcement agencies and US military on high profile projects and criminal cases
— Trained law enforcement worldwide in iOS forensics and penetration arts
3. iOS Operating System
— Subject of interest among forensics, law enforcement, and criminal communities
— As leaked by Der Spiegel, iOS was targeted by NSA for targeted collection
— Later found more evidence of C&C capabilities in DROPOUTJEEP leaks via close access methods
— Attacked for everything from cases of national security to nude photos of marginally attractive celebrities
— A number of forensic techniques exist to acquire data
4. What This Talk Is
— Overview of a number of undocumented high-value forensic services running on every iOS device
  ◦ How they’ve evolved
  ◦ What kind of data they provide
— Examples of forensic artifacts acquired that should never come off the device without user consent
— Surveillance mechanisms that bypass personal security (intended for enterprises) but turn devices into potential targets
— Suspicious design omissions in iOS that make collection easier
5. What This Talk Is NOT
— A talk about fun 0days and how we can have a little temporary fun with them for a few days.
  ◦ The content discussed here has been around for many years, and consists of low level operating system components
  ◦ Apple is well aware of these components, and has clearly been updating them and supporting them for reasons unknown
  ◦ I have emailed both Tim Cook and Steve Jobs at various times to ask for an explanation about these services, citing them as “back doors”, and have received no reply
  ◦ I *have* received replies from Tim Cook about Apple’s crummy warranty service, so I know he gets my email
6. Centralized Control
— Apple has worked hard to make iOS devices reasonably secure against typical attackers
— Apple has worked hard to ensure that Apple can access data on end-user devices on behalf of law enforcement
— To their credit, iPhone 5* + iOS 7 is more secure from everybody except Apple (and .gov)
— Apple’s Law Enforcement Process Guidelines:
  ◦ https://www.apple.com/legal/more-resources/law-enforcement/
7. Law Enforcement Process
— Requires a warrant for actual content from iCloud, iTunes, or from the device itself
— A subpoena appears good enough for “metadata”
— Recent changes will notify all customers unless a confidentiality order is included; so most agencies are now getting confidentiality orders with every warrant.
— When provided with the physical device, Apple will retrieve and return NSProtectionNone data from passcode locked devices; rumors of a PIN brute forcer are floating around, but I’m told this practice stopped around iOS 5.
— Process is now taking about four months on average, and costs about $1,000, so LE is looking for streamlined / inexpensive tools to collect evidence.
8. Apple Law Enforcement Process
Extracting Data from Passcode Locked iOS Devices
Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple’s native apps and for which the data is not encrypted using the passcode (“user generated active files”), can be extracted and provided to law enforcement on external media. Apple can perform this data extraction process on iOS devices running iOS 4 or more recent versions of iOS. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data.
9. iOS 4 Storage Encryption Overview
Courtesy of Sogeti Labs
10. Encryption in iOS 7: Not Much Changed
— Almost all native application / OS data is encrypted with a key
not married to the passcode, but rather encrypted with a
hardware-derived key (NSProtectionNone)
— As of iOS 7, third party documents are encrypted, but
Library and Caches folders are usually not
— Once the device is first unlocked after reboot, most of the
data-protection encrypted data can be accessed until the
device is shut down
¡ Screen Lock != Encrypted
— The undocumented services running on every iOS device help
make this possible
— Your device is almost always at risk of spilling all data, since
it’s almost always authenticated, even while locked.
11. Law Enforcement Technologies
— Latest commercial forensics tools perform deep
extraction using these services
— Tablet forensics in the field can acquire a device at a
routine traffic stop, or during arrest – before device
can be shut down (leaving encryption unlocked)
— Federal agencies have always been interested in
black bag techniques (compromised docking
stations, alarm clocks, etc).
— Snowden Docs: Computer infiltration was used
12. Undocumented Services
— Accessed through lockdownd, requiring pairing
authentication. (Explain Pairing)
— MACTANS talk demonstrated how easy Juice
Jacking can be to establish pairing
¡ iOS 7 trust dialog helps, but third party accessories are making
people stupid again … and people are naturally stupid too
— Law enforcement agencies moving to tablet devices
for pairing and acquisition in the field; USB thumb
drive to scan computers for pairing records
— Der Spiegel outlined black bag techniques to access a
target’s computer, where pairing records live
13. Der Spiegel
— “The documents state that it is possible for the NSA
to tap most sensitive data held on these smart
phones, including contact lists, SMS traffic,
notes and location information about where a
user has been. In the internal documents, experts
boast about successful access to iPhone data in
instances where the NSA is able to infiltrate the
computer a person uses to sync their iPhone.
Mini-programs, so-called "scripts," then enable
additional access to at least 38 iPhone features.”
14. Undocumented Services
— Bypasses “Backup Encryption” mechanism provided
to users
— Can be accessed both via USB and wirelessly (WiFi,
maybe cellular); networks can be scanned for a
specific target
— If device has not been rebooted since user last
entered PIN, can access all data encrypted with
data-protection (third party app data, etc)
— Other (more legitimate) services enable software
installation, APN installation (adding proxy servers)
for continued monitoring
15. Undocumented Services
— Most services are not referenced by any known Apple
software (we’ve looked)
— The raw format of the data makes it impossible to
put data back onto the phone, making it useless for
Genius Bar or carrier tech purposes (cpio.gz, etc)
— The personal nature of the data makes it very
unlikely as a debugging mechanism
— Bypassing backup encryption is deceptive
— Services are available without developer mode,
eliminating their purpose as developer tools
16. DROPOUTJEEP
— DROPOUTJEEP describes techniques, most of which are possible with Apple’s
undocumented services
— SMS messaging suggests either jailbreak or baseband code
DROPOUTJEEP
(TS//SI//REL) DROPOUTJEEP is a STRAITBIZARRE based software implant for the
Apple iPhone operating system and uses the CHIMNEYPOOL framework.
DROPOUTJEEP is compliant with the FREEFLOW project, therefore it is supported in
the TURBULENCE architecture.
(TS//SI//REL) DROPOUTJEEP is a software implant for the Apple iPhone that utilizes
modular mission applications to provide specific SIGINT functionality. This
functionality includes the ability to remotely push/pull files from the device,
SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera
capture, cell tower location, etc. Command, control, and data exfiltration can occur
over SMS messaging or a GPRS data connection. All communications with the
implant will be covert and encrypted.
(TS//SI//REL) The initial release of DROPOUTJEEP will focus on installing the
implant via close access methods. A remote installation capability will be pursued
for a future release.
17. Starting Services
— Connect to lockdownd (tcp:62078) via usbmux or TCP
— Authenticate with intercepted / generated pairing record
— Invoke “StartService” command with name of the service
we wish to start
— Profit*
— * A number of commercial law enforcement forensic
manufacturers have started tapping these services:
¡ Cellebrite
¡ AccessData (Mobile Phone Examiner)
¡ Elcomsoft
18. Open Source!
— Nearly all lockdownd protocols have been
documented in the libimobiledevice project
(libimobiledevice.org).
— Been around since 2009 but many of these services
haven’t been re-examined since then; initially benign
— A number of private tools and source are out there as
well to take advantage of these services
19. com.apple.pcapd
— Immediately starts libpcap on the device
— Dumps network traffic and HTTP request/response data
traveling into and out of the device
— Does not require developer mode; is active on every iOS
device
— Can be targeted via WiFi for remote monitoring
— No visual indication to the user that the packet sniffer is
running.
WHY DO WE NEED A PACKET SNIFFER RUNNING ON
600 MILLION PERSONAL IOS DEVICES?
21. com.apple.mobile.file_relay
— Biggest forensic trove of intelligence on the device
— Found in /usr/libexec/mobile_file_relay on device
— Provides physical artifacts vs. logical (databases; deleted
records can be recovered)
— Transmits large swaths of raw file data in a compressed
cpio archive, based on the data source requested.
— Completely bypasses Apple’s backup encryption for
end-user security.
— Once thought benign, has evolved considerably, even in
iOS 7, to expose much personal data.
— Very intentionally placed and intended to dump data
from the device by request
24. com.apple.mobile.file_relay
— Accounts: A list of email, Twitter, iCloud, Facebook
etc. accounts configured on the device.
— AddressBook: A copy of the user’s address book
SQLite database; deleted records recoverable.
— Caches: The user cache folder; suspend screenshots
(last thing you were looking at), shared images,
offline content, clipboard/pasteboard, map tile
images, keyboard typing cache, other personal data
25. com.apple.mobile.file_relay
— CoreLocation: GPS logs; cache of locations taken at
frequent intervals (com.apple.routined)
¡ Files: lockCache_encryptedA.db and cache_encryptedA.db
¡ Similar to the old consolidated.db database from iOS 4
¡ Timestamps span ~60 days on my phone
26. com.apple.mobile.file_relay
— HFSMeta (New in iOS 7!): A complete metadata disk
sparseimage of the iOS file system, sans actual content.
¡ Timestamps, filenames, sizes, creation dates of all files
¡ When device was last activated / wiped
¡ All applications installed on a device and filenames of all documents
(e.g. Dropbox documents, etc)
¡ The filenames of all email attachments on the device
¡ All email accounts configured on a device
¡ Host IDs and timestamps of all devices paired with the device
¡ Phone numbers and timestamps of everyone for whom an SMS draft
was saved
¡ Timeline of activity based on timestamp data
27. com.apple.mobile.file_relay
— Keyboard: A copy of the keyboard autocorrect cache
¡ DynamicDictionary-4: First half contains all recent typed
content from all applications, consolidated and in the order it
was typed
¡ DynamicDictionary-5: Improved, contains words and word
counts only
— MobileCal, MobileNotes: Complete database images
of the user’s calendar, alarms, and notes databases in
SQLite format (deleted records recoverable).
— Photos: Complete dump of user’s photo album (not
just camera roll) stored on the device
28. com.apple.mobile.file_relay
— UserDatabases (Been around since v2): dump of
address book, calendar, call history, SMS database,
email metadata (envelope index); SQLite databases
(deleted records recoverable)
— VARFS (predecessor to HFSMeta): virtual file system
metadata dump in statvfs format.
— Voicemail: Copy of user’s voicemail database and
audio files (AMR format)
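Slides 21 through 28 say file_relay hands back its data sources as a compressed cpio archive. The reader below is an added example, not code from the talk, from Apple or from libimobiledevice: it unpacks such a dump so an analyst (or the device's owner) can list what actually came off the phone. It assumes the SVR4 "newc" cpio variant, which the slides do not state; the sample archive, its paths and its file contents are constructed inline so the example runs offline, and the helper names are this example's own.

```python
"""Reader for a gzip-compressed cpio archive (constructed sample inside).

Assumption: "newc" (SVR4) cpio layout, 110-byte ASCII headers, 4-byte alignment.
"""
import gzip
import itertools
from typing import Iterator, List, NamedTuple, Tuple

NEWC_MAGIC = b"070701"
TRAILER = "TRAILER!!!"


class CpioEntry(NamedTuple):
    name: str
    mode: int
    mtime: int
    data: bytes


def _pad4(n: int) -> int:
    """Round n up to a multiple of 4; newc pads both the name and the data."""
    return (n + 3) & ~3


def iter_newc(raw: bytes) -> Iterator[CpioEntry]:
    """Yield every entry of an uncompressed newc stream until the trailer."""
    off = 0
    while True:
        if raw[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"bad cpio magic at offset {off}")
        # 13 fields of 8 hex digits follow the magic:
        # ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
        fields = [int(raw[off + 6 + 8 * i: off + 14 + 8 * i], 16) for i in range(13)]
        mode, mtime, filesize, namesize = fields[1], fields[5], fields[6], fields[11]
        name_start = off + 110
        name = raw[name_start:name_start + namesize - 1].decode("utf-8")  # drop NUL
        data_start = _pad4(name_start + namesize)
        data = raw[data_start:data_start + filesize]
        off = _pad4(data_start + filesize)
        if name == TRAILER:
            return
        yield CpioEntry(name, mode, mtime, data)


def build_newc(files: List[Tuple[str, bytes]], mtime: int = 1405000000) -> bytes:
    """Write a newc archive; used only to construct the sample dump below."""
    out = bytearray()
    for ino, (name, data) in enumerate(itertools.chain(files, [(TRAILER, b"")]), 1):
        mode = 0 if name == TRAILER else 0o100644
        name_b = name.encode("utf-8") + b"\0"
        values = (ino, mode, 0, 0, 1, mtime, len(data), 0, 0, 0, 0, len(name_b), 0)
        out += NEWC_MAGIC + "".join(f"{v:08x}" for v in values).encode("ascii") + name_b
        out += b"\0" * (_pad4(len(out)) - len(out))
        out += data
        out += b"\0" * (_pad4(len(out)) - len(out))
    return bytes(out)


def sample_dump() -> bytes:
    """Constructed stand-in for a relay response: the paths mimic slides 24-28,
    the contents are invented (not real device data)."""
    files = [
        ("Library/AddressBook/AddressBook.sqlitedb", b"SQLite format 3\0 (constructed)"),
        ("Library/Caches/com.apple.routined/cache_encryptedA.db", b"(constructed)"),
        ("Library/Keyboard/DynamicDictionary-5", b"hello\0world\0"),
    ]
    return gzip.compress(build_newc(files))


def read_relay_dump(gz_bytes: bytes) -> List[CpioEntry]:
    """Decompress and parse a cpio.gz blob into a list of entries."""
    return list(iter_newc(gzip.decompress(gz_bytes)))


def summarize(entries: List[CpioEntry]) -> dict:
    """Path -> size in bytes: the first inventory an analyst makes of a dump."""
    return {e.name: len(e.data) for e in entries}


if __name__ == "__main__":
    for path, size in summarize(read_relay_dump(sample_dump())).items():
        print(f"{size:6d}  {path}")
```

The inventory is the useful part: comparing the paths that come back against what the requesting data source was supposed to cover is how the "once thought benign" services on slide 21 were found to have grown.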
29. com.apple.mobile.house_arrest
— Originally used to allow iTunes to copy documents
to/from third party applications
— Even though iTunes doesn’t permit it through GUI,
the service allows access to the Library, Caches,
Cookies, Preferences folders as well
— These folders provide highly sensitive account
storage, social/Facebook caches, photos and other
data stored in “vaults”, and much more.
30. Example: Twitter
— Recent photos from my stream
— Most recent timeline
— Private message database; numerous deleted
messages recovered
— Screenshots of my last use of Twitter
— OAuth tokens (when combined with consumer key/
secret, can be used to spy on all future
correspondence remotely)
31. Example: Photo Vaults
— Copies of the actual photos the vaults are
“protecting”
— Configuration files including the PIN, or a hash of
the PIN
— Occasionally, developer will actually encrypt files
— Sometimes encryption keys or PIN dumped to syslog
32. Theories
— Maybe iTunes or Xcode use them? No.
¡ iTunes uses com.apple.mobilesync, backup2, and other
facilities, but none use file relay or pcap
¡ iTunes uses house_arrest, but only for accessing Documents;
there’s no need to allow access to Library, Cache, or other
privileged folders
¡ iTunes respects backup encryption
33. Theories
— Maybe for Genius Bar or Apple Support? No.
¡ Data is in too raw a format to be used for tech support
¡ Can’t be put back onto the phone in any way
¡ Tech support use shouldn’t call for bypassing backup password
¡ Data is far too personal in nature for mere tech support
34. Theories
— Maybe for Developers for Debugging? No.
¡ Actual developer tools live on the developer image, and are
only available when Developer Mode is enabled
¡ Xcode does not provide a packet sniffing interface for
developers
¡ Developers don’t need to bypass backup encryption
¡ Developers don’t need access to such sensitive content
¡ Apple wants developers to use the SDK APIs to get data
¡ There are no docs to tell developers about these “features”
35. Theories
— Maybe for Engineering / Debugging? No.
¡ Not all 600 million devices need debugging always on
¡ By preventing localhost connections, Apple must know these
services are being abused by malware
¡ You still wouldn’t need to bypass backup encryption
¡ Engineering wouldn’t need access to such personal data
36. Theories
— Maybe old debug code they forgot was in there? No.
¡ Apple has been maintaining and enhancing this code, even
with iOS 7; they know it’s there
¡ Have emailed Apple’s CEOs and gotten no response
¡ It’s not buried; it’s listed in Services.plist
¡ While house_arrest security issues might be “bugs”, file relay
and pcap most certainly aren’t
37. The More Benign Services
— While more benign, the following services are good
attack targets for forensic artifacts:
— com.apple.iosdiagnostics.relay: Provides detailed network
usage per-application on a per-day basis
— com.apple.mobile.installation_proxy: Given an enterprise
certificate, can use this to load custom software onto the
device (which can run invisibly and in the background)
— com.apple.syslog_relay: Syslog, provides a lot of details
about what the device is doing, and often leaks user
credentials from 3rd party apps via NSLog()
38. Invisible Malware
— Installing invisible software that backgrounds is still easy
to do in iOS 7
— Apple made a crucial security improvement in iOS 7:
prevented socket connections to localhost / local IP
¡ Prior to this, I had spyware running invisibly that could dump a
phone and send its contents remotely anywhere. (never released for
obvious reasons)
— This stopped a number of privately used spyware apps in
their tracks; they can not connect to localhost:62078
— Future spyware: phones attacking other phones on the
network (zomg zombies)
40. Backgrounding Malware
/* VoIP keep-alive registration: iOS wakes the app every 600 seconds to run the block */
[[UIApplication sharedApplication]
    setKeepAliveTimeout:600 handler:^(void)
{
    /* Do bad things in background */
}];
In iOS 7, you can still capture:
• All socket connections (netstat data)
• Process information (ps data)
• A number of personal files on the device
• Launch some very closely-held-to-the-vest userland exploits
41. But Wait. I paid $600 for a Fingerprint Reader
— Fingerprint reader: Doesn’t add any additional
encryption beyond basic PIN
— Has been shown to be spoofed with the right equipment
— Allows GUI access, therefore allowing pairing,
therefore allowing forensic dumps
— Oh, and… there’s a bypass switch for pairing anyway
42. Pairing Bypass
— Added for supervised devices to be accessible (e.g.
employee dies, leaves on bad terms, criminal
investigation).
— Devices try to call home when first configured to
download automatic configurator profile. (likely used for
large-scale MDM rollouts).
— An electronic alternative to interdiction could be
deployed by spoofing Apple’s certificates and
configuring / pairing the device out of the box.
— OR by penetrating a targeted organization, supervisor
records can be used to pair with and access any device
they’re supervising.
43. MCCloudConfiguration
— Deny all pairing
— Allow pairing, but prompt the user
— Allow pairing with no user prompt (and while
locked)
— Allow pairing with a challenge/response
44. Pairing Bypass
; Check –[ MCProfileConnection hostMayPairWithOptions:challenge: ]
__text:0001938E LDR.W R0, [R8,#0xC]
__text:00019392 BL sub_5754
__text:00019396 CMP R0, #0
__text:00019398 BNE.W loc_19AA8
__text:0001939C LDR.W R1, [R8,#0x1C]
__text:000193A0 ADD R2, SP, #0x7E8+var_420
__text:000193A2 ADD R3, SP, #0x7E8+out
__text:000193A4 MOV R0, R4
__text:000193A6 BL sub_1F100
; Pairing is explicitly forbidden by MC
__text:000193AA CMP R0, #0
__text:000193AC BEQ.W loc_19AB0
; Pairing is allowed by MC, but with challenge/response
__text:000193B0 LDRB.W R0, [SP,#0x7E8+out]
__text:000193B4 CMP R0, #0
__text:000193B6 BNE.W loc_19AC2
; Pairing is allowed by MC while locked / untrusted without
; any challenge/response (pairing security is bypassed)
__text:000193BA LDRB.W R0, [SP,#0x7E8+var_420] <- Profit
__text:000193BE CMP R0, #0
__text:000193C0 BNE.W loc_19B06
; Pairing is allowed while locked / untrusted if the device
; doesn’t support it
__text:000193C4 MOV R0, #(cfstr_Hasspringboa_1 - 0x193D0) ; "HasSpringBoard"
__text:000193CC ADD R0, PC ; "HasSpringBoard"
__text:000193CE BLX _MGGetBoolAnswer
__text:000193D2 CMP R0, #1
__text:000193D4 BNE.W loc_19B06
; Actual pairing security routines (check device lock, whether
; user has pressed “Trust”, and so on)
__text:000193D8 MOVS R0, #0
__text:000193DA BLX _MKBGetDeviceLockState
45. In Pseudocode
if (mc_allows_pairing_while_locked || device_has_no_springboard_gui)
{
    goto skip_device_lock_and_trust_checks; /* Skip security */
}
/* Pairing Security */
if (device_is_locked == true) {
    if (setup_has_completed) {
        if (user_never_pushed_trust) {
            error(PasswordProtected);
        }
    }
}
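The decision flow of slides 43 through 45 as an added, testable model; this is not Apple's code or the talk's, only a re-expression of the disassembled hostMayPairWithOptions:challenge: branches so the two routes around the lock and Trust checks can be enumerated. The MC modes are the four listed on slide 43 (ALLOW_WHILE_LOCKED is the var_420 flag, CHALLENGE the `out` flag in the listing); the enum and function names are this example's own, and the final outcome only says which branch was reached, because the listing ends at _MKBGetDeviceLockState.

```python
"""Model of the pairing decision from the hostMayPairWithOptions:challenge: listing."""
import itertools
from enum import Enum


class McPairingPolicy(Enum):
    """MCCloudConfiguration pairing modes (slide 43)."""
    DENY = "deny"                         # pairing explicitly forbidden by MC
    PROMPT = "prompt"                     # allowed, user is asked (normal path)
    ALLOW_WHILE_LOCKED = "allow_locked"   # allowed, no prompt, even while locked
    CHALLENGE = "challenge"               # allowed with challenge/response


class PairingOutcome(Enum):
    FORBIDDEN = "forbidden"                  # loc_19AB0
    CHALLENGE_RESPONSE = "challenge"         # loc_19AC2
    LOCK_CHECKS_SKIPPED = "bypass"           # loc_19B06: lock/Trust never consulted
    PASSWORD_PROTECTED = "password_protected"  # error(PasswordProtected)
    NORMAL_TRUST_PATH = "trust_path"         # reaches the ordinary lock/Trust checks


def may_pair(policy, has_springboard, device_locked, setup_completed, user_trusted):
    """Return which branch a pairing attempt reaches for the given device state."""
    # Branch 1: MC explicitly forbids pairing.
    if policy is McPairingPolicy.DENY:
        return PairingOutcome.FORBIDDEN
    # Branch 2: MC allows pairing only with a challenge/response.
    if policy is McPairingPolicy.CHALLENGE:
        return PairingOutcome.CHALLENGE_RESPONSE
    # Branch 3: MC allows pairing while locked, or the device has no SpringBoard
    # GUI to show a Trust dialog; both jump straight past the security checks.
    if policy is McPairingPolicy.ALLOW_WHILE_LOCKED or not has_springboard:
        return PairingOutcome.LOCK_CHECKS_SKIPPED
    # Branch 4: the pairing security of slide 45.
    if device_locked and setup_completed and not user_trusted:
        return PairingOutcome.PASSWORD_PROTECTED
    return PairingOutcome.NORMAL_TRUST_PATH


def states_skipping_lock_checks():
    """Every input combination that never consults the device lock or Trust."""
    flags = (True, False)
    return [
        state
        for state in itertools.product(McPairingPolicy, flags, flags, flags, flags)
        if may_pair(*state) is PairingOutcome.LOCK_CHECKS_SKIPPED
    ]


if __name__ == "__main__":
    locked_untrusted = dict(device_locked=True, setup_completed=True, user_trusted=False)
    for policy in McPairingPolicy:
        print(policy.name, "->", may_pair(policy, True, **locked_untrusted).value)
    print(len(states_skipping_lock_checks()), "states skip the lock/Trust checks")
```

Two of the five inputs (the MC policy and HasSpringBoard) decide whether the user is consulted at all; with a locked, never-trusted device the only policy that lands in error(PasswordProtected) is the prompting one, which is why slide 50 recommends pinning the policy to deny with Apple Configurator.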
46. Calling Home
— On setup, teslad connects to
https://iprofiles.apple.com
¡ /resource/certificate.cer
¡ /session and /profile
¡ Capable of downloading MCCloudConfiguration
— Could be used for electronic interdiction, either with
technology or secret FISA order
— MCCloudConfiguration affects pairing bypass
— Built-in mechanism to bypass SSL validation. WTF.
¡ MCTeslaConfigurationFetcher checks for
MCCloudConfigAcceptAnyHTTPSCertificate
47. Calling Home
— Once configured, a new cloud configuration can be
downloaded via periodic check-in
— -[MCProfileConnection retrieveCloudConfigurationFromURL:username:password:anchorCertificates:completionBlock:]
¡ Great attack surface if you can get past the SSL
¡ Not necessary if you have a secret FISA order
48. Questions for Apple
— Why is there a packet sniffer running on 600 million
personal iOS devices instead of moved to the developer
mount?
— Why are there undocumented services that bypass user
backup encryption that dump mass amounts of personal
data from the phone?
— Why is most of my user data still not encrypted with the
PIN or passphrase, enabling the invasion of my personal
privacy by YOU?
— Why is there still no mechanism to review the devices my
iPhone is paired with, so I can delete ones that don’t
belong?
49. Pairing Locking
; Check –[ MCProfileConnection hostMayPairWithOptions:challenge: ]
__text:0001938E LDR.W R0, [R8,#0xC]
__text:00019392 BL sub_5754
__text:00019396 CMP R0, #0
__text:00019398 BNE.W loc_19AA8
__text:0001939C LDR.W R1, [R8,#0x1C]
__text:000193A0 ADD R2, SP, #0x7E8+var_420
__text:000193A2 ADD R3, SP, #0x7E8+out
__text:000193A4 MOV R0, R4
__text:000193A6 BL sub_1F100
; Pairing is explicitly forbidden by MC
__text:000193AA CMP R0, #0 <- HOW DO WE MAKE THIS WORK?
__text:000193AC BEQ.W loc_19AB0
; Pairing is allowed by MC, but with challenge/response
__text:000193B0 LDRB.W R0, [SP,#0x7E8+out]
__text:000193B4 CMP R0, #0
__text:000193B6 BNE.W loc_19AC2
; Pairing is allowed by MC while locked / untrusted without
; any challenge/response (pairing security is bypassed)
__text:000193BA LDRB.W R0, [SP,#0x7E8+var_420]
__text:000193BE CMP R0, #0
__text:000193C0 BNE.W loc_19B06
; Pairing is allowed while locked / untrusted if the device
; doesn’t support it
__text:000193C4 MOV R0, #(cfstr_Hasspringboa_1 - 0x193D0) ; "HasSpringBoard"
__text:000193CC ADD R0, PC ; "HasSpringBoard"
__text:000193CE BLX _MGGetBoolAnswer
__text:000193D2 CMP R0, #1
__text:000193D4 BNE.W loc_19B06
; Actual pairing security routines (check device lock, whether
; user has pressed “Trust”, and so on)
__text:000193D8 MOVS R0, #0
__text:000193DA BLX _MKBGetDeviceLockState
50. Apple Configurator
— Free in the Mac App Store
— Allows you to set enterprise MDM restrictions on your
device
— Can be used to prevent pairing even when unlocked
— Pair once with your desktop, then never again… OR (if
you’re paranoid) delete all pairing records and prevent
any comms.
— Won’t help you if device sent to Apple; should still use a
complex passphrase
— Removable later if you change your mind
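Slides 12 and 42 note that the pairing records an attacker needs live on the paired computer, and slide 48 complains that there is no way to review them. The script below is an added example, not Apple's or libimobiledevice's code, that audits and prunes the host-side copies. It assumes the macOS location /var/db/lockdown/<UDID>.plist (readable as root) and the keys HostID, SystemBUID, WiFiMACAddress and EscrowBag that such records carry; the sample record, its UDID and identifiers are constructed so the example runs offline, and the function names are this example's own.

```python
"""Audit the iOS pairing records a host keeps (constructed sample included)."""
import datetime as dt
import os
import plistlib
import tempfile

LOCKDOWN_DIR = "/var/db/lockdown"   # macOS path; assumption for other hosts
FAKE_UDID = "0123456789abcdef0123456789abcdef01234567"   # constructed


def audit_pairing_records(directory: str) -> list:
    """One summary dict per <UDID>.plist found in `directory`."""
    findings = []
    for fname in sorted(os.listdir(directory)):
        # SystemConfiguration.plist holds the host's own SystemBUID, not a device.
        if not fname.endswith(".plist") or fname == "SystemConfiguration.plist":
            continue
        path = os.path.join(directory, fname)
        with open(path, "rb") as fh:
            rec = plistlib.load(fh)
        findings.append({
            "udid": fname[:-len(".plist")],
            "host_id": rec.get("HostID"),
            "system_buid": rec.get("SystemBUID"),
            "wifi_mac": rec.get("WiFiMACAddress"),
            # The escrow bag is the part slide 56 wants wrapped in the backup
            # password; a record carrying one is worth flagging.
            "has_escrow_bag": bool(rec.get("EscrowBag")),
            "last_modified": dt.datetime.fromtimestamp(
                os.path.getmtime(path), dt.timezone.utc).isoformat(),
        })
    return findings


def write_sample_record(directory: str) -> str:
    """Drop a constructed pairing record (every value is fake) into `directory`."""
    record = {
        "HostID": "00000000-0000-4000-8000-000000000001",      # constructed
        "SystemBUID": "00000000-0000-4000-8000-0000000000aa",  # constructed
        "WiFiMACAddress": "00:11:22:33:44:55",                 # constructed
        "EscrowBag": b"\x00constructed-escrow-bag",
        "HostCertificate": b"-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n",
    }
    path = os.path.join(directory, FAKE_UDID + ".plist")
    with open(path, "wb") as fh:
        plistlib.dump(record, fh)
    return path


def revoke_record(directory: str, udid: str) -> bool:
    """Delete this host's record for a device; returns False if none exists."""
    path = os.path.join(directory, udid + ".plist")
    if not os.path.isfile(path):
        return False
    os.remove(path)
    return True


def run_demo() -> dict:
    """Audit a scratch directory, revoke the sample record, audit again."""
    scratch = tempfile.mkdtemp()
    write_sample_record(scratch)
    before = audit_pairing_records(scratch)
    revoked = revoke_record(scratch, FAKE_UDID)
    return {"before": before, "revoked": revoked, "after": audit_pairing_records(scratch)}


if __name__ == "__main__":
    target = LOCKDOWN_DIR if os.path.isdir(LOCKDOWN_DIR) else None
    if target is None:
        print("no", LOCKDOWN_DIR, "here; running against a constructed record")
        print(run_demo())
    else:
        for finding in audit_pairing_records(target):
            print(finding)
```

Removing the host-side record only takes that computer out of the picture; it is the copy a thumb-drive scan or a black-bag job would collect, so it is the part the user controls. The device keeps its own side of the pairing, which is exactly the gap slide 48 asks Apple about.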
56. Design Suggestions
— Asymmetric cryptography to allow encryption of
incoming SMS, Photos, etc. without requiring decryption
— File system equivalent of “session keys” for memory
resident processes (CommCenter) to uniquely decrypt
shadow copy of certain data (AddressBook)
— Add boot password to encapsulate existing FS
encryption; makes stronger / complex passwords less
inconvenient
— When pairing, encrypt all keys and EscrowBag sent from
phone using backup password, so can’t be used without
something you know.
57. Summary
— Apple is dishing out a lot of data behind our backs
— It’s a violation of the customer’s trust and privacy to
bypass backup encryption
— There is no valid excuse to leak personal data or allow
packet sniffing without the user’s knowledge and
permission.
— Much of this data simply should never come off the
phone, even during a backup.
— Apple has added many conveniences for enterprises that
make tasty attack points for .gov and criminals
— Overall, the otherwise great security of iOS has been
compromised… by Apple… by design.