iOS Security: The Never-Ending Story of Malicious Profiles
iOS is probably the most secure mobile operating system today. However, is that enough? Last year we identified the malicious profiles attack, which leverages features of iOS to grant remote hackers deep control over victims’ devices. This presentation reviews recent threats and their evolution, and uncovers a new vulnerability that makes it possible to effectively conceal such attacks.

Published in: Technology
SESSION ID: BR-R02
iOS Security: The Never-Ending Story of Malicious Profiles
Adi Sharabani, CEO & Co-Founder, Skycure (@AdiSharabani)
Yair Amit, CTO & Co-Founder, Skycure (@YairAmit)
#RSAC
About the Presenters
Adi Sharabani
- CEO & co-founder of Skycure
- Watchfire's research group [acquired by IBM]
- Led the security of IBM software
- Fellow at Yuval Neeman’s workshop
- Teacher at Ohel Shem high school
Yair Amit
- CTO & co-founder of Skycure
- Web, network and mobile researcher
- Inventor of 15 patents
- Former manager of the Application Security & Research group at IBM
Agenda
- iOS security model
- Malicious profiles
- iOS 7.1 security fix
- Impact on MDMs
- Afterthoughts
Starting With the Obvious
[Chart: Android malware threat growth. Source: Trend Micro 2012 Mobile Threat and Security Roundup]
iOS malware in 2012: less than 1% of mobile malware
iOS Security Model
[Diagram: iOS sandbox approach. Source: Apple’s App Sandbox Design Guide]
App characteristics:
- One Store
- Heavy Screening
- App Sandboxing
Profile characteristics:
- No Store
- No Screening
- No Sandboxing
Configuration Profiles – Where Do We Find Them?
- Mobile Device Management (MDM)
- Cellular carriers
  - Usually used for APN settings
- Mobile applications
- Service providers
Malicious Profiles
[Screenshot of the lure page: “Welcome to iOS Streamer. Watch TV shows and movies free online. Stream your favorite content directly to your iOS device. Click to install streaming profile”]
Hacker gains access to your mail, business apps, cloud services, bank accounts and more, even if traffic is encrypted
Time for a demo (so take out your iOS device)
Malicious Profiles – Where Do We Find Them?
- Malicious “service providers” (apps/services/etc.)
- Malicious Wi-Fi networks
- Vulnerable services
Am I Safe?
- Profile listing could indicate suspicious profiles
- Cat-and-mouse game: attackers can name their profile to look benign
So let’s remove the attack
How Does It Look to the Bare Eye
[Screenshots: Malicious Profile vs. Invisible Malicious Profile]
The Invisible Profile
- iOS vulnerability allowing a profile to hide itself.
- Identified by Assaf Hefetz, researcher and developer, Skycure
- So what happened:
  - Victim was lured into installing a specially crafted profile
  - Due to an iOS bug, the profile is not listed in the Profiles pane
  - Malicious profile is active and yet hidden
- Additional technical details pending the iOS 7.1 release
Malicious Profiles and MDMs
Mobile Device Management
- Enrollment:
  1. A configuration profile is sent to the device
  2. User installs the MDM profile
  3. Device connects to MDM Server to enroll
- Commands:
  4. Server sends an APNS command
  5. Device connects directly to the server over HTTPS (server sends commands or requests information)
Source: Apple
Mobile Device Management
- MDM profile could potentially act as a powerful “malicious profile”.
- However:
  - Alarming installation message
  - Barriers to become an MDM
  - Only one MDM is allowed on device
MDM Security Issues
- David Schuetz presented great research on MDM security
- Problem increases when malicious profiles are used to exploit MDM protocol shortcomings
[Diagram, source: Apple. SSL communication between client and MDM server lacks certificate pinning]
MDM Piggybacking
- Attack scenario:
  - IT/user enrolls an iOS device to a legitimate MDM service
  - Victim installs a malicious profile
  - Attacker waits …
  - MDM server sends an APNS command (attacker has no control over this part)
  - iOS device asks the MDM server for commands (attacker does have control over this)
  - Attacker impersonates the MDM server
Possible Attacks – Removal of MDM
- A simple 401 HTTP response leads to the removal of the MDM (and associated settings or apps) from the device

    HTTP/1.1 401 Unauthorized
    Content-Type: text/html
    Cache-Control: must-revalidate,no-cache,no-store
    Transfer-Encoding: chunked
    Content-Encoding: gzip
Possible Attacks – Remote Wipe

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Command</key>
        <dict>
            <key>RequestType</key>
            <string>EraseDevice</string>
        </dict>
        <key>CommandUUID</key>
        <string>b114dcd0-2e24-0131-df43-22000a1f95e7</string>
    </dict>
    </plist>
Full Demo Flow
Impact
- Things an attacker can do:
  - Remove the MDM profile (along with associated apps, configuration and data)
  - Send MDM query commands (e.g., list apps, profiles, certificates)
  - Perform an action (lock, remote wipe)
  - Configure additional stuff (Wi-Fi/APN proxy settings, install apps)
Some Challenges
- Challenge: Client-side certificate validation
  - Not all MDMs enforce it
  - Mdm-Signature HTTP header
- Challenge: Reliance on APNS calls
  - Chaining subsequent commands
- Challenge: MDM can query the profile list
  - The “invisible profile” is also hidden from the MDM
Current Status
- We reported the issue to Apple at the end of September, 2013
- Apple fixed the issue in the 7.1 code (GA should be released soon)
- We are not aware of live exploitation of the issue
- We acknowledge Apple’s security team for their dedication to the security of their products
Recommendations
- End users:
  - Maintain an up-to-date OS
  - Check your iOS for suspicious profiles
  - If you don’t have profiles, make sure you don’t have the profile menu
- Organizations:
  - Enforce OS updates
  - Implement network-based solutions for your mobile devices
- MDM vendors:
  - Verify client-side certificates
  - Work with Apple on the MDM protocol issues
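A profile-triage helper, added here as an example (it is not tooling from the talk or from Skycure), that connects the “iOS Streamer” lure and the Impact slide to the “check your iOS for suspicious profiles” recommendation: it parses a .mobileconfig plist and flags the payloads that give an attacker traffic interception or device control. The PayloadType strings are Apple’s documented identifiers; the sample profile, its hostname and certificate bytes are constructed placeholders.

```python
"""Triage an iOS configuration profile (.mobileconfig) for payloads that can
intercept traffic or take over the device. Added example, not the talk's tooling.
Assumes an unsigned plist; signed profiles are CMS-wrapped and need unwrapping first."""
import plistlib

# Apple payload types a reviewer should look at first (assumption: a starting
# list for triage, not Apple's complete catalogue).
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA (enables TLS interception)",
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic through a proxy",
    "com.apple.vpn.managed": "tunnels traffic through a VPN server",
    "com.apple.apn.managed": "changes the cellular APN and carrier proxy",
    "com.apple.wifi.managed": "adds a Wi-Fi network (may carry proxy settings)",
    "com.apple.mdm": "enrolls the device in an MDM server",
}
# Redirectors combined with a root CA give the "even if traffic is encrypted"
# capability described in the talk.
REDIRECTORS = {"com.apple.proxy.http.global", "com.apple.vpn.managed",
               "com.apple.apn.managed", "com.apple.wifi.managed"}

def triage_profile(data: bytes) -> dict:
    """Report identity, risky payloads, and the root-CA + redirection combination."""
    profile = plistlib.loads(data)
    findings, types = [], set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        types.add(ptype)
        if ptype in RISKY_PAYLOADS:
            findings.append((ptype, payload.get("PayloadDisplayName", "?"),
                             RISKY_PAYLOADS[ptype]))
    return {
        "name": profile.get("PayloadDisplayName", ""),
        "organization": profile.get("PayloadOrganization", ""),
        "user_removable": not profile.get("PayloadRemovalDisallowed", False),
        "findings": findings,
        "tls_interception_capable": ("com.apple.security.root" in types
                                     and bool(types & REDIRECTORS)),
    }

# Constructed sample modelled on the talk's "iOS Streamer" lure: root CA plus
# global proxy. Certificate bytes and hostname are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadDisplayName": "iOS Streamer",
    "PayloadOrganization": "Streamer", "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "Streamer CA",
         "PayloadContent": b"PLACEHOLDER-DER-CERTIFICATE"},
        {"PayloadType": "com.apple.proxy.http.global", "PayloadDisplayName": "Streamer Proxy",
         "ProxyType": "Manual", "ProxyServer": "proxy.example.invalid", "ProxyServerPort": 8080},
    ],
})
```

Run `triage_profile(SAMPLE_PROFILE)` to see the root CA and global proxy reported together as interception-capable. This only helps with profiles you can obtain, which is exactly why the invisible profile from the talk matters: a profile hidden from the Profiles pane and from the MDM’s profile list never reaches a check like this.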
Thank you!
- twitter: @YairAmit, @AdiSharabani
- email: {yair,adi}@skycure.com
- blog: http://www.skycure.com/blog