SecureState Powerpoint

Attacking and Defending Apple iOS
Devices in the Enterprise
Tom Eston
Who is Tom Eston?
• Manager of the SecureState Profiling & Penetration
• Specializing in Attack & Penetration
• Founder of
• Facebook Privacy & Security Guide
• Security Blogger
• Co-host of two podcasts (Security Justice,
Social Media Security)
• National Presenter (Black Hat USA, Defcon,
ShmooCon, OWASP)
• I hack my Mac and iDevices. Also my clients. 
Current State of iOS Devices
Why assess iOS Deployments?
Latest Real-World Attacks
Assessment Methodology
Defensive Techniques and Deployment Methods
Basic iOS Hardening
Apple Release Cycle
• Not to be confused with Cisco “IOS”
• Apple changed the name to “iOS” in June
• At least once a quarter, mostly minor
• Current version(s):
– AT&T (GSM) = 4.3.5/5.0.1
– Verizon (CDMA) = 4.2.10/5.0.1
– iOS 5 released on October 12, 2011
– iOS 5.1 beta 3 released to devs on
January 9, 2012
• iOS 4/5 fully supports iPhone 4, iPhone
3GS, iPod Touch 3/4 gen, iPad as of 4.2.1
• Limited support for iPhone 3G with iOS 4.
No support for iOS 5.
iOS 5
Introduces 200+ new features
Twitter integrated into the OS
Major update
– Sync iDevice with the “cloud”
– Includes documents, settings and backups
iOS vs. OS X
• iOS has the same underlying OS as Apple’s OS X
(Darwin, which is Unix-based)
• iOS is mobile specific
– Core OS
– Core Services
– Media Layer
– Cocoa Touch
• OS X is desktop/laptop specific
Current Security Features
• I won’t talk about < iOS 4
• A lot depends on whether your device supports iOS 4/5
– iPhone 3G and older are near impossible to secure!
(depends on iOS version supported)
– Example: iPhone 3G only supported up to iOS 4.2
• In > iOS 4.2:
– Support for SSL VPN
– Support for Mobile Device Management (MDM)
• Previously only Exchange Active Sync and Apple’s
iPhone Configuration Utility
– Hardware-based encryption improvements
• Key generated from user’s passcode
• Enabled when device is off or locked
– Remote wipe via “Find My Phone”
• This is now free
Hardware Encryption
• Hardware encryption was introduced with the
iPhone 3GS
• Secures all data “at rest”
• Hardware encryption is meant to allow remote wipe
by removing the encryption key for the device
• Once the hardware key is removed, the device is
Device Protection
• “Device Protection” is different from “Hardware
• This is Apple’s attempt at layered security
– Adds another encryption layer by encrypting
application data.
– Key is derived from the user’s Passcode.
• Only currently supports this
• Many developers are not using the APIs
• Often confused with Hardware Encryption
Statistics on iOS Devices
• 250 Million iOS Devices Sold (as of October 2011)
• Mostly due to Verizon/Sprint now selling Apple
• 500,000 apps in the Apple App Store
• Android: 300 Million Devices Sold
(as of February 2012)
• 450,000 apps in the Android Market
• A close race between Apple and Android…what
about BlackBerry? 
BlackBerry is Dying
• ATF (Bureau of Alcohol, Tobacco, Firearms and
Explosives) and Halliburton publicly announced
they are dropping BlackBerry for iOS
• More enterprises are doing this and the trend will
• Tablets are on the rise!
Statistics on Jailbroken iOS Devices
• 8.43% of all iPhones are Jailbroken (as of 2009)
– Pinch Media Statistics
• I’ve seen estimates that say > 10% now
But in China…
• 34.6% of iPhones are Jailbroken (roughly one third)
• China is the fastest growing market for iOS
Just Ask Cydia
• When you Jailbreak your device, you upload your SHSH blobs to Saurik’s server…
• Almost 1 Million in 3
What We Find…
• Many are deployed without much configuration
– No passcodes, Weak passcodes
– Personally owned
– No central management or poor management
– Executives are always the exception
• Many are lost or stolen
– Especially by executives!
• Very sensitive or confidential information being stored
– Emails and contacts
– Board documents, merger and acquisition info
Other Reasons for Assessments
• Find out what data is being stored
• Determine how iOS devices are being managed
– Example: Can I simply connect my iOS device to the network/Exchange server?
• Test third-party MDM controls and settings
– How secure is that super expensive third-party
solution? 
Why Do Users Jailbreak?
• Full access to the OS and file system
• Install applications and themes not approved by
Apple (via installers like Cydia)
• Tether their iOS device to bypass carrier restrictions
• They hate Apple’s communist and elitist restrictions
1984 Is Now 2012?
Some Other Jailbreaking Facts
• All “iDevices” can be Jailbroken
– Including Apple TV and iPod
– New A5 devices (iPhone 4S and iPad 2)
• It voids the warranty from Apple
• The first Jailbreak was in July 2007, one month after the
iPhone was released
• The default root password after Jailbreaking is “alpine”
• You can downgrade if you save your SHSH blobs
(signature hash)
• Jailbreaking is legal in the United States
– Digital Millennium Copyright Act (DMCA 2010)
Types of Jailbreaks
• Two types:
• Tethered
– The device must be connected to a computer on
every reboot
• Untethered
– Allows the device to be rebooted without the
• Jailbreaking is NOT unlocking!
Jailbreaking Tools
Pwnage Tool*
GreenP0ison Absinthe
LimeRa1n exploit used for most Jailbreaks
* Require the IPSW (firmware) in some form…
GreenP0ison, Redsn0w and are best used in device pentesting (which one depends on the Passcode being enabled/brute forced)
About the New Jailbreak Tools and iOS 5
• Two different untethered Jailbreaks for iOS 5
– Redsn0w 0.9.10 and PwnageTool 5.0.1
• Non-A5 devices: iPhone 3GS, iPhone 4, iPhone
4 CDMA, iPad 1, iPod Touch 3G/4G
– GreenPois0n Absinthe
• A5 devices: iPhone 4S (iOS 5/5.0.1) iPad 2 (iOS
5.0.1 only)
• Links and more information on these tools can be
found at the end of this presentation
• Uses a PDF or the new FreeType parser security flaw to Jailbreak the device via Safari
• Versions 4.0-4.0.1 are vulnerable on any device (including iPad 2 if running 4.3.3)
Security Issues with Jailbreaking
• Renders most built-in protections useless
– Applications can fully access the OS
– Applications are not vetted by Apple
• Root password is changed to “alpine”
– Many users forget to change this
• You have full access to the OS
• Jailbreaking removes the passcode on iOS 3.x devices
– But we don’t need the passcode anyway…
• Easily allows live imaging via DD or other forensic tools
Privacy Issues
• Instant access to the file system (sms, contacts,
Example: /Users/Library/SMS/sms.db
• Jailbreaking bypasses the Passcode by using a tool
like iPhone Explorer
iCloud Security
• Some research already done…we tested:
– Authentication
– Authorization
– Network Communication
– Error Enumeration
– What info is stored on the device?
• Apple did a good job
• SecureState did find an issue with account enumeration
via the iCloud web application (
• Just like account owns all your data!
• Whitepaper in process…
Apps Transmitting Sensitive Data
• iOS devices are vulnerable to typical WiFi attacks
– Man-in-the-Middle
– SSL Strip/Sniff
– Sidejacking
– Sniffing
• Some applications send credentials in base64 or
clear text
– FourSquare (was base64)
– Many, many apps use basic authentication
– SSL?
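An added example (not from the slides) of the check a tester runs on captured app traffic to back up the point above: a base64-encoded Basic Authorization header is still a cleartext credential unless the request went over SSL. The request records and host names are constructed for illustration.

```python
import base64
import binascii

# Constructed sample of requests as an intercepting proxy would record them
# during an app assessment: method, URL and headers. Not real traffic.
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "http://api.example.test/v1/checkins",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"alice:hunter2").decode(),
                 "Host": "api.example.test"}},
    {"method": "GET", "url": "https://api.example.test/v1/me",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"alice:hunter2").decode()}},
    {"method": "POST", "url": "http://login.example.test/auth",
     "headers": {"X-Password": "hunter2"}},
    {"method": "GET", "url": "https://cdn.example.test/logo.png", "headers": {}},
]

# Headers that carry credentials or session material (hypothetical X- names).
SENSITIVE_HEADERS = ("authorization", "cookie", "x-password", "x-auth-token")


def decode_basic(value):
    """Return the user name from a Basic auth header value, or None if not Basic."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, _, _password = decoded.partition(":")   # password is never reported
    return user


def audit_requests(requests):
    """Flag credential-bearing headers that were sent without SSL."""
    findings = []
    for req in requests:
        over_ssl = req["url"].lower().startswith("https://")
        for name, value in req["headers"].items():
            if name.lower() not in SENSITIVE_HEADERS or over_ssl:
                continue
            user = decode_basic(value)
            what = (f"Basic auth for user {user!r} (base64 is not encryption)"
                    if user is not None else f"{name} header")
            findings.append(f"{req['method']} {req['url']}: {what} sent in the clear")
    return findings
```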
OS X/iOS Captive Portal Hijacking Attack
• Discovered by
• Allows attacker to hijack the captive portal
• Uses DNS spoofing ( and Java based Metasploit payload (OS X only)
• Can pull cookies from iOS devices…
Exploits for Third-Party Apps
• Many are listed on ExploitDB…
Recent Skype iOS XSS
Apps with Location Permissions can Access Photos
• Geolocation data is tied to photos and videos
• Developers can access all photos with this one
• Broken by design?
Apps that Store Sensitive Data
• Don’t get me started about DropBox/Evernote!
– Apps like these auto login (so does Facebook)
– They also have other documented problems
• Apps like to leave behind things like…
• Keyboard Cache
~/Library/Application Support/iPhone/x.x.x/Library/Keyboard/dynamic-text.dat
• Logs
• Geolocation Data
The infamous “consolidated.db” file in iTunes backups, also geo-tags in photos
• SQLite Database(s) and PLIST configuration files
– Developers use these to store lots of information
Screen Shots and other Cache
• iOS devices store a screen shot every time you press
the “home” button
• This is for the “cool” shrink and disappear feature
• Conveniently located here:
(files are deleted periodically..DD FTW!)
• Some apps like to store cached files
– One in particular was GoodReader (this may have
been fixed with Device Protection APIs)
Some apps open Network Ports
OWASP Mobile Security Project
Defining a detailed application testing methodology
Top 10 Mobile Security Risks (recently released)
Top 10 Mobile Controls
Mobile Threat Model
GoatDroid/iGoat Project
Get Involved:
How Do Users Back Up Data?
• iOS devices automatically are backed up in iTunes
– When syncing device information
• Stored in:
/Users/<your user name>/Library/Application
• By default iOS device backups are not encrypted!
Recent Location Data Issue
• Fixed in iOS 4.3.3
– When turning off location services, iOS will not
store this data or back it up
• Some researchers created a cool tool to demo this
Keychain Exploit
• Discovered by two German researchers
• Phone has to be Jailbroken
• Keychain contains WiFi, Email, Exchange, some app
• Code available:
Passcode Bypass Vulnerability
• Only on iOS <= 4.1
• Allows you to access the contact list and make
phone calls
“When your iPhone is locked with a passcode tap Emergency Call, then enter a non-emergency number such as ###. Next tap the call button and immediately hit the lock button. It should open up the Phone app where you can see all your contacts, call any number, etc.”
New iOS 5.0.1 Passcode Bypass Vulnerabilities
• Brute Force phone contacts via the “Voice Control” feature with a locked phone
• Make FaceTime video calls, pull profile pictures
• Voice Control enabled by default but it doesn’t have to be enabled for this to
New iOS 5.0.1 Passcode Bypass Vulnerabilities
• Missed call notification on lock screen is used to
trigger the flaw
• Begin a call and quickly remove the SIM card, the
phone becomes unlocked while the device searches
for a signal
• Can be combined with the “Voice Control” issue
to unlock the device! (cool)
Incorrect Time Setting Can Leak iOS 5 Photos
• Set the time back by a year (or any date in the past)
• Lock the device, double press the “home” button
• Like magic…all the pictures you took in the last year are now shown if you show all pictures!
• Why? Apple uses a timestamp when the camera app is invoked…
iPad 2 Smart Cover Unlock
Lock the iPad 2
Open the iPad 2 with a “smart cover”
Press the sleep/wake button to get “slide to unlock”
Close the smart cover and open it back up and click
• The iPad 2 is now unlocked, like magic, even with a passcode enabled
• You have access to the last running application
• iPad 2 with iOS 5.0 Vulnerable. Fixed in iOS 5.0.1
Penetration Testing Execution Standard
• Currently in Alpha but will define what a pentest is…
• Obtain fully deployed iOS device(s)
– Ensure device has been backed up
• Define Rules of Engagement
• Determine type of pentest
– Grey Box or Black Box
– Will client provide credentials/passcode
• Devices could be “bricked” and possibility of data
• Gather your tools (IPSW firmware/jailbreak tool)
Intelligence Gathering
• What type of iOS device is it?
• Is the device passcode enabled?
– Simple four digit or more?
• Determine iOS version
• Is the device already Jailbroken?
• What key applications are installed, conduct
• Corporate email being used?
• Conduct network port scan of the device
Threat Modeling
• What is the risk if the device is lost?
• What is the business driver for the device?
• What type of scenario(s) can simulate business
impact of lost/stolen/compromised devices?
• What is being simulated?
– Unsecured WiFi threats?
– Lost or stolen device?
– Malware or worm attacks?
– Combination of all of these?
Vulnerability Analysis
Can the iOS device be Jailbroken?
Do third-party controls prevent Jailbreaking?
Are there vulnerabilities in the third-party controls?
What vulnerabilities are there in the installed iOS
– Example: iOS 4.1 passcode bypass vulnerability
• What vulnerabilities exist in any installed
– This may be the start of a more detailed mobile
application assessment
• Attempt to circumvent passcode controls
– Brute force or other methods (Jailbreaking)
• Attempt to back up the device in iTunes or other
– Also attempt to access the backup
• Attempt to Jailbreak the device (if required)
• Attempt to circumvent third-party controls
– Example: Can you connect to an Exchange server w/a
personal device?
• Attempt to mount or image the device with DD or other
forensic techniques
Post Exploitation
• Carve out key data
– Manually or using forensic tools
• iPhone Analyzer (for backups or via SSH)
• Any forensic tool for DD images
– SMS messages, email(s), screen shots, keyboard cache,
location data, app logs, files, etc…
• Export key data
• Document and screen shot findings
• Wipe or return devices to the client
• The most important phase!
• Include as much detail as possible (including version
numbers of tools)
• Show business damaging evidence
• The client should be able to replicate what was
conducted during the pentest!
Enterprise End User Rights
• Who owns the device?
• Employee vs. Company Owned
(Bring Your Own Device)
• Each has its challenges
• You should have a policy regardless
Device Deployment and Management
• How are devices provisioned?
Simple Certificate Enrollment Protocol
– User initiated or MDM (push)
Mobile Device Management (MDM)
• Set of APIs provided by Apple to control various
policy and security settings
• Third-party solutions interface with these APIs
• Apple actually recommends using an MDM for
Enterprise support and management of iOS devices
Microsoft Exchange ActiveSync
• IMAP via SSL Support
• Configure Policies
– Passcode Rules/Enforcement
• Example: Minimum passcode length
• Passcode expiration (Exchange 2007/2010)
– Remote Wipe
• More information:
• Note: Can be configured insecurely!
Apple’s iPhone Configuration Utility
Used for “small” deployments
Manually administered via email or other method
Available for iPad and iPhone
Can be used to configure lots of policies including:
– Passcode
– VPN and WiFi settings
– Email
– SCEP settings (MDM)
Configuration File Example
Third-Party Solutions
Multiple vendors are providing this
More features generally mean more $$
Examples: MobileIron, Good, AirWatch are a few
Current solutions out there are not perfect…still
The Passcode
• You always should have a
• You should require it
• It should be > 4 characters
• It should be complex
• Enable lockout/wipe feature
after 10 attempts
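An added example (not from the slides or SecureState) of turning the passcode requirements above into a configuration profile and auditing one that was handed to you. It uses Apple's `com.apple.mobiledevice.passwordpolicy` payload keys; the identifiers and the weak "field" policy are constructed placeholders.

```python
import plistlib
import uuid

# Apple's passcode-policy payload type (Configuration Profile Reference).
PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

# Floor taken from the slides: passcode required, longer than four characters,
# complex, and the device wipes itself after ten failed attempts.
BASELINE = {"forcePIN": True, "allowSimple": False, "requireAlphanumeric": True,
            "minLength": 5, "maxFailedAttempts": 10}

# Constructed example of the weak policy often found in the field:
# a four-digit simple PIN and no lockout or wipe.
WEAK = {"forcePIN": True, "allowSimple": True, "minLength": 4}


def build_profile(settings, name="Passcode policy"):
    """Return an XML .mobileconfig (plist bytes) carrying one passcode payload."""
    payload = {"PayloadType": PASSCODE_PAYLOAD, "PayloadVersion": 1,
               "PayloadIdentifier": "example.passcode",  # placeholder id
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": name, **settings}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "example.profile",   # placeholder id
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": name, "PayloadContent": [payload]}
    return plistlib.dumps(profile)


def audit_profile(data):
    """Return the ways a profile's passcode payload falls short of BASELINE."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return ["no passcode policy payload present"]
    findings = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("passcode not required")
        if p.get("allowSimple", True):  # Apple's default allows simple PINs
            findings.append("simple passcodes allowed")
        if not p.get("requireAlphanumeric", False):
            findings.append("alphanumeric passcode not required")
        if p.get("minLength", 0) < BASELINE["minLength"]:
            findings.append("minimum length below 5")
        if p.get("maxFailedAttempts", 99) > BASELINE["maxFailedAttempts"]:
            findings.append("no wipe after 10 failed attempts")
    return findings
```

Installing the generated profile on a device or through an MDM is what actually enforces the policy; the audit only tells you what a given profile would enforce.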
• You might want to ensure some applications don’t get installed
• “Cloud” data storage applications
– DropBox
– Evernote
– Microsoft OneNote
• What about iCloud?
• Could your corporate data be floating in the cloud?
• Do you have polices and procedures to address this?
Configure VPN
• Ensure the VPN is configured when accessing corporate resources. Hard to enforce at the device level for
all communications
• Could be interesting with a corporate vs. personally
owned device
Enable Remote Management
• Enable FindMyPhone (MobileMe) at a minimum
– For very small deployments this could work
• For true Enterprise level management you must use
a third-party MDM
– Decide which type of enrollment is best for you
– Whitelist approach may be best
• Allow only devices you have authorized
(corporate owned?)
Find My Phone
• Very easy to use and it
Don’t Allow Jailbreaking
• Bypasses the passcode in some cases
• Removes some built-in security features
• Can leave you vulnerable to third-party applications
not vetted by Apple
• Ensure third-party MDM solutions prevent
• For some reason Apple disabled the Jailbreak check
API in iOS > 4.2 (mostly for liability reasons)
• Address this in your mobile device policy
Keep iOS Up To Date
• Always update and use the latest Apple iOS firmware
• Many vulnerabilities are fixed
• Security is always improving
Encrypt Backups
• Always enable the encryption option in iTunes
• Some third-party MDMs have alternate backup
methods (server centralized)
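An added example (not from the slides) that serves both the backup section earlier and this one: a check that reads the Manifest.plist of an iTunes backup to report whether the encryption option was on and which iOS version the device ran. The Manifest.plist keys (`IsEncrypted`, `Lockdown`) and the `<udid>/Manifest.plist` folder layout are assumed from iTunes' backup format, not stated on the slides; the sample manifests are constructed.

```python
import plistlib
from pathlib import Path

# An iTunes backup folder holds a Manifest.plist whose "IsEncrypted" key records
# whether "Encrypt iPhone backup" was on and whose "Lockdown" dict carries
# device details such as the iOS version (layout assumed, not from the slides).


def parse_manifest(data):
    """Return (encrypted, ios_version, device_name) from Manifest.plist bytes."""
    manifest = plistlib.loads(data)
    lockdown = manifest.get("Lockdown", {})
    return (bool(manifest.get("IsEncrypted", False)),
            lockdown.get("ProductVersion", "unknown"),
            lockdown.get("DeviceName", "unknown"))


def _version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def audit_backup(data, min_ios="4.3.3"):
    """Flag an unencrypted backup, or one from an iOS older than min_ios
    (4.3.3 is where the slides say the location-data issue was fixed)."""
    encrypted, version, name = parse_manifest(data)
    findings = []
    if not encrypted:
        findings.append(f"{name}: backup is NOT encrypted (the iTunes default)")
    if version == "unknown" or _version_tuple(version) < _version_tuple(min_ios):
        findings.append(f"{name}: iOS {version} is older than {min_ios}")
    return findings


def audit_backup_dir(root):
    """Audit every <udid>/Manifest.plist below a MobileSync backup directory."""
    return {m.parent.name: audit_backup(m.read_bytes())
            for m in Path(root).glob("*/Manifest.plist")}


# Constructed sample manifests, written as binary plists the way iTunes does.
SAMPLE_UNENCRYPTED = plistlib.dumps(
    {"IsEncrypted": False,
     "Lockdown": {"ProductVersion": "4.2.1", "DeviceName": "CFO iPhone"}},
    fmt=plistlib.FMT_BINARY)
SAMPLE_ENCRYPTED = plistlib.dumps(
    {"IsEncrypted": True,
     "Lockdown": {"ProductVersion": "5.0.1", "DeviceName": "Test iPad"}},
    fmt=plistlib.FMT_BINARY)
```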
Selling or Redeploying
• Use a secure wipe solution
– Latest version of iTunes includes this
– Third-party solutions available via MDM
• Ultra paranoid?
– Try the iErase app in the Apple App Store
– Erases slack space periodically
• It’s important to carefully evaluate any deployment
of iOS devices
• Unfortunately, many devices are being used after
employees have connected them to your network
• Conduct periodic penetration tests and assessments
to ensure your controls are working
• iOS and threats to these devices are always changing
Where to Find More Information
• Links to all the tools and articles mentioned in this
Twitter: @agent0x0 Email: [email protected]