Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Who am I ?
# @GotoHack
DAY: Pentester & Team Leader
NIGHT: Security Researcher
# Area of expertise
Mobility / BYOD
Web application
Embedded systems
Hardware Hacking
# Publications
GreHack 2012
Practical iOS Application Hacking
HACK.lu 2012
Hacking iOS Application
MobileSafari
MobileMail
AppStore
iDevices
BootROM
LLB
iBoot
DFU Mode
IMG3
X509
Fake DFU
IMG3
X509
Recovery mode
IMG3
X509
Kernel
Deamons
iTunes services:
Backup, AFC,
(USBMux)
Apps
Accessory
Protocol
(Serial)
Bootime
Runtime
GOTO: H[a]CK
iTunes Services
5
5
# USBmuxd
Hello
USBMuxd
Hello
USBMux Client
device ID
TCP connect request
Lockdownd
# Lockdownd binary
Responsible for several tasks
Pairing,
Activation,
Unlocking FairPlay certificates,
Delegating communications to other services
Host
Pairing request
Pairing OK
lockdownd
libmobiledevice
USBMuxd
AFC Client
AFC Commands
AFC Service
AFC Results
{Request=QueryType}
{Request=QueryType, Result=Success, Type=com.apple.mobile.lockdown}
{Request=GetValue, Label=xxxx}
{PairRecord={DevicePublicKey=xxxxx, DeviceCertificate=xxxx,HostCertificate=xxxx,
HostID=xxxx,RootCertificate=xxxx, SystemBUID=xxxx}, Request=Pair}
{Request=Pair, EscrowBag=xxxx}
{PairRecord={DevicePublicKey=xxxxx, DeviceCertificate=xxxx, HostCertificate=xxxx,
HostID=xxxx,RootCertificate=xxxx, SystemBUID=xxxx}, Request=ValidatePair}
Lockdown Client
Lockdownd (Device)
{Request=ValidatePair}
{HostID=xxx, Request=StartSession}
{SessionID=xxx, Request=StartSession, EnableSessionSSL=True}
9
libImobiledevice / pymobiledevice
# Libimobiledevice
# Pymobiledevice
Lite python implementation
Handles only most important protocols to support iDevices
Based on the open source implementation of usbmuxd
10
com.apple.mobilebackup &
com.apple.mobilebackup2
# Mobilebackup services
Used by iTunes to backup the device
# iDevice backup
Permit a user to restore personal data and settings
Abusing this service may allow an attacker
Retrieving personal and confidential data
SMS
Call Logs
application data
default preferences
data stored in the keychain (WiFi password, VPN Certificate Passwords).
Inject data to the device.
11
com.apple.afc
12
com.apple.mobile.house_arrest
# House_arrest
allows accessing to AppStore applications folders and their content.
13
com.apple.mobile.installation_proxy
# Installation proxy
Manages applications on a device
14
com.apple.mobile.diagnostics_relay
# Diagnostics relay
Allows requesting iOS diagnostic information.
Handles the following actions:
Puts the device into deep sleep mode and disconnects from host.
Restart the device and optionally show a user notification.
Shutdown of the device and optionally show a user notification.
15
com.apple.mobile.file_relay
# File_Relay
Allow paired devices to launch the following commands
AppleSupport,
Network,
WiFi,
SystemConfiguration,
VPN,
UserDatabases,
CrashReporter,
Tmp,
Caches
All the files returned are stored in clear text in a CPIO archive
Asking for UserDatabases allow retrieving
SMS, Contacts, Calendar and Email from databases in clear text.
16
Summary
SMS
Call Logs
application data
default preferences and data stored in the keychain (using backup)
17
GOTO: H[a]CK
Reversing an
Apple MFI accessory
18
Anatomy of an Accessory
19
iDevice interface
Mother board
20
21
R5F2126
In-System Programming
On-chip data flash (1Kbytes)
Internal ROM (32 Kbytes)
22
iDevice interface
23
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
J1 iDevice connector
550K
2V
49.9K
49.9K
43.2K
75K
GND
5V
Tx
Rx
AC DET
IP DET
IPOD R
A GND
IPOD L
2,6V
J2
Audio
RS232
Charging
24
# 30 pins adapters
Allows to connect 30-pin accessories to devices
featuring the Lightning connector.
Successfully tested on the dock station used for
our analysis
25
26
Request/Response Structure
Play
https://nuxx.net/wiki/Apple_Accessory_Protocol
27
Summary
# Hacking the firmware of the C ?
Not relevant regarding our goal
We need some space to store user data
GOTO: H[a]CK
Weaponizing an
Apple
MFIpour
accessory
Cliquez
modifier
le style du
titre
29
29
1
1
1
1
1
1
1
Raspberry pi
PodSocket
PodBreakout
USB Connector
mini USB Connector
WiFi USB Key
SDcard
30
Hardware Hacking
31
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
J1 iDevice connector
550K
2V
49.9K
49.9K
43.2K
75K
GND
5V
Tx
Rx
AC DET
IP DET
IPOD R
A GND
IPOD L
2,6V
J2
Audio
RS232
Charging
32
GND
5V
Tx
Rx
AC DET
IP DET
IPOD R
A GND
IPOD L
VCC
D+
DGND
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Enabling USB
J1 iDevice connector
550K
J3 USB
J2
Audio
RS232
USB
33
Hardware MiTM
Cheap ARM GNU Linux board
34
GOTO: H[a]CK
Demo
35
iPown
Personal Data dumper
36
iPown
Personal Data dumper
GOTO: H[a]CK
iPown 2.0
Automating Jailbreak
38
38
Public Jailbreaks
#
jailbreakme.com
Exploits by comex, Grant Paul (chpwn), Jay Freeman (saurik) & MuscleNerd
Targeting MobileSafari
Could be used against an unwitting victim
Only working on old devices
iDevices refuse to communicate over USB if they are locked unless they have previously
paired.
Lower security impact
only useful to the phones owner
39
evasi0n
40
Evasi0n
Initialization & Stage 1
# Evasi0n Stage 1
Pairing with the device
Starting com.apple.mobile.file_relay service
Retrieving the com.apple.mobile.installation.plist
plist file
caches the list of installed applications
41
Evasi0n
Stage 2: Overview
# Evasi0n Stage 2
Chmod 777 /var/tmp/launchd
Injecting symbolic link 1/2
/var/db/timezone -> /var/tmp/launchd
Evasi0n
Stage 2: Remout payload
# Executing DemoApp.app => Executing the remount script
Evasi0n
Stage 2: Remouting the file system in R/W
44
Evasi0n
Stage 3: Injecting final payload
# Evasi0n Stage 3
Creating a directory at /var/evasi0n containing 4 files
launchd.conf.
List
amfi.dylib
Loaded with DYLD_INSERT_LIBRARY
Contains only lazy bindings and no TEXT section
No TEXT/text section means that there is nothing to sign
Overriding MISValidateSignature in order to always return 0
Allowing unsigned code execution
Evasi0n Binary :
Executed with root privilege in the early boot environment.
Launches the kernel exploit
Udid
Contains the UDID of the current device
45
Reimplementing evasi0n
Modding evasi0n installer
46
Original Schematic
in
iPown Schematic
in
out
47
GOTO: H[a]CK
Demo
48
Room 2 : Attacker
49
50
GOTO: H[a]CK
Conclusion
51
51
Conclusion
# Apple made the choice of user experience instead of security.
It is possible to build up a malicious device in order to get both the
data and the control of iDevices.
52
Credits
GOTO: H[a]CK
le style du
titre
54
54