hacking ios gamecenter and passbook
Post on 01-Jan-2017
Hacking iOS Game Center and Passbook with Proxies Louisville Metro Infosec Conference:
October 3, 2013
• Karl Fosaaen
Senior Security Consultant
At NetSPI
Twitter: @kfosaaen
Who am I?
Presentation Overview
• Intercepting iOS Traffic
• Why and How
• Tools
• Certificates
• Identifying Pinning
• Attack Examples
• GameCenter Scores
• GameCenter Hashes
• Passbook files
• Conclusions
Intercepting traffic: Why
• iOS traffic can be interesting
‒ Most apps use web service calls
‒ Most apps are web browsers
• Traffic tampering
‒ Can you name your own price?
‒ Submit a higher score?
• Server responses can be interesting
‒ Modify what the server says to trick your app
‒ Intercepting files (ie: Passbook Passes)
Intercepting traffic: How
• Use an intercepting proxy
‒ Set it up to capture your traffic
‒ Store and forward allows for tampering
• SSL Interception
‒ Requires a trusted certificate
‒ Some apps don’t trust the iOS certificate store
• This is a good thing, just a pain for interception
• Traffic sniffing
‒ Some apps send requests in the clear
‒ Packet sniffing can be useful
Intercepting traffic: Tools
• Burp
• iOS simulator
• Other Proxies
Intercepting Traffic: Certs
• Exporting the Burp Root CA
• Save the root cert as PortSwiggerCA.crt
• Send the cert to yourself via email and add it to your iOS device
• Instructions from Portswigger: http://portswigger.net/burp/help/proxy_options_installingCAcert.html#iphone
Intercepting Traffic: Certs
• Exporting the Burp Root CA
• Certificate installed on iPhone
Intercepting Traffic: Burp
• Burp Set Up
Intercepting Traffic: Burp
• iOS Proxy Set Up
Intercepting Traffic: Burp
• Intercepted iOS traffic
• HTTPS request to Google from iPhone
Intercepting Traffic: Burp
• A quick warning…
‒ Watch your credentials
• Exchange ActiveSync sends encoded passwords
• Your login creds for other apps and sites will get stored in your proxy
‒ Mostly watch the data getting stored in your proxy
• You never know when you will need to send your Burp session to someone else
Intercepting Traffic: Certs
• Identifying pinned apps
• Able to intercept normal browser SSL traffic
• Can’t get app specific data
• Pinning might be in use
• The app may also be looking for specific cert parameters
• This is not pinning
• It’s cert checking
Attack Examples
• GameCenter High Scores
• GameCenter Email Hashes
• Passbook files
‒ Boarding Passes
‒ Coupons
‒ Gift Cards
Attack Examples: GameCenter
• Attacking High Scores
‒ GameCenter scores update with HTTPS POST requests
‒No input validation on “score-value” parameter
• Max score of 9,223,372,036,844,775,807
Attack Examples: GameCenter
• Attack Process
‒ Set up intercepting proxy
‒ Play a game
• Beat the first level, or
• Trigger a score update
‒ Intercept the score update
• Look for “submitScores” page
‒ Replace score value with 9,223,372,036,844,775,807
Attack Examples: GameCenter
‒ Bad News
• This was fixed in iOS 7
• There’s a token now
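The slides say the score endpoint accepted any “score-value” and that iOS 7 later added a token; the talk does not describe what that token covers. The following is an added example (not code from the talk or from Apple) of the checks a leaderboard backend can apply on its own side: a server-issued HMAC token that binds a submission to a player and session, plus type, range and plausibility checks on the value. The key, the ceiling, the scoring rate and the session table are all assumed values constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Assumed backend values for this example (the talk does not describe Apple's token).
SERVER_KEY = secrets.token_bytes(32)   # secret that never leaves the backend
SCORE_MAX = 1_000_000                  # leaderboard ceiling chosen from the game's design
POINTS_PER_SECOND_MAX = 50             # fastest rate a legitimate player could possibly score

# Constructed session table the backend maintains: session id -> (player id, seconds played).
SESSIONS: Dict[str, Tuple[str, int]] = {"sess-42": ("player-7", 120)}


def issue_token(player_id: str, session_id: str, key: bytes = SERVER_KEY) -> str:
    """Handed to the client at session start; binds later submissions to this player and session."""
    return hmac.new(key, f"{player_id}|{session_id}".encode(), hashlib.sha256).hexdigest()


def validate_submission(sub: dict, key: bytes = SERVER_KEY) -> Tuple[bool, str]:
    """Apply the checks a backend can make on a score update: token, type, range, plausibility."""
    session_id = str(sub.get("session_id", ""))
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "unknown session"
    player_id, seconds_played = session
    if sub.get("player_id") != player_id:
        return False, "session belongs to another player"
    expected = issue_token(player_id, session_id, key)
    if not hmac.compare_digest(expected, str(sub.get("token", ""))):
        return False, "bad token"
    raw = sub.get("score-value")
    # Reject strings, booleans, negatives and anything past the ceiling
    if isinstance(raw, bool) or not isinstance(raw, int):
        return False, "score-value must be an integer"
    if raw < 0 or raw > SCORE_MAX:
        return False, "score-value out of range"
    # A token only proves who is submitting; the player still controls the value,
    # so compare it with what this session could plausibly have earned.
    if raw > seconds_played * POINTS_PER_SECOND_MAX:
        return False, "score implausible for session length"
    return True, "accepted"


if __name__ == "__main__":
    token = issue_token("player-7", "sess-42")
    for value in (3000, 9223372036844775807, 6500):
        sub = {"player_id": "player-7", "session_id": "sess-42", "token": token, "score-value": value}
        print(value, validate_submission(sub))
```

The plausibility check is the part a token cannot replace: the device that holds the token is the one the player controls, so the backend has to decide for itself whether a value could have been earned in the time the session has existed.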
Attack Examples: GameCenter
Capturing GameCenter Email Hashes
Attack Examples: GameCenter
• Capturing Email Hashes
• SHA1 email hashes can be leaked by requesting player information
• This can be done for current friends and accounts of “friends of friends”
• What can we do with these?
• Why would anyone want those?
Attack Examples: GameCenter
• Capturing Email Hashes
• Step One: Add a bunch of friends
• Current recommendations, leaderboards, friends of your friends
Attack Examples: GameCenter
• Capturing Email Hashes
• Step Two: Get a list of all of their friends
• So “friends of friends”
• Use Burp for this
Attack Examples: GameCenter
• Capturing Email Hashes
• Results!
Attack Examples: GameCenter
• Capturing Email Hashes
• Step Three: Friend request all of them
Attack Examples: GameCenter
• Capturing Email Hashes
• RETURN to Step One multiple times
• Step Four: Query the email hashes for all of your friends and all of their friends too
• This will be done with intruder in Burp
• Much like step three – Send the request on the next slide to intruder
Attack Examples: GameCenter
• Next Steps
‒ So you have some hashes, so what…
• You have their handle, first and last names too
‒ What’s your email address?
• Common email user names
• First.last
• FirstinitialLast
• Handle/username
• NameBirthYear (or other “significant” number)
‒ Who’s your email provider?
• Gmail, yahoo, hotmail, AOL
Attack Examples: GameCenter
• Cracking Email Hashes
‒ PowerShell Script to Guess Email user names
• kfosaaen@example.com
• k.fosaaen@example.com
• karlfosaaen@example.com
• karl.fosaaen@example.com
• karl.f@example.com
• karlf@example.com
‒ Append the top 500 email domains to the end and SHA1 the whole thing
Attack Examples: GameCenter
• Cracking Email Hashes
‒ PowerShell Script to SHA1 hash the guessed emails
• This was basic, but worked well
‒ Use the email guesses as a dictionary for Hashcat
• The rule set can be customized to make cracking easier
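The slides explain why these hashes fall: an unkeyed SHA1 of a low-entropy address is reproducible by anyone who can guess the address. The following is an added example (not from the talk) of the check a reviewer runs against an identifier scheme, and of the keyed alternative that “Limiting data leakage from apps” points toward. The candidate list, the sample address and the server key are constructed for the demo; a real review would generate the candidate list from the name patterns and domains the slides describe rather than type it out.

```python
import hashlib
import hmac
import secrets
from typing import Callable, List, Optional

# Constructed candidate list standing in for the username patterns and domains
# the slides describe (first.last, first-initial+last, handle, ...).
CANDIDATES = [
    "pat.example@example.com",
    "pexample@example.com",
    "patexample@example.org",
    "pat.e@example.net",
]

# Assumed server-side secret for the keyed variant; it never ships to clients.
SERVER_KEY = secrets.token_bytes(32)


def normalize(email: str) -> bytes:
    """Case and whitespace must be canonical or two copies of one address hash differently."""
    return email.strip().lower().encode()


def sha1_identifier(email: str) -> str:
    """The leaky design: an unkeyed SHA1 of the address, reproducible by anyone."""
    return hashlib.sha1(normalize(email)).hexdigest().upper()


def keyed_identifier(email: str, key: bytes = SERVER_KEY) -> str:
    """A keyed alternative: HMAC-SHA256 under a secret only the backend holds."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest().upper()


def recover_from_candidates(identifier: str, candidates: List[str],
                            derive: Callable[[str], str]) -> Optional[str]:
    """Return the candidate that reproduces `identifier` under `derive`, or None.

    If a short list of guessable addresses reproduces the value, the scheme does
    not protect the address and the identifier should not leave the backend.
    """
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), identifier):
            return candidate
    return None


if __name__ == "__main__":
    leaked = sha1_identifier("Pat.Example@example.com")
    print("SHA1 id recovered as:", recover_from_candidates(leaked, CANDIDATES, sha1_identifier))
    keyed = keyed_identifier("pat.example@example.com")
    outsider = lambda e: keyed_identifier(e, b"\x00" * 32)  # someone without SERVER_KEY
    print("keyed id recovered by outsider:", recover_from_candidates(keyed, CANDIDATES, outsider))
```

With the keyed identifier the backend can still match friends against each other (it holds the key), but a value that reaches a client gives an outsider nothing to guess against. The stronger fix is the one the conclusions imply: do not return a derived identifier to the client at all unless a feature genuinely needs it.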
Attack Examples: GameCenter
• Final Numbers:
‒ 222 friends added* (as of 9/9/13)
  * Records collection stopped after 45 friends
‒ 1,635 records gathered
• 1,534 after Unicode removal
‒ 300 email hashes cracked (19.5%)
Records Example:
591542B50A99EAA8E41136305075F9FF708F1992 bubblefishgumpop Deb Morgan
Attack Examples: Passbook
Passbook
Attack Examples: Passbook
• Multiple Apps are now available with Passbook
• Mostly used to store loyalty cards, coupons, and boarding passes
‒ Gift cards are now getting adopted
• Can actually be pretty convenient to use
Attack Examples: Passbook
• Common Application Issues:
• Failure to securely deliver .pkpass files
• No HTTPs or certificate pinning
• Failure to validate pass information on backend systems
• Do you really have $1,000 on that gift card?
Attack Examples: Passbook
• Passes are sent as .pkpass files
‒ .pkpass is just a renamed .zip file
‒ Required contents:
• manifest.json
• pass.json
• Signature
• A signature file for integrity
• Prevents file replacement and a re-zip
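The slides list the three required entries and the issue that matters most on the backend: a pass signed with someone’s developer certificate is still untrusted input, so the value on a gift card or the seat on a boarding pass has to be checked against the issuer’s own records. The following is an added example (not code from the talk, Apple, or any app) that builds a small .pkpass in memory, checks every entry against manifest.json (which maps file names to SHA-1 digests), shows what a naive file-replace-and-re-zip looks like to that check, and resolves the pass’s value from a backend ledger rather than from pass.json. The ledger, serial numbers and the placeholder signature are constructed for the demo; verifying the real PKCS#7 signature over manifest.json against the expected issuer certificate is a separate step this example does not perform.

```python
import hashlib
import io
import json
import zipfile
from typing import Dict, List

# Entries every .pkpass must carry (the slides list these three).
REQUIRED = {"manifest.json", "pass.json", "signature"}

# Constructed backend ledger: serial number -> balance the issuer actually holds.
# The pass itself is never the source of truth for this value.
LEDGER = {"GC-0001": 25.00}


def build_sample_pkpass(pass_json: Dict) -> bytes:
    """Build an in-memory .pkpass (a plain zip) for the demo.

    The 'signature' entry is a placeholder; a real pass carries a PKCS#7
    signature over manifest.json made with the issuer's pass type certificate.
    """
    files = {
        "pass.json": json.dumps(pass_json).encode(),
        "icon.png": b"\x89PNG placeholder bytes",  # constructed, not a real image
    }
    # manifest.json maps each file name to the SHA-1 of that file's contents
    manifest = {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("signature", b"PKCS7-SIGNATURE-PLACEHOLDER")
    return buf.getvalue()


def replace_pass_json(pkpass: bytes, new_pass_json: Dict) -> bytes:
    """Swap pass.json and re-zip without touching manifest.json (the 'file replacement and a re-zip' case)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(pkpass)) as src, zipfile.ZipFile(buf, "w") as dst:
        for name in src.namelist():
            data = json.dumps(new_pass_json).encode() if name == "pass.json" else src.read(name)
            dst.writestr(name, data)
    return buf.getvalue()


def manifest_problems(pkpass: bytes) -> List[str]:
    """Return the integrity problems found; an empty list means every file matches manifest.json."""
    problems: List[str] = []
    with zipfile.ZipFile(io.BytesIO(pkpass)) as z:
        names = set(z.namelist())
        for name in sorted(REQUIRED - names):
            problems.append(f"missing required entry: {name}")
        if "manifest.json" not in names:
            return problems
        manifest = json.loads(z.read("manifest.json"))
        for name in sorted(names - {"manifest.json", "signature"}):
            if name not in manifest:
                problems.append(f"{name}: not listed in manifest.json")
            elif hashlib.sha1(z.read(name)).hexdigest() != manifest[name]:
                problems.append(f"{name}: SHA-1 does not match manifest.json")
    # A re-signed manifest passes this check; only verifying the PKCS#7 signature
    # against the expected issuer certificate catches a pass signed by someone else.
    return problems


def redeem_value(pkpass: bytes) -> float:
    """Backend lookup: resolve the balance from the serial number, ignoring any amount printed on the pass."""
    with zipfile.ZipFile(io.BytesIO(pkpass)) as z:
        pass_json = json.loads(z.read("pass.json"))
    serial = pass_json.get("serialNumber", "")
    return LEDGER.get(serial, 0.0)


if __name__ == "__main__":
    original = build_sample_pkpass({"formatVersion": 1, "serialNumber": "GC-0001", "balance": "25.00"})
    tampered = replace_pass_json(original, {"formatVersion": 1, "serialNumber": "GC-0001", "balance": "1000.00"})
    print("original:", manifest_problems(original), redeem_value(original))
    print("tampered:", manifest_problems(tampered), redeem_value(tampered))
```

The last function is the mitigation the “Do you really have $1,000 on that gift card?” slide asks for: whatever the pass claims, the backend answers from its own ledger, so a re-signed pass with an edited balance is worth exactly what the serial number is worth.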
Attack Examples: Passbook
• Creating your own
‒ Join the Apple Developer Program ($99)
‒ Modify the pass.json to match your needs
• The teamIdentifier and passTypeIdentifier fields need to be modified to match your Apple cert
• Modify the pass details that you want to
‒ Use the signpass application (from Apple) to generate the new .pkpass file
‒ Can be done in Windows
• Apple Developer cert is still needed
Attack Examples: Passbook
• Deployment
‒ Can be done via email or web server
Attack Examples: Passbook
• Attack overview
‒ Set up your intercepting proxy
‒ Request a Passbook pass from the app
• Look for the “Add to Passbook” button
‒ Intercept the request for the pass
• Usually to a third party site
‒ Request and save the pass in your browser
‒ Modify your pass
‒ Resign and use your new and improved pass
Attack Examples: Passbook
• Avoiding issues with cert pinned apps
• Open the app without the proxy enabled
• Get up to the page where you request the pass
• Switch over to your preferences
• Turn on the Proxy
• Request the pass
Attack Examples: Passbook
Example Time!
Attack Examples: Passbook
• Delta Boarding Passes
‒ One of many Passbook apps, but it’s the one that I use the most
‒ Main Delta App does not do certificate pinning
Attack Examples: Passbook
• Delta Boarding Passes
‒ Request for Passbook pass
Attack Examples: Passbook
• Delta Boarding Passes
‒ Extracted pkpass file
‒ Extracted Sky Priority pkpass file
Attack Examples: Passbook
• Delta Boarding Passes
‒ Modify the pass.json file
‒ And include the footer images in the directory
Attack Examples: Passbook
• Delta Boarding Passes
‒ Run the Signpass utility and email yourself the pass
Attack Examples: Passbook
• Original/Modified Delta Boarding Pass
Conclusions
• Fixes
• Certificate pinning
• Better input validation
• Limiting data leakage from apps
• Questions?
Hacking iOS Game Center and Passbook
• Karl Fosaaen
‒ Security Consultant at NetSPI
‒ Twitter: @kfosaaen