2014 © Dino Security S.L.
All rights reserved. Todos los derechos reservados.
www.dinosec.com
@dinosec
Raúl Siles
@raulsiles
@dinosec
June 3, 2014
i S
2 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
3 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Outline
• Vulnerability research and markets
• Apple & iOS: State of the art
– iPhone/iPad in business
– SSA
• Can we manipulate the iOS update process?
• Vulnerability details: iOS 5, 6, 7…
– Attacks
• Conclusions
• Credits
4 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Vulnerability Research & Markets
Insider View
5 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Vulnerability Markets
• How is security vulnerability information managed and traded today?
– Importance of (vulnerability) information systems for the modern economy and society
• Who is going to potentially buy your cyber weapon?
– Closed privileged groups
• Black market: cyber criminals
• Public markets: private security companies, governments, brokers…
– E.g. Subscription fees for 25 zero-days per year: USD $2.5 million
– What is it going to be used for?
• Compromise all vulnerable systems without people ever knowing about the threat
– Vulns remain private for an average of 151 days (+100 exploits per year)
– Real risk exposure: Assume you are already compromised
• NSSLabs – “The Known Unknowns” (Dec 5, 2013)
– “International Vulnerability Purchase Program” (Dec 17, 2013)
https://www.nsslabs.com/reports/known-unknowns-0
https://www.nsslabs.com/reports/ivpp
6 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Disclosure Options
‘Responsible’ disclosure
• Do nothing
– Assuming it is the best way to serve the community
• Coordinated disclosure (vendor)
– Information about vulnerabilities is a valuable asset
• Security researchers require compensation for time spent
• Full disclosure
– Motivate vendors to act
• Sell it
– Bug bounty (vendor)
– Broker or directly to third-parties
7 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Vulnerability Research
• For previous vulnerability research I followed…
– Responsible and coordinated disclosure with vendors
– But it was time to research the current vulnerability markets
• Vulnerability was accepted and published in one of the vulnerability purchase programs
• No real interest beyond RCE, LPE and information disclosure (memory addresses)
• Vulnerability discovered in early 2012 (+2.5 years)
– Keeping it private (as far as I know) and verifying it is still not public and still valid
requires a lot of effort (especially over long periods of time)
– Remained private until March 2014 (at RootedCON)
• What happens in Madrid stays in Madrid
– … and June 2014 at Area41: “First anniversary!”
• What if someone finds it meanwhile… or the vendor fixes it?
– For how long can a not very complex vulnerability remain undisclosed?
– Value of modern vulnerabilities and exploits is based on who knows about them
• How to provide details without disclosing too much?
8 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Vulnerability Research & Disclosure
• We know vendors do not always take relevant issues seriously…
– "Why iOS (Android…) Fail inexplicably". Raul Siles. Rooted CON 2013
• “When should a researcher initially notify a vendor with no serious
bug bounty before releasing an undisclosed vulnerability in a
security conference?” (Community disclosure?)
– It depends: vendor, bug, researcher, follow-ups… (“negotiate”)
• Complexity, criticality, scope…
• Evolution of security business landscape
– Vulnerability disclosure policies are like assh*les…
• …everyone has one!
• The "Month and a Day Rule" (DinoSec 2014)
– Similar to common law sentences
– Vulnerability notified to Apple on February 6, 2014 (1m + 1d)
9 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Apple & iOS: State of the Art
10 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
iPhone/iPad in Business (1/2)
• Your business or Apple business model?
– Hardware, software, services & contents
• App Store & iTunes
• Apple Q1 2014 financial results
– Sales (quarter): 51M iPhones & 26M iPads
– Revenue: $57.6 billion
• $4.4 billion on iTunes/Software/Service
– Net quarterly profit: $13.1 billion
– 65 billion in apps cumulative ($15 billion to developers)
• 1 million apps cumulative in 24 categories
https://www.apple.com/pr/library/2014/01/27Apple-Reports-First-Quarter-Results.html
11 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
iPhone/iPad in Business (2/2)
• iOS design, features, and architecture
– https://www.apple.com/iphone/business/it/
– https://www.apple.com/ipad/business/it/
• iOS security model (Feb’14)
– Updates: System Software Authorization
https://www.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf
12 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
System Software Authorization (1/2)
• To prevent devices from being downgraded
– Older versions lack the latest security updates
• “An attacker who gains possession of a device could install an older version of iOS and exploit a vulnerability that’s been fixed in the newer version”
• Jailbreak?
• iTunes or wirelessly over the air (OTA)
– Full copy of iOS or only the components required
• Connects to Apple’s installation authorization server
– Crypto measurements for each part of the installation bundle (LLB, iBoot, kernel & OS image), nonce & ECID (device unique ID)
13 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
System Software Authorization (2/2)
• Authorization server checks measurements
against versions permitted by Apple
– Allows only latest version for each device model
• Narrow signing window (~24h)
– Apple signs measurements, nonce and ECID
• Per device (ECID) and per restore (nonce)
• Every firmware installation is remotely verified (signed) by Apple during every restore or upgrade
– Started with iPhone 3G[S] & iOS 3 (using ECID only)
• “Verifying restore with Apple...”
– iTunes “personalizes” the firmware file (ECID…): SHSH
14 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Apple iOS Downgrade (1/3)
• SHSH blobs and APTickets
– Signature HaSH (SHSH blobs) and nonce (APTicket)
• Cydia (saurik) & redsn0w (Musclenerd) & iFaith (iH8sn0w)
• TSS Center (Cydia), redsn0w, TU, iFaith…
– MitM (& cache) signature server: gs.apple.com
• Source: http://svn.saurik.com/repos/menes/trunk/cysts/
– The verifier was the Tatsu Signing Server (TSS)
• Spidercab (Apple internal equivalent), running at ‘tatsu-tss-internal.apple.com’ (Apple VPN), is used to sign old versions...
http://www.saurik.com/id/12 (iOS 3.x)
http://www.saurik.com/id/15 (iOS 6.x)
15 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Apple iOS Downgrade (2/3)
• SHSH blobs (SHA-1 hashes; 160-bit digests)
– iPhone Software (IPSW) file (ZIP file)
• Build manifest: BuildManifest.plist
– List of files and their content (+ Apple integrity signature) digests
• “Personalization” process
– Build manifest → TSS request → Apple SHSH blobs → Replace the files’ signature section with the SHSH blobs
• APTickets
– Introduced with iOS 5.x
– Block of data with a digest for all files used during boot
• No IPSW file “personalization” any more (APTicket)
• Contains a “nonce” (anti-replay mechanism - uncacheable)
16 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Apple iOS Downgrade (3/3)
• Caching the uncacheable
– Restore to very old iOS versions (no APTicket)
– Downgrade tricks history
• http://www.jailbreakqa.com/faq#32763 …
– Exploits for reusing APTickets
• No way to downgrade from iOS 6.x to older versions on newer devices (as of April 2013)
– Eligible older devices
• iPhone 4 & 3G[S], iPad, and iPod Touch 4th (A4 processor)
– limera1n BootROM exploit (redsn0w can dump TSS info from device)
• iPad2
– Go from iOS 5 (or 6) to iOS 4 (no APTicket) and back to iOS 5
• iPad 2, 3 & iPhone 4s: From iOS 5 to any other iOS 5 version
Requirement: TSS information previously saved
17 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
http://iossupportmatrix.com
18 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Can We Manipulate the iOS Update Process?
Without a new BootROM exploit
19 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Relevant iOS 5 Change
• Over the Air (OTA)
– iOS software updates
• Settings - General - Software Update
– iTunes data sync & backup over Wi-Fi
• iTunes 10.5+
– Options – Sync with this iPhone over Wi-Fi
– iCloud backup
• Settings - iCloud - Storage & Backup
Apple fans behavior change: Getting rid of the USB cables
20 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
iOS OTA Update Process
• HTTP (vs. HTTPS)
– iOS software (IPSW) integrity verification
– Software update server: http://mesu.apple.com
• Automatically used by iOS…
– … or manually launched by the user
• Settings - General - Software Update
• iOS software update (plist) file (XML format)
– References (URLs) to all the current iOS version files
http://appldnld.apple.com
21 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Main iOS SW Update Files
• iOS software update (plist) file
– http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml
• iOS software update documentation (plist) file
– http://mesu.apple.com/assets/com_apple_MobileAsset_SoftwareUpdateDocumentation/com_apple_MobileAsset_SoftwareUpdateDocumentation.xml
• iOS 5.0 (GM) was not offered via OTA
– iOS 5.0 betas (4-7) & 5.1 beta 2 were offered via OTA
– iOS 5.0.1 was the first public OTA version
22 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
iOS 5.x & 6.x
23 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
iOS 5 & 6: HEAD Request
HEAD /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
Host: mesu.apple.com
User-Agent: MobileAsset/1.0
Connection: close
Content-Length: 0

HEAD /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
Host: mesu.apple.com
User-Agent: $%7BPRODUCT_NAME%7D/1 CFNetwork/548.0.4 Darwin/11.0.0
Content-Length: 0
Connection: close
24 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
iOS 5 & 6: HEAD Response
HTTP/1.1 200 OK
Server: Apache
ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
Content-MD5: oNVyoddHvxLCsQeRblBskw==
Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
Accept-Ranges: bytes
Content-Length: 283956
Content-Type: application/xml
Date: Mon, 20 Jan 2014 11:02:00 GMT
Connection: close
If it contains a date greater than the date from the last update, the device will ask for the new content: GET.
25 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
iOS 5 & 6: GET Req & Resp
GET /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
Host: mesu.apple.com
Connection: close
User-Agent: MobileAsset/1.0

HTTP/1.1 200 OK
Server: Apache
ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
Content-MD5: oNVyoddHvxLCsQeRblBskw==
Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
Accept-Ranges: bytes
Content-Length: 283956
Content-Type: application/xml
Date: Mon, 20 Jan 2014 11:02:00 GMT
Connection: keep-alive
...
26 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
iOS 5 & 6: GET Req & Resp
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Assets</key>
  <array>
    <dict>
      <key>Build</key>
      ...
      <key>OSVersion</key>
      <string>7.0.4</string>
      ...
  <key>Certificate</key>
  <data>
  MIID...YSoiag78twmDRk726aYmxNIfYYpDs0hS7Mw==
  </data>
  <key>Signature</key>
  <data>
  LyfS...pvlWlONSzNYx9qZdS6B7Fs6JgHqw9DA1d2w==
  </data>
  <key>SigningKey</key>
  <string>AssetManifestSigning</string>
</dict>
</plist>
Same behavior with the iOS SW update documentation file
27 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Last-Modified: Date
Can we manipulate the iOS update process?
28 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
StarWars or Matrix?
30 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
Vulnerability Exploitation
• Man in the Middle (MitM) attacks
– E.g. Wi-Fi network impersonation attacks
• http://www.dinosec.com/docs/RootedCON2013_Taddong_RaulSiles-WiFi.pdf
• http://vimeo.com/70718776
• iProxy: MitM Python tool
– Twisted (https://twistedmatrix.com)
• Event-driven networking engine (e.g. sslstrip)
– Implements both StarWars and Matrix attacks
• Multiple and flexible options
31 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
“These aren’t the updates you’re looking for”
32 2014 © Dino Security S.L. www.dinosec.com All rights reserved. Todos los derechos reservados.
StarWars Attack
• Block and/or drop the HEAD request (timeout)
– Fail: It sends a GET request
– Block and/or drop the GET request (timeout)
• Fail: Error message
– When the user manually checks for updates
– “Unable To Check for Update”
• Change the “Last-Modified” header of the HEAD response to the past
– “These aren’t the updates you’re looking for”
DEMO
“This is your last chance. After this, there is no turning back. You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Appleland and I show you how deep the update-hole goes.”
Matrix Attack
• Change the “Last-Modified” header of the HEAD response to the future
– Forcing a GET request
• Change the contents of the GET response
– Fail: The response contents are signed
– Replay attacks?
• Change the “Last-Modified” header of the GET response to the future & provide a previous file
– “You’re inside the Matrix”
• No more updates up to that future date
DEMO
iOS Software Update Files Repo
iCamasu
• iCamasu
– iOS com_apple_MobileAsset_SoftwareUpdate
• Python-based tool to parse and extract details
from Apple iOS software update PLIST files
– com_apple_MobileAsset_SoftwareUpdate.xml
• Version 0.41 (~ Area41)
– Multiple parsing options…
• Min & Max iOS versions, several summaries, search by iOS
version, search by Apple device, full details…
http://www.dinosec.com/en/lab.html#iCamasu
Released today!
$ ./iCamasu.py
com_apple_MobileAsset_SoftwareUpdate.xml (SHA-1:b21edffaf1b62d0d911a0974f15e54d111127162)
= 396870 bytes, 260 assets, 37 devices, 5 versions, min: 5.1.1, max: 7.1.1
iOS 7.x
iOS 7: GET Request
GET /assets/com_apple_MobileAsset_SoftwareUpdate/com_apple_MobileAsset_SoftwareUpdate.xml HTTP/1.1
Host: mesu.apple.com
If-Modified-Since: Tue, 07 Jan 2014 17:45:50 GMT
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-us
Connection: keep-alive
User-Agent: MobileAsset/1.0
HEAD request removed from iOS 7.
It discloses the date from the last update stored on the iOS device: THANKS iOS!
iOS 7: GET Response (304)
• If there is no new update from that date…
HTTP/1.1 304 Not Modified
Content-Type: application/xml
Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
Date: Mon, 20 Jan 2014 12:35:20 GMT
Connection: keep-alive
The date in the “Last-Modified” header does not influence the iOS behavior this time (304)
iOS 7: GET Response (200)
• If there is a new update from that date…
HTTP/1.1 200 OK
Server: Apache
ETag: "a0d572a1d747bf12c2b107916e506c93:1389116985"
Content-MD5: oNVyoddHvxLCsQeRblBskw==
Last-Modified: Tue, 07 Jan 2014 17:45:50 GMT
Accept-Ranges: bytes
Content-Length: 283956
Content-Type: application/xml
Date: Mon, 20 Jan 2014 11:02:00 GMT
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>
...
<plist version="1.0">
<dict>
...
<key>OSVersion</key>
<string>7.0.4</string> ...
Temporary vs. Permanent attacks
StarWars Attack
• Block and/or drop the GET request (timeout)
– Fail: Error message
• When the user manually checks for updates
• “Unable To Check for Update”
• Send a 304 response
– “These aren’t the updates you’re looking for”
• Change the “If-Modified-Since” header of the GET request to the future to get a 304 from Apple’s server
• Change the GET response manually to 304
This 304 Jedi trick does not work for iOS 6
DEMO
Matrix Attack
• Change the contents of the GET response
– Fail: The response contents are signed
– Replay attacks?
• Change the “Last-Modified” header of the GET response to the future
– “You’re inside the Matrix”
• No more updates up to that future date
DEMO
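A defender-side counterpart to the StarWars and Matrix manipulations described above: an added example (not a tool from the talk) that audits egress proxy records of the mesu.apple.com update check for a future If-Modified-Since in the request, a Last-Modified later than the server's own Date, or a Last-Modified that went backwards. The record format and all log lines are constructed for the example.

```python
"""Passive detection of tampered update-check dates in egress proxy records for
mesu.apple.com (added example, not a tool from the talk). The record format is
constructed for this example; adapt LINE_RE to your proxy's log format."""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# One constructed record per transaction:
# <seen-at> <host> <method> <status> ims="<request If-Modified-Since>" lm="<response Last-Modified>" date="<response Date>"
LOG = """\
2014-01-20T11:02:00Z mesu.apple.com GET 200 ims="-" lm="Tue, 07 Jan 2014 17:45:50 GMT" date="Mon, 20 Jan 2014 11:02:00 GMT"
2014-01-20T12:35:20Z mesu.apple.com GET 304 ims="Tue, 07 Jan 2014 17:45:50 GMT" lm="Tue, 07 Jan 2014 17:45:50 GMT" date="Mon, 20 Jan 2014 12:35:20 GMT"
2014-01-21T09:00:00Z mesu.apple.com GET 304 ims="Sat, 01 Jan 2050 00:00:00 GMT" lm="Tue, 07 Jan 2014 17:45:50 GMT" date="Tue, 21 Jan 2014 09:00:00 GMT"
2014-01-22T09:00:00Z mesu.apple.com GET 200 ims="-" lm="Sat, 01 Jan 2050 00:00:00 GMT" date="Wed, 22 Jan 2014 09:00:00 GMT"
2014-01-23T09:00:00Z mesu.apple.com HEAD 200 ims="-" lm="Mon, 01 Jan 2001 00:00:00 GMT" date="Thu, 23 Jan 2014 09:00:00 GMT"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) ims="([^"]*)" lm="([^"]*)" date="([^"]*)"$')
SLACK = timedelta(minutes=5)  # ordinary clock skew between device, proxy and server


def http_date(value):
    """RFC 1123 date -> aware UTC datetime; '-' or garbage -> None."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit(log_text):
    """Return [(line_no, reason)] for records whose dates look manipulated:
    a future If-Modified-Since in the request (the iOS 7 StarWars variant),
    a Last-Modified later than the server's own Date (Matrix), or a
    Last-Modified that went backwards for the feed (iOS 5/6 StarWars)."""
    findings = []
    baseline = None  # newest Last-Modified seen in a self-consistent response
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = LINE_RE.match(line)
        if not match:
            continue
        seen_at = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ims, last_modified, date = (http_date(match.group(i)) for i in (5, 6, 7))
        if ims is not None and ims > seen_at + SLACK:
            findings.append((line_no, "request If-Modified-Since is in the future"))
        if last_modified is None:
            continue
        if date is not None and last_modified > date + SLACK:
            findings.append((line_no, "response Last-Modified is later than its Date"))
            continue  # never let a future date become the baseline
        if baseline is not None and last_modified < baseline:
            findings.append((line_no, "response Last-Modified went backwards"))
        else:
            baseline = last_modified if baseline is None else max(baseline, last_modified)
    return findings


if __name__ == "__main__":
    for line_no, reason in audit(LOG):
        print(f"line {line_no}: {reason}")
```

The first two records are the legitimate exchanges captured on the earlier slides and produce no finding; records 3, 4 and 5 reproduce, respectively, a future request date, a future response date and a past response date.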
Conclusions
Vulnerability Details
• Affects iOS 5.x - 7.x (up to the latest version)
– iOS 5.0 released on October 12, 2011
– Vulnerability discovered in early 2012, between…
• 5.0.1 (Nov 10, 2011) & 5.1 (March 7, 2012)
• It has survived multiple iOS versions: 5, 6 & 7
– Long time verifying it has not been fixed
– Long time collecting iOS software update files (plist XML files)
• Targeted and very carefully planned attacks
– Plenty of time to launch future attacks
• Forever (persistent - Matrix) or between iOS updates (now)
• Stealthy attacks
– The update freeze can be reverted back silently
Vulnerability Limitations
• Cannot be used to downgrade to a previous version, but to remain on the current version
• Can be bypassed via iTunes
– Different update check mechanism (HTTPS)
– Temporarily, as iTunes does not change the iOS device update state if cancelled
– What is the current iOS update user behavior?
• iTunes or OTA
Vulnerability Usage
• Outside the information security field…
• People complaining because they didn’t want to update from iOS 6 to iOS 7
– Huge user interface (GUI) change they didn’t like
– But their iOS device used over 1 GB of space (e.g. on a 16 GB iPad) just to locally store the new iOS 7 update
• New update is available
• Download update
• Install update
• “Unwanted iOS 7 occupying space on iOS 6 devices”
Freeze the iOS device at iOS 6 and never get iOS 7
Vulnerability Exploitation
• Freeze the version of a target device and wait for the next juicy iOS update fixing a critical flaw
• Wait… that sounds like… goto fail;
– Speculation: Released on February 21, 2014 (although it is older)
• Without any public researcher recognition (Apple?)
– For iOS 7.0.6 & 6.1.6, but not for OS X Mavericks (10.9) - in a hurry?
– CVE-2014-1266
• Lack of proper certificate validation: DHE & ECDHE
• https://www.imperialviolet.org/2014/02/22/applebug.html
https://www.gotofail.com
Vulnerability Disclosure: History
• Vulnerability discovered in early 2012
– +2 years (or +750 days or +…)
– Obtained a copy of the iOS software update file for 5.0 & 5.0.1 from other researchers (March 2012), but not the early doc update files
• Vulnerability notified to Apple on February 6, 2014
– The “Month and a Day Rule” (“Yes We Can”)
• E-mails
– Feb 6: Standard Apple automated response confirming reception
– Feb 14: Apple asked for a PoC for permanent disabling
• Sent a detailed response clarifying the attack techniques
• “Thanks for the clarification.”
• A victim iPad got a new update on March 1, 2014
– Saturday: “Apple has changed something on their servers!”
• Without sending any notification to the researcher…
• … and trying to break his demo at Rooted CON 2014
Vulnerability Today (1/4)
Vulnerability Today (2/4)
• Apple implemented the following check in its iOS
software update server (mesu.apple.com) on March 1…
– Pseudo-code
...
/* Process GET request */
if ( header('If-Modified-Since') is missing ) ||
   ( header('If-Modified-Since') > date(now) )
    goto fail;
else
    /* Check the date to reply with a 304 or 200 */
    ...
fail:
    /* Send a '200 OK' response including the current iOS
       software update file, to avoid dates from the future */
    ...
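The pseudo-code above as a runnable model, added here to show why the post-March-1 check closes the freeze: Apple's real server code is not public, so both functions follow only what the slides describe. The "before" branch is a plain conditional-GET comparison that trusts any client-supplied date; the "after" branch sends the full feed whenever If-Modified-Since is missing or lies in the future. The feed and clock dates are taken from the captures on the earlier slides.

```python
"""Runnable model of the mesu.apple.com If-Modified-Since check before and
after the March 1, 2014 server change (added example; the real server code
is not public, so both branches follow the slides' description only)."""
from datetime import timezone
from email.utils import parsedate_to_datetime


def parse_http_date(value):
    """RFC 1123 date (e.g. 'Tue, 07 Jan 2014 17:45:50 GMT') -> aware UTC
    datetime, or None when the header is absent or unparseable."""
    if not value:
        return None
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


# Last-Modified of the feed currently on the server and the server clock at
# request time, both taken from the captures on the earlier slides.
FEED_LAST_MODIFIED = parse_http_date("Tue, 07 Jan 2014 17:45:50 GMT")
SAMPLE_NOW = parse_http_date("Mon, 20 Jan 2014 12:35:20 GMT")


def status_before_fix(request_headers, now=SAMPLE_NOW):
    """Pre-fix behaviour: a plain conditional-GET comparison. The client's
    date is trusted as-is, so a date in the future keeps answering 304 until
    that date passes and the device never fetches a newer feed (Matrix).
    'now' only mirrors the fixed version's signature; it is never consulted."""
    ims = parse_http_date(request_headers.get("If-Modified-Since"))
    if ims is None:
        return 200
    return 304 if FEED_LAST_MODIFIED <= ims else 200


def status_after_fix(request_headers, now=SAMPLE_NOW):
    """Post-fix behaviour as the pseudo-code describes it: a missing or
    future If-Modified-Since takes the 'goto fail' path and always receives
    the full current feed (200), so a manipulated date cannot suppress it."""
    ims = parse_http_date(request_headers.get("If-Modified-Since"))
    if ims is None or ims > now:
        return 200  # fail: send the current feed regardless of the client date
    return 304 if FEED_LAST_MODIFIED <= ims else 200


if __name__ == "__main__":
    frozen = {"If-Modified-Since": "Sat, 01 Jan 2050 00:00:00 GMT"}
    print("before fix:", status_before_fix(frozen), "after fix:", status_after_fix(frozen))
```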
Vulnerability Today (3/4)
• iOS 6
– StarWars attacks still work
– Matrix attacks still work
• iOS 6 does not send the “If-Modified-Since” header
• iOS 7
– StarWars attacks still work (304)
– Matrix attacks: Change the “Last-Modified” header of the GET response to the current date (minus one minute)
• “You’re inside the Matrix”
• Remain on the current version and no more updates up to the
next one
DEMO
Vulnerability Today (4/4)
• Since iOS 7.1…
– In order to start downloading new iOS updates, the passcode is mandatory… delaying the update process
Glitch in The Matrix
• And if you look carefully you can see it…
Do you remember sometimes anomalies show up in The Matrix?
Vulnerability Fix(es)
• Why didn’t OTA SW updates use HTTPS by design?
– Did Apple put too much trust in the IPSW integrity verification?
• Lack of verification of the update contents (e.g. evilgrade, 2010)
– Lack of verification of the update checks
• Differentiate between update checks and update contents
– httpS://mesu.apple.com & http://appldnld.apple.com
• Caching responses for sensitive checks is probably not a good idea
• Certificate pinning?
– Performance impact?
• Again, differentiate update checks from update contents
– Conspiracy theory or… another developer ‘mistake’
• Design, implementation, QA, security testing… (Apple?)
• MDM solutions: Verify the latest version is applied
iOS OTA was released late 2011… and it is 2014 now!
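An added example, not iCamasu's own code, serving two slides: the iCamasu section (parsing com_apple_MobileAsset_SoftwareUpdate.xml into the size/digest/asset/device/version summary the tool prints) and the “MDM solutions: Verify the latest version is applied” mitigation above (checking a device inventory against the versions the feed offers). SAMPLE_FEED is a constructed miniature of the real feed; only the Build and OSVersion keys appear on the slides, the SupportedDevices key is assumed, and the build strings are illustrative.

```python
"""Parse an Apple iOS software update feed (com_apple_MobileAsset_SoftwareUpdate.xml)
and check a device inventory against it. Added example in the spirit of iCamasu,
not the tool's code; SAMPLE_FEED is a constructed miniature of the real feed."""
import hashlib
import plistlib

# Constructed sample. Only Build and OSVersion appear on the slides; the
# SupportedDevices key is assumed, and the build strings are illustrative.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Assets</key>
  <array>
    <dict>
      <key>Build</key><string>9B206</string>
      <key>OSVersion</key><string>5.1.1</string>
      <key>SupportedDevices</key><array><string>iPad1,1</string></array>
    </dict>
    <dict>
      <key>Build</key><string>11D201</string>
      <key>OSVersion</key><string>7.1.1</string>
      <key>SupportedDevices</key><array><string>iPad2,1</string><string>iPhone5,1</string></array>
    </dict>
    <dict>
      <key>Build</key><string>10B500</string>
      <key>OSVersion</key><string>6.1.6</string>
      <key>SupportedDevices</key><array><string>iPhone2,1</string></array>
    </dict>
  </array>
</dict>
</plist>
"""


def version_key(version):
    """'7.0.4' -> (7, 0, 4) so that '7.1' sorts after '7.0.4'."""
    return tuple(int(part) for part in version.split("."))


def load_feed(raw=SAMPLE_FEED):
    """Parse the feed bytes into a dict (plistlib accepts the standard DOCTYPE)."""
    return plistlib.loads(raw)


def summarize(feed, raw=SAMPLE_FEED):
    """The one-line summary iCamasu prints: size, SHA-1, asset/device/version counts, min/max."""
    assets = feed["Assets"]
    versions = sorted({a["OSVersion"] for a in assets}, key=version_key)
    devices = {d for a in assets for d in a.get("SupportedDevices", [])}
    return {"bytes": len(raw), "sha1": hashlib.sha1(raw).hexdigest(),
            "assets": len(assets), "devices": len(devices), "versions": len(versions),
            "min": versions[0] if versions else None, "max": versions[-1] if versions else None}


def latest_for_device(feed, device):
    """Highest OSVersion the feed offers for a device identifier, or None."""
    offered = [a["OSVersion"] for a in feed["Assets"] if device in a.get("SupportedDevices", [])]
    return max(offered, key=version_key) if offered else None


def check_fleet(feed, inventory):
    """MDM-style check: {device_id: reported_version} -> {device_id: (reported, latest, ok)}.
    A device reporting a version below what the feed offers has missed an update,
    whatever the reason (a frozen OTA check included)."""
    report = {}
    for device, reported in inventory.items():
        latest = latest_for_device(feed, device)
        ok = latest is not None and version_key(reported) >= version_key(latest)
        report[device] = (reported, latest, ok)
    return report


if __name__ == "__main__":
    feed = load_feed()
    print(summarize(feed))
    print(check_fleet(feed, {"iPad2,1": "7.0.4", "iPhone2,1": "6.1.6"}))
```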
Real Vulnerability Impact (1/2)
• How many people could I (or others knowing about this, e.g. NSA) have attacked using this ‘simple’ vulnerability?
– During the last +2 years
– Considering all the potential victims available worldwide
• Some of them very relevant and managing very sensitive information
– By freezing their device to an old & vulnerable iOS version…
• Temporarily or permanently
– … in order to exploit other iOS vulnerabilities, such as…
• 197 vulns in iOS 6.0, 80 vulns in iOS 7.0, plus others…
– Ending up with the last goto fail in iOS 7.0.6
• Including multiple jailbreaks (or wait for the next one…)
– Silently, without the victim users noticing
• And even with the option of stealthily reverting the attack back…
Although the vulnerability markets were not very interested in it…
Real Vulnerability Impact (2/2)
Freezing iOS from iOS 6 to iOS 7…
This is the world we live in…
… overly dependent on technology, highly
sophisticated, but still immature and very vulnerable
Credits
– Produced by: Raúl Siles
– Directed by: Mónica Salas
– Casting by: E & E
– IPSW Assistant: Apple
– iOS 5.0 & 5.0.1 files (March 2012): Jorge Ortiz, Jay Freeman (saurik), Jan Hindermann
– Music by: Siletes
– Costume Designer: camisetasfrikis.es
Questions?
www.dinosec.com
@dinosec
Raúl Siles
raul@dinosec.com
@raulsiles