iOS Trustjacking: Trust Has a Price
#RSAC, Session ID: TTA-R02
Roy Iarchy, Research Team Leader, Modern OS, Symantec (@Royiarchy)
Yair Amit, VP & CTO, Modern OS Security, Symantec (@YairAmit)

Agenda
Background
Recap of related past attacks
The foundation of Trustjacking attacks
Remote Videojacking attack + demo
Advanced Trustjacking attack flows + demos
Summary & Recommendations

A day in the office
Working with several iOS devices
Weird behavior

Background
Behind the scenes
Key relevant daemons:
  usbd
  usbmux
  lockdown
  authd

Juicejacking
https://krebsonsecurity.com/2011/08/beware-of-juice-jacking/

Juicejacking mitigation
Trust This Computer?
Background
Why use it?

Videojacking (leveraging HDMI interface)
https://krebsonsecurity.com/tag/video-jacking/
But we promised you a remote (wifi?) hijacking disclosure…

iTunes Wi-Fi Sync
Uses the trust established during initial USB connection
Relies on an implementation of usbmux over network
IOS TRUSTJACKING

iOS Trustjacking – attack flow
Trust == One time mistake
Victim side -> nothing much “seems to happen”
Attacker side:
  Accessing device information
  Accessing device logs
  Rebooting the device (can be used for DoS attack)
  Leveraging the developer image
REMOTE VIDEOJACKING DEMO
Using developer image for advanced attacks

IOS TRUSTJACKING ADVANCED DEMO
Backup and restore

Backup format
The decision whether a backup is encrypted is initiated on the computer side but then enforced on the client side
An encryption policy defined at some point will take effect in future backups!
If the victim didn’t choose to encrypt backups, the attacker can enforce encrypted backups on the user’s device, putting the victim in a bad situation.
This is another reason for users to opt in to encrypted backups; it will make attackers’ lives harder!
Getting data out of the device:
  Info.plist - contains information about the device and installed apps
  Manifest.plist - contains information about the backup and installed apps
  Status.plist - information regarding the backup
  Manifest.db - SQLite3
  File paths converted to SHA1 file names
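
An added example, not from the talk or from Apple: a small audit of a local backup's metadata that reads the encryption flag from Manifest.plist and lists which files of one app are indexed in Manifest.db, checking the SHA1 naming described above. The IsEncrypted key, the Files table columns, the flags values and the '<domain>-<relativePath>' hash input are assumptions based on the commonly documented backup layout; the app domain and file names are constructed.

```python
import hashlib
import plistlib
import sqlite3
import tempfile
from pathlib import Path

APP = "AppDomain-com.example.notes"  # hypothetical app domain (constructed)

def file_id(domain, relative_path):
    """On-disk name of a backed-up file: SHA-1 of '<domain>-<relativePath>'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def audit_backup(backup_dir, app_domain):
    """Report the encryption flag and the files one app puts into the backup."""
    with open(Path(backup_dir) / "Manifest.plist", "rb") as fh:
        encrypted = bool(plistlib.load(fh).get("IsEncrypted", False))
    if encrypted:
        # Assumption: an encrypted backup's file index is not plain SQLite.
        return {"encrypted": True, "files": None}
    db = sqlite3.connect(str(Path(backup_dir) / "Manifest.db"))
    try:
        rows = db.execute(
            "SELECT fileID, relativePath FROM Files "
            "WHERE domain = ? AND flags = 1 ORDER BY relativePath",  # 1 = regular file
            (app_domain,)).fetchall()
    finally:
        db.close()
    files = [{"path": rel, "name_ok": fid == file_id(app_domain, rel)}
             for fid, rel in rows]
    return {"encrypted": False, "files": files}

def build_sample_backup(root, encrypted):
    """Constructed miniature backup (metadata only), so the audit runs offline."""
    with open(Path(root) / "Manifest.plist", "wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted}, fh)
    db = sqlite3.connect(str(Path(root) / "Manifest.db"))
    db.execute("CREATE TABLE Files (fileID TEXT, domain TEXT, "
               "relativePath TEXT, flags INTEGER, file BLOB)")
    for rel, flags in [("Documents", 2),  # 2 = directory
                       ("Documents/session_token.json", 1),
                       ("Library/Preferences/com.example.notes.plist", 1)]:
        db.execute("INSERT INTO Files VALUES (?, ?, ?, ?, NULL)",
                   (file_id(APP, rel), APP, rel, flags))
    db.commit()
    db.close()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_backup(build_sample_backup(tmp, encrypted=False), APP))
```

Run against a test device's own backup, the file list shows a developer exactly what their app contributes to a backup, which is the data to review for exclusion.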

Remote backup
The remote backup allows us access to:
  Multimedia
  Messages
  Contacts
  App data

IOS TRUSTJACKING ADVANCED DEMO
Installing / Deleting Apps
Replacing Apps
Private API Access

Post-Trust and Pre-Trust attacks
Trusting a malicious computer
Attacking a trusted computer (Post-Trust Attack)
Temporary access to a computer (Pre-Trust attacks)
  Won’t work as Apple mitigated it by generating a unique key-pair for each connection

What about USB Restricted Mode?
Taken via Trustjacking…
Backup and other actions are working remotely as well.
* Confirmed on iOS 12 beta 3.
Is the attack confined to Wi-Fi only?

Wi-Fi Sync & Bonjour
mDNS (Bonjour) used for device discovery
Replicating / tunneling mDNS + Malicious Profiles attack
  Malicious Profiles can also allow an attacker to redirect and decrypt traffic
  Allows access to the mobile phone without needing to be on the same network or in the same location
More on Malicious Profiles:
https://www.symantec.com/connect/blogs/malicious-profiles-sleeping-giant-ios-security

Recommendations
End Users:
  Clear trusted computer settings
  — Settings > General > Reset > Reset Location & Privacy
  Enable Encryption on all Backups
  Trust who you really trust
  Keep your OS up-to-date
Organizations:
  IT: Deploy Mobile Threat Defense (MTD) solutions
  Dev: Exclude sensitive info from app backup data & logs

Recommendations
Responsible & Coordinated disclosure process with Apple
As always, Apple has been actively engaged to preserve and maintain the security of its users
iOS 11 Changes
— Trusting computers requires entering a passcode.
— The dialog still states that the risk of Trust is only temporary (while the computer is connected).
Wi-Fi sync should be reconsidered
Mobile OS should be responsible for most of the security decisions
— Encrypted backups
— Trusted hosts management

Summary
Single point of failure / one time mistake
Physical -> Wi-Fi -> Anywhere
Long lasting implications
Can be used by conventional malware
How to mitigate
Check out our blog for more information:
https://www.symantec.com/blogs/feature-stories/ios-trustjacking-dangerous-new-ios-vulnerability
Twitter: @Royiarchy @YairAmit