This document summarizes security features and vulnerabilities of the iPhone operating system iOS. It describes the trusted boot process, application sandboxing and code signing, keychain encryption, and data protection. Attack surfaces like bootloaders and the browser are discussed. Bootloader vulnerabilities are outlined, including Blackra1n and Limera1n/greenpois0n exploits that execute arbitrary code by sending malformed USB messages to achieve code execution during the boot process. The goal of exploiting bootloaders is to extract private user data from the device like call logs or decrypt encrypted keychain items.


iPhone security model & vulnerabilities

Cedric Halbronn
Jean Sigwald
Sogeti / ESEC
cedric.halbronn(at)sogeti.com
jean.sigwald(at)sogeti.com
HITB SecConf 2010
Introduction
iOS security features
Bootloader attacks
Browser attacks
Conclusion
Introduction
The iPhone is (one of) the most popular smartphone(s)
Enterprise features: VPN, Exchange, etc.
Closed platform → jailbreak
Owned this year at PWN2OWN
Browser-based jailbreak released in August → patched one week later
BootROM exploits for all devices since last week
What are the possibilities for an attacker?
iPhone security model & vulnerabilities 2/33
Plan
1 iOS security features
Trusted boot
Application-level security
Keychain & Data protection
2 Bootloader attacks
3 Browser attacks
iOS introduction
iPhone Operating System
Runs on the application processor (ARM core)
Based on Mac OS X
4 major releases
Components
Bootloaders
Kernel
System software, shared libraries, built-in applications
Uses 2 HFS+ partitions on flash: system (read-only) and user data/applications
Trusted boot
Normal boot chain (diagram): BootROM → LLB → iBoot → Kernel; the later stages are read from NAND flash, which also holds the root device.
Trusted boot
Chain of trust
Apple root certificate embedded in the BootROM
Firmware images stored in signed IMG3 containers
RSA signatures checked before moving on to the next stage
USB interfaces
2 interfaces available before iOS startup
DFU mode (BootROM)
Recovery mode (iBoot)
Used to bootstrap a ramdisk with the flashing tool (update/restore)
Trusted boot - DFU mode
DFU mode (diagram): instead of the normal BootROM → LLB → iBoot → Kernel chain, the BootROM follows the alternate chain BootROM → iBSS → iBEC → Kernel, which boots a ramdisk.
Trusted boot - recovery mode
Recovery mode (diagram): the chain BootROM → LLB → iBoot is unchanged, and iBoot boots a kernel together with a ramdisk.
Trusted boot - iOS startup
Important processes
First userland process: Launchd
Starts daemons
Registers IPC services
CommCenter: interface with the baseband (AT commands)
Lockdown: iTunes USB entry point
SpringBoard: GUI
Code signing
Application binaries
Mach-O format
Code directory structure with SHA-1 hashes of memory pages
Code directory is signed
PKCS#7 signature embedded for AppStore binaries
For system binaries, code directory hashes are already cached in kernel
Entitlements
Describes permissions for the application
Allow debugger to attach
Keychain access group
Sandbox profile
XML document embedded in binary (signed)
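As an added illustration of the code directory structure the slide describes (not code from the talk, and not Apple's implementation), a Go model that hashes an executable image page by page and verifies a single page against the directory; the 4 KiB page size, the type and function names and the constructed image are assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"errors"
	"fmt"
)

// pageSize is an assumption for this model; the slide only says hashes cover memory pages.
const pageSize = 4096

// CodeDirectory models the structure the slide describes: one SHA-1 per page of the
// executable image. A real Mach-O code directory has further fields (identifier, flags,
// special slots) and is itself signed; only the page-hash table is modelled here.
type CodeDirectory struct {
	Hashes [][sha1.Size]byte
}

// BuildCodeDirectory hashes image page by page; the final page may be short.
func BuildCodeDirectory(image []byte) CodeDirectory {
	var cd CodeDirectory
	for off := 0; off < len(image); off += pageSize {
		end := off + pageSize
		if end > len(image) {
			end = len(image)
		}
		cd.Hashes = append(cd.Hashes, sha1.Sum(image[off:end]))
	}
	return cd
}

// VerifyPage recomputes the hash of the bytes actually present for page idx and compares
// it with the signed directory entry, so a single modified page is rejected without
// rehashing the whole binary.
func VerifyPage(cd CodeDirectory, idx int, page []byte) error {
	if idx < 0 || idx >= len(cd.Hashes) {
		return errors.New("page index outside code directory")
	}
	got := sha1.Sum(page)
	if !bytes.Equal(got[:], cd.Hashes[idx][:]) {
		return fmt.Errorf("page %d: hash mismatch (code modified or directory not for this binary)", idx)
	}
	return nil
}

func main() {
	image := bytes.Repeat([]byte{0x90}, 10000) // constructed "binary": 3 pages, last one partial
	cd := BuildCodeDirectory(image)
	fmt.Println("pages:", len(cd.Hashes), "intact page 1:", VerifyPage(cd, 1, image[pageSize:2*pageSize]))
	patched := append([]byte(nil), image[pageSize:2*pageSize]...)
	patched[100] ^= 0x01 // one flipped bit in page 1
	fmt.Println("patched page 1:", VerifyPage(cd, 1, patched))
}
```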
Sandboxing & exploit mitigations
Sandboxing
Seatbelt kernel extension
Mandatory Access Control on files, sockets, etc.
Predefined profiles with rules
Mainly used to restrict filesystem access & isolate applications
Exploit mitigations
Applications run with standard user account (mobile)
Non-executable stack & heap
W^X policy enforced on code pages
No ASLR → return-oriented programming (ROP) is possible
Keychain
Secure storage
SQLite database
Tables for passwords, certificates, keys
Email accounts, VPN certificates & keys, SIM card PIN code, Wi-Fi keys, etc.
Table columns: account, data, access group
Data column is encrypted
Access control
Exposed to applications through an IPC API
Security Server translates IPC calls into SQL queries
Restricts queries to the caller's access group
System applications share the apple access group
Keychain encryption
iOS 3
Data encrypted using AES with key 0x835 (unique for each device)
Random initialization vector
iOS 4
Random encryption key for each item
Items have a new accessibility attribute (protection class)
always, after first unlock, when unlocked (screen lock)
Item key is wrapped with the protection class key (master key)
Part of a new feature called data protection
Data protection
Description
Used to protect keychain items and data files
Protection class keys are grouped in keybags
Keystore kernel extension manages keybags
Unlocking the screen lock → class keys are unwrapped
AES key wrap algorithm (RFC 3394)
Passcode derivation
AES wrap key encryption key is derived from the user passcode
Derivation involves use of the on-device UID AES key
Makes passcode brute force impractical
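As an added example, not from the talk, the unwrap side of the AES key wrap algorithm (RFC 3394) named on the slide, implemented in Go and checked against the RFC's own test vector. The KEK / class key naming follows the slide; the sample KEK and blob come from the RFC or are constructed, and the passcode derivation, which the slide does not specify, is not modelled.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Default initial value from RFC 3394; an unwrap is accepted only if it reappears.
var rfc3394IV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// AESKeyUnwrap implements the RFC 3394 index-based unwrap. kek is the key-encryption
// key (in the data protection model: a class key); wrapped is the stored blob, 8 bytes
// longer than the key it protects (an item key, or a class key inside a keybag).
func AESKeyUnwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("wrapped data must be >= 24 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...) // A register, starts as C[0]
	r := append([]byte(nil), wrapped[8:]...) // R[1..n] = C[1..n], 8 bytes each
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^uint64(n*j+i))
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Decrypt(buf, buf)       // B = AES^-1(K, (A ^ t) | R[i])
			copy(a, buf[:8])              // A = MSB(64, B)
			copy(r[(i-1)*8:i*8], buf[8:]) // R[i] = LSB(64, B)
		}
	}
	// Wrong KEK or altered blob: the IV does not come back and no key is released.
	// This check is why protected items stay unreadable without the passcode-derived key.
	if !bytes.Equal(a, rfc3394IV) {
		return nil, errors.New("integrity check failed: wrong KEK or tampered blob")
	}
	return r, nil
}

func main() {
	// RFC 3394 section 4.1 test vector: 128-bit key data under a 128-bit KEK.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	wrapped, _ := hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
	key, err := AESKeyUnwrap(kek, wrapped)
	fmt.Printf("unwrapped key: %x (err=%v)\n", key, err)
	_, err = AESKeyUnwrap(bytes.Repeat([]byte{0xFF}, 16), wrapped) // constructed wrong KEK
	fmt.Println("wrong KEK:", err)
}
```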
Attack surface
Bootloader USB communication: DFU, recovery mode, restore process
Bootloader transitions
iTunes services: Lockdown, AFC, BackupAgent, Sync, etc.
Network: cellular, Wi-Fi
Applications: Web browser, file formats, IPCs
Kernel: BSD API, IOKit interfaces
Plan
1 iOS security features
2 Bootloader attacks
Objectives
Vulnerabilities
Forensics ramdisk
3 Browser attacks
Bootloader vulnerabilities - objectives
Objectives
Extract data from the phone with physical access
Call logs, contacts, SMS messages, etc.
Decrypt encrypted data if possible (keychain)
Passwords, certificates/keys, passcode, etc.
How?
Bootloader USB interfaces only accept signed binary images
Need a vulnerability to execute arbitrary code
Many vulnerabilities have been found in DFU mode and iBoot
Possible to use vulnerabilities from jailbreak tools
Blackra1n (geohot - October 2009)
Vulnerability
Bad handling of USB control messages in iBoot
Exploit
Send: usb_control_msg(0x21, 2)
Result: memcpy(0x0, LOAD_ADDR, 0x2000)
LOAD_ADDR contains USB received data
Interrupt handler was overwritten so it executes shortly after
Patches signature checks in iBoot and kernel
Limera1n/greenpois0n (geohot/comex - October 2010)
Vulnerability
Bad handling of USB control messages in DFU mode
Heap overflow
Exploit
Send a specially crafted USB control message
Result: code execution via the heap overflow
Load original bootloaders and patch signature checks
Do the same for the kernel
Forensics ramdisk
Realization
Use an exploit to disable signature checks
Blackra1n iBoot exploit (firmware 3.1.2)
Pwnage 2 BootROM exploit on older devices (iPhone 3G)
Limera1n/greenpois0n BootROM exploit on newer devices (iPhone 4)
Load our own ramdisk with an extraction tool (same approach as Jonathan Zdziarski)
Retrieve data over USB
Forensics ramdisk
Results
Leaves no trace (except that the phone was rebooted)
Took only a few minutes
Allows extraction of SMS, contacts, etc.
Extraction of keychain data
Possible on iOS < 4
Needs passcode brute force on iOS 4
Always-accessible items can be retrieved
Demo
Plan
1 iOS security features
2 Bootloader attacks
3 Browser attacks
Objectives
Star (comex - August 2010)
Malicious PDF
Browser vulnerabilities - objectives
Objectives
Install a rootkit on a device
Do it remotely
Extract data from the device
Keep control of the device
How?
Need a remote exploit
Star allows this
Star
Description
Released by comex in August 2010
Uses the MobileSafari browser (jailbreakme.com)
Userland jailbreak
Remote code execution
1-week Apple response (to prevent misuse)
3 vulnerabilities
PDF CFF fonts vulnerability (ROP)
IOSurface kernel vulnerability
Incomplete codesign: launchd interposition
Star - PDF CFF fonts vulnerability
Vulnerability
FreeType font parser stack overflow
Can be triggered by opening a PDF file
Exploit
ROP payload exploits the IOSurface kernel vulnerability → code signing checks are now disabled
Write installui.dylib in /tmp, load it and call iui_go()
Repair stack and resume thread
Display progress bar, download and install Cydia
Star - IOSurface vulnerability
Vulnerability
IOSurface: pixel buffer managed by the kernel
Integer overflow on width and height properties
Exploit
Patch signature checks and sandboxing restrictions
Patch the suser() function to allow MobileSafari to get root access
Star - incomplete codesign - launchd interposition
Launchd gmalloc
Debug mechanism in Launchd
At startup, Launchd checks if /var/db/.launchd_use_gmalloc exists
If so, it loads the guard malloc dynamic library (/usr/lib/libgmalloc.dylib) → can be used maliciously to persist across a reboot
Star - incomplete codesign - launchd interposition
Exploit
Use .dylib interposition to redirect execution through existing code fragments
Stack pivot so that SP points to the .dylib data section
Execute a ROP payload from now on → runs as root in launchd and exploits the IOSurface kernel vulnerability
Restart launchd without the .dylib once the kernel is patched
Vulnerability
Dynamic library interposition allows modification of imported symbols
Signatures are only required on code pages
NOT on dynamic library interposition
Malicious PDF
Realization
Idea: modify the Star payload
Extract the font stream (payload) from the original exploit
Create a custom installui.dylib with an iui_go() function
Replace installui.dylib in the extracted payload
Inject the modified payload into any PDF file with origami (thanks Guillaume :-)
Send the PDF to your victim
Malicious PDF
Rootkit
Victim opens the PDF file
iui_go() → downloads and runs the rootkit binary
Polls for orders and sends data back to the command & control server
For now, only retrieves contacts and SMS messages
Can also steal keychain data via the standard API when the phone is unlocked
Demo
Conclusion
Bootloader exploits
Can be used for targeted attacks with physical access
Data extraction only takes a few minutes
BootROM vulnerabilities cannot be patched (Pwnage, limera1n/greenpois0n)
New data protection feature helps protect data with passcode
Browser exploits
Star remote exploit is one of a kind
Made possible due to lack of ASLR
Hopefully no serious malware on the iPhone yet
Thanks for your attention
References
25C3: Hacking the iPhone, 2008
The iPhone wiki, http://www.theiphonewiki.com
Ralf-Philipp Weinmann & Vincenzo Iozzo own the iPhone at PWN2OWN, 2010, http://blog.zynamics.com/2010/03/24/ralf-philipp-weinmann-vincenzo-iozzo-own-the-iphone-at-pwn2own/
Post Exploitation Bliss: Meterpreter for iPhone, Charlie Miller and Vincenzo Iozzo, 2009, http://www.blackhat.com/presentations/bh-usa-09/IOZZO/BHUSA09-Iozzo-iPhoneMeterpreter-SLIDES.pdf
iPhone privacy, Nicolas Seriot, 2010, http://seriot.ch/blog.php?article=20091203
Apple WWDC 2010, Session 209 - Securing Application Data
Star jailbreak, Comex, 2010, http://www.jailbreakme.com
Star source code, http://www.github.com/comex/star
Origami, http://esec-lab.sogeti.com/origami