convergedipad代理
ipad代理 时间:2021-05-05 阅读:()
GeneralReleaseAppleiPadIntheWorkPlaceWrittenByRussSpoonerPortcullisComputerSecurityLTDTheGrangeBarnPike'sEndPinnerMiddlesexHA52EXTel:02088680098Fax:02088680017rus@portcullis-security.
comDocumentReferenceWhitepapers/WPIOS2011/wp_WPIOS2011_0.
3Version0.
3Date16February2011cCopyrightPortcullisComputerSecurityLimited2011PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace1DocumentHistoryRevisionAuthorRoleDateComments0.
1RUSAuthor09/02/2011InitialFirstDraft0.
2RUSAuthor15/02/2011MinorRevisions0.
3RUSAuthor16/02/2011Updatedtoreectnewversionofredsn0wTable1:DocumentRevisionHistoryReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page2of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceContents1DocumentHistory22TableOfContents32.
1ListOfFigures32.
2ListOfTables43Introduction54TheStateOfPlay55Evolution56Deployments76.
1Whyarewedeploying76.
2Wherearewedeploying76.
3PersonalvsPrivateProperty76.
4Whydoesthismatter87CoreSecurityFeatures87.
1Devicepolicies/proles87.
2FilesystemEncryptionFallacy98Whereisinformationstored98.
1ProblemswithSQLite108.
2iTunes118.
3LocalFilesystem129Accessingthedata129.
1Simpleattacks129.
2Jailbreaking149.
3OwningtheDevice15103rdPartyApplicationsecurity1710.
1Applicationsstoringsensitivedatainsecurely1710.
2Applicationsthatopenservicesonanetwork1811GoodPractise(i.
e.
Howdowexit)1811.
1Physicalsecurity1811.
2PolicyControls1911.
3Technicalrestrictions19AppendixAListofkeylesbackedupbyiTunes20AppendixBCitations/Furtherreading22ListofFigures1DeletedData102DynamicDictionary10Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page3of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace3ApplicationLaunchLog114EnvelopeIndex115SynchronisationHandshake136Redsn0wOptions16ListofTables1DocumentRevisionHistory2Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page4of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace3IntroductionSecurityconsiderationsforiOS4.
2.
1andearlier,iPad.
iOSdevicessuchastheiPadarebecomingincreasinglyprevalentinworkenvironmentslargelyduetotheireaseofuseandexibility,butalsoduetotheso-called"haloeffect".
Whatmostusers,bothcorporateandindividual,oftendonotacknowledgearethesecurityweaknessesintheAppleiOSoperatingsystem,andadditionallyiTuneswhichcaneasilyresultintheexposureofhighlysensitiveinformationandthecompromiseofthedeviceitself.
InthiswhitepaperIwilloutlineandenumeratemanyoftheissuessurroundingtheintroductionoftheiPadintotheworkplacewithparticularregardtotheexposureandtheftofsensitiveinformation,coun-termeasuresemployedbyAppleandhowinmostcasestheyaretriviallybypassed.
Theinformationprovidedinthiswhitepaperisnotentirelymyownwork,andreferencespubliclyavail-abletoolsandinformation,ifIhavemissedanyattribution,pleasedonothesitatetocontactme.
Theintendedaudienceforthisistechnical/managerial,thatistosay,inpartsitwillbemoderatelytechnical,butthekeyfocuswillbetheprovisionofinformationtothoseplanningorevaluatingrolloutsofiOSbaseddevicesinorderthattheyareabletoaccuratelyunderstandtherisksassociatedwiththis.
ThereasonIamwritingthispaper,isduetothefactthatPortcullishavebeenapproachedwithincreasingfrequencywithregardtoperformingsecurityassessmentsoftheiPad,togiveourperceptionofthedevicessecurityortoprovideguidancewithregardtodeployingthemsecurely.
Inasensethisistobeconsideredasummationofmyndings,itisnotbyanymeansintendedtodissuade,impedeorscaremonger,butrathertoenableinformedunderstandingoftherisksthatthesedevicesmayintroduce.
WhereverpossibleIwillsuggestmitigatingstrategies,insomecasestheyarenotpossible.
AlsoIwillwhereverpossiblebesteeringawayfromnamingspecic3rdpartyapplications,orvendorsasitisnotmyintenttoeitherendorseorcondemnthem.
Alsotrademarksorregisteredtrademarksarethepropertyoftheirrespectiveowner(s).
4TheStateOfPlayForthesakeofthisdocumentwearegoingtoassumethatwearedealingwiththeiPad3GrunningiOS4.
2.
1.
AlthoughthereareotherversionsofhardwarethatruniOScurrentlyincirculation,andtheywillbementionedwhereitismeritoriousorusefulasacomparison,wearelookingintoiPaddeployments.
5EvolutionTheiPhonewasrstreleasedtothepublicin2007,runningaderivativeofMacOSX/DarwincompiledfortheARMprocessor,whichbecameknownasiOS.
ApplereleasedDarwin,anopensourceoperatingsystem,in2000;itisPOSIXcompliantandiscompat-iblewiththeSingleUNIXSpecicationversion3(SUSv3).
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page5of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceDespitetheinherentexibilityofthebaseoperatingsystem,initialreleasesofiOSprovidednointendedfacilityfortherunningof3rdpartyapplications,insteadrelyingonwebapplicationstodeliverfunction-alitybeyondthatdeliveredbythebuiltinapplications.
However,enterprisingindividualsontheinternetwerequicklyableto"Jailbreak"theoperatingsystem,effectivelygaininginteractiveaccesstotheunderlyingoperatingsystem.
CommonUNIXutilitieswereeasilyportedtoiOSandsoonmanyunofcial3rdpartyapplicationstartedtoappear.
PerhapsasareactiontothisAppleannouncedanofcialSDKonOctober2008.
InMarch2008ApplereleaseditsrstbetaoftheiPhoneSDKwhichwouldpermitdeveloperstoof-ciallydevelopnativeapplicationsfortheoperatingsystem.
TheapplicationswouldbedistributedviatheApple"AppStore"and,ofcourse,iTunes.
DespitethisJailbreakingremainedpopular,insomepartduetotherestrictionsplacedupondevelop-ers.
Forinstance,applicationswhichusedApple"Private"APIswere(andare)rejectedbyAppleandthereforetheonlyviablereleasevectorforthemwasthroughthe"unofcial"appstores(cydia,icyandrock).
Unofcal3rdpartyapplicationswhichextendthefunctionalityandcustomisabilityoftheiOSinter-face/launcher(Springboard)suchasWinterboardhavealsohelpedtoensurethatJailbreakingisapopularandsoughtafterprocedure.
NaturallyasizeablenumberofJailbreakersdosoinorderto"pirate"Ofcial3rdpartyapplications,andalsotoremovecarrierlocksfromtheiPhonebaseband.
Itisestimatedthatanywherebetween10and20%ofiOSdeviceshavebeenJailbroken.
Whichequatestoavastnumberofdevices.
ForinstanceanalystsanticipatethatApplewillhavesoldover100millioniPhonesby2011,andtheWallStreetJournalestimates20MillioniPadswillsellinthesameyear.
ApplerespondedwitheachsubsequentreleaseofiOSwithcountermeasuresintendedtoclosevulnera-bilitiesintheoperatingsystemanditscomponentseffectivelystoppingJailbreaking.
Howeverthishasledtoa"catandmouse"approachtovulnerabilityresearchanddevelopment.
i.
e.
vulnerabilitieswhichmayresultin"root"levelcompromiseofthedevicearecloselyguardedandsharedprincipallyamongstmembersoftheJailbreakingdevelopmentcommunity.
NaturallysuppressionofJailbreakinghasnotbeenthesolemotiveofupdatestoiOS.
Newfeaturesandfunctionalityhavebeengraduallyintroducedtoaddressmanyoftheperceivedshortcomingsoftheoperatingsystem,suchasMultitasking,copyandpaste,improvedbatteryusageetc.
SuccessiveiterationsofiOSdeviceshavealsosoughttoimproveperformanceandindeedsecurityofthedevice.
ForinstancewiththeiPhone3GSandtheiPadhardwareencryptionwasintroduced.
TheiPadwasactuallydevelopedbeforetheiPhone,butitwasrealisedthatthetechnologywouldworkwellasamobilephoneplatform,andemphasiswasshiftedinthatdirection.
TheiPadwasnallyannouncedinJanuary2010,andreleasedinApril.
VersionsofiOSrunningontheiPad,andiPhonewereconvergedinNovember2010withthereleaseofversion4.
2.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page6of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace6Deployments6.
1WhyarewedeployingTherearemanyreasonswhycompanies,institutionsandevenschoolsareseekingtodeploytheiPad.
Manyofthesearenotbusinessrelated:EaseofaccesstoinformationAconsistent,easilymaintainedplatformPortabilityRobusthardwareToreducepaperuseImprovedcommunicationsRelativelylowcostSecurityfeatures(Oftensaidwithastraightface)Theyare"shiny"6.
2WherearewedeployingAtPortculliswedealwithcompaniesfromallsectors,usuallythosewithaverylowriskappetite.
Wehavesofarbeenapproachedbyclientslookingatsmalldeployments(lessthan100)inareassuchas:FinancialMediaCommunicationsButanecdotallyandviathepressweareseeinglargedemandin:EducationLocalGovernmentHealthcareSothatcoversmostsectors.
Whatisinterestingisthatweareseeingtheprimarydemandanddeploymenttargetscomingfromandtothe"boardlevel".
Studentsandmedicalstaffseemtobetheprincipaltargetsinthepublicsector.
6.
3PersonalvsPrivatePropertyItisimportanttounderstandwho"owns"thedevice.
IsthisapersonaldevicethatisbeingconnectedtocorporateresourcesIsitacorporatedevicethatisbeingconnectedtopersonalresourcesReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page7of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceThedevicesaremediacentric,meaningthattheyaredesignedforgames,music,photos,lmsaswellasweb-browsingandinformationviewing/sharing.
Corporationsandinstitutionsneedtobeawarethatthereisastrongpossibilitythatdataonthedevicecanbecomeblended,i.
e.
thatcorporatedataisstoredalongsidepersonaldata.
Suchblendeddatacantheneitherbesynchronisedintoacorporateorahomeenvironment.
Obviousrisksarethatifadevicethathasbeenusedtoaccesscorporatedataisbackeduptoapersonalcomputer,thenthatcorporatedataistheneffectivelypropagatedtothatcomputer.
Converselytheremaybesupportandpolicyconsiderations,(nottomentionpotentialcopyrightissues)shouldadevicebesynchronisedwithacorporatecomputer.
ForinstanceitmaybeagainstcompanypolicyforiTunestobeinstalled.
OtherlessobviousrisksarefeatureswithinapplicationssuchasMobileMail.
The"uniedinbox"isagoodexampleofthis.
Ifmultipleemailaccountsareconguredonthedevice,theycanbecomeeffectivelymergedintoone"inbox",itcanthenbecomeveryeasytocomposeorforwardmailsviathe"wrong"account.
Thismaybypasscontentlteringrequirements,oremailarchivingpolicies.
6.
4WhydoesthismatterInessence,whousesiPadsshouldn'tmatter,howeverwhenyouconsiderthereasonsfordeployingthem,andwhotheyarebeingdeployedtoandthencontrastthattotheprobabilityofinformationexposurewehavearatherunappealingscenario.
Itwouldappearthathighlysensitiveinformationstorageisbeingcarriedoutbyalowsecuritysystem.
7CoreSecurityFeaturesHerewearegoingtotakealookatthecoresecurityfeaturesofiOSdevices,bothatthehardwareandsoftwarelevels:7.
1Devicepolicies/prolesPasscodescanbesetbyusers,orbyapplyinganMSExchangeActiveSyncpolicy.
Thedefaultisa4digitPIN,which,ifentered10timesincorrectlywillcausethedevicetowipe.
TheonlywaytochangefromthisdefaultisbyapplyinganExchangepolicywhichwillthenenablethefollowingtobeset:EnforcepasswordondeviceMinimumpasswordlengthMaximumfailedpasswordattemptsNumbersandlettersbothrequiredInactivitytimeinminutesWithMSExchangeServer2007thefollowingadditionalpoliciesaresupported.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page8of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceSimplepasswordallowedorprohibitedPasswordexpirationPasswordhistoryPolicyrefreshintervalMinimumnumberofcomplexcharactersinapasswordThesepoliciesareeitherdeployed"overtheair"oraspartofacongurationprolethatuserscaninstall.
Thepoliciescanbesigned,andpasswordprotectedrequiringan"administrator"toremovethem.
Apolicy"lock"canbeenforced,whichwillrequirethedevicetobewipeduponremovalofthepolicy.
CongurationprolesareXMLleswhichcancontaininformationsuchasserversettings,securitypoliciesthatwillbeappliedtothedevice.
Itsinterestingtonotethatwhencongurationprolesareencrypted,theyautomaticallyenforceencryp-tionofbackupsiniTunes.
Devicerestrictionscanbeappliedwhichcanpreventusersperformingcertainactions,suchasinstallingapplications,accessingYouTube,etc.
7.
2FilesystemEncryptionFallacyAlthoughiOSdevices(iPhone3GS+,andiPad)haveahardware-levelencryptedlesystem,thereisamisconceptionthattheinformationisactuallyprotected.
Thelesystemiseffectivelydecryptedatboot-time(thebootloaderneedstoaccessthelesystemtostartiOS),therebyeffectivelyrenderingtheencryptionredundantintermsofprotectinginformationonarunningiOSdevice.
Wheretheencryptioncomesintoplayiswhena"remotewipe"commandispushedtothedevice,viaeitherMSExchangeorMobileMe.
AtthispointiOSdeletestheencryptionkeysandforcesareboottherebyrenderingtheinformationonthedeviceinaccessible,andindeedunbootable.
8WhereisinformationstoredInordertounderstandtheriskofinformationexposureortheftweneedtounderstandwhereinformationisstoredandhow.
AlthoughiOSisaUNIXbasedoperatingsystemandusesHFSasthelesystem,iOSreliesontwomaintypesoflestostoreandretrieveinformation,andtostorecongurationinformation:Plists(preferencelists)areXMLbasedplaintextles,(orinsomecasebinary)thatcontainvarioussettingsandotherinformationpertainingtoapplicationsandhowtheoperatingsystemiscongured.
SQLitedatabasestypicallycontainapplicationspecicdata.
ToolsarefreelyavailabletointerrogatebothleseitherusingaGUIorviaacommandlineinterface.
ClearlytheselesarethekeypointofinterestforindividualsseekingtoextractinformationfromiOSdevices.
Indeed,thosefamiliarwithUNIXcommandlinetoolssuchasgrepwillbeabletoextractveryinterestinginformationfromeitheroftheseletypes.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page9of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceForallintentsandpurposeseachapplicationwilluseSQLitedatabasestostoredata,thiswillincludeEmails,Imagesandsoforth.
8.
1ProblemswithSQLiteSQLite,accordingtowikipediais:"anACID-compliantembeddedrelationaldatabasemanagementsystemcontainedinarelativelysmall(approx225kB)Cprogramminglibrary.
ThesourcecodeforSQLiteisinthepublicdomain.
"Whichmakesitidealforalowfootprint,swiftandeasytouseplatformfordatamanipulationonasmalldevice.
ThesedatabasescanbeaccessedeitherbycopyingthemoffthedeviceafterJailbreakorbyaccessingtheiTunesbackup.
OnceretrievedtherearemanySQLitedatabaseviewers,whichcomeinveryusefulinexamininglivedataonthedevice.
Whatwehavefoundinourinvestigationsisthatdatastoredinthesedatabasesispersistentandquitetenacious.
Forinstance,whenyoudeleteanotesentryitisjustaggedasdeleted,itisn'tactuallyremoved.
Thisin-formationcannotbeaccessedusingstandardSQLitebrowsers,howeversimpletoolslike"vi"or"strings"canbeusedtoviewthe"deleted"data:Figure1:DeletedDataAlso:theDynamicDictionaryfeaturestoreswholephrasesinadatabase(including,undercertaincir-cumstancescouldincludecreditcardnumbers,passwords,etc)Figure2:DynamicDictionaryiOSlogswhenandhowoftenapplicationshavebeenlaunched:Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page10of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceFigure3:ApplicationLaunchLogThe"EnvelopeIndex"storesEmailheaders,evenfordeletedaccounts,andaccountinformationpersistsinvariousles:Figure4:EnvelopeIndex8.
2iTunesEachtimeyouconnectyourdevicetoyourPC/MaciTunescanbeconguredtoautomaticallybackupyourdevice.
Thisisaveryusefulfeature,anditisaverythoroughbackup,totheextentthatifyouweretoloseyourdeviceandgetanewone,youcanrestorethisbackupandbarelyevennoticeyouhadanewone(moreonthislater).
Thesebackupsarestoredinthefollowinglocations:WindowsXP:C:\DocumentsandSettings\$USERNAME\ApplicationData\AppleComputer\MobileSync\BackupWindowsVistaand7:C:\Users\$USER\AppData\Roaming\AppleComputer\MobileSync\BackupOSX:~/Library/ApplicationSupport/MobileSync/Backup/IntherelevantfolderyouwillndwhatappearstobeafolderorfolderswhosenameconsistsofaUniqueIdentier.
Withinthisfolderareallthebackeduplespertainingtoyourdevice.
Thelesare,simplyput,preferencelistsandSQLitedatabases.
Theydonothavemeaningfulnames,butthatwontdeterusasyouwillseelater.
KeySQLitedatabasesandpliststhataresynchronisedarelistedinappendixA.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page11of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace8.
3LocalFilesystemiOSdeviceshavetwomainpartitions,the"root"orsystempartitionwhereoperatingsystemlesarestored:/dev/disk0s1/rw01andthe"media"partitionwhere"user"lesarestored:/dev/disk0s2/private/varhfsrw,noexec02Undernormal(i.
e.
non-Jailbroken)circumstances,itisonlypossibleforuserstoaccessthemediapartition;eventhenthisaccessisheavilyrestrictedbyapplicationsandboxing.
AccordingtoAppleap-plicationscanonlyaccesslesanddirectoriesintheir"area"onthelesystemforinstanceanexampledirectorystructurecouldbe:|ApplicationGUID||_Application.
app|_Documents/|_Library/Preferences/|_tmp/Thusanygivenapplicationshouldonlyhaveaccesstoits"own"les.
However,onceJailbrokenthefulllesystemisavailabletoapplications,whichaswewillseegreatlyimpactsthesecurityofthedevice.
9AccessingthedataAnefariousindividual'sobjectiveistoaccessthisinformationcovertly,withminimalphysicalaccess,leavinglittleornoevidenceoftampering,ideallypersistentlyandofcoursegettinglotsofsensitivestuffeitherforblackmailorcommercialadvantage.
9.
1SimpleattacksBydefaultiTunesstoredabackupofthedeviceunencrypted.
Whetherornotthebackupisencryptedisenforcedbyaagsetinaplistonthedeviceitself.
Auserspeciedencryptionkeyisalsostoredonthedeviceinthekeychain.
Thekeychainisanencrypteddatabaseofpasswordsstoredbythedevice.
AccessinganunencryptediTunesbackupistrivialaswehaveseenabove,butwhatelsecanwedowiththesebackupsWecancopythemformthehostcomputertoourcomputerforanalysis,wecanevenrestorethebackuptoourphone,effectivelycloningit.
Unfortunatelythekeychaindoesnotsurvivethis(duetothewayitisencrypted)sowewontbeabletoretrievepasswordsthisway.
Wecanalsoeditbackups.
Theyaren'tsigned.
Wecanthenrestorethemback.
IfwegobackalittlebitandlookathowiOSandiTuneshandlesbackupscrudelyputthisishowitoccurs:Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page12of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceFigure5:SynchronisationHandshakeInessenceweneedtoeitherhave"paired"theiOSdevicetoiTunesorweneedtoknowthepasscodeinordertogainaccesstoanunencryptedbackup.
Thereareotherspeedbumpsaswell,forinstanceanExchangepolicycouldmandateencryptedbackups,butagainwecanovercomethis.
Wecanremovethepasscodebyeditingtherelevantplist,(thisiswheregrepcomesinhandyasalltheplistshavewhatseemtobe"random"names)wearelookingforsomethinglikethis:PasswordInformationpinTimeStamp2010-07-20T11:46:22ZRemoveeverythingfromtheinner""savetheleandrestorethedevice.
Bingo.
Nopass-code.
Anothermeansofremovingthepasscodeistodeletethekeychainfromthebackup,butasthiswouldalsoeraseotherpasswordsstoredonthedevice,itiscounterproductiveinthatitwouldhinderourabilitytoretrievefurtherinformationfromthedeviceonceitisunlocked.
ThisbackuptamperingcanbeusedtodefeatalargenumberofsecurityfeaturesthatmaybeenforcedbyExchangepolicies.
Thingssuchas:Policyrefreshintervals,autolock,lockinterval.
Youcanalsousethistechniquetoincreaseyourhighscoresincertaingames.
Theonlylimitsareyourowningenuity.
RemembertokeepabackupofyourˇEbackup.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page13of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceWhatifthepasscodeispresentandactiveonthedeviceandithasn'tbeen"paired"withyourcomputerThisisnotassimpleasitmayseematrstglance.
iOSkeepstrackofwhichcomputersithaspairedwith,sowehavea"chickenandegg"scenario:Inordertoremovethepasscodebybackuptamperingwehavetorstbypassthepasscode.
Wecouldattempttobrute-forceguessthepasscode,however,bydefault,after10failedattemptsthedevicewillwipeitself,whichwouldrenderourmissiontoextractdata,afailure.
Thinkingbrieyaboutthedefault4digitPINbasedpasscode.
Thereare10,000possiblenumbers,(0000-9999).
Givingyoua1in1,000chanceofguessingtherightcombinationwithin10attempts.
Wecouldconceivablyreducethis,byshouldersurng,using"common"PINnumbers,usingsocialengineeringtacticsorinterestinglyexaminethescreentoseeiftherearengerprintsaroundthekeypadareaonthedevicewhichcouldexposedigitspresentinthePIN.
Theparingmechanismseemstobequiterobust,sotheratherobviousadvicehereisthatifyouwanttokeepyourdatasafe,ensurethatyouareverycautiousaboutwhatcomputersyouconnectyourdeviceto.
Backupencryptiondoespresentanotherchallenge.
Thereareonlyreallytwooptionsopentous;Eitherwehavetobruteforceguessthebackuppasswordorwearegoingtohavetoresorttoexploitingthedevice.
.
.
9.
2JailbreakingAsdiscussedearlier,iOSrestrictsaccesstotheentirelesystemtothebaseoperatingsystemitself.
Additionallyitprovidesnonativemeanstoaccesstheunderlyingoperatingsystem.
Jailbreakingessentiallyfoilsthatrestriction,allowingforunrestrictedaccesstothedevice.
Effectivelyputitmeanswecanrunanycodeonthedevicewelike,ignoringrestrictionssuchasapplicationsigning,adheringtoprescribedapplicationsandboxing,andread/writeaccesstothesystempartition.
InordertoJailbreak,vulnerabilitiesmustbeidentiedinthesoftwareorrmwarerunningonthedevice.
ThesevulnerabilitiesmusthavecertaincharacteristicsinordertobeusefulinJailbreaking.
Themostimportantoftheseisthatitmustenableustobeabletorunarbitrarycodeasthe"root"user.
Therearealargenumberof"Jailbreaking"toolsavailableforavarietyforversionsofiOS.
AsapplepatchesvulnerabilitiesiniOSortheBootromsoftheirdevices,Jailbreakershavetondnewvulnerabil-itiestoincorporateintotheirtools.
Jailbreakingisalsodividedintotwobroadcategories:Untethered-MeaningthatonceJailbrokenthedevice,ifrebooted,willstartnormallywithnointerventionTethered-withthistypeofJailbreak,userinterventionisrequiredinorderforthedevicetorestart.
Thedevicewillneedtobeconnectedtoacomputerandeffectivelybere-Jailbrokeninordertoboot.
WhetheradevicecanbeJailbrokenuntethered(whichistheoptimalroute)isdependantonthebootromversion,andthermwareversion.
CurrentlyiOSversions3.
2.
2andearliercanbeJailbrokenuntethered,morerecentversionswillrequirefurtherstepstobetakeninordertoremovethetether(suchasrunningGreenpois0n,analternateJail-breakingtool,afterJailbreakingthedevicewithredsn0w).
Incomingmonthstheseadditionalstepsarelikelytobecomeredundant,thusforbrevitythefollowingJailbreakstepswillworkcleanlyoniOSversionsearlierthan4.
2.
1.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page14of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceI.
e.
ifyouaregoingtoattemptwhatIwilldescribedosomeresearchrst:thereisahighdegreeofriskfortheuninitiatedandunlessyouareluckyorwellinformedyoumightendupwithahighlydesirable,expensiveplacemat.
Update:Asof16thFebruaryredsn0wwasupdatedtoversion4.
2,whichisanuntetheredjailbreak.
ThereforeallversionsofiOSuptoandincluding4.
2.
1canbejailbrokensafely,anduntethered.
ThusthefollowingstepscanbereplicatedonallversionofiOSfortheiPadandiPhone.
9.
3OwningtheDeviceAcommon,andexible,toolavailabletousewithiOS4.
2.
1(andearlier)isredsn0w.
AccuratelyspeakingwedonotneedtofullyJailbreakinordertoaccessdataonthedevice,wejustneedtobeabletobootthedevicewithacustomramdisk.
iOSdeviceshavethefacilitytodothiseitherbydroppinginto"recoverymode"(intendedforoperatingsystemrecoveryorupgrade)orDFUmode(intendedforrmwareupgrade).
Redsn0wdependsuponanexploitknownasLimera1n,whichtakesadvantageofbothofthesemodes,employingbothabootromexploitaswellasauserlandexploittofullyJailbreakthedevice.
Howeveraswedonothaveaccesstothecodeforredsn0w,wecan'tchangeitsbehaviourtostopitfullyJailbreakingthedevice.
Ifwewereabletocustomisetheactionsitwouldbeasimplemattertoremovethedevicepasscodebyeditingthefollowingle:/private/var/ManagedPreferences/mobile/com.
apple.
springboard.
plist(aswewouldhavedoneinthebackuptamperingmethod).
Howeverifwewantedtoremovethebackupencryptionaswell,wewouldhavetodoalittlemore.
Bydeleting(orrenaming)thekeychain:/var/Keychains/keychain-2.
dbwenotonlyremovethepasscode,butalsothekeyusedtoencryptthebackups,thusthebackupswillbeunencrypted.
Sadlywedosacriceotherpasswords,toosuchasemailpasswords,etc.
Redsn0w,thoughostensiblyaJailbreakingtool,isactuallyalittlemore:itcanbeusedtoinstallcustombundles.
Custombundlesareessentiallycompressedarchivescontainingcontent(suchasexecutablebinaries,orevenpreferencelists),whicharecopiedtothedevice.
Thuswecanusethisfeature,tofullyJailbreakthedevice,copysomescriptsandtoolstothedeviceinordertocompromiseit.
Andwecancompromiseitinsuchawaythatthedeviceshowsalmostnoevidencetotheuserthatithasbeen.
Redsn0wdependsonhavingacopyoftherestoreimageforthedevicebeingJailbroken(thesearefreelyavailablefromapple)andwillhavetobedownloadedinadvance.
So,wehavethefollowingscenario:AniPadwithapasscodeset,backupencryptionenabled.
Wehavealaptop(runningOSXorWindows)Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page15of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceAnup-to-dateversionofredsn0wAcustombundle(withOpenSSH,APT,andafewothertoolsandscripts)Acollectionofrestoreimages5minutesleftalonewiththedevice.
AnetworkconnectionWedon'tneedtoworryaboutthedevicebeingpairedtoourlaptopasitsidestepsthedevicepairingrequirement.
Asapartofthe"Jailbreak"thedeviceisputintoDFUmode.
Inthismodethedeviceisinastatewhereitistoallintentsandpurposesunabletocheckwhetheritispairedtothecomputeritisconnectedto.
TheiPadWecantakeaguesstoseeifitisrunning4.
2.
1byickingthehardwareswitchontheside.
Ifitmutesthevolumeonthedevicethereitisquitelikelytobe4.
2.
x.
Priorversionsusedthishardwareswitchtoengagetheorientationlock.
Inlaterversionsusersweregiventheoptiontochoosebetweenmuteandlock;thedefaultbeingmute.
Guessingtheversionofthermwareincorrectlyisnotfatal,itwillsimplymeanthattheJailbreakwillfailandyouwillhavetogothroughitagain.
TheLaptopWehaveredsn0w,wehavelauncheditandselectedtherelevantrmwareforthedevice.
EvenbeforeweconnecttheiPadwecanallowredsn0wtoprocessthermwareandwearepresentedwiththefollowingchoice:Figure6:Redsn0wOptionsWedon'twantcydiatobeinstalled,orthevictimwillseetheiconontheirspringboardinsteadwearegoingtouseoneofourcustombundles.
Wecanthenfollowthestepsthroughredsn0w,thedevicewillreboot.
OncethishascompleteditwillbeJailbrokenandthepasscodewillhavebeenremoved.
Whatthiscustombundledoes:Installsalargenumberofbasicunixtools,andsomekeypackages:OpenSSH(andalaunchscriptsoitstartsatboot)andAPT(sowecaninstalladditionalpackagesfromtheshell).
Italsorunsashellscriptatstartupthatrenamesthekeychain.
Thisremovesthepassphrase.
InordertogetitsIPaddress(sowecanSSHintoit)wecanjustlookinthenetworkpreferencesforitsIPaddress.
OncewehavethatwecanthensimplySSHintothedeviceas"root"(thedefaultpasswordis"Alpine").
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page16of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceInordertoremoveanyobvioustracesofushavingcompromisedthedevicewecanrenamethekeychainback,thiswon'timmediatelyrestorethepasscode,wewillneedtorebootforthattohappen.
Firsttherearesomeotherthingswecando.
UsingAPTwecaninstallothertoolsandutilities:Using"recAudio"willcausetheipadtostartrecordingaudio,thisisahighlyeffectivewaytolisteninonmeetings.
Itstorestheaudioinaiffle,andthiscanthenbecopiedoffthedevice,orascriptcouldbegeneratedtorecordatpredeterminedintervalsandthenuploadtheresultingaudioletoaweborftpserver.
Othertoolssuchas"pirni"canbescheduledtorun,Pirniisanarp-spoongtoolthatactsasaman-in-the-middle,snifngalldataonthewirelessnetwork.
Again,theresultantdatacanbeuploadedtoanexternalserverforcollectionbytheattacker.
"Nmap"canbeusedtomapthewirelessnetwork,andmetasploitcanthenbeusedtoattackandcompro-misehostsidentied,therebyusingtheiPadto"pivot"intothecorporateenvironment.
"Netcat"canbeconguredtoinitiateareverseshelltoahostontheinternetforremotecontrol.
Howeverwealsohaveour"increasedstealth"custombundle,onethat:LeavesthekeychainintactInstallsOpenSSHInstallstheabovetoolsGathersinformationfromthedevice(thedynamicdictionary,Emails,calendarentriesetc)anduploadsittomywebserver.
SchedulesrecordingsanduploadsthemtomywebserverAttemptsareverseshelltomyservereachtimeitdetectsanetworkconnection.
Tweetsthegeographicallocationofthedevicedaily103rdPartyApplicationsecurityEvenlegitimateapplicationscanintroducerisksintoacorporateenvironment.
AsImentionedinthein-troductionIamgoingtoavoidnamingspecicapplicationsorvendors(theywillorhavebeencontacteddirectly)withregardtosecurityissues.
BroadlyspeakingIhaveidentiedtwoprevalentcategoriesofrisk:10.
1ApplicationsstoringsensitivedatainsecurelyManyapplicationshavetheabilitytoaccesssensitivedata.
Thisdatacouldbeasbasicassocialnet-workingsites,downloadingandviewingdocumentsorascomplexasremotedesktopfunctionalityforaccessingcorporateresources.
Inanycasewehaveidentiedalargenumberofapplicationsthatstorecredentialslocallyinplaintext.
Thesecredentialscanbeforcorporateservers,internetlestores,websitesorevenforlocalaccesstotheapplication.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page17of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceOtherapplicationswehaveseencacheinformationlocallyonthedevice,sothatitcanbeviewedormanipulatedofine.
Theselocalcachesarerarelyencrypted.
Inbothcasesinsecurestorageofcacheddataorcredentialsisabadthing,asitwillbesynchronisedbacktoiTunesincleartext(ifencryptedbackupsarenotenabled).
Failingthat,thedatacaneasilyberetrievedafteraJailbreak.
ThereforewhenassessingapplicationsforusewithinacorporateenvironmentitisimportanttoensurethatthedevelopershaveelectedtousetheiOSencryptedkeychain(asrecommendedbyapple)andthattheyareencryptinganylocallycacheddata.
Anotherinteresting"feature"ofiOSitselfcanintroduceweaknessesinapplicationindirectly:theDy-namicDictionary.
Evenifanapplicationisnotstoringinformationorcredentialsinaninsecureformat,itismrethanlikelythattheDynamicDictionarywill.
Iteffectivelyactsasakeyloggeronthedevice.
Wehaveseeninstanceswherethedictionaryhasstoredpasswords,contactinformationandallmannerofinformationthatwouldgiveanyindividualcausetopale.
10.
2ApplicationsthatopenservicesonanetworkThereareseveralmethodsthatapplicationscanusefacilitatethetransferofdatafromothersourcessuchasthelocalnetwork,theinternetoradesktopcomputer.
Itisfairlycommonforapplicationsthatviewormanipulatedocumentstorunawebservertofacilitateletransfers.
UsersthencanuseawebbrowseronanotherdeviceorcomputertoconnecttotheiPadtouploadcontent.
Thismaynotseemaparticularlyhighlevelrisk,howeverinsomecaseswehaveseentheseapplicationsbroadcasttheseservicesvia"bonjour"andalmostwithoutexceptionusepredictableTCPportsfortheirservicesmakingthemeasytoidentifyonanetwork.
Suchserversusually(ifnotalways)bydefaultrequirenoauthentication.
iPadsdeployedincorporateenvironmentswillalmostcertainlybeusedtoviewandsharesensitiveinformation.
Itmaybethatusersareinadvertentlysharingthisinformationwhentheyconnecttothefreewirelessattheirlocalcoffeeshop.
11GoodPractise(i.
e.
Howdowexit)11.
1PhysicalsecurityClearlyphysicalcontrolofthedeviceisparamount.
DetectingifadevicehasbeenstealthilyJailbrokenwithoutactuallyJailbreakingitistricky,itcanbedone,butitisbettertonotletithappen.
IfyoudolosephysicalcontrolofthedevicewhatthenIfitwasleftaloneforaperiodoftime,orifitwaslostandthenreturnedyoushouldassumethatithasbeencompromised.
Restorethedevice;thiswilleffectivelyremovetheJailbreak,(iTunesdoesn'tbackupanyoftheJailbreakoritsdata).
Ifithasgonemissingattempttoremotewipethedevice,howeverbeawarethatsimplyremovingtheSIMfromthedevicecandefeatthis.
AlsorememberdotheremotewipebeforeyoucanceltheSIM,forobviousreasons.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page18of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace11.
2PolicyControlsCorporatepoliciesshouldforbidJailbreaking.
ThereisnoguaranteethatevenifthedevicehasbeenJailbroken"legitimately"thatapplicationsinstalledvia3rdpartyapplicationstoressuchasCydiadonotcontainhostilecode.
Determinewhatdatashouldbepermittedonthedevice.
Corporateandpersonaldatashouldnotmix.
Highlysensitiveinformationshouldneverbestoredlocallyonthedeviceunlessappropriatelyencrypted.
Controlwhatapplicationsshouldberunonthedevice,3rdpartyapplicationscanintroducethreats.
Userawarenessandeducationisparamount.
Makecertainthatusersareeducatedastothethreatstotheirownaswellascompanydata.
11.
3TechnicalrestrictionsUseapplicationsthatenforcedatasegregation.
Thereareseveralapplicationsthatusetheirownemail,calendarandcontactprograms,andwhichenforcelocalencryptioneffectivelycreatingasecondary"sandbox"inwhichcorporatedatacanbehandled.
SomeoftheseapplicationsuseJailbreakdetectionandrefusetorunifapolicyissettothateffect.
EmployExchangesecuritypoliciestotheirbesteffect,lockdownasmuchaspossible.
Rememberifthedeviceissynchronisedregularlyitdoesn'tmatterifitiswipedafter3failedpasscodeattempts,itcanberestored.
Protectthecomputerthatthedeviceisbeingsynchronisedto!
Ifyoulosethebackupofthedevice,youlosecontrolofthedatathathasbeenstoredonit.
Examinethecapabilitiesof3rdpartyapps.
DotheyopennetworkportsfordocumentsharingHavethemsecuritytestedforvulnerabilitiesthatcouldexposesensitiveinformation.
Considerusingdevicesasthinclients.
Therearemanyremotedesktopclientsouttherethatareser-viceable.
(butagain,ensurethattheyaren'tcachingcredentialsinplaintextonthedevice.
Getthemtested!
)Restorefrequently.
Amonthlyrestoreofthedeviceshouldprovidesomeassurancethatitisnotcompro-mised.
EnsurethatdevicesaremaintainedattheirlatestrmwareversionReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page19of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceAppendixAListofkeylesbackedupbyiTunesLibrary_AddressBook_AddressBook.
sqlitedbLibrary_AddressBook_AddressBookImages.
sqlitedbLibrary_Calendar_Calendar.
sqlitedbLibrary_CallHistory_call_history.
dbLibrary_Cookies_Cookies.
plistLibrary_Keyboard_dynamic-text.
datLibrary_LockBackground.
jpgLibrary_Mail_Accounts.
plistLibrary_Mail_AutoFetchEnabledLibrary_Maps_Bookmarks.
plistLibrary_Maps_History.
plistLibrary_Notes_notes.
dbLibrary_Preferences_.
GlobalPreferences.
plistLibrary_Preferences_SBShutdownCookieLibrary_Preferences_SystemConguration_com.
apple.
AutoWake.
plistLibrary_Preferences_SystemConguration_com.
apple.
network.
identication.
plistLibrary_Preferences_SystemConguration_com.
apple.
wi.
plistLibrary_Preferences_SystemConguration_preferences.
plistLibrary_Preferences_com.
apple.
AppSupport.
plistLibrary_Preferences_com.
apple.
BTServer.
plistLibrary_Preferences_com.
apple.
Maps.
plistLibrary_Preferences_com.
apple.
MobileSMS.
plistLibrary_Preferences_com.
apple.
PeoplePicker.
plistLibrary_Preferences_com.
apple.
Preferences.
plistLibrary_Preferences_com.
apple.
WebFoundation.
plistLibrary_Preferences_com.
apple.
calculator.
plistLibrary_Preferences_com.
apple.
celestial.
plistLibrary_Preferences_com.
apple.
commcenter.
plistLibrary_Preferences_com.
apple.
mobilecal.
alarmengine.
plistLibrary_Preferences_com.
apple.
mobilecal.
plistLibrary_Preferences_com.
apple.
mobileipod.
plistLibrary_Preferences_com.
apple.
mobilemail.
plistLibrary_Preferences_com.
apple.
mobilenotes.
plistLibrary_Preferences_com.
apple.
mobilephone.
plistLibrary_Preferences_com.
apple.
mobilephone.
speeddial.
plistLibrary_Preferences_com.
apple.
mobilesafari.
plistLibrary_Preferences_com.
apple.
mobileslideshow.
plistLibrary_Preferences_com.
apple.
mobiletimer.
plistLibrary_Preferences_com.
apple.
mobilevpn.
plistLibrary_Preferences_com.
apple.
preferences.
network.
plistLibrary_Preferences_com.
apple.
preferences.
sounds.
plistLibrary_Preferences_com.
apple.
springboard.
plistLibrary_Preferences_com.
apple.
stocks.
plistLibrary_Preferences_com.
apple.
weather.
plistLibrary_Preferences_com.
apple.
youtube.
plistLibrary_Preferences_csidataLibrary_SMS_sms.
dbReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page20of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceLibrary_Safari_Bookmarks.
plistLibrary_Safari_History.
plistLibrary_Voicemail_.
tokenReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page21of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceAppendixBCitations/Furtherreadinghttp://www.
apple.
com/uk/ipad/business/integration/http://blog.
iphone-dev.
org/http://www.
theiphonespot.
net/p=7561http://www.
zdziarski.
com/blog/cat=11http://xsellize.
com/index.
phphttp://www.
greenpois0n.
comReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page22of22
comDocumentReferenceWhitepapers/WPIOS2011/wp_WPIOS2011_0.
3Version0.
3Date16February2011cCopyrightPortcullisComputerSecurityLimited2011PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace1DocumentHistoryRevisionAuthorRoleDateComments0.
1RUSAuthor09/02/2011InitialFirstDraft0.
2RUSAuthor15/02/2011MinorRevisions0.
3RUSAuthor16/02/2011Updatedtoreectnewversionofredsn0wTable1:DocumentRevisionHistoryReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page2of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceContents1DocumentHistory22TableOfContents32.
1ListOfFigures32.
2ListOfTables43Introduction54TheStateOfPlay55Evolution56Deployments76.
1Whyarewedeploying76.
2Wherearewedeploying76.
3PersonalvsPrivateProperty76.
4Whydoesthismatter87CoreSecurityFeatures87.
1Devicepolicies/proles87.
2FilesystemEncryptionFallacy98Whereisinformationstored98.
1ProblemswithSQLite108.
2iTunes118.
3LocalFilesystem129Accessingthedata129.
1Simpleattacks129.
2Jailbreaking149.
3OwningtheDevice15103rdPartyApplicationsecurity1710.
1Applicationsstoringsensitivedatainsecurely1710.
2Applicationsthatopenservicesonanetwork1811GoodPractise(i.
e.
Howdowexit)1811.
1Physicalsecurity1811.
2PolicyControls1911.
3Technicalrestrictions19AppendixAListofkeylesbackedupbyiTunes20AppendixBCitations/Furtherreading22ListofFigures1DeletedData102DynamicDictionary10Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page3of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace3ApplicationLaunchLog114EnvelopeIndex115SynchronisationHandshake136Redsn0wOptions16ListofTables1DocumentRevisionHistory2Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page4of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace3IntroductionSecurityconsiderationsforiOS4.
2.
1andearlier,iPad.
iOSdevicessuchastheiPadarebecomingincreasinglyprevalentinworkenvironmentslargelyduetotheireaseofuseandexibility,butalsoduetotheso-called"haloeffect".
Whatmostusers,bothcorporateandindividual,oftendonotacknowledgearethesecurityweaknessesintheAppleiOSoperatingsystem,andadditionallyiTuneswhichcaneasilyresultintheexposureofhighlysensitiveinformationandthecompromiseofthedeviceitself.
InthiswhitepaperIwilloutlineandenumeratemanyoftheissuessurroundingtheintroductionoftheiPadintotheworkplacewithparticularregardtotheexposureandtheftofsensitiveinformation,coun-termeasuresemployedbyAppleandhowinmostcasestheyaretriviallybypassed.
Theinformationprovidedinthiswhitepaperisnotentirelymyownwork,andreferencespubliclyavail-abletoolsandinformation,ifIhavemissedanyattribution,pleasedonothesitatetocontactme.
Theintendedaudienceforthisistechnical/managerial,thatistosay,inpartsitwillbemoderatelytechnical,butthekeyfocuswillbetheprovisionofinformationtothoseplanningorevaluatingrolloutsofiOSbaseddevicesinorderthattheyareabletoaccuratelyunderstandtherisksassociatedwiththis.
ThereasonIamwritingthispaper,isduetothefactthatPortcullishavebeenapproachedwithincreasingfrequencywithregardtoperformingsecurityassessmentsoftheiPad,togiveourperceptionofthedevicessecurityortoprovideguidancewithregardtodeployingthemsecurely.
Inasensethisistobeconsideredasummationofmyndings,itisnotbyanymeansintendedtodissuade,impedeorscaremonger,butrathertoenableinformedunderstandingoftherisksthatthesedevicesmayintroduce.
WhereverpossibleIwillsuggestmitigatingstrategies,insomecasestheyarenotpossible.
AlsoIwillwhereverpossiblebesteeringawayfromnamingspecic3rdpartyapplications,orvendorsasitisnotmyintenttoeitherendorseorcondemnthem.
Alsotrademarksorregisteredtrademarksarethepropertyoftheirrespectiveowner(s).
4TheStateOfPlayForthesakeofthisdocumentwearegoingtoassumethatwearedealingwiththeiPad3GrunningiOS4.
2.
1.
AlthoughthereareotherversionsofhardwarethatruniOScurrentlyincirculation,andtheywillbementionedwhereitismeritoriousorusefulasacomparison,wearelookingintoiPaddeployments.
5EvolutionTheiPhonewasrstreleasedtothepublicin2007,runningaderivativeofMacOSX/DarwincompiledfortheARMprocessor,whichbecameknownasiOS.
ApplereleasedDarwin,anopensourceoperatingsystem,in2000;itisPOSIXcompliantandiscompat-iblewiththeSingleUNIXSpecicationversion3(SUSv3).
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page5of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceDespitetheinherentexibilityofthebaseoperatingsystem,initialreleasesofiOSprovidednointendedfacilityfortherunningof3rdpartyapplications,insteadrelyingonwebapplicationstodeliverfunction-alitybeyondthatdeliveredbythebuiltinapplications.
However,enterprisingindividualsontheinternetwerequicklyableto"Jailbreak"theoperatingsystem,effectivelygaininginteractiveaccesstotheunderlyingoperatingsystem.
CommonUNIXutilitieswereeasilyportedtoiOSandsoonmanyunofcial3rdpartyapplicationstartedtoappear.
PerhapsasareactiontothisAppleannouncedanofcialSDKonOctober2008.
InMarch2008ApplereleaseditsrstbetaoftheiPhoneSDKwhichwouldpermitdeveloperstoof-ciallydevelopnativeapplicationsfortheoperatingsystem.
TheapplicationswouldbedistributedviatheApple"AppStore"and,ofcourse,iTunes.
DespitethisJailbreakingremainedpopular,insomepartduetotherestrictionsplacedupondevelop-ers.
Forinstance,applicationswhichusedApple"Private"APIswere(andare)rejectedbyAppleandthereforetheonlyviablereleasevectorforthemwasthroughthe"unofcial"appstores(cydia,icyandrock).
Unofcal3rdpartyapplicationswhichextendthefunctionalityandcustomisabilityoftheiOSinter-face/launcher(Springboard)suchasWinterboardhavealsohelpedtoensurethatJailbreakingisapopularandsoughtafterprocedure.
NaturallyasizeablenumberofJailbreakersdosoinorderto"pirate"Ofcial3rdpartyapplications,andalsotoremovecarrierlocksfromtheiPhonebaseband.
Itisestimatedthatanywherebetween10and20%ofiOSdeviceshavebeenJailbroken.
Whichequatestoavastnumberofdevices.
ForinstanceanalystsanticipatethatApplewillhavesoldover100millioniPhonesby2011,andtheWallStreetJournalestimates20MillioniPadswillsellinthesameyear.
ApplerespondedwitheachsubsequentreleaseofiOSwithcountermeasuresintendedtoclosevulnera-bilitiesintheoperatingsystemanditscomponentseffectivelystoppingJailbreaking.
Howeverthishasledtoa"catandmouse"approachtovulnerabilityresearchanddevelopment.
i.
e.
vulnerabilitieswhichmayresultin"root"levelcompromiseofthedevicearecloselyguardedandsharedprincipallyamongstmembersoftheJailbreakingdevelopmentcommunity.
NaturallysuppressionofJailbreakinghasnotbeenthesolemotiveofupdatestoiOS.
Newfeaturesandfunctionalityhavebeengraduallyintroducedtoaddressmanyoftheperceivedshortcomingsoftheoperatingsystem,suchasMultitasking,copyandpaste,improvedbatteryusageetc.
SuccessiveiterationsofiOSdeviceshavealsosoughttoimproveperformanceandindeedsecurityofthedevice.
ForinstancewiththeiPhone3GSandtheiPadhardwareencryptionwasintroduced.
TheiPadwasactuallydevelopedbeforetheiPhone,butitwasrealisedthatthetechnologywouldworkwellasamobilephoneplatform,andemphasiswasshiftedinthatdirection.
TheiPadwasnallyannouncedinJanuary2010,andreleasedinApril.
VersionsofiOSrunningontheiPad,andiPhonewereconvergedinNovember2010withthereleaseofversion4.
2.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page6of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace6Deployments6.
1WhyarewedeployingTherearemanyreasonswhycompanies,institutionsandevenschoolsareseekingtodeploytheiPad.
Manyofthesearenotbusinessrelated:EaseofaccesstoinformationAconsistent,easilymaintainedplatformPortabilityRobusthardwareToreducepaperuseImprovedcommunicationsRelativelylowcostSecurityfeatures(Oftensaidwithastraightface)Theyare"shiny"6.
2WherearewedeployingAtPortculliswedealwithcompaniesfromallsectors,usuallythosewithaverylowriskappetite.
Wehavesofarbeenapproachedbyclientslookingatsmalldeployments(lessthan100)inareassuchas:FinancialMediaCommunicationsButanecdotallyandviathepressweareseeinglargedemandin:EducationLocalGovernmentHealthcareSothatcoversmostsectors.
Whatisinterestingisthatweareseeingtheprimarydemandanddeploymenttargetscomingfromandtothe"boardlevel".
Studentsandmedicalstaffseemtobetheprincipaltargetsinthepublicsector.
6.
3PersonalvsPrivatePropertyItisimportanttounderstandwho"owns"thedevice.
IsthisapersonaldevicethatisbeingconnectedtocorporateresourcesIsitacorporatedevicethatisbeingconnectedtopersonalresourcesReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page7of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceThedevicesaremediacentric,meaningthattheyaredesignedforgames,music,photos,lmsaswellasweb-browsingandinformationviewing/sharing.
Corporationsandinstitutionsneedtobeawarethatthereisastrongpossibilitythatdataonthedevicecanbecomeblended,i.
e.
thatcorporatedataisstoredalongsidepersonaldata.
Suchblendeddatacantheneitherbesynchronisedintoacorporateorahomeenvironment.
Obviousrisksarethatifadevicethathasbeenusedtoaccesscorporatedataisbackeduptoapersonalcomputer,thenthatcorporatedataistheneffectivelypropagatedtothatcomputer.
Converselytheremaybesupportandpolicyconsiderations,(nottomentionpotentialcopyrightissues)shouldadevicebesynchronisedwithacorporatecomputer.
ForinstanceitmaybeagainstcompanypolicyforiTunestobeinstalled.
OtherlessobviousrisksarefeatureswithinapplicationssuchasMobileMail.
The"uniedinbox"isagoodexampleofthis.
Ifmultipleemailaccountsareconguredonthedevice,theycanbecomeeffectivelymergedintoone"inbox",itcanthenbecomeveryeasytocomposeorforwardmailsviathe"wrong"account.
Thismaybypasscontentlteringrequirements,oremailarchivingpolicies.
6.
4WhydoesthismatterInessence,whousesiPadsshouldn'tmatter,howeverwhenyouconsiderthereasonsfordeployingthem,andwhotheyarebeingdeployedtoandthencontrastthattotheprobabilityofinformationexposurewehavearatherunappealingscenario.
Itwouldappearthathighlysensitiveinformationstorageisbeingcarriedoutbyalowsecuritysystem.
7CoreSecurityFeaturesHerewearegoingtotakealookatthecoresecurityfeaturesofiOSdevices,bothatthehardwareandsoftwarelevels:7.
1Devicepolicies/prolesPasscodescanbesetbyusers,orbyapplyinganMSExchangeActiveSyncpolicy.
Thedefaultisa4digitPIN,which,ifentered10timesincorrectlywillcausethedevicetowipe.
TheonlywaytochangefromthisdefaultisbyapplyinganExchangepolicywhichwillthenenablethefollowingtobeset:EnforcepasswordondeviceMinimumpasswordlengthMaximumfailedpasswordattemptsNumbersandlettersbothrequiredInactivitytimeinminutesWithMSExchangeServer2007thefollowingadditionalpoliciesaresupported.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page8of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceSimplepasswordallowedorprohibitedPasswordexpirationPasswordhistoryPolicyrefreshintervalMinimumnumberofcomplexcharactersinapasswordThesepoliciesareeitherdeployed"overtheair"oraspartofacongurationprolethatuserscaninstall.
Thepoliciescanbesigned,andpasswordprotectedrequiringan"administrator"toremovethem.
Apolicy"lock"canbeenforced,whichwillrequirethedevicetobewipeduponremovalofthepolicy.
CongurationprolesareXMLleswhichcancontaininformationsuchasserversettings,securitypoliciesthatwillbeappliedtothedevice.
Itsinterestingtonotethatwhencongurationprolesareencrypted,theyautomaticallyenforceencryp-tionofbackupsiniTunes.
Devicerestrictionscanbeappliedwhichcanpreventusersperformingcertainactions,suchasinstallingapplications,accessingYouTube,etc.
7.
2FilesystemEncryptionFallacyAlthoughiOSdevices(iPhone3GS+,andiPad)haveahardware-levelencryptedlesystem,thereisamisconceptionthattheinformationisactuallyprotected.
Thelesystemiseffectivelydecryptedatboot-time(thebootloaderneedstoaccessthelesystemtostartiOS),therebyeffectivelyrenderingtheencryptionredundantintermsofprotectinginformationonarunningiOSdevice.
Wheretheencryptioncomesintoplayiswhena"remotewipe"commandispushedtothedevice,viaeitherMSExchangeorMobileMe.
AtthispointiOSdeletestheencryptionkeysandforcesareboottherebyrenderingtheinformationonthedeviceinaccessible,andindeedunbootable.
8WhereisinformationstoredInordertounderstandtheriskofinformationexposureortheftweneedtounderstandwhereinformationisstoredandhow.
AlthoughiOSisaUNIXbasedoperatingsystemandusesHFSasthelesystem,iOSreliesontwomaintypesoflestostoreandretrieveinformation,andtostorecongurationinformation:Plists(preferencelists)areXMLbasedplaintextles,(orinsomecasebinary)thatcontainvarioussettingsandotherinformationpertainingtoapplicationsandhowtheoperatingsystemiscongured.
SQLitedatabasestypicallycontainapplicationspecicdata.
ToolsarefreelyavailabletointerrogatebothleseitherusingaGUIorviaacommandlineinterface.
ClearlytheselesarethekeypointofinterestforindividualsseekingtoextractinformationfromiOSdevices.
Indeed,thosefamiliarwithUNIXcommandlinetoolssuchasgrepwillbeabletoextractveryinterestinginformationfromeitheroftheseletypes.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page9of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceForallintentsandpurposeseachapplicationwilluseSQLitedatabasestostoredata,thiswillincludeEmails,Imagesandsoforth.
8.
1ProblemswithSQLiteSQLite,accordingtowikipediais:"anACID-compliantembeddedrelationaldatabasemanagementsystemcontainedinarelativelysmall(approx225kB)Cprogramminglibrary.
ThesourcecodeforSQLiteisinthepublicdomain.
"Whichmakesitidealforalowfootprint,swiftandeasytouseplatformfordatamanipulationonasmalldevice.
ThesedatabasescanbeaccessedeitherbycopyingthemoffthedeviceafterJailbreakorbyaccessingtheiTunesbackup.
OnceretrievedtherearemanySQLitedatabaseviewers,whichcomeinveryusefulinexamininglivedataonthedevice.
Whatwehavefoundinourinvestigationsisthatdatastoredinthesedatabasesispersistentandquitetenacious.
Forinstance,whenyoudeleteanotesentryitisjustaggedasdeleted,itisn'tactuallyremoved.
Thisin-formationcannotbeaccessedusingstandardSQLitebrowsers,howeversimpletoolslike"vi"or"strings"canbeusedtoviewthe"deleted"data:Figure1:DeletedDataAlso:theDynamicDictionaryfeaturestoreswholephrasesinadatabase(including,undercertaincir-cumstancescouldincludecreditcardnumbers,passwords,etc)Figure2:DynamicDictionaryiOSlogswhenandhowoftenapplicationshavebeenlaunched:Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page10of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceFigure3:ApplicationLaunchLogThe"EnvelopeIndex"storesEmailheaders,evenfordeletedaccounts,andaccountinformationpersistsinvariousles:Figure4:EnvelopeIndex8.
2iTunesEachtimeyouconnectyourdevicetoyourPC/MaciTunescanbeconguredtoautomaticallybackupyourdevice.
Thisisaveryusefulfeature,anditisaverythoroughbackup,totheextentthatifyouweretoloseyourdeviceandgetanewone,youcanrestorethisbackupandbarelyevennoticeyouhadanewone(moreonthislater).
Thesebackupsarestoredinthefollowinglocations:WindowsXP:C:\DocumentsandSettings\$USERNAME\ApplicationData\AppleComputer\MobileSync\BackupWindowsVistaand7:C:\Users\$USER\AppData\Roaming\AppleComputer\MobileSync\BackupOSX:~/Library/ApplicationSupport/MobileSync/Backup/IntherelevantfolderyouwillndwhatappearstobeafolderorfolderswhosenameconsistsofaUniqueIdentier.
Withinthisfolderareallthebackeduplespertainingtoyourdevice.
Thelesare,simplyput,preferencelistsandSQLitedatabases.
Theydonothavemeaningfulnames,butthatwontdeterusasyouwillseelater.
KeySQLitedatabasesandpliststhataresynchronisedarelistedinappendixA.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page11of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace8.
3LocalFilesystemiOSdeviceshavetwomainpartitions,the"root"orsystempartitionwhereoperatingsystemlesarestored:/dev/disk0s1/rw01andthe"media"partitionwhere"user"lesarestored:/dev/disk0s2/private/varhfsrw,noexec02Undernormal(i.
e.
non-Jailbroken)circumstances,itisonlypossibleforuserstoaccessthemediapartition;eventhenthisaccessisheavilyrestrictedbyapplicationsandboxing.
AccordingtoAppleap-plicationscanonlyaccesslesanddirectoriesintheir"area"onthelesystemforinstanceanexampledirectorystructurecouldbe:|ApplicationGUID||_Application.
app|_Documents/|_Library/Preferences/|_tmp/Thusanygivenapplicationshouldonlyhaveaccesstoits"own"les.
However,onceJailbrokenthefulllesystemisavailabletoapplications,whichaswewillseegreatlyimpactsthesecurityofthedevice.
9AccessingthedataAnefariousindividual'sobjectiveistoaccessthisinformationcovertly,withminimalphysicalaccess,leavinglittleornoevidenceoftampering,ideallypersistentlyandofcoursegettinglotsofsensitivestuffeitherforblackmailorcommercialadvantage.
9.
1SimpleattacksBydefaultiTunesstoredabackupofthedeviceunencrypted.
Whetherornotthebackupisencryptedisenforcedbyaagsetinaplistonthedeviceitself.
Auserspeciedencryptionkeyisalsostoredonthedeviceinthekeychain.
Thekeychainisanencrypteddatabaseofpasswordsstoredbythedevice.
AccessinganunencryptediTunesbackupistrivialaswehaveseenabove,butwhatelsecanwedowiththesebackupsWecancopythemformthehostcomputertoourcomputerforanalysis,wecanevenrestorethebackuptoourphone,effectivelycloningit.
Unfortunatelythekeychaindoesnotsurvivethis(duetothewayitisencrypted)sowewontbeabletoretrievepasswordsthisway.
Wecanalsoeditbackups.
Theyaren'tsigned.
Wecanthenrestorethemback.
IfwegobackalittlebitandlookathowiOSandiTuneshandlesbackupscrudelyputthisishowitoccurs:Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page12of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceFigure5:SynchronisationHandshakeInessenceweneedtoeitherhave"paired"theiOSdevicetoiTunesorweneedtoknowthepasscodeinordertogainaccesstoanunencryptedbackup.
Thereareotherspeedbumpsaswell,forinstanceanExchangepolicycouldmandateencryptedbackups,butagainwecanovercomethis.
Wecanremovethepasscodebyeditingtherelevantplist,(thisiswheregrepcomesinhandyasalltheplistshavewhatseemtobe"random"names)wearelookingforsomethinglikethis:PasswordInformationpinTimeStamp2010-07-20T11:46:22ZRemoveeverythingfromtheinner""savetheleandrestorethedevice.
Bingo.
Nopass-code.
Anothermeansofremovingthepasscodeistodeletethekeychainfromthebackup,butasthiswouldalsoeraseotherpasswordsstoredonthedevice,itiscounterproductiveinthatitwouldhinderourabilitytoretrievefurtherinformationfromthedeviceonceitisunlocked.
ThisbackuptamperingcanbeusedtodefeatalargenumberofsecurityfeaturesthatmaybeenforcedbyExchangepolicies.
Thingssuchas:Policyrefreshintervals,autolock,lockinterval.
Youcanalsousethistechniquetoincreaseyourhighscoresincertaingames.
Theonlylimitsareyourowningenuity.
RemembertokeepabackupofyourˇEbackup.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page13of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceWhatifthepasscodeispresentandactiveonthedeviceandithasn'tbeen"paired"withyourcomputerThisisnotassimpleasitmayseematrstglance.
iOSkeepstrackofwhichcomputersithaspairedwith,sowehavea"chickenandegg"scenario:Inordertoremovethepasscodebybackuptamperingwehavetorstbypassthepasscode.
Wecouldattempttobrute-forceguessthepasscode,however,bydefault,after10failedattemptsthedevicewillwipeitself,whichwouldrenderourmissiontoextractdata,afailure.
Thinkingbrieyaboutthedefault4digitPINbasedpasscode.
Thereare10,000possiblenumbers,(0000-9999).
Givingyoua1in1,000chanceofguessingtherightcombinationwithin10attempts.
Wecouldconceivablyreducethis,byshouldersurng,using"common"PINnumbers,usingsocialengineeringtacticsorinterestinglyexaminethescreentoseeiftherearengerprintsaroundthekeypadareaonthedevicewhichcouldexposedigitspresentinthePIN.
Theparingmechanismseemstobequiterobust,sotheratherobviousadvicehereisthatifyouwanttokeepyourdatasafe,ensurethatyouareverycautiousaboutwhatcomputersyouconnectyourdeviceto.
Backupencryptiondoespresentanotherchallenge.
Thereareonlyreallytwooptionsopentous;Eitherwehavetobruteforceguessthebackuppasswordorwearegoingtohavetoresorttoexploitingthedevice.
.
.
9.
2JailbreakingAsdiscussedearlier,iOSrestrictsaccesstotheentirelesystemtothebaseoperatingsystemitself.
Additionallyitprovidesnonativemeanstoaccesstheunderlyingoperatingsystem.
Jailbreakingessentiallyfoilsthatrestriction,allowingforunrestrictedaccesstothedevice.
Effectivelyputitmeanswecanrunanycodeonthedevicewelike,ignoringrestrictionssuchasapplicationsigning,adheringtoprescribedapplicationsandboxing,andread/writeaccesstothesystempartition.
InordertoJailbreak,vulnerabilitiesmustbeidentiedinthesoftwareorrmwarerunningonthedevice.
ThesevulnerabilitiesmusthavecertaincharacteristicsinordertobeusefulinJailbreaking.
Themostimportantoftheseisthatitmustenableustobeabletorunarbitrarycodeasthe"root"user.
Therearealargenumberof"Jailbreaking"toolsavailableforavarietyforversionsofiOS.
AsapplepatchesvulnerabilitiesiniOSortheBootromsoftheirdevices,Jailbreakershavetondnewvulnerabil-itiestoincorporateintotheirtools.
Jailbreakingisalsodividedintotwobroadcategories:Untethered-MeaningthatonceJailbrokenthedevice,ifrebooted,willstartnormallywithnointerventionTethered-withthistypeofJailbreak,userinterventionisrequiredinorderforthedevicetorestart.
Thedevicewillneedtobeconnectedtoacomputerandeffectivelybere-Jailbrokeninordertoboot.
WhetheradevicecanbeJailbrokenuntethered(whichistheoptimalroute)isdependantonthebootromversion,andthermwareversion.
CurrentlyiOSversions3.
2.
2andearliercanbeJailbrokenuntethered,morerecentversionswillrequirefurtherstepstobetakeninordertoremovethetether(suchasrunningGreenpois0n,analternateJail-breakingtool,afterJailbreakingthedevicewithredsn0w).
Incomingmonthstheseadditionalstepsarelikelytobecomeredundant,thusforbrevitythefollowingJailbreakstepswillworkcleanlyoniOSversionsearlierthan4.
2.
1.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page14of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceI.
e.
ifyouaregoingtoattemptwhatIwilldescribedosomeresearchrst:thereisahighdegreeofriskfortheuninitiatedandunlessyouareluckyorwellinformedyoumightendupwithahighlydesirable,expensiveplacemat.
Update:Asof16thFebruaryredsn0wwasupdatedtoversion4.
2,whichisanuntetheredjailbreak.
ThereforeallversionsofiOSuptoandincluding4.
2.
1canbejailbrokensafely,anduntethered.
ThusthefollowingstepscanbereplicatedonallversionofiOSfortheiPadandiPhone.
9.
3OwningtheDeviceAcommon,andexible,toolavailabletousewithiOS4.
2.
1(andearlier)isredsn0w.
AccuratelyspeakingwedonotneedtofullyJailbreakinordertoaccessdataonthedevice,wejustneedtobeabletobootthedevicewithacustomramdisk.
iOSdeviceshavethefacilitytodothiseitherbydroppinginto"recoverymode"(intendedforoperatingsystemrecoveryorupgrade)orDFUmode(intendedforrmwareupgrade).
Redsn0wdependsuponanexploitknownasLimera1n,whichtakesadvantageofbothofthesemodes,employingbothabootromexploitaswellasauserlandexploittofullyJailbreakthedevice.
Howeveraswedonothaveaccesstothecodeforredsn0w,wecan'tchangeitsbehaviourtostopitfullyJailbreakingthedevice.
Ifwewereabletocustomisetheactionsitwouldbeasimplemattertoremovethedevicepasscodebyeditingthefollowingle:/private/var/ManagedPreferences/mobile/com.
apple.
springboard.
plist(aswewouldhavedoneinthebackuptamperingmethod).
Howeverifwewantedtoremovethebackupencryptionaswell,wewouldhavetodoalittlemore.
Bydeleting(orrenaming)thekeychain:/var/Keychains/keychain-2.
dbwenotonlyremovethepasscode,butalsothekeyusedtoencryptthebackups,thusthebackupswillbeunencrypted.
Sadlywedosacriceotherpasswords,toosuchasemailpasswords,etc.
Redsn0w,thoughostensiblyaJailbreakingtool,isactuallyalittlemore:itcanbeusedtoinstallcustombundles.
Custombundlesareessentiallycompressedarchivescontainingcontent(suchasexecutablebinaries,orevenpreferencelists),whicharecopiedtothedevice.
Thuswecanusethisfeature,tofullyJailbreakthedevice,copysomescriptsandtoolstothedeviceinordertocompromiseit.
Andwecancompromiseitinsuchawaythatthedeviceshowsalmostnoevidencetotheuserthatithasbeen.
Redsn0wdependsonhavingacopyoftherestoreimageforthedevicebeingJailbroken(thesearefreelyavailablefromapple)andwillhavetobedownloadedinadvance.
So,wehavethefollowingscenario:AniPadwithapasscodeset,backupencryptionenabled.
Wehavealaptop(runningOSXorWindows)Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page15of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceAnup-to-dateversionofredsn0wAcustombundle(withOpenSSH,APT,andafewothertoolsandscripts)Acollectionofrestoreimages5minutesleftalonewiththedevice.
AnetworkconnectionWedon'tneedtoworryaboutthedevicebeingpairedtoourlaptopasitsidestepsthedevicepairingrequirement.
Asapartofthe"Jailbreak"thedeviceisputintoDFUmode.
Inthismodethedeviceisinastatewhereitistoallintentsandpurposesunabletocheckwhetheritispairedtothecomputeritisconnectedto.
TheiPadWecantakeaguesstoseeifitisrunning4.
2.
1byickingthehardwareswitchontheside.
Ifitmutesthevolumeonthedevicethereitisquitelikelytobe4.
2.
x.
Priorversionsusedthishardwareswitchtoengagetheorientationlock.
Inlaterversionsusersweregiventheoptiontochoosebetweenmuteandlock;thedefaultbeingmute.
Guessingtheversionofthermwareincorrectlyisnotfatal,itwillsimplymeanthattheJailbreakwillfailandyouwillhavetogothroughitagain.
TheLaptopWehaveredsn0w,wehavelauncheditandselectedtherelevantrmwareforthedevice.
EvenbeforeweconnecttheiPadwecanallowredsn0wtoprocessthermwareandwearepresentedwiththefollowingchoice:Figure6:Redsn0wOptionsWedon'twantcydiatobeinstalled,orthevictimwillseetheiconontheirspringboardinsteadwearegoingtouseoneofourcustombundles.
Wecanthenfollowthestepsthroughredsn0w,thedevicewillreboot.
OncethishascompleteditwillbeJailbrokenandthepasscodewillhavebeenremoved.
Whatthiscustombundledoes:Installsalargenumberofbasicunixtools,andsomekeypackages:OpenSSH(andalaunchscriptsoitstartsatboot)andAPT(sowecaninstalladditionalpackagesfromtheshell).
Italsorunsashellscriptatstartupthatrenamesthekeychain.
Thisremovesthepassphrase.
InordertogetitsIPaddress(sowecanSSHintoit)wecanjustlookinthenetworkpreferencesforitsIPaddress.
OncewehavethatwecanthensimplySSHintothedeviceas"root"(thedefaultpasswordis"Alpine").
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page16of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceInordertoremoveanyobvioustracesofushavingcompromisedthedevicewecanrenamethekeychainback,thiswon'timmediatelyrestorethepasscode,wewillneedtorebootforthattohappen.
Firsttherearesomeotherthingswecando.
UsingAPTwecaninstallothertoolsandutilities:Using"recAudio"willcausetheipadtostartrecordingaudio,thisisahighlyeffectivewaytolisteninonmeetings.
Itstorestheaudioinaiffle,andthiscanthenbecopiedoffthedevice,orascriptcouldbegeneratedtorecordatpredeterminedintervalsandthenuploadtheresultingaudioletoaweborftpserver.
Othertoolssuchas"pirni"canbescheduledtorun,Pirniisanarp-spoongtoolthatactsasaman-in-the-middle,snifngalldataonthewirelessnetwork.
Again,theresultantdatacanbeuploadedtoanexternalserverforcollectionbytheattacker.
"Nmap"canbeusedtomapthewirelessnetwork,andmetasploitcanthenbeusedtoattackandcompro-misehostsidentied,therebyusingtheiPadto"pivot"intothecorporateenvironment.
"Netcat"canbeconguredtoinitiateareverseshelltoahostontheinternetforremotecontrol.
Howeverwealsohaveour"increasedstealth"custombundle,onethat:LeavesthekeychainintactInstallsOpenSSHInstallstheabovetoolsGathersinformationfromthedevice(thedynamicdictionary,Emails,calendarentriesetc)anduploadsittomywebserver.
SchedulesrecordingsanduploadsthemtomywebserverAttemptsareverseshelltomyservereachtimeitdetectsanetworkconnection.
Tweetsthegeographicallocationofthedevicedaily103rdPartyApplicationsecurityEvenlegitimateapplicationscanintroducerisksintoacorporateenvironment.
AsImentionedinthein-troductionIamgoingtoavoidnamingspecicapplicationsorvendors(theywillorhavebeencontacteddirectly)withregardtosecurityissues.
BroadlyspeakingIhaveidentiedtwoprevalentcategoriesofrisk:10.
1ApplicationsstoringsensitivedatainsecurelyManyapplicationshavetheabilitytoaccesssensitivedata.
Thisdatacouldbeasbasicassocialnet-workingsites,downloadingandviewingdocumentsorascomplexasremotedesktopfunctionalityforaccessingcorporateresources.
Inanycasewehaveidentiedalargenumberofapplicationsthatstorecredentialslocallyinplaintext.
Thesecredentialscanbeforcorporateservers,internetlestores,websitesorevenforlocalaccesstotheapplication.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page17of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceOtherapplicationswehaveseencacheinformationlocallyonthedevice,sothatitcanbeviewedormanipulatedofine.
Theselocalcachesarerarelyencrypted.
Inbothcasesinsecurestorageofcacheddataorcredentialsisabadthing,asitwillbesynchronisedbacktoiTunesincleartext(ifencryptedbackupsarenotenabled).
Failingthat,thedatacaneasilyberetrievedafteraJailbreak.
ThereforewhenassessingapplicationsforusewithinacorporateenvironmentitisimportanttoensurethatthedevelopershaveelectedtousetheiOSencryptedkeychain(asrecommendedbyapple)andthattheyareencryptinganylocallycacheddata.
Anotherinteresting"feature"ofiOSitselfcanintroduceweaknessesinapplicationindirectly:theDy-namicDictionary.
Evenifanapplicationisnotstoringinformationorcredentialsinaninsecureformat,itismrethanlikelythattheDynamicDictionarywill.
Iteffectivelyactsasakeyloggeronthedevice.
Wehaveseeninstanceswherethedictionaryhasstoredpasswords,contactinformationandallmannerofinformationthatwouldgiveanyindividualcausetopale.
10.
2ApplicationsthatopenservicesonanetworkThereareseveralmethodsthatapplicationscanusefacilitatethetransferofdatafromothersourcessuchasthelocalnetwork,theinternetoradesktopcomputer.
Itisfairlycommonforapplicationsthatviewormanipulatedocumentstorunawebservertofacilitateletransfers.
UsersthencanuseawebbrowseronanotherdeviceorcomputertoconnecttotheiPadtouploadcontent.
Thismaynotseemaparticularlyhighlevelrisk,howeverinsomecaseswehaveseentheseapplicationsbroadcasttheseservicesvia"bonjour"andalmostwithoutexceptionusepredictableTCPportsfortheirservicesmakingthemeasytoidentifyonanetwork.
Suchserversusually(ifnotalways)bydefaultrequirenoauthentication.
iPadsdeployedincorporateenvironmentswillalmostcertainlybeusedtoviewandsharesensitiveinformation.
Itmaybethatusersareinadvertentlysharingthisinformationwhentheyconnecttothefreewirelessattheirlocalcoffeeshop.
11GoodPractise(i.
e.
Howdowexit)11.
1PhysicalsecurityClearlyphysicalcontrolofthedeviceisparamount.
DetectingifadevicehasbeenstealthilyJailbrokenwithoutactuallyJailbreakingitistricky,itcanbedone,butitisbettertonotletithappen.
IfyoudolosephysicalcontrolofthedevicewhatthenIfitwasleftaloneforaperiodoftime,orifitwaslostandthenreturnedyoushouldassumethatithasbeencompromised.
Restorethedevice;thiswilleffectivelyremovetheJailbreak,(iTunesdoesn'tbackupanyoftheJailbreakoritsdata).
Ifithasgonemissingattempttoremotewipethedevice,howeverbeawarethatsimplyremovingtheSIMfromthedevicecandefeatthis.
AlsorememberdotheremotewipebeforeyoucanceltheSIM,forobviousreasons.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page18of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace11.
2PolicyControlsCorporatepoliciesshouldforbidJailbreaking.
ThereisnoguaranteethatevenifthedevicehasbeenJailbroken"legitimately"thatapplicationsinstalledvia3rdpartyapplicationstoressuchasCydiadonotcontainhostilecode.
Determinewhatdatashouldbepermittedonthedevice.
Corporateandpersonaldatashouldnotmix.
Highlysensitiveinformationshouldneverbestoredlocallyonthedeviceunlessappropriatelyencrypted.
Controlwhatapplicationsshouldberunonthedevice,3rdpartyapplicationscanintroducethreats.
Userawarenessandeducationisparamount.
Makecertainthatusersareeducatedastothethreatstotheirownaswellascompanydata.
11.
3TechnicalrestrictionsUseapplicationsthatenforcedatasegregation.
Thereareseveralapplicationsthatusetheirownemail,calendarandcontactprograms,andwhichenforcelocalencryptioneffectivelycreatingasecondary"sandbox"inwhichcorporatedatacanbehandled.
SomeoftheseapplicationsuseJailbreakdetectionandrefusetorunifapolicyissettothateffect.
EmployExchangesecuritypoliciestotheirbesteffect,lockdownasmuchaspossible.
Rememberifthedeviceissynchronisedregularlyitdoesn'tmatterifitiswipedafter3failedpasscodeattempts,itcanberestored.
Protectthecomputerthatthedeviceisbeingsynchronisedto!
Ifyoulosethebackupofthedevice,youlosecontrolofthedatathathasbeenstoredonit.
Examinethecapabilitiesof3rdpartyapps.
DotheyopennetworkportsfordocumentsharingHavethemsecuritytestedforvulnerabilitiesthatcouldexposesensitiveinformation.
Considerusingdevicesasthinclients.
Therearemanyremotedesktopclientsouttherethatareser-viceable.
(butagain,ensurethattheyaren'tcachingcredentialsinplaintextonthedevice.
Getthemtested!
)Restorefrequently.
Amonthlyrestoreofthedeviceshouldprovidesomeassurancethatitisnotcompro-mised.
EnsurethatdevicesaremaintainedattheirlatestrmwareversionReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page19of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceAppendixAListofkeylesbackedupbyiTunesLibrary_AddressBook_AddressBook.
sqlitedbLibrary_AddressBook_AddressBookImages.
sqlitedbLibrary_Calendar_Calendar.
sqlitedbLibrary_CallHistory_call_history.
dbLibrary_Cookies_Cookies.
plistLibrary_Keyboard_dynamic-text.
datLibrary_LockBackground.
jpgLibrary_Mail_Accounts.
plistLibrary_Mail_AutoFetchEnabledLibrary_Maps_Bookmarks.
plistLibrary_Maps_History.
plistLibrary_Notes_notes.
dbLibrary_Preferences_.
GlobalPreferences.
plistLibrary_Preferences_SBShutdownCookieLibrary_Preferences_SystemConguration_com.
apple.
AutoWake.
plistLibrary_Preferences_SystemConguration_com.
apple.
network.
identication.
plistLibrary_Preferences_SystemConguration_com.
apple.
wi.
plistLibrary_Preferences_SystemConguration_preferences.
plistLibrary_Preferences_com.
apple.
AppSupport.
plistLibrary_Preferences_com.
apple.
BTServer.
plistLibrary_Preferences_com.
apple.
Maps.
plistLibrary_Preferences_com.
apple.
MobileSMS.
plistLibrary_Preferences_com.
apple.
PeoplePicker.
plistLibrary_Preferences_com.
apple.
Preferences.
plistLibrary_Preferences_com.
apple.
WebFoundation.
plistLibrary_Preferences_com.
apple.
calculator.
plistLibrary_Preferences_com.
apple.
celestial.
plistLibrary_Preferences_com.
apple.
commcenter.
plistLibrary_Preferences_com.
apple.
mobilecal.
alarmengine.
plistLibrary_Preferences_com.
apple.
mobilecal.
plistLibrary_Preferences_com.
apple.
mobileipod.
plistLibrary_Preferences_com.
apple.
mobilemail.
plistLibrary_Preferences_com.
apple.
mobilenotes.
plistLibrary_Preferences_com.
apple.
mobilephone.
plistLibrary_Preferences_com.
apple.
mobilephone.
speeddial.
plistLibrary_Preferences_com.
apple.
mobilesafari.
plistLibrary_Preferences_com.
apple.
mobileslideshow.
plistLibrary_Preferences_com.
apple.
mobiletimer.
plistLibrary_Preferences_com.
apple.
mobilevpn.
plistLibrary_Preferences_com.
apple.
preferences.
network.
plistLibrary_Preferences_com.
apple.
preferences.
sounds.
plistLibrary_Preferences_com.
apple.
springboard.
plistLibrary_Preferences_com.
apple.
stocks.
plistLibrary_Preferences_com.
apple.
weather.
plistLibrary_Preferences_com.
apple.
youtube.
plistLibrary_Preferences_csidataLibrary_SMS_sms.
dbReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page20of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceLibrary_Safari_Bookmarks.
plistLibrary_Safari_History.
plistLibrary_Voicemail_.
tokenReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page21of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceAppendixBCitations/Furtherreadinghttp://www.
apple.
com/uk/ipad/business/integration/http://blog.
iphone-dev.
org/http://www.
theiphonespot.
net/p=7561http://www.
zdziarski.
com/blog/cat=11http://xsellize.
com/index.
phphttp://www.
greenpois0n.
comReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page22of22
丽萨主机:美国CN2 GIA精品网/KVM/9折,美国原生IP,最低27元/月
丽萨主机怎么样?丽萨主机,团队于2017年成立。成立之初主要做的是 CDN 和域名等相关业务。最近开辟新领域,新增了独立服务器出租、VPS 等业务,为了保证业务质量从一开始就选择了中美之间的 CN2 GIA 国际精品网络,三网回程 CN2 GIA,电信去程 CN2 GIA + BGP 直连智能路由,联通移动去程直连,原生IP。适合对网络要求较高的用户,同时价格也比较亲民。点击进入:丽萨主机官方网站...
Nocser:马来西亚独立服务器促销$60.00/月
Nocser刚刚在WHT发布了几款促销服务器,Intel Xeon X3430,8GB内存,1TB HDD,30M不限流量,月付$60.00。Nocser是一家注册于马来西亚的主机商,主要经营虚拟主机、VPS和马来西亚独立服务器业务,数据中心位于马来西亚AIMS机房,线路方面,AIMS到国内电信一般,绕日本NTT;联通和移动比较友好,联通走新加坡,移动走香港,延迟都在100左右。促销马来西亚服务器...
TMThosting夏季促销:VPS月付7折,年付65折,独立服务器95折,西雅图机房
TMThosting发布了一个2021 Summer Sale活动,针对西雅图VPS主机提供月付7折优惠码,年付65折优惠码,独立服务器提供95折优惠码,本轮促销活动到7月25日。这是一家成立于2018年的国外主机商,主要提供VPS和独立服务器租用业务,数据中心包括美国西雅图和达拉斯,其中VPS基于KVM架构,都有提供免费的DDoS保护,支持选择Windows或者Linux操作系统。Budget ...
ipad代理为你推荐
-
apple.com.cn苹果官方网址到底是http://store.apple.com/cn/?还是 http://www.apple.com.cn????phpcms模板请教 phpcms v9 如何设置新模板为系统默认模板?linux防火墙设置LINUX系统怎么关闭防火墙德国iphone禁售令德国IPHONE多少钱?急~中国企业信息网中国企业网怎么样什么是支付宝支付宝是什么意思?申请支付宝账户我要申请支付宝账户滴滴估值500亿开滴滴怎么才能月入一万,平均一天400纯收入,求指点小型汽车网上自主编号申请请问各位大虾,如何在网上选车牌号?瑞东集团海澜集团有限公司怎么样?