Portcullis Whitepaper (General Release)

Apple iPad In the Work Place

Written By Russ Spooner
Portcullis Computer Security LTD
The Grange Barn, Pike's End, Pinner, Middlesex HA5 2EX
Tel: 020 8868 0098  Fax: 020 8868 0017
rus@portcullis-security.com

Document Reference: Whitepapers/WPIOS2011/wp_WPIOS2011_0.3
Version 0.3
Date 16 February 2011
© Copyright Portcullis Computer Security Limited 2011

1 Document History

Revision  Author  Role    Date        Comments
0.1       RUS     Author  09/02/2011  Initial First Draft
0.2       RUS     Author  15/02/2011  Minor Revisions
0.3       RUS     Author  16/02/2011  Updated to reflect new version of redsn0w

Table 1: Document Revision History

2 Table Of Contents

1 Document History
2 Table Of Contents
  2.1 List Of Figures
  2.2 List Of Tables
3 Introduction
4 The State Of Play
5 Evolution
6 Deployments
  6.1 Why are we deploying
  6.2 Where are we deploying
  6.3 Personal vs Private Property
  6.4 Why does this matter
7 Core Security Features
  7.1 Device policies/profiles
  7.2 Filesystem Encryption Fallacy
8 Where is information stored
  8.1 Problems with SQLite
  8.2 iTunes
  8.3 Local Filesystem
9 Accessing the data
  9.1 Simple attacks
  9.2 Jailbreaking
  9.3 Owning the Device
10 3rd Party Application security
  10.1 Applications storing sensitive data insecurely
  10.2 Applications that open services on a network
11 Good Practice (i.e. How do we fix it)
  11.1 Physical security
  11.2 Policy Controls
  11.3 Technical restrictions
Appendix A List of key files backed up by iTunes
Appendix B Citations/Further reading

2.1 List of Figures

1 Deleted Data
2 Dynamic Dictionary
3 Application Launch Log
4 Envelope Index
5 Synchronisation Handshake
6 Redsn0w Options

2.2 List of Tables

1 Document Revision History

3 Introduction

Security considerations for iOS 4.2.1 and earlier, iPad.

iOS devices such as the iPad are becoming increasingly prevalent in work environments, largely due to their ease of use and flexibility, but also due to the so-called "halo effect".

What most users, both corporate and individual, often do not acknowledge are the security weaknesses in the Apple iOS operating system, and additionally in iTunes, which can easily result in the exposure of highly sensitive information and the compromise of the device itself.

In this whitepaper I will outline and enumerate many of the issues surrounding the introduction of the iPad into the workplace, with particular regard to the exposure and theft of sensitive information, the countermeasures employed by Apple, and how in most cases they are trivially bypassed.

The information provided in this whitepaper is not entirely my own work and references publicly available tools and information; if I have missed any attribution, please do not hesitate to contact me.

The intended audience is technical/managerial: in parts it will be moderately technical, but the key focus is the provision of information to those planning or evaluating rollouts of iOS-based devices, so that they are able to understand accurately the risks associated with this.

The reason I am writing this paper is that Portcullis have been approached with increasing frequency to perform security assessments of the iPad, to give our perception of the device's security, or to provide guidance on deploying them securely. In a sense this is a summation of my findings. It is not by any means intended to dissuade, impede or scaremonger, but rather to enable an informed understanding of the risks that these devices may introduce. Wherever possible I will suggest mitigating strategies; in some cases none are possible.

Wherever possible I will also steer away from naming specific 3rd party applications or vendors, as it is not my intent either to endorse or to condemn them. Trademarks or registered trademarks are the property of their respective owner(s).
4 The State Of Play

For the sake of this document we are going to assume that we are dealing with the iPad 3G running iOS 4.2.1. Although there are other versions of hardware running iOS currently in circulation, and they will be mentioned where it is meritorious or useful as a comparison, we are looking at iPad deployments.
5 Evolution

The iPhone was first released to the public in 2007, running a derivative of Mac OS X/Darwin compiled for the ARM processor, which became known as iOS.

Apple released Darwin, an open source operating system, in 2000; it is POSIX compliant and is compatible with the Single UNIX Specification version 3 (SUSv3).

Despite the inherent flexibility of the base operating system, initial releases of iOS provided no intended facility for running 3rd party applications, instead relying on web applications to deliver functionality beyond that of the built-in applications. However, enterprising individuals on the internet were quickly able to "Jailbreak" the operating system, effectively gaining interactive access to the underlying operating system. Common UNIX utilities were easily ported to iOS and soon many unofficial 3rd party applications started to appear.

Perhaps as a reaction to this, Apple announced an official SDK in October 2007. In March 2008 Apple released its first beta of the iPhone SDK, which would permit developers to officially develop native applications for the operating system. The applications would be distributed via the Apple "App Store" and, of course, iTunes.

Despite this, Jailbreaking remained popular, in some part due to the restrictions placed upon developers. For instance, applications which used Apple "private" APIs were (and are) rejected by Apple, and therefore the only viable release vector for them was through the "unofficial" app stores (Cydia, Icy and Rock). Unofficial 3rd party applications which extend the functionality and customisability of the iOS interface/launcher (SpringBoard), such as Winterboard, have also helped to ensure that Jailbreaking is a popular and sought-after procedure. Naturally a sizeable number of Jailbreakers do so in order to "pirate" official 3rd party applications, and also to remove carrier locks from the iPhone baseband.

It is estimated that anywhere between 10 and 20% of iOS devices have been Jailbroken, which equates to a vast number of devices. For instance, analysts anticipate that Apple will have sold over 100 million iPhones by 2011, and the Wall Street Journal estimates 20 million iPads will sell in the same year.

Apple responded with each subsequent release of iOS with countermeasures intended to close vulnerabilities in the operating system and its components, effectively stopping Jailbreaking. However this has led to a "cat and mouse" approach to vulnerability research and development, i.e. vulnerabilities which may result in "root" level compromise of the device are closely guarded and shared principally amongst members of the Jailbreaking development community.

Naturally suppression of Jailbreaking has not been the sole motive of updates to iOS. New features and functionality have been gradually introduced to address many of the perceived shortcomings of the operating system, such as multitasking, copy and paste, improved battery usage etc. Successive iterations of iOS devices have also sought to improve performance and indeed security of the device. For instance, with the iPhone 3GS and the iPad hardware encryption was introduced.

The iPad was actually developed before the iPhone, but it was realised that the technology would work well as a mobile phone platform, and emphasis was shifted in that direction. The iPad was finally announced in January 2010 and released in April. The versions of iOS running on the iPad and iPhone were converged in November 2010 with the release of version 4.2.
6 Deployments

6.1 Why are we deploying

There are many reasons why companies, institutions and even schools are seeking to deploy the iPad. Many of these are not business related:

- Ease of access to information
- A consistent, easily maintained platform
- Portability
- Robust hardware
- To reduce paper use
- Improved communications
- Relatively low cost
- Security features (often said with a straight face)
- They are "shiny"

6.2 Where are we deploying

At Portcullis we deal with companies from all sectors, usually those with a very low risk appetite. We have so far been approached by clients looking at small deployments (fewer than 100 devices) in areas such as:

- Financial
- Media
- Communications

But anecdotally and via the press we are seeing large demand in:

- Education
- Local Government
- Healthcare

So that covers most sectors. What is interesting is that we are seeing the primary demand and deployment targets coming from, and going to, the "board level". Students and medical staff seem to be the principal targets in the public sector.

6.3 Personal vs Private Property

It is important to understand who "owns" the device. Is this a personal device that is being connected to corporate resources? Is it a corporate device that is being connected to personal resources?

The devices are media centric, meaning that they are designed for games, music, photos and films as well as web browsing and information viewing/sharing. Corporations and institutions need to be aware that there is a strong possibility that data on the device can become blended, i.e. that corporate data is stored alongside personal data. Such blended data can then be synchronised into either a corporate or a home environment.

The obvious risk is that if a device which has been used to access corporate data is backed up to a personal computer, that corporate data is effectively propagated to that computer. Conversely there may be support and policy considerations (not to mention potential copyright issues) should a device be synchronised with a corporate computer. For instance it may be against company policy for iTunes to be installed.

Other, less obvious, risks are features within applications such as MobileMail. The "unified inbox" is a good example of this. If multiple email accounts are configured on the device they can become effectively merged into one "inbox", and it can then become very easy to compose or forward mails via the "wrong" account. This may bypass content filtering requirements or email archiving policies.

6.4 Why does this matter

In essence, who uses iPads shouldn't matter. However, when you consider the reasons for deploying them and who they are being deployed to, and then contrast that with the probability of information exposure, we have a rather unappealing scenario: highly sensitive information is being stored on a low security system.
7 Core Security Features

Here we are going to take a look at the core security features of iOS devices, at both the hardware and software levels.

7.1 Device policies/profiles

Passcodes can be set by users, or by applying an MS Exchange ActiveSync policy. The default is a 4 digit PIN which, if entered incorrectly 10 times, will cause the device to wipe. The way to change from this default centrally is to apply an Exchange policy (or, as below, a configuration profile), which enables the following to be set:

- Enforce password on device
- Minimum password length
- Maximum failed password attempts
- Numbers and letters both required
- Inactivity time in minutes

With MS Exchange Server 2007 the following additional policies are supported:

- Simple password allowed or prohibited
- Password expiration
- Password history
- Policy refresh interval
- Minimum number of complex characters in a password

These policies are either deployed "over the air" or as part of a configuration profile that users can install. The profiles can be signed, and password protected, requiring an "administrator" to remove them. A policy "lock" can be enforced, which will require the device to be wiped upon removal of the policy.

Configuration profiles are XML files which can contain information such as server settings and the security policies that will be applied to the device. It is interesting to note that when configuration profiles are encrypted, they automatically enforce encryption of backups in iTunes.

Device restrictions can also be applied which prevent users performing certain actions, such as installing applications, accessing YouTube, etc.
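To make the policy settings above concrete, the following added example (not from the paper, and not Apple's or Portcullis' code) builds a passcode-policy configuration profile with Python's plistlib and then audits a profile for the weaknesses this section discusses. The payload type and key names are those of Apple's configuration profile format; the organisation name, identifiers and thresholds are this example's own choices. WEAK approximates the out-of-the-box state (simple 4-digit PIN, no inactivity lock); HARDENED is what a policy can enforce instead.

```python
import plistlib
import uuid

# Payload type and keys are from Apple's configuration profile format;
# identifiers, organisation name and the thresholds are this example's own.
PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"


def build_passcode_profile(settings, org="Example Corp"):
    """Wrap one passcode policy payload in an (unsigned) configuration profile
    and return it as an XML plist, ready for signing or over-the-air delivery."""
    payload = {
        "PayloadType": PASSCODE_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ipad.passcode",   # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
    }
    payload.update(settings)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.ipad",            # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": org + " iPad policy",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,   # the "lock": an administrator must remove it
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


# The out-of-the-box state the paper describes: a simple 4-digit PIN and
# nothing but the 10-attempt wipe standing between a thief and the data.
WEAK = {"forcePIN": True, "allowSimple": True, "minLength": 4,
        "maxFailedAttempts": 10}

# What an Exchange or profile policy can enforce instead.
HARDENED = {
    "forcePIN": True,
    "allowSimple": False,          # no 4-digit PIN
    "requireAlphanumeric": True,   # numbers and letters both required
    "minLength": 8,
    "minComplexChars": 1,
    "maxInactivity": 5,            # minutes of inactivity before auto-lock
    "maxGracePeriod": 0,           # passcode required immediately on wake
    "maxFailedAttempts": 10,       # wipe after 10 failures
    "maxPINAgeInDays": 90,         # password expiration
    "pinHistory": 4,               # password history
}


def audit_profile(profile_bytes):
    """Parse a profile and list every way its passcode policy falls short."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    if not profile.get("PayloadRemovalDisallowed"):
        findings.append("profile can be removed by the user")
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != PASSCODE_PAYLOAD:
            continue
        if not p.get("forcePIN"):
            findings.append("no passcode enforced")
        if p.get("allowSimple", True):
            findings.append("simple (4-digit) passcode allowed")
        if not p.get("requireAlphanumeric"):
            findings.append("alphanumeric passcode not required")
        if p.get("minLength", 0) < 8:
            findings.append("minLength below 8")
        if "maxInactivity" not in p:
            findings.append("no inactivity timeout")
        if "maxFailedAttempts" not in p:
            findings.append("no failed-attempt limit (wipe) configured")
    return findings


if __name__ == "__main__":
    for label, settings in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_profile(build_passcode_profile(settings)) or "ok")
```

The same audit can be pointed at a .mobileconfig exported from a deployment, since plistlib reads both the XML and binary forms; a profile that passes it still needs signing before users are asked to install it.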
7.2 Filesystem Encryption Fallacy

Although iOS devices (iPhone 3GS and later, and iPad) have a hardware-level encrypted filesystem, there is a misconception that the information on them is actually protected. The filesystem is effectively decrypted at boot time (the bootloader needs to access the filesystem to start iOS), thereby rendering the encryption redundant in terms of protecting information on a running iOS device. (This describes the whole-volume layer; iOS 4 also introduced per-file Data Protection classes, keyed from the passcode, for applications that opt in, which this paper does not cover.)

Where the encryption does come into play is when a "remote wipe" command is pushed to the device, via either MS Exchange or MobileMe. At this point iOS deletes the encryption keys and forces a reboot, thereby rendering the information on the device inaccessible, and indeed the device unbootable.
8 Where is information stored

In order to understand the risk of information exposure or theft we need to understand where information is stored and how. Although iOS is a UNIX-based operating system and uses HFS as the filesystem, iOS relies on two main types of file to store and retrieve information, and to store configuration information:

- Plists (property lists, often called preference lists) are XML-based plain text files (or in some cases binary files) that contain various settings and other information pertaining to applications and to how the operating system is configured.
- SQLite databases typically contain application-specific data.

Tools are freely available to interrogate both types of file, either using a GUI or via a command line interface. Clearly these files are the key point of interest for individuals seeking to extract information from iOS devices. Indeed, those familiar with UNIX command line tools such as grep will be able to extract very interesting information from either of these file types.

For all intents and purposes each application will use SQLite databases to store data; this will include emails, images and so forth.
8.1 Problems with SQLite

SQLite, according to Wikipedia, is: "an ACID-compliant embedded relational database management system contained in a relatively small (approx 225 kB) C programming library. The source code for SQLite is in the public domain." This makes it ideal as a low footprint, swift and easy to use platform for data manipulation on a small device.

These databases can be accessed either by copying them off the device after a Jailbreak or by accessing the iTunes backup. Once retrieved, there are many SQLite database viewers which come in very useful in examining live data from the device.

What we have found in our investigations is that data stored in these databases is persistent and quite tenacious. For instance, when you delete a Notes entry the row is only unlinked from the table; its bytes are not actually removed from the file. This information cannot be accessed using standard SQLite browsers, however simple tools like "vi" or "strings" can be used to view the "deleted" data:

Figure 1: Deleted Data

Also, the Dynamic Dictionary feature stores whole phrases in a database (which, under certain circumstances, could include credit card numbers, passwords, etc):

Figure 2: Dynamic Dictionary

iOS logs when and how often applications have been launched:

Figure 3: Application Launch Log

The "Envelope Index" stores email headers, even for deleted accounts, and account information persists in various files:

Figure 4: Envelope Index
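The retention described above can be reproduced with SQLite itself. The following added example (not from the paper, and not Apple's code) creates a small notes table, deletes one row, confirms the row is gone from the query interface, and then runs a strings-style scan over the raw file. With SQLite's default setting the freed cell is merely unlinked from the page, so the text is still there; with PRAGMA secure_delete=ON the freed bytes are zeroed. The note text and table layout are constructed sample data.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample data: the note we will "delete" and two we keep.
DELETED_NOTE = "board meeting: new account passcode 734-991"
KEPT_NOTES = ["shopping list", "call dentist on Tuesday"]


def build_and_delete(path, secure_delete):
    """Create a notes table, insert three rows, delete one, close the file.
    secure_delete=False is SQLite's default behaviour (freed cells are left
    in place); True makes SQLite overwrite freed content with zeros."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE note (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO note (body) VALUES (?)",
                    [(KEPT_NOTES[0],), (DELETED_NOTE,), (KEPT_NOTES[1],)])
    con.commit()
    con.execute("DELETE FROM note WHERE body = ?", (DELETED_NOTE,))
    con.commit()
    con.close()


def strings_like(raw, min_len=8):
    """Equivalent of strings(1): printable ASCII runs of at least min_len bytes."""
    return [m.group().decode() for m in
            re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw)]


def deleted_text_recoverable(secure_delete=False):
    """True if the deleted note can still be found in the raw database file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notes.db")
        build_and_delete(path, secure_delete)
        con = sqlite3.connect(path)
        live = [row[0] for row in con.execute("SELECT body FROM note")]
        con.close()
        assert DELETED_NOTE not in live      # gone as far as SQL is concerned
        with open(path, "rb") as f:
            raw = f.read()
    return any(DELETED_NOTE in s for s in strings_like(raw))


if __name__ == "__main__":
    print("default build :", "recoverable" if deleted_text_recoverable(False) else "gone")
    print("secure_delete :", "recoverable" if deleted_text_recoverable(True) else "gone")
```

For an application that must not leave deleted content behind, secure_delete must be set on every connection that writes the file; running VACUUM after deletions rebuilds the file without the free space and has the same effect on data already deleted. Neither helps once the file has been copied out of a backup, which is the case the paper is concerned with.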
8.2 iTunes

Each time you connect your device to your PC/Mac, iTunes can be configured to back up your device automatically. This is a very useful feature, and it is a very thorough backup, to the extent that if you were to lose your device and get a new one, you could restore this backup and barely notice you had a new one (more on this later).

These backups are stored in the following locations:

Windows XP:        C:\Documents and Settings\$USERNAME\Application Data\Apple Computer\MobileSync\Backup
Windows Vista and 7: C:\Users\$USER\AppData\Roaming\Apple Computer\MobileSync\Backup
OS X:              ~/Library/Application Support/MobileSync/Backup/

In the relevant folder you will find what appears to be a folder, or folders, whose name consists of a unique identifier. Within this folder are all the backed up files pertaining to your device. The files are, simply put, preference lists and SQLite databases. They do not have meaningful names, but that won't deter us, as you will see later. Key SQLite databases and plists that are synchronised are listed in Appendix A.
8.3 Local Filesystem

iOS devices have two main partitions: the "root" or system partition, where operating system files are stored:

    /dev/disk0s1  /  rw  0 1

and the "media" partition, where "user" files are stored:

    /dev/disk0s2  /private/var  hfs  rw,noexec  0 2

Under normal (i.e. non-Jailbroken) circumstances it is only possible for users to access the media partition; even then this access is heavily restricted by application sandboxing. According to Apple, applications can only access files and directories in their own "area" of the filesystem; for instance an example directory structure could be:

    <Application GUID>/
        Application.app
        Documents/
        Library/Preferences/
        tmp/

Thus any given application should only have access to its "own" files. However, once Jailbroken, the full filesystem is available to applications, which as we will see greatly impacts the security of the device.
9 Accessing the data

A nefarious individual's objective is to access this information covertly, with minimal physical access, leaving little or no evidence of tampering, ideally persistently, and of course getting lots of sensitive material, either for blackmail or for commercial advantage.
9.1 Simple attacks

By default iTunes stores a backup of the device unencrypted. Whether or not the backup is encrypted is enforced by a flag set in a plist on the device itself. A user-specified encryption key is also stored on the device in the keychain. The keychain is an encrypted database of passwords stored by the device.

Accessing an unencrypted iTunes backup is trivial, as we have seen above, but what else can we do with these backups? We can copy them from the host computer to our own computer for analysis; we can even restore the backup to our own phone, effectively cloning it. Unfortunately the keychain does not survive this (due to the way it is encrypted), so we won't be able to retrieve passwords this way.

We can also edit backups. They aren't signed. We can then restore them back. If we go back a little and look at how iOS and iTunes handle backups, crudely put this is how it occurs:

Figure 5: Synchronisation Handshake

In essence we need either to have "paired" the iOS device to iTunes, or to know the passcode, in order to gain access to an unencrypted backup. There are other speed bumps as well; for instance an Exchange policy could mandate encrypted backups, but again we can overcome this.

We can remove the passcode by editing the relevant plist (this is where grep comes in handy, as all the plists have what seem to be "random" names); we are looking for something like this:

    PasswordInformation
        pin
        TimeStamp   2010-07-20T11:46:22Z

Remove everything inside the inner "" (the pin value), save the file and restore the device. Bingo. No passcode.

Another means of removing the passcode is to delete the keychain from the backup, but as this would also erase other passwords stored on the device it is counterproductive, in that it would hinder our ability to retrieve further information from the device once it is unlocked.

This backup tampering can be used to defeat a large number of security features that may be enforced by Exchange policies: things such as policy refresh intervals, autolock and lock interval. You can also use this technique to increase your high scores in certain games. The only limits are your own ingenuity. Remember to keep a backup of your backup.

What if the passcode is present and active on the device and it hasn't been "paired" with your computer? This is not as simple as it may seem at first glance. iOS keeps track of which computers it has paired with, so we have a "chicken and egg" scenario: in order to remove the passcode by backup tampering we have first to bypass the passcode.

We could attempt to brute-force the passcode; however, by default, after 10 failed attempts the device will wipe itself, which would render our mission to extract data a failure. Thinking briefly about the default 4 digit PIN-based passcode: there are 10,000 possible numbers (0000-9999), giving a 1 in 1,000 chance of guessing the right combination within 10 attempts. We could conceivably improve these odds by shoulder surfing, by trying "common" PINs, by using social engineering tactics or, interestingly, by examining the screen for fingerprints around the keypad area of the device, which could expose the digits present in the PIN.

The pairing mechanism seems to be quite robust, so the rather obvious advice here is that if you want to keep your data safe, be very cautious about which computers you connect your device to.

Backup encryption does present another challenge. There are only really two options open to us: either we brute-force the backup password, or we are going to have to resort to exploiting the device...
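The two practical problems in sections 8.2 and 9.1, identifying what an unnamed backup file is and finding which plist holds a given key, are what the grep step above solves by hand. The following added example (not from the paper, not Apple's code) does both: it classifies files by their header bytes ("SQLite format 3", "bplist00" or an XML prolog) and walks every plist for a key such as PasswordInformation, reporting the path to it. The demo builds a stand-in backup folder of three files; the file names, the "pin" value and the timestamp are constructed, and the layout of the PasswordInformation dictionary is an assumption based only on the keys the paper shows.

```python
import datetime
import os
import plistlib
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def classify(path):
    """Identify a backup file by its header, since the names carry no meaning."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if head.startswith(b"bplist00"):
        return "plist-binary"
    if head.lstrip().startswith(b"<?xml") or head.startswith(b"<plist"):
        return "plist-xml"
    return "other"


def _walk(node, key, path=()):
    """Yield (path, value) for every occurrence of `key` in a parsed plist."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield path + (k,), v
            yield from _walk(v, key, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, key, path + (i,))


def find_key(backup_dir, key):
    """Return [(filename, path, value)] for every plist in the folder holding
    `key`; plistlib.load accepts both the XML and binary forms."""
    hits = []
    for name in sorted(os.listdir(backup_dir)):
        full = os.path.join(backup_dir, name)
        if not classify(full).startswith("plist"):
            continue
        with open(full, "rb") as f:
            try:
                data = plistlib.load(f)
            except Exception:          # header looked right but it is not a plist
                continue
        for path, value in _walk(data, key):
            hits.append((name, path, value))
    return hits


def demo():
    """Constructed stand-in for a backup folder: one SQLite database, one
    binary plist carrying a PasswordInformation dict (assumed layout, made-up
    values) and one unrelated XML plist. Returns the classification and hits."""
    with tempfile.TemporaryDirectory() as d:
        con = sqlite3.connect(os.path.join(d, "0a1b2c"))
        con.execute("CREATE TABLE note (body TEXT)")
        con.commit()
        con.close()
        with open(os.path.join(d, "3d4e5f"), "wb") as f:
            plistlib.dump({"PasswordInformation": {
                "pin": "1234",                                   # constructed
                "TimeStamp": datetime.datetime(2010, 7, 20, 11, 46, 22),
            }}, f, fmt=plistlib.FMT_BINARY)
        with open(os.path.join(d, "6a7b8c"), "wb") as f:
            plistlib.dump({"AutoFetchEnabled": True}, f)        # XML form
        types = {n: classify(os.path.join(d, n)) for n in sorted(os.listdir(d))}
        hits = find_key(d, "PasswordInformation")
    return {"types": types, "hits": hits}


if __name__ == "__main__":
    result = demo()
    for name, kind in result["types"].items():
        print(name, kind)
    for name, path, value in result["hits"]:
        print("%s: %s = %r" % (name, "/".join(map(str, path)), value))
```

Point find_key at a real MobileSync folder to locate the file the paper edits; the editing step it describes is then a plistlib.load, a change to the dictionary, and a plistlib.dump back in the same format. The same classifier separates the SQLite databases that section 8.1 examines from everything else in the folder.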
9.2 Jailbreaking

As discussed earlier, iOS restricts access to the entire filesystem to the base operating system itself. Additionally it provides no native means to access the underlying operating system. Jailbreaking essentially foils that restriction, allowing unrestricted access to the device. Effectively put, it means we can run any code we like on the device, ignoring restrictions such as application signing and the prescribed application sandboxing, and with read/write access to the system partition.

In order to Jailbreak, vulnerabilities must be identified in the software or firmware running on the device. These vulnerabilities must have certain characteristics in order to be useful for Jailbreaking; the most important of these is that they must enable us to run arbitrary code as the "root" user.

There are a large number of "Jailbreaking" tools available for a variety of versions of iOS. As Apple patches vulnerabilities in iOS or in the Bootroms of their devices, Jailbreakers have to find new vulnerabilities to incorporate into their tools. Jailbreaking is also divided into two broad categories:

- Untethered: once Jailbroken, the device, if rebooted, will start normally with no intervention.
- Tethered: user intervention is required in order for the device to restart. The device will need to be connected to a computer and effectively be re-Jailbroken in order to boot.

Whether a device can be Jailbroken untethered (which is the optimal route) is dependent on the bootrom version and the firmware version. Currently iOS versions 3.2.2 and earlier can be Jailbroken untethered; more recent versions require further steps in order to remove the tether (such as running Greenpois0n, an alternative Jailbreaking tool, after Jailbreaking the device with redsn0w). In coming months these additional steps are likely to become redundant, thus for brevity the following Jailbreak steps will work cleanly on iOS versions earlier than 4.2.1. I.e. if you are going to attempt what I will describe, do some research first: there is a high degree of risk for the uninitiated, and unless you are lucky or well informed you might end up with a highly desirable, expensive placemat.

Update: As of 16th February redsn0w was updated to support version 4.2 with an untethered jailbreak. Therefore all versions of iOS up to and including 4.2.1 can be jailbroken safely, and untethered. Thus the following steps can be replicated on all versions of iOS for the iPad and iPhone.
9.3 Owning the Device

A common, and flexible, tool available to us with iOS 4.2.1 (and earlier) is redsn0w.

Accurately speaking we do not need to fully Jailbreak in order to access data on the device; we just need to be able to boot the device with a custom ramdisk. iOS devices have the facility to do this either by dropping into "recovery mode" (intended for operating system recovery or upgrade) or DFU mode (intended for firmware upgrade). Redsn0w depends upon an exploit known as limera1n, which takes advantage of both of these modes, employing both a bootrom exploit and a userland exploit to fully Jailbreak the device. However, as we do not have access to the code for redsn0w, we can't change its behaviour to stop it fully Jailbreaking the device.

If we were able to customise its actions it would be a simple matter to remove the device passcode by editing the following file:

    /private/var/ManagedPreferences/mobile/com.apple.springboard.plist

(as we would have done in the backup tampering method). However, if we wanted to remove the backup encryption as well we would have to do a little more. By deleting (or renaming) the keychain:

    /var/Keychains/keychain-2.db

we not only remove the passcode but also the key used to encrypt the backups, thus the backups will be unencrypted. Sadly we do sacrifice other passwords too, such as email passwords, etc.

Redsn0w, though ostensibly a Jailbreaking tool, is actually a little more: it can be used to install custom bundles. Custom bundles are essentially compressed archives containing content (such as executable binaries, or even preference lists) which are copied to the device. Thus we can use this feature to fully Jailbreak the device and copy some scripts and tools to it in order to compromise it. And we can compromise it in such a way that the device shows almost no evidence to the user that it has been.

Redsn0w depends on having a copy of the restore image for the device being Jailbroken (these are freely available from Apple), and this will have to be downloaded in advance.

So, we have the following scenario: an iPad with a passcode set and backup encryption enabled. We have:

- a laptop (running OS X or Windows)
- an up-to-date version of redsn0w
- a custom bundle (with OpenSSH, APT, and a few other tools and scripts)
- a collection of restore images
- 5 minutes left alone with the device
- a network connection

We don't need to worry about the device being paired to our laptop, as the process sidesteps the device pairing requirement. As part of the "Jailbreak" the device is put into DFU mode. In this mode the device is in a state where it is, to all intents and purposes, unable to check whether it is paired to the computer it is connected to.

The iPad

We can take a guess at whether it is running 4.2.1 by flicking the hardware switch on the side. If it mutes the volume on the device then it is quite likely to be 4.2.x. Prior versions used this hardware switch to engage the orientation lock. In later versions users were given the option to choose between mute and lock, the default being mute. Guessing the version of the firmware incorrectly is not fatal; it will simply mean that the Jailbreak will fail and you will have to go through it again.

The Laptop

We have redsn0w; we have launched it and selected the relevant firmware for the device. Even before we connect the iPad we can allow redsn0w to process the firmware, and we are presented with the following choice:

Figure 6: Redsn0w Options

We don't want Cydia to be installed, or the victim will see the icon on their SpringBoard; instead we are going to use one of our custom bundles. We can then follow the steps through redsn0w, and the device will reboot. Once this has completed it will be Jailbroken and the passcode will have been removed.

What this custom bundle does: it installs a large number of basic UNIX tools and some key packages: OpenSSH (and a launch script so it starts at boot) and APT (so we can install additional packages from the shell). It also runs a shell script at startup that renames the keychain. This removes the passphrase.

In order to get its IP address (so we can SSH into it) we can just look in the network preferences. Once we have that we can simply SSH into the device as "root" (the default password is "alpine").

In order to remove any obvious traces of us having compromised the device we can rename the keychain back; this won't immediately restore the passcode, we will need to reboot for that to happen. First there are some other things we can do. Using APT we can install other tools and utilities:

- "recAudio" will cause the iPad to start recording audio; this is a highly effective way to listen in on meetings. It stores the audio in an AIFF file, and this can then be copied off the device, or a script could be generated to record at predetermined intervals and then upload the resulting audio file to a web or FTP server.
- Other tools such as "pirni" can be scheduled to run. Pirni is an ARP-spoofing tool that acts as a man-in-the-middle, sniffing all data on the wireless network. Again, the resultant data can be uploaded to an external server for collection by the attacker.
- "Nmap" can be used to map the wireless network, and Metasploit can then be used to attack and compromise the hosts identified, thereby using the iPad to "pivot" into the corporate environment.
- "Netcat" can be configured to initiate a reverse shell to a host on the internet for remote control.

However we also have our "increased stealth" custom bundle, one that:

- leaves the keychain intact
- installs OpenSSH
- installs the above tools
- gathers information from the device (the dynamic dictionary, emails, calendar entries etc) and uploads it to my web server
- schedules recordings and uploads them to my web server
- attempts a reverse shell to my server each time it detects a network connection
- tweets the geographical location of the device daily

10 3rd Party Application security

Even legitimate applications can introduce risks into a corporate environment. As I mentioned in the introduction, I am going to avoid naming specific applications or vendors (they will be, or have been, contacted directly) with regard to security issues. Broadly speaking I have identified two prevalent categories of risk:
10.1 Applications storing sensitive data insecurely

Many applications have the ability to access sensitive data. This could be as basic as social networking sites or downloading and viewing documents, or as complex as remote desktop functionality for accessing corporate resources. In any case we have identified a large number of applications that store credentials locally in plain text. These credentials can be for corporate servers, internet file stores, websites or even for local access to the application itself.

Other applications we have seen cache information locally on the device so that it can be viewed or manipulated offline. These local caches are rarely encrypted.

In both cases insecure storage of cached data or credentials is a bad thing, as it will be synchronised back to iTunes in clear text (if encrypted backups are not enabled). Failing that, the data can easily be retrieved after a Jailbreak. Therefore when assessing applications for use within a corporate environment it is important to ensure that the developers have elected to use the iOS encrypted keychain (as recommended by Apple) and that they are encrypting any locally cached data.

Another interesting "feature" of iOS itself can introduce weaknesses in applications indirectly: the Dynamic Dictionary. Even if an application is not storing information or credentials in an insecure format, it is more than likely that the Dynamic Dictionary will. It effectively acts as a keylogger on the device. We have seen instances where the dictionary has stored passwords, contact information and all manner of information that would give any individual cause to pale.
10.2 Applications that open services on a network

There are several methods that applications can use to facilitate the transfer of data from other sources such as the local network, the internet or a desktop computer. It is fairly common for applications that view or manipulate documents to run a web server to facilitate file transfers. Users can then use a web browser on another device or computer to connect to the iPad and upload content.

This may not seem a particularly high level risk; however in some cases we have seen these applications advertise these services via "Bonjour", and almost without exception they use predictable TCP ports for their services, making them easy to identify on a network. Such servers usually (if not always) require no authentication by default.

iPads deployed in corporate environments will almost certainly be used to view and share sensitive information. It may be that users are inadvertently sharing this information when they connect to the free wireless at their local coffee shop.
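Because the services above announce themselves over Bonjour (multicast DNS on 224.0.0.251:5353), an assessor on the same wireless network can list them without port scanning. The following added example (not from the paper, and not Apple's code) builds the PTR query a service browser sends for _http._tcp.local, parses the PTR, SRV and TXT records in a reply, including DNS name compression, and returns each instance with the port it listens on. sample_response() is a constructed packet, not a capture, standing in for a hypothetical document-sharing app on an iPad; discover() sends the real query and needs a network.

```python
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
TYPE_PTR, TYPE_TXT, TYPE_SRV = 12, 16, 33


def encode_name(name):
    """DNS wire form of a dotted name: length-prefixed labels, zero terminator."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(service="_http._tcp.local"):
    """One PTR question for the service type, as a service browser sends it."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, 1)


def decode_name(msg, off):
    """Read a name at `off`, following compression pointers; returns (name, end)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode(errors="replace"))
        off += length
    return ".".join(labels), end if jumped else off


def parse_response(msg):
    """Map service instance name -> {port, target, txt} from one mDNS packet."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                  # skip echoed questions
        _, off = decode_name(msg, off)
        off += 4
    found = {}
    blank = lambda: {"port": None, "target": None, "txt": []}
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = off + 10, off + 10 + rdlen
        if rtype == TYPE_PTR:                            # service type -> instance
            instance, _ = decode_name(msg, rdata)
            found.setdefault(instance, blank())
        elif rtype == TYPE_SRV:                          # instance -> host and port
            _prio, _weight, port = struct.unpack("!HHH", msg[rdata:rdata + 6])
            target, _ = decode_name(msg, rdata + 6)
            found.setdefault(name, blank()).update(port=port, target=target)
        elif rtype == TYPE_TXT:                          # app-specific key=value hints
            p, entry = rdata, found.setdefault(name, blank())
            while p < rdata + rdlen:
                entry["txt"].append(msg[p + 1:p + 1 + msg[p]].decode(errors="replace"))
                p += 1 + msg[p]
    return found


def discover(service="_http._tcp.local", timeout=2.0):
    """Send the query to the multicast group and collect answers (needs a LAN)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    s.settimeout(timeout)
    s.sendto(build_query(service), (MDNS_GROUP, MDNS_PORT))
    found = {}
    try:
        while True:
            found.update(parse_response(s.recvfrom(9000)[0]))
    except socket.timeout:
        pass
    finally:
        s.close()
    return found


def sample_response():
    """Constructed answer from a hypothetical document-sharing app on an iPad,
    using the name compression real responders use (not a captured packet)."""
    msg = bytearray(struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 0))
    svc_off = len(msg)
    msg += encode_name("_http._tcp.local")
    msg += struct.pack("!HHIH", TYPE_PTR, 1, 4500, 0)          # rdlen patched below
    rd = len(msg)
    inst_off = len(msg)
    msg += b"\x11Documents on iPad" + struct.pack("!H", 0xC000 | svc_off)
    struct.pack_into("!H", msg, rd - 2, len(msg) - rd)
    target = encode_name("ipad.local")
    msg += struct.pack("!H", 0xC000 | inst_off)
    msg += struct.pack("!HHIH", TYPE_SRV, 0x8001, 120, 6 + len(target))
    msg += struct.pack("!HHH", 0, 0, 8080) + target
    msg += struct.pack("!H", 0xC000 | inst_off)
    msg += struct.pack("!HHIH", TYPE_TXT, 0x8001, 4500, 7) + b"\x06path=/"
    return bytes(msg)


if __name__ == "__main__":
    for name, info in parse_response(sample_response()).items():
        print(name, info)
```

Run discover() from a laptop on the office wireless network and every advertised instance comes back with a host and port; a GET against that port then shows whether the service asks for credentials, which, as the section notes, it usually does not. The same parser works for other service types by changing the service argument.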
11 Good Practice (i.e. How do we fix it)

11.1 Physical security

Clearly physical control of the device is paramount. Detecting whether a device has been stealthily Jailbroken, without actually Jailbreaking it yourself, is tricky; it can be done, but it is better not to let it happen.

If you do lose physical control of the device, what then? If it was left alone for a period of time, or if it was lost and then returned, you should assume that it has been compromised. Restore the device; this will effectively remove the Jailbreak (iTunes doesn't back up any of the Jailbreak or its data).

If it has gone missing, attempt to remote wipe the device; however be aware that simply removing the SIM from the device can defeat this, since the wipe command only arrives when the device next reaches the network. Also remember to do the remote wipe before you cancel the SIM, for obvious reasons.
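When a device does come back and a restore is not immediately possible, a filesystem listing (from a forensic image, or over the very SSH session the attacker left behind) can be checked for the artefacts of the compromise described in section 9.3. The following added example (not from the paper, and not Apple's code) does that triage: it looks for the packages the paper names (OpenSSH with its boot-time launch daemon, APT, Cydia) at their well-known install paths, flags a missing or renamed keychain-2.db, and, if /etc/master.passwd is supplied, reports accounts still using the stock password "alpine" (recognised by its widely published hash). Both listings and the passwd contents are constructed samples.

```python
# Artefacts of the packages named in the section 9.3 walk-through, at the
# install paths those packages are known to use. The "why" text is ours.
INDICATORS = {
    "/Applications/Cydia.app": "Cydia installed",
    "/usr/sbin/sshd": "OpenSSH server binary present",
    "/Library/LaunchDaemons/com.openssh.sshd.plist": "sshd registered to start at boot",
    "/usr/bin/apt-get": "APT present",
    "/etc/apt": "APT configuration present",
    "/bin/bash": "non-stock shell present",
}
KEYCHAIN_DIR = "/var/Keychains"
KEYCHAIN = KEYCHAIN_DIR + "/keychain-2.db"
# Widely published hash of the stock password "alpine" shared by root and mobile.
DEFAULT_HASH = "/smx7MYTQIi2M"


def normalise(path):
    """iOS mounts the media partition at /private/var and symlinks /var to it
    (likewise /etc); treat both spellings as one path."""
    path = path.rstrip("/")
    return path[len("/private"):] if path.startswith("/private/") else path


def triage(paths, master_passwd=""):
    """Return findings for a device path listing and, optionally, the
    contents of /etc/master.passwd."""
    present = {normalise(p) for p in paths}
    findings = [why for path, why in INDICATORS.items() if path in present]
    in_keychain_dir = [p for p in present if p.startswith(KEYCHAIN_DIR + "/")]
    if in_keychain_dir and KEYCHAIN not in present:
        findings.append("keychain-2.db missing or renamed: passcode removal suspected")
    sshd_present = "/usr/sbin/sshd" in present
    for line in master_passwd.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1] == DEFAULT_HASH and sshd_present:
            findings.append("account %s reachable over SSH with the default password"
                            % fields[0])
    return findings


# Constructed listings: a stock device, and one hit by the section 9.3 bundle
# (SSH + APT, no Cydia icon, keychain renamed to remove the passcode).
CLEAN = [
    "/Applications/MobileMail.app", "/usr/lib/libsqlite3.dylib",
    "/private/var/Keychains/keychain-2.db",
    "/private/var/mobile/Library/Notes/notes.db",
]
COMPROMISED = [
    "/Applications/MobileMail.app", "/usr/sbin/sshd", "/usr/bin/apt-get",
    "/Library/LaunchDaemons/com.openssh.sshd.plist", "/private/etc/apt/",
    "/private/var/Keychains/keychain-2.db.bak",
    "/private/var/mobile/Library/Notes/notes.db",
]
MASTER_PASSWD = (
    "root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh\n"
    "mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh\n"
)

if __name__ == "__main__":
    print("clean:", triage(CLEAN, MASTER_PASSWD) or "no indicators")
    print("compromised:")
    for finding in triage(COMPROMISED, MASTER_PASSWD):
        print("  -", finding)
```

The stock password hash is present on every device, so it is only reported when something is listening for it; the absence of Cydia on the compromised listing is the point the paper makes about custom bundles, which is why the keychain and launch daemon checks matter more than the Cydia icon.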
11.2 Policy Controls

Corporate policies should forbid Jailbreaking. There is no guarantee, even if the device has been Jailbroken "legitimately", that applications installed via 3rd party application stores such as Cydia do not contain hostile code.

Determine what data should be permitted on the device. Corporate and personal data should not mix. Highly sensitive information should never be stored locally on the device unless appropriately encrypted.

Control which applications may be run on the device; 3rd party applications can introduce threats.

User awareness and education is paramount. Make certain that users are educated as to the threats to their own as well as to company data.
11.3 Technical restrictions

Use applications that enforce data segregation. There are several applications that use their own email, calendar and contact programs, and which enforce local encryption, effectively creating a secondary "sandbox" in which corporate data can be handled. Some of these applications use Jailbreak detection and refuse to run if a policy is set to that effect.

Employ Exchange security policies to their best effect; lock down as much as possible. Remember, if the device is synchronised regularly it doesn't matter if it is wiped after 3 failed passcode attempts, as it can be restored.

Protect the computer that the device is being synchronised to! If you lose the backup of the device, you lose control of the data that has been stored on it.

Examine the capabilities of 3rd party apps. Do they open network ports for document sharing? Have them security tested for vulnerabilities that could expose sensitive information.

Consider using devices as thin clients. There are many remote desktop clients out there that are serviceable (but again, ensure that they aren't caching credentials in plain text on the device. Get them tested!).

Restore frequently. A monthly restore of the device should provide some assurance that it is not compromised.

Ensure that devices are maintained at their latest firmware version.

Appendix A List of key files backed up by iTunes

Library_AddressBook_AddressBook.sqlitedb
Library_AddressBook_AddressBookImages.sqlitedb
Library_Calendar_Calendar.sqlitedb
Library_CallHistory_call_history.db
Library_Cookies_Cookies.plist
Library_Keyboard_dynamic-text.dat
Library_LockBackground.jpg
Library_Mail_Accounts.plist
Library_Mail_AutoFetchEnabled
Library_Maps_Bookmarks.plist
Library_Maps_History.plist
Library_Notes_notes.db
Library_Preferences_.GlobalPreferences.plist
Library_Preferences_SBShutdownCookie
Library_Preferences_SystemConfiguration_com.apple.AutoWake.plist
Library_Preferences_SystemConfiguration_com.apple.network.identification.plist
Library_Preferences_SystemConfiguration_com.apple.wifi.plist
Library_Preferences_SystemConfiguration_preferences.plist
Library_Preferences_com.apple.AppSupport.plist
Library_Preferences_com.apple.BTServer.plist
Library_Preferences_com.apple.Maps.plist
Library_Preferences_com.apple.MobileSMS.plist
Library_Preferences_com.apple.PeoplePicker.plist
Library_Preferences_com.apple.Preferences.plist
Library_Preferences_com.apple.WebFoundation.plist
Library_Preferences_com.apple.calculator.plist
Library_Preferences_com.apple.celestial.plist
Library_Preferences_com.apple.commcenter.plist
Library_Preferences_com.apple.mobilecal.alarmengine.plist
Library_Preferences_com.apple.mobilecal.plist
Library_Preferences_com.apple.mobileipod.plist
Library_Preferences_com.apple.mobilemail.plist
Library_Preferences_com.apple.mobilenotes.plist
Library_Preferences_com.apple.mobilephone.plist
Library_Preferences_com.apple.mobilephone.speeddial.plist
Library_Preferences_com.apple.mobilesafari.plist
Library_Preferences_com.apple.mobileslideshow.plist
Library_Preferences_com.apple.mobiletimer.plist
Library_Preferences_com.apple.mobilevpn.plist
Library_Preferences_com.apple.preferences.network.plist
Library_Preferences_com.apple.preferences.sounds.plist
Library_Preferences_com.apple.springboard.plist
Library_Preferences_com.apple.stocks.plist
Library_Preferences_com.apple.weather.plist
Library_Preferences_com.apple.youtube.plist
Library_Preferences_csidata
Library_SMS_sms.db
Library_Safari_Bookmarks.plist
Library_Safari_History.plist
Library_Voicemail_.token
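The Appendix A list above, together with the advice in 11.3 to protect the computer the device is synchronised to, lends itself to a small audit of an iTunes backup directory: does the backup hold the key stores, and is it encrypted? This is an added example, not code from the whitepaper or from Portcullis; it assumes the pre-iOS 10 backup layout (each file stored under the SHA-1 of "<domain>-<path>", with an IsEncrypted key in Manifest.plist) and the assignment of Appendix A files to backup domains is an assumption of the example.

```python
import hashlib
import os
import plistlib
import tempfile

# Key stores from Appendix A as (backup domain, path on the device).  The
# domain assignment is an assumption added for this example: these files are
# taken to be in HomeDomain, except call_history.db, taken to be WirelessDomain.
KEY_FILES = [
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/Notes/notes.db"),
    ("HomeDomain", "Library/Keyboard/dynamic-text.dat"),
    ("HomeDomain", "Library/Safari/History.plist"),
    ("WirelessDomain", "Library/CallHistory/call_history.db"),
]


def backup_name(domain: str, rel_path: str) -> str:
    """Pre-iOS 10 iTunes backups store each file under the SHA-1 hex digest of
    '<domain>-<relative path>', e.g. 'HomeDomain-Library/SMS/sms.db'."""
    return hashlib.sha1(f"{domain}-{rel_path}".encode()).hexdigest()


def audit_backup(backup_dir: str) -> dict:
    """Report whether a backup is encrypted (None if no Manifest.plist) and
    which Appendix A stores it contains; unencrypted + present = exposed."""
    encrypted = None
    manifest = os.path.join(backup_dir, "Manifest.plist")
    if os.path.isfile(manifest):
        with open(manifest, "rb") as fh:
            encrypted = bool(plistlib.load(fh).get("IsEncrypted", False))
    present = [
        rel_path
        for domain, rel_path in KEY_FILES
        if os.path.isfile(os.path.join(backup_dir, backup_name(domain, rel_path)))
    ]
    return {"encrypted": encrypted, "present": present}


def make_sample_backup() -> str:
    """Constructed sample: an unencrypted backup holding only the SMS store."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "Manifest.plist"), "wb") as fh:
        plistlib.dump({"IsEncrypted": False}, fh)
    open(os.path.join(d, backup_name("HomeDomain", "Library/SMS/sms.db")), "wb").close()
    return d


if __name__ == "__main__":
    report = audit_backup(make_sample_backup())
    print("encrypted:", report["encrypted"], "exposed:", report["present"])
```

Point audit_backup at a real MobileSync/Backup/<udid> directory to see which of the stores a copy of that backup would give away; an encrypted backup reports encrypted: True and the file names still match, so "present" alone is not the whole story.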