convergedipad代理
ipad代理 时间:2021-05-05 阅读:(
)
GeneralReleaseAppleiPadIntheWorkPlaceWrittenByRussSpoonerPortcullisComputerSecurityLTDTheGrangeBarnPike'sEndPinnerMiddlesexHA52EXTel:02088680098Fax:02088680017rus@portcullis-security.
comDocumentReferenceWhitepapers/WPIOS2011/wp_WPIOS2011_0.
3Version0.
3Date16February2011cCopyrightPortcullisComputerSecurityLimited2011PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace1DocumentHistoryRevisionAuthorRoleDateComments0.
1RUSAuthor09/02/2011InitialFirstDraft0.
2RUSAuthor15/02/2011MinorRevisions0.
3RUSAuthor16/02/2011Updatedtoreectnewversionofredsn0wTable1:DocumentRevisionHistoryReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page2of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceContents1DocumentHistory22TableOfContents32.
1ListOfFigures32.
2ListOfTables43Introduction54TheStateOfPlay55Evolution56Deployments76.
1Whyarewedeploying76.
2Wherearewedeploying76.
3PersonalvsPrivateProperty76.
4Whydoesthismatter87CoreSecurityFeatures87.
1Devicepolicies/proles87.
2FilesystemEncryptionFallacy98Whereisinformationstored98.
1ProblemswithSQLite108.
2iTunes118.
3LocalFilesystem129Accessingthedata129.
1Simpleattacks129.
2Jailbreaking149.
3OwningtheDevice15103rdPartyApplicationsecurity1710.
1Applicationsstoringsensitivedatainsecurely1710.
2Applicationsthatopenservicesonanetwork1811GoodPractise(i.
e.
Howdowexit)1811.
1Physicalsecurity1811.
2PolicyControls1911.
3Technicalrestrictions19AppendixAListofkeylesbackedupbyiTunes20AppendixBCitations/Furtherreading22ListofFigures1DeletedData102DynamicDictionary10Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page3of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace3ApplicationLaunchLog114EnvelopeIndex115SynchronisationHandshake136Redsn0wOptions16ListofTables1DocumentRevisionHistory2Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page4of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace3IntroductionSecurityconsiderationsforiOS4.
2.
1andearlier,iPad.
iOSdevicessuchastheiPadarebecomingincreasinglyprevalentinworkenvironmentslargelyduetotheireaseofuseandexibility,butalsoduetotheso-called"haloeffect".
Whatmostusers,bothcorporateandindividual,oftendonotacknowledgearethesecurityweaknessesintheAppleiOSoperatingsystem,andadditionallyiTuneswhichcaneasilyresultintheexposureofhighlysensitiveinformationandthecompromiseofthedeviceitself.
InthiswhitepaperIwilloutlineandenumeratemanyoftheissuessurroundingtheintroductionoftheiPadintotheworkplacewithparticularregardtotheexposureandtheftofsensitiveinformation,coun-termeasuresemployedbyAppleandhowinmostcasestheyaretriviallybypassed.
Theinformationprovidedinthiswhitepaperisnotentirelymyownwork,andreferencespubliclyavail-abletoolsandinformation,ifIhavemissedanyattribution,pleasedonothesitatetocontactme.
Theintendedaudienceforthisistechnical/managerial,thatistosay,inpartsitwillbemoderatelytechnical,butthekeyfocuswillbetheprovisionofinformationtothoseplanningorevaluatingrolloutsofiOSbaseddevicesinorderthattheyareabletoaccuratelyunderstandtherisksassociatedwiththis.
ThereasonIamwritingthispaper,isduetothefactthatPortcullishavebeenapproachedwithincreasingfrequencywithregardtoperformingsecurityassessmentsoftheiPad,togiveourperceptionofthedevicessecurityortoprovideguidancewithregardtodeployingthemsecurely.
Inasensethisistobeconsideredasummationofmyndings,itisnotbyanymeansintendedtodissuade,impedeorscaremonger,butrathertoenableinformedunderstandingoftherisksthatthesedevicesmayintroduce.
WhereverpossibleIwillsuggestmitigatingstrategies,insomecasestheyarenotpossible.
AlsoIwillwhereverpossiblebesteeringawayfromnamingspecic3rdpartyapplications,orvendorsasitisnotmyintenttoeitherendorseorcondemnthem.
Alsotrademarksorregisteredtrademarksarethepropertyoftheirrespectiveowner(s).
4TheStateOfPlayForthesakeofthisdocumentwearegoingtoassumethatwearedealingwiththeiPad3GrunningiOS4.
2.
1.
AlthoughthereareotherversionsofhardwarethatruniOScurrentlyincirculation,andtheywillbementionedwhereitismeritoriousorusefulasacomparison,wearelookingintoiPaddeployments.
5EvolutionTheiPhonewasrstreleasedtothepublicin2007,runningaderivativeofMacOSX/DarwincompiledfortheARMprocessor,whichbecameknownasiOS.
ApplereleasedDarwin,anopensourceoperatingsystem,in2000;itisPOSIXcompliantandiscompat-iblewiththeSingleUNIXSpecicationversion3(SUSv3).
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page5of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceDespitetheinherentexibilityofthebaseoperatingsystem,initialreleasesofiOSprovidednointendedfacilityfortherunningof3rdpartyapplications,insteadrelyingonwebapplicationstodeliverfunction-alitybeyondthatdeliveredbythebuiltinapplications.
However,enterprisingindividualsontheinternetwerequicklyableto"Jailbreak"theoperatingsystem,effectivelygaininginteractiveaccesstotheunderlyingoperatingsystem.
CommonUNIXutilitieswereeasilyportedtoiOSandsoonmanyunofcial3rdpartyapplicationstartedtoappear.
PerhapsasareactiontothisAppleannouncedanofcialSDKonOctober2008.
InMarch2008ApplereleaseditsrstbetaoftheiPhoneSDKwhichwouldpermitdeveloperstoof-ciallydevelopnativeapplicationsfortheoperatingsystem.
TheapplicationswouldbedistributedviatheApple"AppStore"and,ofcourse,iTunes.
DespitethisJailbreakingremainedpopular,insomepartduetotherestrictionsplacedupondevelop-ers.
Forinstance,applicationswhichusedApple"Private"APIswere(andare)rejectedbyAppleandthereforetheonlyviablereleasevectorforthemwasthroughthe"unofcial"appstores(cydia,icyandrock).
Unofcal3rdpartyapplicationswhichextendthefunctionalityandcustomisabilityoftheiOSinter-face/launcher(Springboard)suchasWinterboardhavealsohelpedtoensurethatJailbreakingisapopularandsoughtafterprocedure.
NaturallyasizeablenumberofJailbreakersdosoinorderto"pirate"Ofcial3rdpartyapplications,andalsotoremovecarrierlocksfromtheiPhonebaseband.
Itisestimatedthatanywherebetween10and20%ofiOSdeviceshavebeenJailbroken.
Whichequatestoavastnumberofdevices.
ForinstanceanalystsanticipatethatApplewillhavesoldover100millioniPhonesby2011,andtheWallStreetJournalestimates20MillioniPadswillsellinthesameyear.
ApplerespondedwitheachsubsequentreleaseofiOSwithcountermeasuresintendedtoclosevulnera-bilitiesintheoperatingsystemanditscomponentseffectivelystoppingJailbreaking.
Howeverthishasledtoa"catandmouse"approachtovulnerabilityresearchanddevelopment.
i.
e.
vulnerabilitieswhichmayresultin"root"levelcompromiseofthedevicearecloselyguardedandsharedprincipallyamongstmembersoftheJailbreakingdevelopmentcommunity.
NaturallysuppressionofJailbreakinghasnotbeenthesolemotiveofupdatestoiOS.
Newfeaturesandfunctionalityhavebeengraduallyintroducedtoaddressmanyoftheperceivedshortcomingsoftheoperatingsystem,suchasMultitasking,copyandpaste,improvedbatteryusageetc.
SuccessiveiterationsofiOSdeviceshavealsosoughttoimproveperformanceandindeedsecurityofthedevice.
ForinstancewiththeiPhone3GSandtheiPadhardwareencryptionwasintroduced.
TheiPadwasactuallydevelopedbeforetheiPhone,butitwasrealisedthatthetechnologywouldworkwellasamobilephoneplatform,andemphasiswasshiftedinthatdirection.
TheiPadwasnallyannouncedinJanuary2010,andreleasedinApril.
VersionsofiOSrunningontheiPad,andiPhonewereconvergedinNovember2010withthereleaseofversion4.
2.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page6of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace6Deployments6.
1WhyarewedeployingTherearemanyreasonswhycompanies,institutionsandevenschoolsareseekingtodeploytheiPad.
Manyofthesearenotbusinessrelated:EaseofaccesstoinformationAconsistent,easilymaintainedplatformPortabilityRobusthardwareToreducepaperuseImprovedcommunicationsRelativelylowcostSecurityfeatures(Oftensaidwithastraightface)Theyare"shiny"6.
2WherearewedeployingAtPortculliswedealwithcompaniesfromallsectors,usuallythosewithaverylowriskappetite.
Wehavesofarbeenapproachedbyclientslookingatsmalldeployments(lessthan100)inareassuchas:FinancialMediaCommunicationsButanecdotallyandviathepressweareseeinglargedemandin:EducationLocalGovernmentHealthcareSothatcoversmostsectors.
Whatisinterestingisthatweareseeingtheprimarydemandanddeploymenttargetscomingfromandtothe"boardlevel".
Studentsandmedicalstaffseemtobetheprincipaltargetsinthepublicsector.
6.
3PersonalvsPrivatePropertyItisimportanttounderstandwho"owns"thedevice.
IsthisapersonaldevicethatisbeingconnectedtocorporateresourcesIsitacorporatedevicethatisbeingconnectedtopersonalresourcesReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page7of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceThedevicesaremediacentric,meaningthattheyaredesignedforgames,music,photos,lmsaswellasweb-browsingandinformationviewing/sharing.
Corporationsandinstitutionsneedtobeawarethatthereisastrongpossibilitythatdataonthedevicecanbecomeblended,i.
e.
thatcorporatedataisstoredalongsidepersonaldata.
Suchblendeddatacantheneitherbesynchronisedintoacorporateorahomeenvironment.
Obviousrisksarethatifadevicethathasbeenusedtoaccesscorporatedataisbackeduptoapersonalcomputer,thenthatcorporatedataistheneffectivelypropagatedtothatcomputer.
Converselytheremaybesupportandpolicyconsiderations,(nottomentionpotentialcopyrightissues)shouldadevicebesynchronisedwithacorporatecomputer.
ForinstanceitmaybeagainstcompanypolicyforiTunestobeinstalled.
OtherlessobviousrisksarefeatureswithinapplicationssuchasMobileMail.
The"uniedinbox"isagoodexampleofthis.
Ifmultipleemailaccountsareconguredonthedevice,theycanbecomeeffectivelymergedintoone"inbox",itcanthenbecomeveryeasytocomposeorforwardmailsviathe"wrong"account.
Thismaybypasscontentlteringrequirements,oremailarchivingpolicies.
6.
4WhydoesthismatterInessence,whousesiPadsshouldn'tmatter,howeverwhenyouconsiderthereasonsfordeployingthem,andwhotheyarebeingdeployedtoandthencontrastthattotheprobabilityofinformationexposurewehavearatherunappealingscenario.
Itwouldappearthathighlysensitiveinformationstorageisbeingcarriedoutbyalowsecuritysystem.
7CoreSecurityFeaturesHerewearegoingtotakealookatthecoresecurityfeaturesofiOSdevices,bothatthehardwareandsoftwarelevels:7.
1Devicepolicies/prolesPasscodescanbesetbyusers,orbyapplyinganMSExchangeActiveSyncpolicy.
Thedefaultisa4digitPIN,which,ifentered10timesincorrectlywillcausethedevicetowipe.
TheonlywaytochangefromthisdefaultisbyapplyinganExchangepolicywhichwillthenenablethefollowingtobeset:EnforcepasswordondeviceMinimumpasswordlengthMaximumfailedpasswordattemptsNumbersandlettersbothrequiredInactivitytimeinminutesWithMSExchangeServer2007thefollowingadditionalpoliciesaresupported.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page8of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceSimplepasswordallowedorprohibitedPasswordexpirationPasswordhistoryPolicyrefreshintervalMinimumnumberofcomplexcharactersinapasswordThesepoliciesareeitherdeployed"overtheair"oraspartofacongurationprolethatuserscaninstall.
Thepoliciescanbesigned,andpasswordprotectedrequiringan"administrator"toremovethem.
Apolicy"lock"canbeenforced,whichwillrequirethedevicetobewipeduponremovalofthepolicy.
CongurationprolesareXMLleswhichcancontaininformationsuchasserversettings,securitypoliciesthatwillbeappliedtothedevice.
Itsinterestingtonotethatwhencongurationprolesareencrypted,theyautomaticallyenforceencryp-tionofbackupsiniTunes.
Devicerestrictionscanbeappliedwhichcanpreventusersperformingcertainactions,suchasinstallingapplications,accessingYouTube,etc.
7.
2FilesystemEncryptionFallacyAlthoughiOSdevices(iPhone3GS+,andiPad)haveahardware-levelencryptedlesystem,thereisamisconceptionthattheinformationisactuallyprotected.
Thelesystemiseffectivelydecryptedatboot-time(thebootloaderneedstoaccessthelesystemtostartiOS),therebyeffectivelyrenderingtheencryptionredundantintermsofprotectinginformationonarunningiOSdevice.
Wheretheencryptioncomesintoplayiswhena"remotewipe"commandispushedtothedevice,viaeitherMSExchangeorMobileMe.
AtthispointiOSdeletestheencryptionkeysandforcesareboottherebyrenderingtheinformationonthedeviceinaccessible,andindeedunbootable.
8WhereisinformationstoredInordertounderstandtheriskofinformationexposureortheftweneedtounderstandwhereinformationisstoredandhow.
AlthoughiOSisaUNIXbasedoperatingsystemandusesHFSasthelesystem,iOSreliesontwomaintypesoflestostoreandretrieveinformation,andtostorecongurationinformation:Plists(preferencelists)areXMLbasedplaintextles,(orinsomecasebinary)thatcontainvarioussettingsandotherinformationpertainingtoapplicationsandhowtheoperatingsystemiscongured.
SQLitedatabasestypicallycontainapplicationspecicdata.
ToolsarefreelyavailabletointerrogatebothleseitherusingaGUIorviaacommandlineinterface.
ClearlytheselesarethekeypointofinterestforindividualsseekingtoextractinformationfromiOSdevices.
Indeed,thosefamiliarwithUNIXcommandlinetoolssuchasgrepwillbeabletoextractveryinterestinginformationfromeitheroftheseletypes.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page9of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceForallintentsandpurposeseachapplicationwilluseSQLitedatabasestostoredata,thiswillincludeEmails,Imagesandsoforth.
8.
1ProblemswithSQLiteSQLite,accordingtowikipediais:"anACID-compliantembeddedrelationaldatabasemanagementsystemcontainedinarelativelysmall(approx225kB)Cprogramminglibrary.
ThesourcecodeforSQLiteisinthepublicdomain.
"Whichmakesitidealforalowfootprint,swiftandeasytouseplatformfordatamanipulationonasmalldevice.
ThesedatabasescanbeaccessedeitherbycopyingthemoffthedeviceafterJailbreakorbyaccessingtheiTunesbackup.
OnceretrievedtherearemanySQLitedatabaseviewers,whichcomeinveryusefulinexamininglivedataonthedevice.
Whatwehavefoundinourinvestigationsisthatdatastoredinthesedatabasesispersistentandquitetenacious.
Forinstance,whenyoudeleteanotesentryitisjustaggedasdeleted,itisn'tactuallyremoved.
Thisin-formationcannotbeaccessedusingstandardSQLitebrowsers,howeversimpletoolslike"vi"or"strings"canbeusedtoviewthe"deleted"data:Figure1:DeletedDataAlso:theDynamicDictionaryfeaturestoreswholephrasesinadatabase(including,undercertaincir-cumstancescouldincludecreditcardnumbers,passwords,etc)Figure2:DynamicDictionaryiOSlogswhenandhowoftenapplicationshavebeenlaunched:Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page10of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceFigure3:ApplicationLaunchLogThe"EnvelopeIndex"storesEmailheaders,evenfordeletedaccounts,andaccountinformationpersistsinvariousles:Figure4:EnvelopeIndex8.
2iTunesEachtimeyouconnectyourdevicetoyourPC/MaciTunescanbeconguredtoautomaticallybackupyourdevice.
Thisisaveryusefulfeature,anditisaverythoroughbackup,totheextentthatifyouweretoloseyourdeviceandgetanewone,youcanrestorethisbackupandbarelyevennoticeyouhadanewone(moreonthislater).
Thesebackupsarestoredinthefollowinglocations:WindowsXP:C:\DocumentsandSettings\$USERNAME\ApplicationData\AppleComputer\MobileSync\BackupWindowsVistaand7:C:\Users\$USER\AppData\Roaming\AppleComputer\MobileSync\BackupOSX:~/Library/ApplicationSupport/MobileSync/Backup/IntherelevantfolderyouwillndwhatappearstobeafolderorfolderswhosenameconsistsofaUniqueIdentier.
Withinthisfolderareallthebackeduplespertainingtoyourdevice.
Thelesare,simplyput,preferencelistsandSQLitedatabases.
Theydonothavemeaningfulnames,butthatwontdeterusasyouwillseelater.
KeySQLitedatabasesandpliststhataresynchronisedarelistedinappendixA.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page11of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace8.
3LocalFilesystemiOSdeviceshavetwomainpartitions,the"root"orsystempartitionwhereoperatingsystemlesarestored:/dev/disk0s1/rw01andthe"media"partitionwhere"user"lesarestored:/dev/disk0s2/private/varhfsrw,noexec02Undernormal(i.
e.
non-Jailbroken)circumstances,itisonlypossibleforuserstoaccessthemediapartition;eventhenthisaccessisheavilyrestrictedbyapplicationsandboxing.
AccordingtoAppleap-plicationscanonlyaccesslesanddirectoriesintheir"area"onthelesystemforinstanceanexampledirectorystructurecouldbe:|ApplicationGUID||_Application.
app|_Documents/|_Library/Preferences/|_tmp/Thusanygivenapplicationshouldonlyhaveaccesstoits"own"les.
However,onceJailbrokenthefulllesystemisavailabletoapplications,whichaswewillseegreatlyimpactsthesecurityofthedevice.
9AccessingthedataAnefariousindividual'sobjectiveistoaccessthisinformationcovertly,withminimalphysicalaccess,leavinglittleornoevidenceoftampering,ideallypersistentlyandofcoursegettinglotsofsensitivestuffeitherforblackmailorcommercialadvantage.
9.
1SimpleattacksBydefaultiTunesstoredabackupofthedeviceunencrypted.
Whetherornotthebackupisencryptedisenforcedbyaagsetinaplistonthedeviceitself.
Auserspeciedencryptionkeyisalsostoredonthedeviceinthekeychain.
Thekeychainisanencrypteddatabaseofpasswordsstoredbythedevice.
AccessinganunencryptediTunesbackupistrivialaswehaveseenabove,butwhatelsecanwedowiththesebackupsWecancopythemformthehostcomputertoourcomputerforanalysis,wecanevenrestorethebackuptoourphone,effectivelycloningit.
Unfortunatelythekeychaindoesnotsurvivethis(duetothewayitisencrypted)sowewontbeabletoretrievepasswordsthisway.
Wecanalsoeditbackups.
Theyaren'tsigned.
Wecanthenrestorethemback.
IfwegobackalittlebitandlookathowiOSandiTuneshandlesbackupscrudelyputthisishowitoccurs:Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page12of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceFigure5:SynchronisationHandshakeInessenceweneedtoeitherhave"paired"theiOSdevicetoiTunesorweneedtoknowthepasscodeinordertogainaccesstoanunencryptedbackup.
Thereareotherspeedbumpsaswell,forinstanceanExchangepolicycouldmandateencryptedbackups,butagainwecanovercomethis.
Wecanremovethepasscodebyeditingtherelevantplist,(thisiswheregrepcomesinhandyasalltheplistshavewhatseemtobe"random"names)wearelookingforsomethinglikethis:PasswordInformationpinTimeStamp2010-07-20T11:46:22ZRemoveeverythingfromtheinner""savetheleandrestorethedevice.
Bingo.
Nopass-code.
Anothermeansofremovingthepasscodeistodeletethekeychainfromthebackup,butasthiswouldalsoeraseotherpasswordsstoredonthedevice,itiscounterproductiveinthatitwouldhinderourabilitytoretrievefurtherinformationfromthedeviceonceitisunlocked.
ThisbackuptamperingcanbeusedtodefeatalargenumberofsecurityfeaturesthatmaybeenforcedbyExchangepolicies.
Thingssuchas:Policyrefreshintervals,autolock,lockinterval.
Youcanalsousethistechniquetoincreaseyourhighscoresincertaingames.
Theonlylimitsareyourowningenuity.
RemembertokeepabackupofyourˇEbackup.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page13of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceWhatifthepasscodeispresentandactiveonthedeviceandithasn'tbeen"paired"withyourcomputerThisisnotassimpleasitmayseematrstglance.
iOSkeepstrackofwhichcomputersithaspairedwith,sowehavea"chickenandegg"scenario:Inordertoremovethepasscodebybackuptamperingwehavetorstbypassthepasscode.
Wecouldattempttobrute-forceguessthepasscode,however,bydefault,after10failedattemptsthedevicewillwipeitself,whichwouldrenderourmissiontoextractdata,afailure.
Thinkingbrieyaboutthedefault4digitPINbasedpasscode.
Thereare10,000possiblenumbers,(0000-9999).
Givingyoua1in1,000chanceofguessingtherightcombinationwithin10attempts.
Wecouldconceivablyreducethis,byshouldersurng,using"common"PINnumbers,usingsocialengineeringtacticsorinterestinglyexaminethescreentoseeiftherearengerprintsaroundthekeypadareaonthedevicewhichcouldexposedigitspresentinthePIN.
Theparingmechanismseemstobequiterobust,sotheratherobviousadvicehereisthatifyouwanttokeepyourdatasafe,ensurethatyouareverycautiousaboutwhatcomputersyouconnectyourdeviceto.
Backupencryptiondoespresentanotherchallenge.
Thereareonlyreallytwooptionsopentous;Eitherwehavetobruteforceguessthebackuppasswordorwearegoingtohavetoresorttoexploitingthedevice.
.
.
9.
2JailbreakingAsdiscussedearlier,iOSrestrictsaccesstotheentirelesystemtothebaseoperatingsystemitself.
Additionallyitprovidesnonativemeanstoaccesstheunderlyingoperatingsystem.
Jailbreakingessentiallyfoilsthatrestriction,allowingforunrestrictedaccesstothedevice.
Effectivelyputitmeanswecanrunanycodeonthedevicewelike,ignoringrestrictionssuchasapplicationsigning,adheringtoprescribedapplicationsandboxing,andread/writeaccesstothesystempartition.
InordertoJailbreak,vulnerabilitiesmustbeidentiedinthesoftwareorrmwarerunningonthedevice.
ThesevulnerabilitiesmusthavecertaincharacteristicsinordertobeusefulinJailbreaking.
Themostimportantoftheseisthatitmustenableustobeabletorunarbitrarycodeasthe"root"user.
Therearealargenumberof"Jailbreaking"toolsavailableforavarietyforversionsofiOS.
AsapplepatchesvulnerabilitiesiniOSortheBootromsoftheirdevices,Jailbreakershavetondnewvulnerabil-itiestoincorporateintotheirtools.
Jailbreakingisalsodividedintotwobroadcategories:Untethered-MeaningthatonceJailbrokenthedevice,ifrebooted,willstartnormallywithnointerventionTethered-withthistypeofJailbreak,userinterventionisrequiredinorderforthedevicetorestart.
Thedevicewillneedtobeconnectedtoacomputerandeffectivelybere-Jailbrokeninordertoboot.
WhetheradevicecanbeJailbrokenuntethered(whichistheoptimalroute)isdependantonthebootromversion,andthermwareversion.
CurrentlyiOSversions3.
2.
2andearliercanbeJailbrokenuntethered,morerecentversionswillrequirefurtherstepstobetakeninordertoremovethetether(suchasrunningGreenpois0n,analternateJail-breakingtool,afterJailbreakingthedevicewithredsn0w).
Incomingmonthstheseadditionalstepsarelikelytobecomeredundant,thusforbrevitythefollowingJailbreakstepswillworkcleanlyoniOSversionsearlierthan4.
2.
1.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page14of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceI.
e.
ifyouaregoingtoattemptwhatIwilldescribedosomeresearchrst:thereisahighdegreeofriskfortheuninitiatedandunlessyouareluckyorwellinformedyoumightendupwithahighlydesirable,expensiveplacemat.
Update:Asof16thFebruaryredsn0wwasupdatedtoversion4.
2,whichisanuntetheredjailbreak.
ThereforeallversionsofiOSuptoandincluding4.
2.
1canbejailbrokensafely,anduntethered.
ThusthefollowingstepscanbereplicatedonallversionofiOSfortheiPadandiPhone.
9.
3OwningtheDeviceAcommon,andexible,toolavailabletousewithiOS4.
2.
1(andearlier)isredsn0w.
AccuratelyspeakingwedonotneedtofullyJailbreakinordertoaccessdataonthedevice,wejustneedtobeabletobootthedevicewithacustomramdisk.
iOSdeviceshavethefacilitytodothiseitherbydroppinginto"recoverymode"(intendedforoperatingsystemrecoveryorupgrade)orDFUmode(intendedforrmwareupgrade).
Redsn0wdependsuponanexploitknownasLimera1n,whichtakesadvantageofbothofthesemodes,employingbothabootromexploitaswellasauserlandexploittofullyJailbreakthedevice.
Howeveraswedonothaveaccesstothecodeforredsn0w,wecan'tchangeitsbehaviourtostopitfullyJailbreakingthedevice.
Ifwewereabletocustomisetheactionsitwouldbeasimplemattertoremovethedevicepasscodebyeditingthefollowingle:/private/var/ManagedPreferences/mobile/com.
apple.
springboard.
plist(aswewouldhavedoneinthebackuptamperingmethod).
Howeverifwewantedtoremovethebackupencryptionaswell,wewouldhavetodoalittlemore.
Bydeleting(orrenaming)thekeychain:/var/Keychains/keychain-2.
dbwenotonlyremovethepasscode,butalsothekeyusedtoencryptthebackups,thusthebackupswillbeunencrypted.
Sadlywedosacriceotherpasswords,toosuchasemailpasswords,etc.
Redsn0w,thoughostensiblyaJailbreakingtool,isactuallyalittlemore:itcanbeusedtoinstallcustombundles.
Custombundlesareessentiallycompressedarchivescontainingcontent(suchasexecutablebinaries,orevenpreferencelists),whicharecopiedtothedevice.
Thuswecanusethisfeature,tofullyJailbreakthedevice,copysomescriptsandtoolstothedeviceinordertocompromiseit.
Andwecancompromiseitinsuchawaythatthedeviceshowsalmostnoevidencetotheuserthatithasbeen.
Redsn0wdependsonhavingacopyoftherestoreimageforthedevicebeingJailbroken(thesearefreelyavailablefromapple)andwillhavetobedownloadedinadvance.
So,wehavethefollowingscenario:AniPadwithapasscodeset,backupencryptionenabled.
Wehavealaptop(runningOSXorWindows)Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page15of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceAnup-to-dateversionofredsn0wAcustombundle(withOpenSSH,APT,andafewothertoolsandscripts)Acollectionofrestoreimages5minutesleftalonewiththedevice.
AnetworkconnectionWedon'tneedtoworryaboutthedevicebeingpairedtoourlaptopasitsidestepsthedevicepairingrequirement.
Asapartofthe"Jailbreak"thedeviceisputintoDFUmode.
Inthismodethedeviceisinastatewhereitistoallintentsandpurposesunabletocheckwhetheritispairedtothecomputeritisconnectedto.
TheiPadWecantakeaguesstoseeifitisrunning4.
2.
1byickingthehardwareswitchontheside.
Ifitmutesthevolumeonthedevicethereitisquitelikelytobe4.
2.
x.
Priorversionsusedthishardwareswitchtoengagetheorientationlock.
Inlaterversionsusersweregiventheoptiontochoosebetweenmuteandlock;thedefaultbeingmute.
Guessingtheversionofthermwareincorrectlyisnotfatal,itwillsimplymeanthattheJailbreakwillfailandyouwillhavetogothroughitagain.
TheLaptopWehaveredsn0w,wehavelauncheditandselectedtherelevantrmwareforthedevice.
EvenbeforeweconnecttheiPadwecanallowredsn0wtoprocessthermwareandwearepresentedwiththefollowingchoice:Figure6:Redsn0wOptionsWedon'twantcydiatobeinstalled,orthevictimwillseetheiconontheirspringboardinsteadwearegoingtouseoneofourcustombundles.
Wecanthenfollowthestepsthroughredsn0w,thedevicewillreboot.
OncethishascompleteditwillbeJailbrokenandthepasscodewillhavebeenremoved.
Whatthiscustombundledoes:Installsalargenumberofbasicunixtools,andsomekeypackages:OpenSSH(andalaunchscriptsoitstartsatboot)andAPT(sowecaninstalladditionalpackagesfromtheshell).
Italsorunsashellscriptatstartupthatrenamesthekeychain.
Thisremovesthepassphrase.
InordertogetitsIPaddress(sowecanSSHintoit)wecanjustlookinthenetworkpreferencesforitsIPaddress.
OncewehavethatwecanthensimplySSHintothedeviceas"root"(thedefaultpasswordis"Alpine").
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page16of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceInordertoremoveanyobvioustracesofushavingcompromisedthedevicewecanrenamethekeychainback,thiswon'timmediatelyrestorethepasscode,wewillneedtorebootforthattohappen.
Firsttherearesomeotherthingswecando.
UsingAPTwecaninstallothertoolsandutilities:Using"recAudio"willcausetheipadtostartrecordingaudio,thisisahighlyeffectivewaytolisteninonmeetings.
Itstorestheaudioinaiffle,andthiscanthenbecopiedoffthedevice,orascriptcouldbegeneratedtorecordatpredeterminedintervalsandthenuploadtheresultingaudioletoaweborftpserver.
Othertoolssuchas"pirni"canbescheduledtorun,Pirniisanarp-spoongtoolthatactsasaman-in-the-middle,snifngalldataonthewirelessnetwork.
Again,theresultantdatacanbeuploadedtoanexternalserverforcollectionbytheattacker.
"Nmap"canbeusedtomapthewirelessnetwork,andmetasploitcanthenbeusedtoattackandcompro-misehostsidentied,therebyusingtheiPadto"pivot"intothecorporateenvironment.
"Netcat"canbeconguredtoinitiateareverseshelltoahostontheinternetforremotecontrol.
Howeverwealsohaveour"increasedstealth"custombundle,onethat:LeavesthekeychainintactInstallsOpenSSHInstallstheabovetoolsGathersinformationfromthedevice(thedynamicdictionary,Emails,calendarentriesetc)anduploadsittomywebserver.
SchedulesrecordingsanduploadsthemtomywebserverAttemptsareverseshelltomyservereachtimeitdetectsanetworkconnection.
Tweetsthegeographicallocationofthedevicedaily103rdPartyApplicationsecurityEvenlegitimateapplicationscanintroducerisksintoacorporateenvironment.
AsImentionedinthein-troductionIamgoingtoavoidnamingspecicapplicationsorvendors(theywillorhavebeencontacteddirectly)withregardtosecurityissues.
BroadlyspeakingIhaveidentiedtwoprevalentcategoriesofrisk:10.
1ApplicationsstoringsensitivedatainsecurelyManyapplicationshavetheabilitytoaccesssensitivedata.
Thisdatacouldbeasbasicassocialnet-workingsites,downloadingandviewingdocumentsorascomplexasremotedesktopfunctionalityforaccessingcorporateresources.
Inanycasewehaveidentiedalargenumberofapplicationsthatstorecredentialslocallyinplaintext.
Thesecredentialscanbeforcorporateservers,internetlestores,websitesorevenforlocalaccesstotheapplication.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page17of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceOtherapplicationswehaveseencacheinformationlocallyonthedevice,sothatitcanbeviewedormanipulatedofine.
Theselocalcachesarerarelyencrypted.
Inbothcasesinsecurestorageofcacheddataorcredentialsisabadthing,asitwillbesynchronisedbacktoiTunesincleartext(ifencryptedbackupsarenotenabled).
Failingthat,thedatacaneasilyberetrievedafteraJailbreak.
ThereforewhenassessingapplicationsforusewithinacorporateenvironmentitisimportanttoensurethatthedevelopershaveelectedtousetheiOSencryptedkeychain(asrecommendedbyapple)andthattheyareencryptinganylocallycacheddata.
Anotherinteresting"feature"ofiOSitselfcanintroduceweaknessesinapplicationindirectly:theDy-namicDictionary.
Evenifanapplicationisnotstoringinformationorcredentialsinaninsecureformat,itismrethanlikelythattheDynamicDictionarywill.
Iteffectivelyactsasakeyloggeronthedevice.
Wehaveseeninstanceswherethedictionaryhasstoredpasswords,contactinformationandallmannerofinformationthatwouldgiveanyindividualcausetopale.
10.
2ApplicationsthatopenservicesonanetworkThereareseveralmethodsthatapplicationscanusefacilitatethetransferofdatafromothersourcessuchasthelocalnetwork,theinternetoradesktopcomputer.
Itisfairlycommonforapplicationsthatviewormanipulatedocumentstorunawebservertofacilitateletransfers.
UsersthencanuseawebbrowseronanotherdeviceorcomputertoconnecttotheiPadtouploadcontent.
Thismaynotseemaparticularlyhighlevelrisk,howeverinsomecaseswehaveseentheseapplicationsbroadcasttheseservicesvia"bonjour"andalmostwithoutexceptionusepredictableTCPportsfortheirservicesmakingthemeasytoidentifyonanetwork.
Suchserversusually(ifnotalways)bydefaultrequirenoauthentication.
iPadsdeployedincorporateenvironmentswillalmostcertainlybeusedtoviewandsharesensitiveinformation.
Itmaybethatusersareinadvertentlysharingthisinformationwhentheyconnecttothefreewirelessattheirlocalcoffeeshop.
11GoodPractise(i.
e.
Howdowexit)11.
1PhysicalsecurityClearlyphysicalcontrolofthedeviceisparamount.
DetectingifadevicehasbeenstealthilyJailbrokenwithoutactuallyJailbreakingitistricky,itcanbedone,butitisbettertonotletithappen.
IfyoudolosephysicalcontrolofthedevicewhatthenIfitwasleftaloneforaperiodoftime,orifitwaslostandthenreturnedyoushouldassumethatithasbeencompromised.
Restorethedevice;thiswilleffectivelyremovetheJailbreak,(iTunesdoesn'tbackupanyoftheJailbreakoritsdata).
Ifithasgonemissingattempttoremotewipethedevice,howeverbeawarethatsimplyremovingtheSIMfromthedevicecandefeatthis.
AlsorememberdotheremotewipebeforeyoucanceltheSIM,forobviousreasons.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page18of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace11.
2PolicyControlsCorporatepoliciesshouldforbidJailbreaking.
ThereisnoguaranteethatevenifthedevicehasbeenJailbroken"legitimately"thatapplicationsinstalledvia3rdpartyapplicationstoressuchasCydiadonotcontainhostilecode.
Determinewhatdatashouldbepermittedonthedevice.
Corporateandpersonaldatashouldnotmix.
Highlysensitiveinformationshouldneverbestoredlocallyonthedeviceunlessappropriatelyencrypted.
Controlwhatapplicationsshouldberunonthedevice,3rdpartyapplicationscanintroducethreats.
Userawarenessandeducationisparamount.
Makecertainthatusersareeducatedastothethreatstotheirownaswellascompanydata.
11.
3TechnicalrestrictionsUseapplicationsthatenforcedatasegregation.
Thereareseveralapplicationsthatusetheirownemail,calendarandcontactprograms,andwhichenforcelocalencryptioneffectivelycreatingasecondary"sandbox"inwhichcorporatedatacanbehandled.
SomeoftheseapplicationsuseJailbreakdetectionandrefusetorunifapolicyissettothateffect.
EmployExchangesecuritypoliciestotheirbesteffect,lockdownasmuchaspossible.
Rememberifthedeviceissynchronisedregularlyitdoesn'tmatterifitiswipedafter3failedpasscodeattempts,itcanberestored.
Protectthecomputerthatthedeviceisbeingsynchronisedto!
Ifyoulosethebackupofthedevice,youlosecontrolofthedatathathasbeenstoredonit.
Examinethecapabilitiesof3rdpartyapps.
DotheyopennetworkportsfordocumentsharingHavethemsecuritytestedforvulnerabilitiesthatcouldexposesensitiveinformation.
Considerusingdevicesasthinclients.
Therearemanyremotedesktopclientsouttherethatareser-viceable.
(butagain,ensurethattheyaren'tcachingcredentialsinplaintextonthedevice.
Getthemtested!
)Restorefrequently.
Amonthlyrestoreofthedeviceshouldprovidesomeassurancethatitisnotcompro-mised.
EnsurethatdevicesaremaintainedattheirlatestrmwareversionReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page19of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceAppendixAListofkeylesbackedupbyiTunesLibrary_AddressBook_AddressBook.
sqlitedbLibrary_AddressBook_AddressBookImages.
sqlitedbLibrary_Calendar_Calendar.
sqlitedbLibrary_CallHistory_call_history.
dbLibrary_Cookies_Cookies.
plistLibrary_Keyboard_dynamic-text.
datLibrary_LockBackground.
jpgLibrary_Mail_Accounts.
plistLibrary_Mail_AutoFetchEnabledLibrary_Maps_Bookmarks.
plistLibrary_Maps_History.
plistLibrary_Notes_notes.
dbLibrary_Preferences_.
GlobalPreferences.
plistLibrary_Preferences_SBShutdownCookieLibrary_Preferences_SystemConguration_com.
apple.
AutoWake.
plistLibrary_Preferences_SystemConguration_com.
apple.
network.
identication.
plistLibrary_Preferences_SystemConguration_com.
apple.
wi.
plistLibrary_Preferences_SystemConguration_preferences.
plistLibrary_Preferences_com.
apple.
AppSupport.
plistLibrary_Preferences_com.
apple.
BTServer.
plistLibrary_Preferences_com.
apple.
Maps.
plistLibrary_Preferences_com.
apple.
MobileSMS.
plistLibrary_Preferences_com.
apple.
PeoplePicker.
plistLibrary_Preferences_com.
apple.
Preferences.
plistLibrary_Preferences_com.
apple.
WebFoundation.
plistLibrary_Preferences_com.
apple.
calculator.
plistLibrary_Preferences_com.
apple.
celestial.
plistLibrary_Preferences_com.
apple.
commcenter.
plistLibrary_Preferences_com.
apple.
mobilecal.
alarmengine.
plistLibrary_Preferences_com.
apple.
mobilecal.
plistLibrary_Preferences_com.
apple.
mobileipod.
plistLibrary_Preferences_com.
apple.
mobilemail.
plistLibrary_Preferences_com.
apple.
mobilenotes.
plistLibrary_Preferences_com.
apple.
mobilephone.
plistLibrary_Preferences_com.
apple.
mobilephone.
speeddial.
plistLibrary_Preferences_com.
apple.
mobilesafari.
plistLibrary_Preferences_com.
apple.
mobileslideshow.
plistLibrary_Preferences_com.
apple.
mobiletimer.
plistLibrary_Preferences_com.
apple.
mobilevpn.
plistLibrary_Preferences_com.
apple.
preferences.
network.
plistLibrary_Preferences_com.
apple.
preferences.
sounds.
plistLibrary_Preferences_com.
apple.
springboard.
plistLibrary_Preferences_com.
apple.
stocks.
plistLibrary_Preferences_com.
apple.
weather.
plistLibrary_Preferences_com.
apple.
youtube.
plistLibrary_Preferences_csidataLibrary_SMS_sms.
dbReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page20of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceLibrary_Safari_Bookmarks.
plistLibrary_Safari_History.
plistLibrary_Voicemail_.
tokenReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page21of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceAppendixBCitations/Furtherreadinghttp://www.
apple.
com/uk/ipad/business/integration/http://blog.
iphone-dev.
org/http://www.
theiphonespot.
net/p=7561http://www.
zdziarski.
com/blog/cat=11http://xsellize.
com/index.
phphttp://www.
greenpois0n.
comReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page22of22
digital-vm怎么样?digital-vm在今年1月份就新增了日本、新加坡独立服务器业务,但是不知为何,期间终止了销售日本服务器和新加坡服务器,今天无意中在webhostingtalk论坛看到Digital-VM在发日本和新加坡独立服务器销售信息。服务器硬件是 Supermicro、采用最新一代 Intel CPU、DDR4 RAM 和 Enterprise Samsung SSD内存,默认...
适逢中国农历新年,RAKsmart也发布了2月促销活动,裸机云、云服务器、VPS主机全场7折优惠,新用户注册送10美元,独立服务器每天限量秒杀最低30.62美元/月起,美国洛杉矶/圣何塞、日本、香港站群服务器大量补货,1-10Gbps大带宽、高IO等特色服务器抄底价格,机器可选大陆优化、国际BGP、精品网及CN2等线路,感兴趣的朋友可以持续关注下。裸机云新品7折,秒杀产品5台/天优惠码:Bare-...
ihostart怎么样?ihostart是一家国外新商家,主要提供cPanel主机、KVM VPS、大硬盘存储VPS和独立服务器,数据中心位于罗马尼亚,官方明确说明无视DMCA,对版权内容较为宽松。有需要的可以关注一下。目前,iHostART给出了罗马尼亚vps的优惠信息,罗马尼亚VPS无视DMCA、抗投诉vps/2核4G内存/40GB SSD/100M端口月流量2TB,€20/年。点击直达:ih...
ipad代理为你推荐
操作httpsns平台sns是什么平台flashfxp用Flashfxp上传网站的具体步骤linux防火墙设置如何使用iptables命令为Linux系统配置防火墙重庆电信断网为什么重庆电信沙坪坝天星桥这网络老是掉线建企业网站怎么建企业网站企业信息查询系统查企业信息哪个的软件好?163yeah163,126,yeah哪个更好啊,各有什么特点啊加多宝与王老吉加多宝王老吉有什么区别吗?缤纷网缤纷的意思是什么
大庆服务器租用 google镜像 美国主机评测 cpanel 申请空间 嘟牛 中国电信测速112 卡巴斯基官方免费版 中国电信测网速 100m独享 服务器托管什么意思 鲁诺 怎么建立邮箱 银盘服务 web服务器是什么 路由跟踪 cxz 免费的域名 xuni 国外免费云空间 更多