convergedipad代理
ipad代理 时间:2021-05-05 阅读:(
)
GeneralReleaseAppleiPadIntheWorkPlaceWrittenByRussSpoonerPortcullisComputerSecurityLTDTheGrangeBarnPike'sEndPinnerMiddlesexHA52EXTel:02088680098Fax:02088680017rus@portcullis-security.
comDocumentReferenceWhitepapers/WPIOS2011/wp_WPIOS2011_0.
3Version0.
3Date16February2011cCopyrightPortcullisComputerSecurityLimited2011PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace1DocumentHistoryRevisionAuthorRoleDateComments0.
1RUSAuthor09/02/2011InitialFirstDraft0.
2RUSAuthor15/02/2011MinorRevisions0.
3RUSAuthor16/02/2011Updatedtoreectnewversionofredsn0wTable1:DocumentRevisionHistoryReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page2of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceContents1DocumentHistory22TableOfContents32.
1ListOfFigures32.
2ListOfTables43Introduction54TheStateOfPlay55Evolution56Deployments76.
1Whyarewedeploying76.
2Wherearewedeploying76.
3PersonalvsPrivateProperty76.
4Whydoesthismatter87CoreSecurityFeatures87.
1Devicepolicies/proles87.
2FilesystemEncryptionFallacy98Whereisinformationstored98.
1ProblemswithSQLite108.
2iTunes118.
3LocalFilesystem129Accessingthedata129.
1Simpleattacks129.
2Jailbreaking149.
3OwningtheDevice15103rdPartyApplicationsecurity1710.
1Applicationsstoringsensitivedatainsecurely1710.
2Applicationsthatopenservicesonanetwork1811GoodPractise(i.
e.
Howdowexit)1811.
1Physicalsecurity1811.
2PolicyControls1911.
3Technicalrestrictions19AppendixAListofkeylesbackedupbyiTunes20AppendixBCitations/Furtherreading22ListofFigures1DeletedData102DynamicDictionary10Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page3of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace3ApplicationLaunchLog114EnvelopeIndex115SynchronisationHandshake136Redsn0wOptions16ListofTables1DocumentRevisionHistory2Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page4of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace3IntroductionSecurityconsiderationsforiOS4.
2.
1andearlier,iPad.
iOSdevicessuchastheiPadarebecomingincreasinglyprevalentinworkenvironmentslargelyduetotheireaseofuseandexibility,butalsoduetotheso-called"haloeffect".
Whatmostusers,bothcorporateandindividual,oftendonotacknowledgearethesecurityweaknessesintheAppleiOSoperatingsystem,andadditionallyiTuneswhichcaneasilyresultintheexposureofhighlysensitiveinformationandthecompromiseofthedeviceitself.
InthiswhitepaperIwilloutlineandenumeratemanyoftheissuessurroundingtheintroductionoftheiPadintotheworkplacewithparticularregardtotheexposureandtheftofsensitiveinformation,coun-termeasuresemployedbyAppleandhowinmostcasestheyaretriviallybypassed.
Theinformationprovidedinthiswhitepaperisnotentirelymyownwork,andreferencespubliclyavail-abletoolsandinformation,ifIhavemissedanyattribution,pleasedonothesitatetocontactme.
Theintendedaudienceforthisistechnical/managerial,thatistosay,inpartsitwillbemoderatelytechnical,butthekeyfocuswillbetheprovisionofinformationtothoseplanningorevaluatingrolloutsofiOSbaseddevicesinorderthattheyareabletoaccuratelyunderstandtherisksassociatedwiththis.
ThereasonIamwritingthispaper,isduetothefactthatPortcullishavebeenapproachedwithincreasingfrequencywithregardtoperformingsecurityassessmentsoftheiPad,togiveourperceptionofthedevicessecurityortoprovideguidancewithregardtodeployingthemsecurely.
Inasensethisistobeconsideredasummationofmyndings,itisnotbyanymeansintendedtodissuade,impedeorscaremonger,butrathertoenableinformedunderstandingoftherisksthatthesedevicesmayintroduce.
WhereverpossibleIwillsuggestmitigatingstrategies,insomecasestheyarenotpossible.
AlsoIwillwhereverpossiblebesteeringawayfromnamingspecic3rdpartyapplications,orvendorsasitisnotmyintenttoeitherendorseorcondemnthem.
Alsotrademarksorregisteredtrademarksarethepropertyoftheirrespectiveowner(s).
4TheStateOfPlayForthesakeofthisdocumentwearegoingtoassumethatwearedealingwiththeiPad3GrunningiOS4.
2.
1.
AlthoughthereareotherversionsofhardwarethatruniOScurrentlyincirculation,andtheywillbementionedwhereitismeritoriousorusefulasacomparison,wearelookingintoiPaddeployments.
5EvolutionTheiPhonewasrstreleasedtothepublicin2007,runningaderivativeofMacOSX/DarwincompiledfortheARMprocessor,whichbecameknownasiOS.
ApplereleasedDarwin,anopensourceoperatingsystem,in2000;itisPOSIXcompliantandiscompat-iblewiththeSingleUNIXSpecicationversion3(SUSv3).
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page5of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceDespitetheinherentexibilityofthebaseoperatingsystem,initialreleasesofiOSprovidednointendedfacilityfortherunningof3rdpartyapplications,insteadrelyingonwebapplicationstodeliverfunction-alitybeyondthatdeliveredbythebuiltinapplications.
However,enterprisingindividualsontheinternetwerequicklyableto"Jailbreak"theoperatingsystem,effectivelygaininginteractiveaccesstotheunderlyingoperatingsystem.
CommonUNIXutilitieswereeasilyportedtoiOSandsoonmanyunofcial3rdpartyapplicationstartedtoappear.
PerhapsasareactiontothisAppleannouncedanofcialSDKonOctober2008.
InMarch2008ApplereleaseditsrstbetaoftheiPhoneSDKwhichwouldpermitdeveloperstoof-ciallydevelopnativeapplicationsfortheoperatingsystem.
TheapplicationswouldbedistributedviatheApple"AppStore"and,ofcourse,iTunes.
DespitethisJailbreakingremainedpopular,insomepartduetotherestrictionsplacedupondevelop-ers.
Forinstance,applicationswhichusedApple"Private"APIswere(andare)rejectedbyAppleandthereforetheonlyviablereleasevectorforthemwasthroughthe"unofcial"appstores(cydia,icyandrock).
Unofcal3rdpartyapplicationswhichextendthefunctionalityandcustomisabilityoftheiOSinter-face/launcher(Springboard)suchasWinterboardhavealsohelpedtoensurethatJailbreakingisapopularandsoughtafterprocedure.
NaturallyasizeablenumberofJailbreakersdosoinorderto"pirate"Ofcial3rdpartyapplications,andalsotoremovecarrierlocksfromtheiPhonebaseband.
Itisestimatedthatanywherebetween10and20%ofiOSdeviceshavebeenJailbroken.
Whichequatestoavastnumberofdevices.
ForinstanceanalystsanticipatethatApplewillhavesoldover100millioniPhonesby2011,andtheWallStreetJournalestimates20MillioniPadswillsellinthesameyear.
ApplerespondedwitheachsubsequentreleaseofiOSwithcountermeasuresintendedtoclosevulnera-bilitiesintheoperatingsystemanditscomponentseffectivelystoppingJailbreaking.
Howeverthishasledtoa"catandmouse"approachtovulnerabilityresearchanddevelopment.
i.
e.
vulnerabilitieswhichmayresultin"root"levelcompromiseofthedevicearecloselyguardedandsharedprincipallyamongstmembersoftheJailbreakingdevelopmentcommunity.
NaturallysuppressionofJailbreakinghasnotbeenthesolemotiveofupdatestoiOS.
Newfeaturesandfunctionalityhavebeengraduallyintroducedtoaddressmanyoftheperceivedshortcomingsoftheoperatingsystem,suchasMultitasking,copyandpaste,improvedbatteryusageetc.
SuccessiveiterationsofiOSdeviceshavealsosoughttoimproveperformanceandindeedsecurityofthedevice.
ForinstancewiththeiPhone3GSandtheiPadhardwareencryptionwasintroduced.
TheiPadwasactuallydevelopedbeforetheiPhone,butitwasrealisedthatthetechnologywouldworkwellasamobilephoneplatform,andemphasiswasshiftedinthatdirection.
TheiPadwasnallyannouncedinJanuary2010,andreleasedinApril.
VersionsofiOSrunningontheiPad,andiPhonewereconvergedinNovember2010withthereleaseofversion4.
2.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page6of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace6Deployments6.
1WhyarewedeployingTherearemanyreasonswhycompanies,institutionsandevenschoolsareseekingtodeploytheiPad.
Manyofthesearenotbusinessrelated:EaseofaccesstoinformationAconsistent,easilymaintainedplatformPortabilityRobusthardwareToreducepaperuseImprovedcommunicationsRelativelylowcostSecurityfeatures(Oftensaidwithastraightface)Theyare"shiny"6.
2WherearewedeployingAtPortculliswedealwithcompaniesfromallsectors,usuallythosewithaverylowriskappetite.
Wehavesofarbeenapproachedbyclientslookingatsmalldeployments(lessthan100)inareassuchas:FinancialMediaCommunicationsButanecdotallyandviathepressweareseeinglargedemandin:EducationLocalGovernmentHealthcareSothatcoversmostsectors.
Whatisinterestingisthatweareseeingtheprimarydemandanddeploymenttargetscomingfromandtothe"boardlevel".
Studentsandmedicalstaffseemtobetheprincipaltargetsinthepublicsector.
6.
3PersonalvsPrivatePropertyItisimportanttounderstandwho"owns"thedevice.
IsthisapersonaldevicethatisbeingconnectedtocorporateresourcesIsitacorporatedevicethatisbeingconnectedtopersonalresourcesReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page7of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceThedevicesaremediacentric,meaningthattheyaredesignedforgames,music,photos,lmsaswellasweb-browsingandinformationviewing/sharing.
Corporationsandinstitutionsneedtobeawarethatthereisastrongpossibilitythatdataonthedevicecanbecomeblended,i.
e.
thatcorporatedataisstoredalongsidepersonaldata.
Suchblendeddatacantheneitherbesynchronisedintoacorporateorahomeenvironment.
Obviousrisksarethatifadevicethathasbeenusedtoaccesscorporatedataisbackeduptoapersonalcomputer,thenthatcorporatedataistheneffectivelypropagatedtothatcomputer.
Converselytheremaybesupportandpolicyconsiderations,(nottomentionpotentialcopyrightissues)shouldadevicebesynchronisedwithacorporatecomputer.
ForinstanceitmaybeagainstcompanypolicyforiTunestobeinstalled.
OtherlessobviousrisksarefeatureswithinapplicationssuchasMobileMail.
The"uniedinbox"isagoodexampleofthis.
Ifmultipleemailaccountsareconguredonthedevice,theycanbecomeeffectivelymergedintoone"inbox",itcanthenbecomeveryeasytocomposeorforwardmailsviathe"wrong"account.
Thismaybypasscontentlteringrequirements,oremailarchivingpolicies.
6.
4WhydoesthismatterInessence,whousesiPadsshouldn'tmatter,howeverwhenyouconsiderthereasonsfordeployingthem,andwhotheyarebeingdeployedtoandthencontrastthattotheprobabilityofinformationexposurewehavearatherunappealingscenario.
Itwouldappearthathighlysensitiveinformationstorageisbeingcarriedoutbyalowsecuritysystem.
7CoreSecurityFeaturesHerewearegoingtotakealookatthecoresecurityfeaturesofiOSdevices,bothatthehardwareandsoftwarelevels:7.
1Devicepolicies/prolesPasscodescanbesetbyusers,orbyapplyinganMSExchangeActiveSyncpolicy.
Thedefaultisa4digitPIN,which,ifentered10timesincorrectlywillcausethedevicetowipe.
TheonlywaytochangefromthisdefaultisbyapplyinganExchangepolicywhichwillthenenablethefollowingtobeset:EnforcepasswordondeviceMinimumpasswordlengthMaximumfailedpasswordattemptsNumbersandlettersbothrequiredInactivitytimeinminutesWithMSExchangeServer2007thefollowingadditionalpoliciesaresupported.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page8of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceSimplepasswordallowedorprohibitedPasswordexpirationPasswordhistoryPolicyrefreshintervalMinimumnumberofcomplexcharactersinapasswordThesepoliciesareeitherdeployed"overtheair"oraspartofacongurationprolethatuserscaninstall.
Thepoliciescanbesigned,andpasswordprotectedrequiringan"administrator"toremovethem.
Apolicy"lock"canbeenforced,whichwillrequirethedevicetobewipeduponremovalofthepolicy.
CongurationprolesareXMLleswhichcancontaininformationsuchasserversettings,securitypoliciesthatwillbeappliedtothedevice.
Itsinterestingtonotethatwhencongurationprolesareencrypted,theyautomaticallyenforceencryp-tionofbackupsiniTunes.
Devicerestrictionscanbeappliedwhichcanpreventusersperformingcertainactions,suchasinstallingapplications,accessingYouTube,etc.
7.
2FilesystemEncryptionFallacyAlthoughiOSdevices(iPhone3GS+,andiPad)haveahardware-levelencryptedlesystem,thereisamisconceptionthattheinformationisactuallyprotected.
Thelesystemiseffectivelydecryptedatboot-time(thebootloaderneedstoaccessthelesystemtostartiOS),therebyeffectivelyrenderingtheencryptionredundantintermsofprotectinginformationonarunningiOSdevice.
Wheretheencryptioncomesintoplayiswhena"remotewipe"commandispushedtothedevice,viaeitherMSExchangeorMobileMe.
AtthispointiOSdeletestheencryptionkeysandforcesareboottherebyrenderingtheinformationonthedeviceinaccessible,andindeedunbootable.
8WhereisinformationstoredInordertounderstandtheriskofinformationexposureortheftweneedtounderstandwhereinformationisstoredandhow.
AlthoughiOSisaUNIXbasedoperatingsystemandusesHFSasthelesystem,iOSreliesontwomaintypesoflestostoreandretrieveinformation,andtostorecongurationinformation:Plists(preferencelists)areXMLbasedplaintextles,(orinsomecasebinary)thatcontainvarioussettingsandotherinformationpertainingtoapplicationsandhowtheoperatingsystemiscongured.
SQLitedatabasestypicallycontainapplicationspecicdata.
ToolsarefreelyavailabletointerrogatebothleseitherusingaGUIorviaacommandlineinterface.
ClearlytheselesarethekeypointofinterestforindividualsseekingtoextractinformationfromiOSdevices.
Indeed,thosefamiliarwithUNIXcommandlinetoolssuchasgrepwillbeabletoextractveryinterestinginformationfromeitheroftheseletypes.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page9of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceForallintentsandpurposeseachapplicationwilluseSQLitedatabasestostoredata,thiswillincludeEmails,Imagesandsoforth.
8.
1ProblemswithSQLiteSQLite,accordingtowikipediais:"anACID-compliantembeddedrelationaldatabasemanagementsystemcontainedinarelativelysmall(approx225kB)Cprogramminglibrary.
ThesourcecodeforSQLiteisinthepublicdomain.
"Whichmakesitidealforalowfootprint,swiftandeasytouseplatformfordatamanipulationonasmalldevice.
ThesedatabasescanbeaccessedeitherbycopyingthemoffthedeviceafterJailbreakorbyaccessingtheiTunesbackup.
OnceretrievedtherearemanySQLitedatabaseviewers,whichcomeinveryusefulinexamininglivedataonthedevice.
Whatwehavefoundinourinvestigationsisthatdatastoredinthesedatabasesispersistentandquitetenacious.
Forinstance,whenyoudeleteanotesentryitisjustaggedasdeleted,itisn'tactuallyremoved.
Thisin-formationcannotbeaccessedusingstandardSQLitebrowsers,howeversimpletoolslike"vi"or"strings"canbeusedtoviewthe"deleted"data:Figure1:DeletedDataAlso:theDynamicDictionaryfeaturestoreswholephrasesinadatabase(including,undercertaincir-cumstancescouldincludecreditcardnumbers,passwords,etc)Figure2:DynamicDictionaryiOSlogswhenandhowoftenapplicationshavebeenlaunched:Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page10of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceFigure3:ApplicationLaunchLogThe"EnvelopeIndex"storesEmailheaders,evenfordeletedaccounts,andaccountinformationpersistsinvariousles:Figure4:EnvelopeIndex8.
2iTunesEachtimeyouconnectyourdevicetoyourPC/MaciTunescanbeconguredtoautomaticallybackupyourdevice.
Thisisaveryusefulfeature,anditisaverythoroughbackup,totheextentthatifyouweretoloseyourdeviceandgetanewone,youcanrestorethisbackupandbarelyevennoticeyouhadanewone(moreonthislater).
Thesebackupsarestoredinthefollowinglocations:WindowsXP:C:\DocumentsandSettings\$USERNAME\ApplicationData\AppleComputer\MobileSync\BackupWindowsVistaand7:C:\Users\$USER\AppData\Roaming\AppleComputer\MobileSync\BackupOSX:~/Library/ApplicationSupport/MobileSync/Backup/IntherelevantfolderyouwillndwhatappearstobeafolderorfolderswhosenameconsistsofaUniqueIdentier.
Withinthisfolderareallthebackeduplespertainingtoyourdevice.
Thelesare,simplyput,preferencelistsandSQLitedatabases.
Theydonothavemeaningfulnames,butthatwontdeterusasyouwillseelater.
KeySQLitedatabasesandpliststhataresynchronisedarelistedinappendixA.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page11of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace8.
3LocalFilesystemiOSdeviceshavetwomainpartitions,the"root"orsystempartitionwhereoperatingsystemlesarestored:/dev/disk0s1/rw01andthe"media"partitionwhere"user"lesarestored:/dev/disk0s2/private/varhfsrw,noexec02Undernormal(i.
e.
non-Jailbroken)circumstances,itisonlypossibleforuserstoaccessthemediapartition;eventhenthisaccessisheavilyrestrictedbyapplicationsandboxing.
AccordingtoAppleap-plicationscanonlyaccesslesanddirectoriesintheir"area"onthelesystemforinstanceanexampledirectorystructurecouldbe:|ApplicationGUID||_Application.
app|_Documents/|_Library/Preferences/|_tmp/Thusanygivenapplicationshouldonlyhaveaccesstoits"own"les.
However,onceJailbrokenthefulllesystemisavailabletoapplications,whichaswewillseegreatlyimpactsthesecurityofthedevice.
9AccessingthedataAnefariousindividual'sobjectiveistoaccessthisinformationcovertly,withminimalphysicalaccess,leavinglittleornoevidenceoftampering,ideallypersistentlyandofcoursegettinglotsofsensitivestuffeitherforblackmailorcommercialadvantage.
9.
1SimpleattacksBydefaultiTunesstoredabackupofthedeviceunencrypted.
Whetherornotthebackupisencryptedisenforcedbyaagsetinaplistonthedeviceitself.
Auserspeciedencryptionkeyisalsostoredonthedeviceinthekeychain.
Thekeychainisanencrypteddatabaseofpasswordsstoredbythedevice.
AccessinganunencryptediTunesbackupistrivialaswehaveseenabove,butwhatelsecanwedowiththesebackupsWecancopythemformthehostcomputertoourcomputerforanalysis,wecanevenrestorethebackuptoourphone,effectivelycloningit.
Unfortunatelythekeychaindoesnotsurvivethis(duetothewayitisencrypted)sowewontbeabletoretrievepasswordsthisway.
Wecanalsoeditbackups.
Theyaren'tsigned.
Wecanthenrestorethemback.
IfwegobackalittlebitandlookathowiOSandiTuneshandlesbackupscrudelyputthisishowitoccurs:Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page12of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceFigure5:SynchronisationHandshakeInessenceweneedtoeitherhave"paired"theiOSdevicetoiTunesorweneedtoknowthepasscodeinordertogainaccesstoanunencryptedbackup.
Thereareotherspeedbumpsaswell,forinstanceanExchangepolicycouldmandateencryptedbackups,butagainwecanovercomethis.
Wecanremovethepasscodebyeditingtherelevantplist,(thisiswheregrepcomesinhandyasalltheplistshavewhatseemtobe"random"names)wearelookingforsomethinglikethis:PasswordInformationpinTimeStamp2010-07-20T11:46:22ZRemoveeverythingfromtheinner""savetheleandrestorethedevice.
Bingo.
Nopass-code.
Anothermeansofremovingthepasscodeistodeletethekeychainfromthebackup,butasthiswouldalsoeraseotherpasswordsstoredonthedevice,itiscounterproductiveinthatitwouldhinderourabilitytoretrievefurtherinformationfromthedeviceonceitisunlocked.
ThisbackuptamperingcanbeusedtodefeatalargenumberofsecurityfeaturesthatmaybeenforcedbyExchangepolicies.
Thingssuchas:Policyrefreshintervals,autolock,lockinterval.
Youcanalsousethistechniquetoincreaseyourhighscoresincertaingames.
Theonlylimitsareyourowningenuity.
RemembertokeepabackupofyourˇEbackup.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page13of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceWhatifthepasscodeispresentandactiveonthedeviceandithasn'tbeen"paired"withyourcomputerThisisnotassimpleasitmayseematrstglance.
iOSkeepstrackofwhichcomputersithaspairedwith,sowehavea"chickenandegg"scenario:Inordertoremovethepasscodebybackuptamperingwehavetorstbypassthepasscode.
Wecouldattempttobrute-forceguessthepasscode,however,bydefault,after10failedattemptsthedevicewillwipeitself,whichwouldrenderourmissiontoextractdata,afailure.
Thinkingbrieyaboutthedefault4digitPINbasedpasscode.
Thereare10,000possiblenumbers,(0000-9999).
Givingyoua1in1,000chanceofguessingtherightcombinationwithin10attempts.
Wecouldconceivablyreducethis,byshouldersurng,using"common"PINnumbers,usingsocialengineeringtacticsorinterestinglyexaminethescreentoseeiftherearengerprintsaroundthekeypadareaonthedevicewhichcouldexposedigitspresentinthePIN.
Theparingmechanismseemstobequiterobust,sotheratherobviousadvicehereisthatifyouwanttokeepyourdatasafe,ensurethatyouareverycautiousaboutwhatcomputersyouconnectyourdeviceto.
Backupencryptiondoespresentanotherchallenge.
Thereareonlyreallytwooptionsopentous;Eitherwehavetobruteforceguessthebackuppasswordorwearegoingtohavetoresorttoexploitingthedevice.
.
.
9.
2JailbreakingAsdiscussedearlier,iOSrestrictsaccesstotheentirelesystemtothebaseoperatingsystemitself.
Additionallyitprovidesnonativemeanstoaccesstheunderlyingoperatingsystem.
Jailbreakingessentiallyfoilsthatrestriction,allowingforunrestrictedaccesstothedevice.
Effectivelyputitmeanswecanrunanycodeonthedevicewelike,ignoringrestrictionssuchasapplicationsigning,adheringtoprescribedapplicationsandboxing,andread/writeaccesstothesystempartition.
InordertoJailbreak,vulnerabilitiesmustbeidentiedinthesoftwareorrmwarerunningonthedevice.
ThesevulnerabilitiesmusthavecertaincharacteristicsinordertobeusefulinJailbreaking.
Themostimportantoftheseisthatitmustenableustobeabletorunarbitrarycodeasthe"root"user.
Therearealargenumberof"Jailbreaking"toolsavailableforavarietyforversionsofiOS.
AsapplepatchesvulnerabilitiesiniOSortheBootromsoftheirdevices,Jailbreakershavetondnewvulnerabil-itiestoincorporateintotheirtools.
Jailbreakingisalsodividedintotwobroadcategories:Untethered-MeaningthatonceJailbrokenthedevice,ifrebooted,willstartnormallywithnointerventionTethered-withthistypeofJailbreak,userinterventionisrequiredinorderforthedevicetorestart.
Thedevicewillneedtobeconnectedtoacomputerandeffectivelybere-Jailbrokeninordertoboot.
WhetheradevicecanbeJailbrokenuntethered(whichistheoptimalroute)isdependantonthebootromversion,andthermwareversion.
CurrentlyiOSversions3.
2.
2andearliercanbeJailbrokenuntethered,morerecentversionswillrequirefurtherstepstobetakeninordertoremovethetether(suchasrunningGreenpois0n,analternateJail-breakingtool,afterJailbreakingthedevicewithredsn0w).
Incomingmonthstheseadditionalstepsarelikelytobecomeredundant,thusforbrevitythefollowingJailbreakstepswillworkcleanlyoniOSversionsearlierthan4.
2.
1.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page14of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceI.
e.
ifyouaregoingtoattemptwhatIwilldescribedosomeresearchrst:thereisahighdegreeofriskfortheuninitiatedandunlessyouareluckyorwellinformedyoumightendupwithahighlydesirable,expensiveplacemat.
Update:Asof16thFebruaryredsn0wwasupdatedtoversion4.
2,whichisanuntetheredjailbreak.
ThereforeallversionsofiOSuptoandincluding4.
2.
1canbejailbrokensafely,anduntethered.
ThusthefollowingstepscanbereplicatedonallversionofiOSfortheiPadandiPhone.
9.
3OwningtheDeviceAcommon,andexible,toolavailabletousewithiOS4.
2.
1(andearlier)isredsn0w.
AccuratelyspeakingwedonotneedtofullyJailbreakinordertoaccessdataonthedevice,wejustneedtobeabletobootthedevicewithacustomramdisk.
iOSdeviceshavethefacilitytodothiseitherbydroppinginto"recoverymode"(intendedforoperatingsystemrecoveryorupgrade)orDFUmode(intendedforrmwareupgrade).
Redsn0wdependsuponanexploitknownasLimera1n,whichtakesadvantageofbothofthesemodes,employingbothabootromexploitaswellasauserlandexploittofullyJailbreakthedevice.
Howeveraswedonothaveaccesstothecodeforredsn0w,wecan'tchangeitsbehaviourtostopitfullyJailbreakingthedevice.
Ifwewereabletocustomisetheactionsitwouldbeasimplemattertoremovethedevicepasscodebyeditingthefollowingle:/private/var/ManagedPreferences/mobile/com.
apple.
springboard.
plist(aswewouldhavedoneinthebackuptamperingmethod).
Howeverifwewantedtoremovethebackupencryptionaswell,wewouldhavetodoalittlemore.
Bydeleting(orrenaming)thekeychain:/var/Keychains/keychain-2.
dbwenotonlyremovethepasscode,butalsothekeyusedtoencryptthebackups,thusthebackupswillbeunencrypted.
Sadlywedosacriceotherpasswords,toosuchasemailpasswords,etc.
Redsn0w,thoughostensiblyaJailbreakingtool,isactuallyalittlemore:itcanbeusedtoinstallcustombundles.
Custombundlesareessentiallycompressedarchivescontainingcontent(suchasexecutablebinaries,orevenpreferencelists),whicharecopiedtothedevice.
Thuswecanusethisfeature,tofullyJailbreakthedevice,copysomescriptsandtoolstothedeviceinordertocompromiseit.
Andwecancompromiseitinsuchawaythatthedeviceshowsalmostnoevidencetotheuserthatithasbeen.
Redsn0wdependsonhavingacopyoftherestoreimageforthedevicebeingJailbroken(thesearefreelyavailablefromapple)andwillhavetobedownloadedinadvance.
So,wehavethefollowingscenario:AniPadwithapasscodeset,backupencryptionenabled.
Wehavealaptop(runningOSXorWindows)Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page15of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceAnup-to-dateversionofredsn0wAcustombundle(withOpenSSH,APT,andafewothertoolsandscripts)Acollectionofrestoreimages5minutesleftalonewiththedevice.
AnetworkconnectionWedon'tneedtoworryaboutthedevicebeingpairedtoourlaptopasitsidestepsthedevicepairingrequirement.
Asapartofthe"Jailbreak"thedeviceisputintoDFUmode.
Inthismodethedeviceisinastatewhereitistoallintentsandpurposesunabletocheckwhetheritispairedtothecomputeritisconnectedto.
TheiPadWecantakeaguesstoseeifitisrunning4.
2.
1byickingthehardwareswitchontheside.
Ifitmutesthevolumeonthedevicethereitisquitelikelytobe4.
2.
x.
Priorversionsusedthishardwareswitchtoengagetheorientationlock.
Inlaterversionsusersweregiventheoptiontochoosebetweenmuteandlock;thedefaultbeingmute.
Guessingtheversionofthermwareincorrectlyisnotfatal,itwillsimplymeanthattheJailbreakwillfailandyouwillhavetogothroughitagain.
TheLaptopWehaveredsn0w,wehavelauncheditandselectedtherelevantrmwareforthedevice.
EvenbeforeweconnecttheiPadwecanallowredsn0wtoprocessthermwareandwearepresentedwiththefollowingchoice:Figure6:Redsn0wOptionsWedon'twantcydiatobeinstalled,orthevictimwillseetheiconontheirspringboardinsteadwearegoingtouseoneofourcustombundles.
Wecanthenfollowthestepsthroughredsn0w,thedevicewillreboot.
OncethishascompleteditwillbeJailbrokenandthepasscodewillhavebeenremoved.
Whatthiscustombundledoes:Installsalargenumberofbasicunixtools,andsomekeypackages:OpenSSH(andalaunchscriptsoitstartsatboot)andAPT(sowecaninstalladditionalpackagesfromtheshell).
Italsorunsashellscriptatstartupthatrenamesthekeychain.
Thisremovesthepassphrase.
InordertogetitsIPaddress(sowecanSSHintoit)wecanjustlookinthenetworkpreferencesforitsIPaddress.
OncewehavethatwecanthensimplySSHintothedeviceas"root"(thedefaultpasswordis"Alpine").
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page16of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceInordertoremoveanyobvioustracesofushavingcompromisedthedevicewecanrenamethekeychainback,thiswon'timmediatelyrestorethepasscode,wewillneedtorebootforthattohappen.
Firsttherearesomeotherthingswecando.
UsingAPTwecaninstallothertoolsandutilities:Using"recAudio"willcausetheipadtostartrecordingaudio,thisisahighlyeffectivewaytolisteninonmeetings.
Itstorestheaudioinaiffle,andthiscanthenbecopiedoffthedevice,orascriptcouldbegeneratedtorecordatpredeterminedintervalsandthenuploadtheresultingaudioletoaweborftpserver.
Othertoolssuchas"pirni"canbescheduledtorun,Pirniisanarp-spoongtoolthatactsasaman-in-the-middle,snifngalldataonthewirelessnetwork.
Again,theresultantdatacanbeuploadedtoanexternalserverforcollectionbytheattacker.
"Nmap"canbeusedtomapthewirelessnetwork,andmetasploitcanthenbeusedtoattackandcompro-misehostsidentied,therebyusingtheiPadto"pivot"intothecorporateenvironment.
"Netcat"canbeconguredtoinitiateareverseshelltoahostontheinternetforremotecontrol.
Howeverwealsohaveour"increasedstealth"custombundle,onethat:LeavesthekeychainintactInstallsOpenSSHInstallstheabovetoolsGathersinformationfromthedevice(thedynamicdictionary,Emails,calendarentriesetc)anduploadsittomywebserver.
SchedulesrecordingsanduploadsthemtomywebserverAttemptsareverseshelltomyservereachtimeitdetectsanetworkconnection.
Tweetsthegeographicallocationofthedevicedaily103rdPartyApplicationsecurityEvenlegitimateapplicationscanintroducerisksintoacorporateenvironment.
AsImentionedinthein-troductionIamgoingtoavoidnamingspecicapplicationsorvendors(theywillorhavebeencontacteddirectly)withregardtosecurityissues.
BroadlyspeakingIhaveidentiedtwoprevalentcategoriesofrisk:10.
1ApplicationsstoringsensitivedatainsecurelyManyapplicationshavetheabilitytoaccesssensitivedata.
Thisdatacouldbeasbasicassocialnet-workingsites,downloadingandviewingdocumentsorascomplexasremotedesktopfunctionalityforaccessingcorporateresources.
Inanycasewehaveidentiedalargenumberofapplicationsthatstorecredentialslocallyinplaintext.
Thesecredentialscanbeforcorporateservers,internetlestores,websitesorevenforlocalaccesstotheapplication.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page17of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceOtherapplicationswehaveseencacheinformationlocallyonthedevice,sothatitcanbeviewedormanipulatedofine.
Theselocalcachesarerarelyencrypted.
Inbothcasesinsecurestorageofcacheddataorcredentialsisabadthing,asitwillbesynchronisedbacktoiTunesincleartext(ifencryptedbackupsarenotenabled).
Failingthat,thedatacaneasilyberetrievedafteraJailbreak.
ThereforewhenassessingapplicationsforusewithinacorporateenvironmentitisimportanttoensurethatthedevelopershaveelectedtousetheiOSencryptedkeychain(asrecommendedbyapple)andthattheyareencryptinganylocallycacheddata.
Anotherinteresting"feature"ofiOSitselfcanintroduceweaknessesinapplicationindirectly:theDy-namicDictionary.
Evenifanapplicationisnotstoringinformationorcredentialsinaninsecureformat,itismrethanlikelythattheDynamicDictionarywill.
Iteffectivelyactsasakeyloggeronthedevice.
Wehaveseeninstanceswherethedictionaryhasstoredpasswords,contactinformationandallmannerofinformationthatwouldgiveanyindividualcausetopale.
10.
2ApplicationsthatopenservicesonanetworkThereareseveralmethodsthatapplicationscanusefacilitatethetransferofdatafromothersourcessuchasthelocalnetwork,theinternetoradesktopcomputer.
Itisfairlycommonforapplicationsthatviewormanipulatedocumentstorunawebservertofacilitateletransfers.
UsersthencanuseawebbrowseronanotherdeviceorcomputertoconnecttotheiPadtouploadcontent.
Thismaynotseemaparticularlyhighlevelrisk,howeverinsomecaseswehaveseentheseapplicationsbroadcasttheseservicesvia"bonjour"andalmostwithoutexceptionusepredictableTCPportsfortheirservicesmakingthemeasytoidentifyonanetwork.
Suchserversusually(ifnotalways)bydefaultrequirenoauthentication.
iPadsdeployedincorporateenvironmentswillalmostcertainlybeusedtoviewandsharesensitiveinformation.
Itmaybethatusersareinadvertentlysharingthisinformationwhentheyconnecttothefreewirelessattheirlocalcoffeeshop.
11GoodPractise(i.
e.
Howdowexit)11.
1PhysicalsecurityClearlyphysicalcontrolofthedeviceisparamount.
DetectingifadevicehasbeenstealthilyJailbrokenwithoutactuallyJailbreakingitistricky,itcanbedone,butitisbettertonotletithappen.
IfyoudolosephysicalcontrolofthedevicewhatthenIfitwasleftaloneforaperiodoftime,orifitwaslostandthenreturnedyoushouldassumethatithasbeencompromised.
Restorethedevice;thiswilleffectivelyremovetheJailbreak,(iTunesdoesn'tbackupanyoftheJailbreakoritsdata).
Ifithasgonemissingattempttoremotewipethedevice,howeverbeawarethatsimplyremovingtheSIMfromthedevicecandefeatthis.
AlsorememberdotheremotewipebeforeyoucanceltheSIM,forobviousreasons.
Reference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page18of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlace11.
2PolicyControlsCorporatepoliciesshouldforbidJailbreaking.
ThereisnoguaranteethatevenifthedevicehasbeenJailbroken"legitimately"thatapplicationsinstalledvia3rdpartyapplicationstoressuchasCydiadonotcontainhostilecode.
Determinewhatdatashouldbepermittedonthedevice.
Corporateandpersonaldatashouldnotmix.
Highlysensitiveinformationshouldneverbestoredlocallyonthedeviceunlessappropriatelyencrypted.
Controlwhatapplicationsshouldberunonthedevice,3rdpartyapplicationscanintroducethreats.
Userawarenessandeducationisparamount.
Makecertainthatusersareeducatedastothethreatstotheirownaswellascompanydata.
11.
3TechnicalrestrictionsUseapplicationsthatenforcedatasegregation.
Thereareseveralapplicationsthatusetheirownemail,calendarandcontactprograms,andwhichenforcelocalencryptioneffectivelycreatingasecondary"sandbox"inwhichcorporatedatacanbehandled.
SomeoftheseapplicationsuseJailbreakdetectionandrefusetorunifapolicyissettothateffect.
EmployExchangesecuritypoliciestotheirbesteffect,lockdownasmuchaspossible.
Rememberifthedeviceissynchronisedregularlyitdoesn'tmatterifitiswipedafter3failedpasscodeattempts,itcanberestored.
Protectthecomputerthatthedeviceisbeingsynchronisedto!
Ifyoulosethebackupofthedevice,youlosecontrolofthedatathathasbeenstoredonit.
Examinethecapabilitiesof3rdpartyapps.
DotheyopennetworkportsfordocumentsharingHavethemsecuritytestedforvulnerabilitiesthatcouldexposesensitiveinformation.
Considerusingdevicesasthinclients.
Therearemanyremotedesktopclientsouttherethatareser-viceable.
(butagain,ensurethattheyaren'tcachingcredentialsinplaintextonthedevice.
Getthemtested!
)Restorefrequently.
Amonthlyrestoreofthedeviceshouldprovidesomeassurancethatitisnotcompro-mised.
EnsurethatdevicesaremaintainedattheirlatestrmwareversionReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page19of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceAppendixAListofkeylesbackedupbyiTunesLibrary_AddressBook_AddressBook.
sqlitedbLibrary_AddressBook_AddressBookImages.
sqlitedbLibrary_Calendar_Calendar.
sqlitedbLibrary_CallHistory_call_history.
dbLibrary_Cookies_Cookies.
plistLibrary_Keyboard_dynamic-text.
datLibrary_LockBackground.
jpgLibrary_Mail_Accounts.
plistLibrary_Mail_AutoFetchEnabledLibrary_Maps_Bookmarks.
plistLibrary_Maps_History.
plistLibrary_Notes_notes.
dbLibrary_Preferences_.
GlobalPreferences.
plistLibrary_Preferences_SBShutdownCookieLibrary_Preferences_SystemConguration_com.
apple.
AutoWake.
plistLibrary_Preferences_SystemConguration_com.
apple.
network.
identication.
plistLibrary_Preferences_SystemConguration_com.
apple.
wi.
plistLibrary_Preferences_SystemConguration_preferences.
plistLibrary_Preferences_com.
apple.
AppSupport.
plistLibrary_Preferences_com.
apple.
BTServer.
plistLibrary_Preferences_com.
apple.
Maps.
plistLibrary_Preferences_com.
apple.
MobileSMS.
plistLibrary_Preferences_com.
apple.
PeoplePicker.
plistLibrary_Preferences_com.
apple.
Preferences.
plistLibrary_Preferences_com.
apple.
WebFoundation.
plistLibrary_Preferences_com.
apple.
calculator.
plistLibrary_Preferences_com.
apple.
celestial.
plistLibrary_Preferences_com.
apple.
commcenter.
plistLibrary_Preferences_com.
apple.
mobilecal.
alarmengine.
plistLibrary_Preferences_com.
apple.
mobilecal.
plistLibrary_Preferences_com.
apple.
mobileipod.
plistLibrary_Preferences_com.
apple.
mobilemail.
plistLibrary_Preferences_com.
apple.
mobilenotes.
plistLibrary_Preferences_com.
apple.
mobilephone.
plistLibrary_Preferences_com.
apple.
mobilephone.
speeddial.
plistLibrary_Preferences_com.
apple.
mobilesafari.
plistLibrary_Preferences_com.
apple.
mobileslideshow.
plistLibrary_Preferences_com.
apple.
mobiletimer.
plistLibrary_Preferences_com.
apple.
mobilevpn.
plistLibrary_Preferences_com.
apple.
preferences.
network.
plistLibrary_Preferences_com.
apple.
preferences.
sounds.
plistLibrary_Preferences_com.
apple.
springboard.
plistLibrary_Preferences_com.
apple.
stocks.
plistLibrary_Preferences_com.
apple.
weather.
plistLibrary_Preferences_com.
apple.
youtube.
plistLibrary_Preferences_csidataLibrary_SMS_sms.
dbReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page20of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceLibrary_Safari_Bookmarks.
plistLibrary_Safari_History.
plistLibrary_Voicemail_.
tokenReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page21of22PortcullisWhitepaperGeneralReleaseAppleiPadIntheWorkPlaceAppendixBCitations/Furtherreadinghttp://www.
apple.
com/uk/ipad/business/integration/http://blog.
iphone-dev.
org/http://www.
theiphonespot.
net/p=7561http://www.
zdziarski.
com/blog/cat=11http://xsellize.
com/index.
phphttp://www.
greenpois0n.
comReference:WPIOS2011cCopyrightPortcullisComputerSecurityLimited201116February2011Page22of22
近日快云科技发布了最新的夏季优惠促销活动,主要针对旗下的香港CN2 GIA系列的VPS云服务器产品推送的最新的75折优惠码,国内回程三网CN2 GIA,平均延迟50ms以下,硬件配置方面采用E5 2696v2、E5 2696V4 铂金Platinum等,基于KVM虚拟架构,采用SSD硬盘存储,RAID10阵列保障数据安全,有需要香港免备案CN2服务器的朋友可以关注一下。快云科技怎么样?快云科技好不...
国外主机测评昨天接到Hostigger(现Hostiger)商家邮件推送,称其又推出了一款特价大内存VPS,机房位于土耳其的亚欧交界城市伊斯坦布尔,核50G SSD硬盘200Mbps带宽不限月流量只要$59/年。 最近一次分享的促销信息还是5月底,当时商家推出的是同机房同配置的大内存VPS,价格是$59.99/年,不过内存只有10G,虽然同样是大内存,但想必这次商家给出16G,价格却是$59/年,...
HostKvm是一家成立于2013年的国外主机服务商,主要提供基于KVM架构的VPS主机,可选数据中心包括日本、新加坡、韩国、美国、中国香港等多个地区机房,均为国内直连或优化线路,延迟较低,适合建站或者远程办公等。目前商家发布了夏季特别促销活动,针对香港国际/韩国机房VPS主机提供7折优惠码,其他机房全场8折,优惠后2GB内存套餐月付5.95美元起。下面分别列出几款主机套餐配置信息。套餐:韩国KR...
ipad代理为你推荐
diskmedia企业cmscms是什么sqlserver数据库电脑如何找到sql server数据库字节跳动回应TikTok易主#北京字节跳动科技有限公司#小说审核有三面么?我面试了两轮就叫我回家等消息了 要是刷下来了也该告台北市cuteftp文档下载怎样把手机里的文件直接下载或复制到U盘里抢米网怎么样才能在小米官方网站抢到手机?三友网怎么是“三友”pintang俏品堂是干什么的?很多论坛都有他们的踪迹。三五互联股票三五互联是什么股票
虚拟主机测评 vps租用 西部数码vps krypt 名片模板psd 免费博客空间 789电视网 域名评估 美国网站服务器 根服务器 空间首页登陆 免费外链相册 云营销系统 ledlamp 空间申请 腾讯服务器 phpinfo sonya forwarder 海外加速 更多