Tech Segment: iPhone Security - Part I
Yes, I broke down and bought an iPhone. There were two reasons for this, first my other phone (XV6700 with Windows Mobile) sucked big time. Second, there is this buzz about the iPhone and security, and I think that there are many people out there who just don't get it. Now, as an added bonus much of the discussion and technical details here can be applied to the security of other smartphones. There was a great video posted on how to hack the iPhone using Metasploit and make it a remote monitoring device. Unfortunately, it was light on details and the comments to the posting were all along the fanboy influenced lines of "so what, I love Steve Jobs and he would never let anyone spy on us". So, I felt it my job, no my duty, to go out and buy the latest, hottest tech gadget, and provide my feedback on security. I intend to cover security from both angles as well, how we can protect ourselves and our users from getting ipwned, and how we as security assessors can use the iPhone (and similar smartphones) to our advantage.
Lets begin by looking as some of the things that I liked about the iPhone's security:
- Bluetooth was disabled by default - This is a nice feature, and implements the principle of only enabling something when you need it.
- It came with the latest firmware pre-installed (1.1.2) - So many devices ship with older firmware, i.e. the WRT54G routers, and its left up to the user to install the latest firmware, which may or may not happen.
- It asks me before connecting to wireless networks - This is a feature that is much appreciated, and one that Windows is terrible at implementing. If I want to connect to an open wireless network, I will give you, the device, permission to do so.
As an attacker, lets start with some basic identification and recon.
Network Identification & Recon
I setup a netcat listener, and then used MobileSafari to connect to that port on my machine:
paimei:~/framework-3.1/trunk owny$ nc -l -p 80 GET / HTTP/1.1 Accept-Language: en Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/3B48b Safari/419.3 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Connection: keep-alive Host: 192.168.1.249:80
Sweet, so if we are monitoring the network, either as an attacker sitting on an open wireless network or as an organization monitoring for iPhone usage, we have a nice little string to key off of and find iPhones. My next logical step was to then Nmap the iPhone's IP address:
paimei:~ root# nmap -O -P0 -sS -p1-65535 192.168.1.209
This scan produced the following results:
Interesting ports on 192.168.1.209: Not shown: 65534 closed ports PORT STATE SERVICE 62078/tcp open unknown MAC Address: 00:1E:52:0B:FD:97 (Unknown) No exact OS matches for host (If you know what OS is running on it, see http://insecure.org/nmap/submit/ ). TCP/IP fingerprint: OS:SCAN(V=4.20%D=11/23%OT=62078%CT=1%CU=33312%PV=Y%DS=1%G=Y%M=001E52%TM=474 OS:6EEA8%P=i386-apple-darwin8.8.2)SEQ(SP=0%GCD=1%ISR=1B%TI=I%II=I%SS=S)OPS( OS:O1=M5B4NW0NNT11SLL%O2=M5B4NW0NNT11SLL%O3=M5B4NW0NNT11%O4=M5B4NW0NNT11SLL OS:%O5=M5B4NW0NNT11SLL%O6=M5B4NNT11SLL)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF% OS:W5=FFFF%W6=FFFF)ECN(R=Y%DF=Y%T=40%W=FFFF%O=M5B4NW0SLL%CC=N%Q=)T1(R=Y%DF= OS:Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q OS:=)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W= OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T OS:7(R=Y%DF=N%T=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%TOS=0%IPL=3 OS:8%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=0%RUL=G%RUD=G)IE(R=Y%DFI=S%T=40%TOSI=S% OS:CD=S%SI=S%DLI=S) Network Distance: 1 hop OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ . Nmap finished: 1 IP address (1 host up) scanned in 5203.700 seconds
Stories Of Interest
Using CSRF To Attack Mobile Phones - [Paul] - This attack abuses the cell phone providers web site which has the capability to send SMS messages. Particularly the ads on the web site allow you to enter your phone number to receive a text message with more information. Crafting an HTTP request and sending it to the web site allows you to flood a users phone with SMS messages. This not only can DoS your phone, but if you do not have a plan with unlimited text messages could be quite costly.
CSRF protection tool for Firefox - [Larry] - Neat!
XSS in mysql_error function - [Paul] - Debugging code is helpful, however you should be maintaining two copies of your web site if possible. One copy should be used for development, and only be accessible by developers. The other should be production and accessible to the world. Before code goes into production things like "mysql_error" should be removed. You could even write some custom scripts and use them in your build process to flag places in the code where you may have left some debugging statements.
VOIP Security? - [Larry] - A new VOIP sniffing tool, SIPTap can do "remote" SIP eavesdropping on multiple calls, recording them to wav files. It can retain all if the SIP identifier info for easier identification of the recorded calls.
Google as a Password Cracker - [Paul] -
Retail wireless security? - [Larry] - A study by Airtight networks revealed that 85% of 200 devices surveyed in retail stores were vulnerable to hacks - some information disclosure with poor SSIDs, no or poor encryption, and many instances on POS and scanning/inventory equipment! Looks like TJX might just be the tip of the iceberg. Time to bust out my N770 when I go shopping next...
Stealin Your Slingboxez - [Paul] - Poor password policies, i.e. not changing the default, could allow anyone to view your videos/tv/movies. One word for that, handy :)
Talk about a change of heart - [Larry] - In a follow up to last week's story, Microsoft admits that there is a flaw with ransom number generation in XP, and will fix it in SP3 in the second half of 2008. However, Ms is still arguing that admin rights are needed to "read any file on the system" to make this attack possible, and that is needs to be combined with other attacks. DUH! MS, you just aren't getting this one - see the MS folks in the UK that saw a machine compromised in 11 minutes. However they are still being quiet about windows 2000 patches, as the OS is largely unsupported - and they are required to supply security patches for free. MS says this isn't a security problem, so they don;t have to supply a patch. Proof is in the pudding - write a tool and demo it to MS!
New Security For Firmware? - [Paul] - So, is remote access a security feature?
UK Govt. loses personal info too! - [Larry] - They wrote personal info (including the equivalent to SSNs) to optical disk, and protected with a password, and then dropped them in the post. They never showed up at the destination. Now, most of the common tools that I can think of that might use a password (such as winzip, PDFs, Word or Excel) are VERY easily crackable.
Wireshark Vulns - [Larry] - Wireshark can be made to crash or deny service when analyzing several types of traffic/files - but note some of the real common stuff, such as MP3 files, SSL, HTTP and RPC Portmapper traffic. The updated version .99.6a is available.
Security 2.0? - [Paul] - Some stuff for discussion...
Other Stories Of Interest
Wifi Soda Can Antennas - [Paul] - Neat little hack, just don't get a cut handling the cans!