<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cupfighter.net &#187; iphone</title>
	<atom:link href="http://www.cupfighter.net/index.php/tag/iphone/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cupfighter.net</link>
	<description>A blog by Schuberg Philis colleagues</description>
	<lastBuildDate>Thu, 09 Feb 2012 14:27:59 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>HitB2011AMS: iPhone Data Protection in-Depth</title>
		<link>http://www.cupfighter.net/index.php/2011/05/hitb2011ams-iphone/</link>
		<comments>http://www.cupfighter.net/index.php/2011/05/hitb2011ams-iphone/#comments</comments>
		<pubDate>Fri, 20 May 2011 12:31:41 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Conferences]]></category>
		<category><![CDATA[HitB2011AMS]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Crypto]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[HitB]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[Jean Sigwald]]></category>
		<category><![CDATA[Jean-Baptiste Bedrune]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=1322</guid>
		<description><![CDATA[By Jean-Baptiste Bédrune and Jean Sigwald Slides on the HitB Materials page. This talk is about data security and the iPhone. Almost all iPhone-like devices (excluding the iPad2 for the moment) can boot unsigned code when they are in recovery mode. It is also possible to create a custom RAM disk; these are techniques used [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_1323" class="wp-caption alignright" style="width: 250px"><a href="http://www.flickr.com/photos/88232386@N00/2313082920/"><img class="size-full wp-image-1323" title="Steve Jobs for Fortune magazine a cc nc nd image from tsevis's Flick stream" src="http://www.cupfighter.net/wp-content/uploads/2011/05/jobs.jpg" alt="Steve Jobs for Fortune magazine a cc nc nd image from tsevis's Flick stream" width="240" height="240" /></a><p class="wp-caption-text">Steve Jobs for Fortune magazine a cc nc nd image from tsevis&#39;s Flick stream</p></div>
<p>By Jean-Baptiste Bédrune and Jean Sigwald</p>
<p>Slides on the <a href="http://conference.hackinthebox.org/hitbsecconf2011ams/materials/" target="_blank">HitB Materials page</a>.</p>
<p>This talk is about data security and the iPhone. Almost all iPhone-like devices (excluding the iPad2 for the moment) can boot unsigned code when they are in recovery mode. It is also possible to create a custom RAM disk; these are techniques used by jailbreakers and phone forensics people.</p>
<p>Data in the iPhone is encrypted with either the UID (unique iPhone key) or GID (key unique to each model).</p>
<p>In the iPhone (iOS &lt; 4) the UID key was only used to facilitate fast wipe (change the key and the flash can no longer be read); it did not provide data security. The iPhone 4 was designed with data security in mind. Jean and Jean demonstrate the tools they wrote to get around the data protection of iOS 4.</p>
<p>Because the unlock code is used for data security, data can be set to be available only when:</p>
<ul>
<li>The Phone is unlocked</li>
<li>After the phone is unlocked for the first time</li>
<li>Always</li>
</ul>
<p>In iOS 4 there is an escrow key which allows MobileMe and iTunes to access the phone for backup or passcode reset without unlocking the phone.</p>
<p>The first tool that they developed and demonstrated was the keyChainViewer which can be used to view the contents of keyChain, but not the keys.</p>
<p>Using the built-in iOS functions (that use the passcode) you can actually brute force the passcode of the phone with a small application on the phone. If you boot the phone from a RAM disk you can do this without knowing the passcode. Using the brute-forced passcode the keyChain can be read and decrypted.</p>
<p>Next, tools were demoed to browse the encrypted filesystem and to decrypt iTunes backup files.</p>
<p>Conclusion of the researchers:</p>
<ul>
<li>iOS4 offers far better protection than iOS3</li>
<li>Mail files (with the exception of Exchange) are protected by the passcode. This offers additional protection, but it can be obtained if you have the phone</li>
</ul>
<p>Tools are available on <a href="http://code.google.com/p/iphone-dataprotection/">http://code.google.com/p/iphone-dataprotection/</a></p>
<hr />
<p>About Jean-Baptiste Bédrune</p>
<p>Jean-Baptiste has worked in the Software security R&amp;D team at Sogeti for 4 years. His domains of research include code (un)protection, audit of DRM solutions, applied cryptography, reverse engineering on embedded devices and distributed computing. Jean joined Sogeti in early 2010. His research topics include reverse engineering, embedded devices and smartphone security.</p>
<p>About Jean Sigwald</p>
<p>Jean Sigwald is a security researcher working at Sogeti ESEC R&amp;D lab. His research is mainly focused on smartphones security and the services offered by the network operators.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2011/05/hitb2011ams-iphone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blackhat talk: Fuzzing the Phone in your Phone &#8211; Charlie Miller and Collin Mulliner</title>
		<link>http://www.cupfighter.net/index.php/2009/07/blackhat-fuzzing-the-phone-in-you-phone/</link>
		<comments>http://www.cupfighter.net/index.php/2009/07/blackhat-fuzzing-the-phone-in-you-phone/#comments</comments>
		<pubDate>Fri, 31 Jul 2009 02:00:19 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[iPhone Virus]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SMS]]></category>
		<category><![CDATA[Windows Mobile]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=410</guid>
		<description><![CDATA[This is the talk that I blogged about earlier about owning the iPhone through SMS. The work Charlie and Collin did was actually amazing. In their presentation they first looked at SMS.  SMS is a building block of the phone system and essential to the working of the modern network because it is used for [...]]]></description>
			<content:encoded><![CDATA[<p>This is the talk that <a href="http://www.cupfighter.net/index.php/2009/07/blackhat-newsflash-researchers-showed-that-an-iphone-sms-virus-infection-is-possible-at-blackhat/" target="_self">I blogged about earlier</a> about owning the iPhone through SMS. The work Charlie and Collin did was actually amazing.</p>
<p>In their presentation they first looked at SMS.  SMS is a building block of the phone system and essential to the working of the modern network because it is used for all kinds of stuff. Why is it good to attack? No firewall, processed by all phones, no user interaction and you only need a phone number to send an SMS.</p>
<p><span id="more-410"></span>So how is an SMS processed? Phones have two processors: CPU and Modem which talk via an (often simulated) serial line. The modem is controlled by a specific set of AT commands. If an SMS is received by the modem, the modem sends an unsolicited AT result to the CPU. This is what can be fuzzed.</p>
<p>For practical reasons they did not want to send all the SMS messages that were coming out of their fuzzer over the network. First of all, it would cost too much money: during the tests they sent over 500,000 messages. Secondly, if the messages were sent over the air, it would mean that the telcos would be able to watch the fuzzing going on. Last but not least, they might get into trouble because the tests might actually crash the equipment of the telcos. So for various phones (iPhone, Android and Windows Mobile) they developed a MitM SMS injection application which sits in the middle of the virtual serial line. This gave them a fast way to send messages and gives free SMS sniffing capabilities.</p>
<p>The testing results had to be tested in real life because not all messages could be sent through all mobile networks.</p>
<p>It turns out that it is very easy to perform a DoS attack on various phones. While DoS may be a lame attack, it is still a very useful attack.</p>
<p>On the iPhone the bugs are in the section of code that handles concatenated text messages. If a single message gets too big, it is split up into multiple messages. It turns out that these routines act funny when they are presented with the number -1.</p>
<p>If you tell the iPhone to expect -1 messages, parts of it crash and prevent the phone from working normally. They demoed this attack against a guy from Vodafone who volunteered.</p>
<p>It turns out that if you tell the iPhone to expect a reasonable amount of messages and you then send it message number -1 you get, under the right conditions, the ability to overwrite memory. But, is it possible to exploit the heap via SMS?</p>
<p>Via subtle SMS manipulation the heap can be controlled via &#8220;mini heap feng shui&#8221;. And actual exploitation is possible even though it takes about 519 SMS messages (@ 1/sec).</p>
<p>There is also a DoS against Android powered phones. Google was notified June 19 and fixed the vulnerability last week.</p>
<p>Windows Mobile Phone: Any text message with %n crashes an HTC Windows Mobile phone.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/07/blackhat-fuzzing-the-phone-in-you-phone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blackhat newsflash: Researchers showed that an iPhone SMS virus infection is possible at Blackhat</title>
		<link>http://www.cupfighter.net/index.php/2009/07/blackhat-newsflash-researchers-showed-that-an-iphone-sms-virus-infection-is-possible-at-blackhat/</link>
		<comments>http://www.cupfighter.net/index.php/2009/07/blackhat-newsflash-researchers-showed-that-an-iphone-sms-virus-infection-is-possible-at-blackhat/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 19:35:41 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Adroid]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SMS]]></category>
		<category><![CDATA[Virus]]></category>
		<category><![CDATA[Windows Mobile]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=403</guid>
		<description><![CDATA[Charlie Miller&#8217;s and Collin Mulliner&#8217;s talk &#8220;Fuzzing the Phone in your Phone&#8221; today revealed full details that could make the first iPhone virus infection at the Blackhat security conference in Las Vegas. Large SMS messages are cut up in smaller SMS messages, this means that the SMS messages need to be parsed by the phone [...]]]></description>
			<content:encoded><![CDATA[<p>Charlie Miller&#8217;s and Collin Mulliner&#8217;s talk &#8220;Fuzzing the Phone in your Phone&#8221; today revealed full details that could make the first iPhone virus infection at the Blackhat security conference in Las Vegas.</p>
<p>Large SMS messages are cut up into smaller SMS messages. This means that the SMS messages need to be parsed by the phone to put them back together, and thus the parsing can be used as an attack vector to breach the phone. By using a technique known as fuzzing, Miller and Mulliner were able to find exploitable conditions that could be turned into an attack and an iPhone virus. The attack takes a total of 519 SMS messages, but will work without any user interaction.</p>
<p><span id="more-403"></span>Charlie Miller urges anybody with an iPhone to turn it off if they get a text message with a single square character. &#8220;That small cipher will likely be the only warning that someone has taken advantage of the bug&#8221;.</p>
<p>Apple was notified on the 18th of June and to date has not released a fix.</p>
<p>They also showed that smartphones like the iPhone, Android and Windows Mobile based devices can be forced to stop working with a single crafted SMS. The simplest attack was against HTC Windows Mobile phones, which crash on any SMS containing the character sequence: &#8220;%n&#8221;.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/07/blackhat-newsflash-researchers-showed-that-an-iphone-sms-virus-infection-is-possible-at-blackhat/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Augmented Reality Becoming an Actual Reality??</title>
		<link>http://www.cupfighter.net/index.php/2009/06/augmented-reality-becoming-an-actual-reality/</link>
		<comments>http://www.cupfighter.net/index.php/2009/06/augmented-reality-becoming-an-actual-reality/#comments</comments>
		<pubDate>Wed, 17 Jun 2009 12:25:53 +0000</pubDate>
		<dc:creator>Cupfighter</dc:creator>
				<category><![CDATA[Gadgets-Funstuff]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[apple]]></category>
		<category><![CDATA[Augmented Reality]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[mobile]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=127</guid>
		<description><![CDATA[As seen on Macrumors.com, a Dutch company Layar (yeah Netherlands!) has the first augmented reality browser working on a mobile phone! &#8220;A new augmented reality app called Layar is making the rounds on the web as an example of what can be done with Augmented Reality. Layar is described as the world&#8217;s first mobile augmented [...]]]></description>
			<content:encoded><![CDATA[<p>As seen on <a href="http://www.macrumors.com/2009/06/16/layar-shows-augmented-reality-possibilities-on-iphone-3g-s/" target="_blank">Macrumors.com</a>, a Dutch company <a href="http://layar.eu/" target="_blank">Layar</a> (yeah Netherlands!) has the first augmented reality browser working on a mobile phone!</p>
<p>&#8220;A new augmented reality app called Layar is making the rounds on the web as an example of what can be done with Augmented Reality. Layar is described as the world&#8217;s first mobile augmented reality browser.</p>
<p>Layar shows you what is around you by displaying realtime digital information on top of reality through the camera of the mobile phone. Just flip through the directory of layers and find ATM&#8217;s, bars, houses for sale, hotels and other cool stuff around you. The app accomplishes this through the use of the Compass, camera and GPS embedded within the phone&#8230;</p>
<p>The app is first available for the Android devices but they are working hard on porting it to other platforms &#8220;with a prime focus on the iPhone 3G S.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/06/augmented-reality-becoming-an-actual-reality/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

