iOS MITM Attack
Page 1
iOS MITM Attack: technology and effects
sieg.in 1
Page 3
Boot validation
• CA – Apple Certificate Authority
• SIGN – Signature
Page 4
Files Protection
Page 5
Classic provisioning
Page 6
Actual provisioning
Page 7
Why can’t we create a fake signature?
Because the “Apple Root CA” fingerprint is hardcoded into iOS and has to be 61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60
Page 8
SSL
Page 9
Certificate Authority Storage
A few of the 186 are quite interesting:
– C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD CLASS 3 Root CA
– C=JP, O=Japanese Government, OU=ApplicationCA
– C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root
…
Page 10
Certificate authentication
Page 11
I want my CA in your iOS
Page 12
Ways to install a CA in iOS
o Safari
o Email attachment
o MDM
With a configuration profile
Can be installed with Safari
Page 13
Attack
Page 14
Mobileconfig contains
WiFi settings (password, SSID) for “Gate”
CA
Proxy settings, if we want the victim’s traffic even after it has left attack range (iOS 6 only)
iCloud backup (enable it, if not already enabled)
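The profile described on this slide can be audited before anyone taps Install. The following checker is an added example, not code from the talk: it constructs an unsigned .mobileconfig carrying the same payload mix (a root CA plus a Wi-Fi network with a forced proxy) and reports what the profile would change. The sample profile, its SSID and its proxy host are constructed placeholders; the payload type identifiers and Wi-Fi proxy keys are Apple's documented ones.

```python
import plistlib

# Constructed sample of an UNSIGNED profile with the payload mix the slide lists.
# The <data> blob is the base64 of "PLACEHOLDER", not a real certificate.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Free WiFi</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadContent</key><data>UExBQ0VIT0xERVI=</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>Gate</string>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
    </dict>
  </array>
</dict></plist>"""

# Payload types that change the device's trust or traffic path.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a new trusted root CA",
    "com.apple.security.pem": "installs a certificate",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic through a proxy",
    "com.apple.wifi.managed": "adds a Wi-Fi network",
}


def audit_profile(raw: bytes) -> dict:
    """Report whether a profile is signed and which risky payloads it carries."""
    # A signed profile is a CMS/PKCS#7 DER blob, so it begins with an ASN.1
    # SEQUENCE tag (0x30); an unsigned one is a plain XML or binary plist.
    # As the talk shows, "signed" only means the signer chains to one of the
    # built-in roots, so the signer identity still has to be checked.
    if raw[:1] == b"\x30":
        return {"signed": True, "findings": ["signed profile: verify WHO signed it"]}
    profile = plistlib.loads(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            findings.append(f"{ptype}: {RISKY_PAYLOADS[ptype]}")
        # A Wi-Fi payload can silently pin the network to a proxy.
        if ptype == "com.apple.wifi.managed" and payload.get("ProxyType", "None") != "None":
            findings.append(f"{ptype}: network forces proxy {payload.get('ProxyServer')}")
    return {"signed": False, "findings": findings}
```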
Page 15
Mobileconfig installation
Page 16
Looks bad =(
Page 17
Let’s take a look at the default CA list...
Page 18
COMODO trial certificate
• You only need a valid [email protected] mail address for confirmation
• Can be used for signing
Page 19
How to sign
Page 20
Looks much better
Page 21
SSL defeated. But we want more
Page 22
How to get files from the device
Page 23
Elcomsoft Phone Password Breaker
Page 24
Once again
Page 25
What’s in the backup?
• SMS
• Private photos
• Emails
• Application data
• And more …
Page 26
Files done. But we want more
Page 27
Apple Push Notification Service
Page 28
Fake! Fake! Fake!
Page 29
Wipe Tragedy (act 1/1)
Page 30
Summary
The user only has to tap ‘Install’ twice to let us:
– Sniff all his SSL traffic (cookies, passwords, etc.)
– Steal his backup (call log, SMS log, photos and application data)
– Send him funny push messages or just wipe the device