Ever wondered how your iPhone is potentially vulnerable to attack? Does leaving Bluetooth or Wi-Fi on leak information? Does jailbreaking the iPhone have an impact (hint: yes)?
To answer these questions, I ran a couple of tests on every iPhone communication channel, namely:
- Inbound Net (TCP) Connections
- Outbound Net Connections
- Bluetooth communication
- Synchronization communication
To be as accurate as possible, I ran these tests on two iPhones: a freshly upgraded 1.1.3 iPhone (the one on the left of the photo) and a jailbroken 1.1.2 one (the one on the right).

Inbound Net Connections
I used Nmap to test which services are open on each device. First, a good point: they do not answer ping probes, neither the standard ICMP ping nor the TCP ping used by Nmap.
Firmware 1.1.3
Nmap returns the following result for the 1.1.3 iPhone. As you can see, one port is open (62078) and the device is accurately detected as an iPhone or an iPod touch.
62078/tcp open unknown
MAC Address: 00:1E:52:04:B0:E3 (Apple)
Device type: phone|media device
Running: Apple embedded
OS details: Apple iPhone mobile phone or iPod Touch audio player (Darwin 9.0.0d1)
Network Distance: 1 hop
Firmware 1.1.2
When Nmap is launched against the jailbroken 1.1.2 iPhone, the following result is returned:
Not shown: 65507 closed ports, 26 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh?
62078/tcp open unknown
MAC Address: 00:1C:B3:3E:00:2A (Apple)
Device type: phone|media device
Running: Apple embedded
OS details: Apple iPhone mobile phone or iPod Touch audio player (Darwin 9.0.0d1)
Network Distance: 1 hop
As you can see, an extra port is open (port 22) and 26 ports are reported as filtered. I am not sure why they are filtered: it might be my wireless network, the iPhone might have been turned off during part of the scan, or they might really be filtered, which seems unlikely. Other blogs also report random filtered ports.
As you can see, jailbreaking the iPhone opens a port (used to upload software and execute commands). This is not an issue in itself, because OpenSSH is used for secure access all around the world, even on sensitive servers. What is an issue is people who jailbreak their iPhone and then leave the default password ("alpine", if you want to know). So either turn off the SSH server (there is an applet for that) or change the password. A brute-force attack against the iPhone SSH server is still possible, but with a password of appropriate length it should be reasonably secure to leave it on.
What about the mystery port 62078? Well, this is a feature introduced by Apple: the port is used internally for sync purposes. This raises the following question: since there is no wireless syncing, why is this port open on the wireless interface?
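As an added example (not the post's own code), here is a small Python script that parses the kind of Nmap output shown above and flags the two things this section discusses: an SSH port open on an Apple device, and the 62078 sync port. The scan log is constructed from the two results quoted in the post; the IP addresses are made up, since the post does not show them.

```python
import re
# Constructed sample: the two Nmap results quoted in the post, joined into one
# scan log with made-up addresses (the post does not show the scanned IPs).
NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.10
62078/tcp open unknown
MAC Address: 00:1E:52:04:B0:E3 (Apple)
OS details: Apple iPhone mobile phone or iPod Touch audio player (Darwin 9.0.0d1)

Nmap scan report for 192.168.1.11
Not shown: 65507 closed ports, 26 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh?
62078/tcp open unknown
MAC Address: 00:1C:B3:3E:00:2A (Apple)
OS details: Apple iPhone mobile phone or iPod Touch audio player (Darwin 9.0.0d1)
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
PORT_RE = re.compile(r"^(\d+)/tcp\s+open", re.M)
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.+)\)", re.M)
OS_RE = re.compile(r"^OS details: (.+)$", re.M)

def parse_nmap(text):
    """Split normal Nmap output into one dict per scanned host."""
    hosts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        host = HOST_RE.search(block)
        if not host:
            continue
        mac, os_line = MAC_RE.search(block), OS_RE.search(block)
        hosts.append({
            "ip": host.group(1),
            "open_ports": sorted(int(p) for p in PORT_RE.findall(block)),
            "vendor": mac.group(2) if mac else None,
            "os": os_line.group(1) if os_line else "",
        })
    return hosts

def audit(hosts):
    """Flag the two findings from the post: SSH open on an iPhone means it is
    jailbroken (check the default password was changed); 62078 is the sync port."""
    findings = {}
    for h in hosts:
        flags = []
        if h["vendor"] == "Apple" and "iPhone" in h["os"] and 22 in h["open_ports"]:
            flags.append("ssh-exposed")
        if 62078 in h["open_ports"]:
            flags.append("sync-port-62078")
        findings[h["ip"]] = flags
    return findings
```

Run it over a real `nmap -O` log of your own WLAN to list which iPhones are jailbroken with SSH listening and which still expose only the sync port.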
Outbound Net Connections
Outbound connections are mostly made through Safari. Therefore, I looked at the headers sent by the iPhone when requesting a page, to see what information the iPhone sends. I did so by writing a little PHP script to analyze the request variables.
iPhone language
First, it is possible to know which language your iPhone is set to thanks to the HTTP_ACCEPT_LANGUAGE header. There is a direct correlation between the iPhone language and the HTTP_ACCEPT_LANGUAGE variable: when I switch my iPhone to French, HTTP_ACCEPT_LANGUAGE changes too.
Firmware version
Secondly, two variables were different between the two iPhones: the USER-AGENT and the CACHE-CONTROL.
Firmware 1.1.2 sends this:
HTTP_USER_AGENT Mozilla/5.0 (iPhone; U; CPU like Mac OS X; fr) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/3B48b Safari/419.3
Firmware 1.1.3 sends this:
HTTP_USER_AGENT Mozilla/5.0 (iPhone; U; CPU like Mac OS X; fr) AppleWebKit/420.1 (KHTML, like Gecko) Version/3.0 Mobile/4A93 Safari/419.3
HTTP_CACHE_CONTROL max-age=0
First of all, it is normal that both iPhones send a user-agent string saying they are indeed iPhones. What bothers me is the number after the Mobile string (3B48b versus 4A93 above). I guess they are firmware related, because when I look at browser databases there is only a limited number of iPhone strings.
That may pose a security issue because it allows the target site to know whether you are vulnerable to a certain type of attack or not. This is clearly not science fiction because, as you may know, the jailbreak technique is based on a flaw that affects Safari. This flaw can of course also be used against you. Hence I don't think that broadcasting the firmware version is a good thing. I don't see any situation where it can be useful.
Mail
Here the security is pretty strong: by default, IMAP, POP and SMTP communication uses encryption (SSL).
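An added example, not the author's PHP script: a Python version of the header analysis described above. It parses the two user-agent strings quoted in the post to show that only the language and the Mobile build token vary, and maps the build back to the firmware version using only the two pairs the post establishes. The Accept-Language values and the third, non-iPhone request are assumed sample input.

```python
import re

# Build-to-firmware mapping taken from the two user-agent strings quoted in the
# post; any other build is reported as unknown rather than guessed.
KNOWN_BUILDS = {"3B48b": "1.1.2", "4A93": "1.1.3"}

# Shape of the iPhone Safari user agent shown in the post: everything is
# constant except the UI language and the Mobile/<build> token.
UA_RE = re.compile(
    r"Mozilla/5\.0 \((?P<device>iPhone|iPod); U; CPU like Mac OS X; (?P<lang>[a-z]{2})\) "
    r"AppleWebKit/(?P<webkit>[\d.]+) .*Version/(?P<version>[\d.]+) "
    r"Mobile/(?P<build>\w+) Safari/(?P<safari>[\d.]+)"
)

def fingerprint(headers):
    """Return what a site can infer from the request headers alone."""
    m = UA_RE.search(headers.get("User-Agent", ""))
    if not m:
        return {"iphone": False}
    accept = headers.get("Accept-Language", "")
    return {
        "iphone": True,
        "device": m.group("device"),
        "ui_language": m.group("lang"),
        "accept_language": accept.split(",")[0].strip() or None,
        "build": m.group("build"),
        "firmware": KNOWN_BUILDS.get(m.group("build"), "unknown build"),
    }

# Constructed requests: the two User-Agent values quoted in the post plus a
# non-iPhone client; the Accept-Language value is assumed (the post says it
# follows the phone's language setting).
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; fr) AppleWebKit/420.1 "
                   "(KHTML, like Gecko) Version/3.0 Mobile/3B48b Safari/419.3",
     "Accept-Language": "fr"},
    {"User-Agent": "Mozilla/5.0 (iPhone; U; CPU like Mac OS X; fr) AppleWebKit/420.1 "
                   "(KHTML, like Gecko) Version/3.0 Mobile/4A93 Safari/419.3",
     "Accept-Language": "fr", "Cache-Control": "max-age=0"},
    {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/2.0"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(fingerprint(req))
```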
Bluetooth
Last but clearly not least: the Bluetooth stack. An often overlooked communication channel, but many people actually leave it on.
First remark: it is hard to switch it on/off because it is buried in the general settings, so most people will likely leave it on.
Edit (11 March): As pointed out by Paul in the comments, Bluetooth switches from discoverable to hidden when you close the menu. Therefore my second remark was unjustified.
Second remark: there are two ways to have Bluetooth on: either on and hidden, or on and discoverable (other devices can see you). On the iPhone you have no choice: when it is on you are always discoverable. Here, clearly, simplicity was not a good idea.
For the Bluetooth analysis I used BTCrawler, a Bluetooth scanner for Windows Mobile made by c0rnholio. Sadly, due to a German law, this software is no longer available or updated (fortunately I still have a copy of it).
First of all, the two iPhones do not see each other. That was expected.
Secondly, when the iPhone is discoverable, it is possible to scan it. Here is a screenshot of the BTCrawler scan result when Bluetooth is turned on:

We clearly see that the first one is called "iLight" (1.1.2) and the other is called "Iphone de elie" (1.1.3). This is the exact name that you gave your iPhone.
More subtly, both Bluetooth addresses start with 001. I am not sure whether there is a MAC prefix for Bluetooth devices, but it might be worth checking out.
I went a step further and scanned which services were available over Bluetooth.

There were many Bluetooth services (that is expected), but I don't know what the IrMCSyncService is for. Maybe sync over Bluetooth? But as far as I know that is not possible...
Having Bluetooth enabled gives away too much information. Because it is constantly broadcasting, it can be used to track you by the Bluetooth MAC. Moreover, Bluetooth attacks exist, so that is definitely something to consider.
Sync port
This time I hadn't done all the tests myself (due to a lack of time), but it appears that sensitive information transferred between iTunes and the iPhone is encrypted using SSL. You can also see the sync from the inside by dumping packets on the local interface during the sync (remember the famous 62078).
Food for thought
This analysis is far from complete. Here are some points that I haven't checked.
- It might be possible that the iPhone "phones home" while getting online.
- When accessing the iTunes store, some information such as a unique ID might be sent.
- While accessing Apple pages, some additional data might be sent.
- iTunes, when downloading firmware or syncing the iPhone, might send data.
- Why is Bluetooth always set to discoverable, and why does it have a sync service?
As far as this analysis goes, I can say that Apple has covered the TCP/Wi-Fi part of the iPhone pretty well. For the Bluetooth part and the user-agent string I am more doubtful; I am not sure whether it is intentional or whether they ran out of time before the release.
This quick study also gives clues that wireless sync will come sooner or later: the 62078 port available on the Wi-Fi interface and the Bluetooth sync service seem pretty intentional.