Re: An iOS oversight: exploiting device trust and backups

[Luis 'Pope' Gómez <pope () pope es>]

You make an interesting point here, David.

About this topic, I would recommend this brilliant paper by Mr. Zdziarski:
http://www.zdziarski.com/blog/wp-content/uploads/2014/08/Zdziarski-iOS-DI-2014.pdf

I proposed a software solution to apply various mitigations in jailbroken
devices; including: deleting the pairing records (so that your iOS device
will not continue trusting other comptuers) and disabling a number of
services (for instance: if I never backup my iOS device to iTunes, I can
disable that service so that nobody will be able to backup my device to ANY
iTunes).

We presented a poster about this in the latest DFRWS conference (
http://www.pope.es/files/DFRWS-2015-Pope.pdf). A paper on the topic has
been accepted for publication at
http://wpage.unina.it/ficco/SecureSysComm2015/home.html, and after the
conference we will be releasing the software.

Regards

Pope


2015-09-22 19:15 GMT+02:00 David Longenecker <
david () securityforrealpeople com>:

> Posted in more detail at:
>
> http://www.securityforrealpeople.com/2015/09/exploiting-ios-backups-for-fun-and.html
>
> iOS (including iOS 9) have a chink in their security model's armor.
>
> Enabling an iOS device to trust a new computer is a one-click operation -
> no password or PIN is required. As long as the iOS device is logged in and
> not screen locked, one click is enough to tell the iPhone or iPad that this
> computer can be trusted. Once trusted, the computer is permitted to copy
> files on and off, or make a full device backup.
>
> For perspective, iOS has a setting to require the password or PIN to
> purchase items in the App or iTunes Stores, but no such setting when
> trusting a computer to do a full device backup.
>
> Is this a big deal?
>
> Have you ever lent your phone to a friend so they could make a brief phone
> call?
>
> If I borrow your iPhone under the guise of making a phone call, in a couple
> of minutes I can USB tether to my computer, trust it, and make a full
> device backup which I can search at length later. Or in just a few seconds
> I can establish that device trust now, and later slip it off your desk to
> make a backup of the locked iPhone.
>
> In the grand scheme of things, the ability to make a covert backup of
> another's iPhone isn't at the top of my list of worries. It requires
> physical access to an unlocked device, meaning I'd have to unlock my phone
> and let someone borrow it - not something I'm likely to do for someone I
> don't know and trust.
>
> Still, it pays to understand how your trust can be abused. Keep this in
> mind the next time a friend asks "can I use your iPhone to make a call?"
>
> Regards,
> David Longenecker
>
> Connect: Blog <http://securityforrealpeople.com/> | @dnlongen
> <https://www.twitter.com/dnlongen> | LinkedIn
> <https://www.linkedin.com/in/dnlongen/>
> PGP key: https://keybase.io/dnlongen
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/