Full Disclosure mailing list archives
Re: An iOS oversight: exploiting device trust and backups
From: Luis 'Pope' Gómez <pope () pope es>
Date: Thu, 24 Sep 2015 09:15:45 +0200
You make an interesting point here, David.

About this topic, I would recommend this brilliant paper by Mr. Zdziarski: http://www.zdziarski.com/blog/wp-content/uploads/2014/08/Zdziarski-iOS-DI-2014.pdf

I proposed a software solution to apply various mitigations in jailbroken devices, including: deleting the pairing records (so that your iOS device will not continue trusting other computers) and disabling a number of services (for instance: if I never back up my iOS device to iTunes, I can disable that service so that nobody will be able to back up my device to ANY iTunes).

We presented a poster about this in the latest DFRWS conference (http://www.pope.es/files/DFRWS-2015-Pope.pdf). A paper on the topic has been accepted for publication at http://wpage.unina.it/ficco/SecureSysComm2015/home.html, and after the conference we will be releasing the software.

Regards
Pope

2015-09-22 19:15 GMT+02:00 David Longenecker <david () securityforrealpeople com>:
Posted in more detail at: http://www.securityforrealpeople.com/2015/09/exploiting-ios-backups-for-fun-and.html

iOS (including iOS 9) has a chink in its security model's armor. Enabling an iOS device to trust a new computer is a one-click operation - no password or PIN is required. As long as the iOS device is logged in and not screen locked, one click is enough to tell the iPhone or iPad that this computer can be trusted. Once trusted, the computer is permitted to copy files on and off, or make a full device backup.

For perspective, iOS has a setting to require the password or PIN to purchase items in the App or iTunes Stores, but no such setting when trusting a computer to do a full device backup.

Is this a big deal? Have you ever lent your phone to a friend so they could make a brief phone call? If I borrow your iPhone under the guise of making a phone call, in a couple of minutes I can USB tether to my computer, trust it, and make a full device backup which I can search at length later. Or in just a few seconds I can establish that device trust now, and later slip it off your desk to make a backup of the locked iPhone.

In the grand scheme of things, the ability to make a covert backup of another's iPhone isn't at the top of my list of worries. It requires physical access to an unlocked device, meaning I'd have to unlock my phone and let someone borrow it - not something I'm likely to do for someone I don't know and trust. Still, it pays to understand how your trust can be abused. Keep this in mind the next time a friend asks "can I use your iPhone to make a call?"
Regards,
David Longenecker
Connect: Blog <http://securityforrealpeople.com/> | @dnlongen <https://www.twitter.com/dnlongen> | LinkedIn <https://www.linkedin.com/in/dnlongen/>
PGP key: https://keybase.io/dnlongen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- An iOS oversight: exploiting device trust and backups David Longenecker (Sep 23)
- Re: An iOS oversight: exploiting device trust and backups Luis 'Pope' Gómez (Sep 25)