There is a misconception that iPhones are protected by the iPhone passcode. This is true for non-jailbroken iPhones but not so for jailbroken ones. It is possible to get root access to the iPhone file system using tools from libimobiledevice.org even when the locked, jailbroken iPhone is protected by the PIN. This seems to be related to the way lockdownd works after an iPhone is jailbroken, and it appears to have been around since the iPhone 3GS days, based on this slashdot.org article published in May 2010: "iPhone's PIN-Based Security Transparent to Ubuntu", http://apple.slashdot.org/story/10/05/27/1826207/iphones-pin-based-security-transparent-to-ubuntu

All the attacker needs is 3 seconds with your phone to connect the iPhone to the USB cable. It could take less than 3 seconds depending on the speed of the computer and on whether the attack is staged. This would seem like an awesome attack vector, but it is only viable if you have physical contact with the iPhone, or if you perform some social engineering to get the victim to connect the iPhone to an embedded device (e.g. a mobile charger). Having root access to the iPhone file system means that the attacker is able to view and extract confidential data from your iPhone like emails, SMS and photos, basically everything on your iPhone, including cookies.

We are faced with an issue: how do we get our spy tools and binaries to run on the iPhone system during startup? Typically, to register an executable so that it runs at startup, you would run the command

launchctl load /System/Library/LaunchDaemons/com.apple.system.plist

However, since we do not have command line access to the system, we cannot use this method. We need to find an alternative solution to get our binaries to run at iPhone startup in the background.
Tool Name and Purpose

kbhook2: Captures key strokes from the iPhone keyboard and saves them to a text file.
location1: Captures GPS coordinates in the background.
sms1: Captures incoming SMS and forwards it to another mobile number.
takePicture: Activates the iPhone front camera in the background, takes a photo and saves it in the /tmp folder.
screenCapture: Takes a screenshot of the current iPhone screen so that we can monitor what the user is doing.
mic1: Activates the iPhone microphone and records a 30 second clip.
whatsapp1: Intercepts WhatsApp incoming and outgoing messages and forwards them to an email address.
demoScreenCapture1: Demo program which shows that the screenCapture tool can be automated to take each and every screen of a particular iPhone application. When coupled with kbhook2, it is possible to get screenshots of the emails the user is browsing through in an enterprise email iPhone application that provides data encryption and security.
Summary of Steps
Below is a summary of what you need to do:

1. Install Debian/Ubuntu on the embedded device.
2. Install the prerequisites using the script setupPrerequisities.sh from https://github.com/milo2012/iPhone-Espionage/tree/master/evil_gf_attack
3. Download and copy scanUSB.sh from https://github.com/milo2012/iPhone-Espionage/tree/master/evil_gf_attack onto /tmp1/ on your embedded device.
4. Modify scanUSB.sh.
5. Run the command update-rc.d -f /tmp1/scanUSB.sh start 99 2 3 4 5
6. Now reboot the device and plug in your iPhone via the iPhone USB cable.
7. Wait for the magic to happen.
The script can be found at https://github.com/milo2012/iPhone-Espionage/blob/master/evil_gf_attack/scanUSB.sh

If you are looking at hooking directly into the functions of iPhone applications, as I did with WhatsApp, you will be looking at something called an iPhone tweak, and you will need to copy the binary to /tmp1/TransferDynLibraries so that it is copied over to /Library/MobileSubstrate/DynamicLibraries when the scanUSB.sh script detects an iPhone being connected. If you are looking at running something in the background of the iPhone at all times or at specific times, you will be looking at something called an iPhone tool. You will need to copy the binary to /tmp1/TransferStartup so that it is copied over to /usr/bin on the iPhone when the script runs.
iPhone Daemons
Daemons are system processes that run in the background of the system. These system processes are started when the iPhone boots up. If we want to run our spy tool at startup or at certain intervals of the day, we need to identify the plist of a redundant daemon to overwrite. There is a list of redundant daemons already registered on the iPhone by Apple which seem fairly safe to delete or replace, in our case to run our own malicious binaries. The daemons that are safe to delete or replace include, but are not limited to:

com.apple.iqagent.plist
com.apple.mobile.profile_janitor.plist
com.apple.chud.chum.plist
com.apple.DumpPanic.plist
com.apple.ReportCrash.(*).plist
com.apple.CrashHouseKeeping.plist
com.apple.aslmanager.plist
com.apple.syslogd.plist
com.apple.powerlog.plist
com.apple.stackshot.server.plist
com.apple.chud.pilotfish.plist

Hiding and replacing the existing plist files makes it slightly harder to detect. Normal users do not check the contents of the LaunchDaemons.
In order to hide below the radar, I would choose the 3rd option, as options 1 and 2 would slow down the iPhone significantly during startup. Below are the contents of an original com.apple.CrashHousekeeping.plist.
Below are the contents of a modified com.apple.CrashHousekeeping.plist which calls our malicious binary /usr/bin/sql2. I have configured the daemon to run daily at 4.01am.
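From the defender's side, the daemon replacement described above leaves a recognisable trace: a LaunchDaemons plist whose executable no longer matches what Apple shipped, a scheduling key that was not there before, or a baseline plist that has vanished. The following Python script is an added example (not code from the article or from the iPhone-Espionage project) that audits a LaunchDaemons listing against a baseline recorded from a known-good device. The baseline, the two sample plists and the executable paths in them are constructed for this example and are placeholders, not Apple's real file contents; the modified sample mirrors the change described above (executable swapped for /usr/bin/sql2, daily 4:01 am StartCalendarInterval added).

```python
import plistlib
from typing import Dict, List, Set

# Keys that turn a one-off daemon into a scheduled or triggered one; worth calling
# out separately, since that is how the replaced plist above runs its binary daily.
SCHEDULE_KEYS: Set[str] = {"StartCalendarInterval", "StartInterval", "WatchPaths", "QueueDirectories"}

# Constructed baseline, as an operator would record it from a known-good device.
# Executable paths are placeholders for this example, not Apple's real file contents.
BASELINE: Dict[str, dict] = {
    "com.apple.CrashHousekeeping": {
        "exe": "/usr/libexec/CrashHousekeeping",
        "keys": {"Label", "ProgramArguments", "RunAtLoad"},
    },
    "com.apple.syslogd": {
        "exe": "/usr/sbin/syslogd",
        "keys": {"Label", "ProgramArguments", "KeepAlive"},
    },
}

# Constructed sample plists: a clean one, and one altered the way the article describes.
ORIGINAL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.CrashHousekeeping</string>
  <key>ProgramArguments</key>
  <array><string>/usr/libexec/CrashHousekeeping</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

MODIFIED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.CrashHousekeeping</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/sql2</string></array>
  <key>StartCalendarInterval</key>
  <dict><key>Hour</key><integer>4</integer><key>Minute</key><integer>1</integer></dict>
</dict>
</plist>
"""


def audit_daemon(filename: str, plist_bytes: bytes, baseline: Dict[str, dict] = BASELINE) -> List[str]:
    """Compare one LaunchDaemons plist against the baseline; return a list of findings."""
    findings: List[str] = []
    d = plistlib.loads(plist_bytes)
    label = d.get("Label", "")

    # The file name and the Label normally agree; a mismatch suggests a dropped-in file.
    expected_label = filename[:-len(".plist")] if filename.endswith(".plist") else filename
    if label != expected_label:
        findings.append(f"label mismatch: file {filename} declares Label {label!r}")

    # Resolve the executable the way launchd does: Program wins over ProgramArguments[0].
    args = d.get("ProgramArguments") or []
    exe = d.get("Program") or (args[0] if args else None)
    if exe is None:
        findings.append("no Program or ProgramArguments: nothing would run")
        return findings

    known = baseline.get(label)
    if known is None:
        findings.append(f"unknown daemon {label!r}: not in baseline")
        return findings
    if exe != known["exe"]:
        findings.append(f"executable changed: baseline {known['exe']!r}, now {exe!r}")

    # Keys added or removed relative to the baseline; new scheduling keys are flagged.
    present = set(d.keys())
    for key in sorted(present - known["keys"]):
        note = " (schedules execution)" if key in SCHEDULE_KEYS else ""
        findings.append(f"new key {key}{note}: {d[key]!r}")
    for key in sorted(known["keys"] - present):
        findings.append(f"removed key {key}")
    return findings


def audit_directory(files: Dict[str, bytes], baseline: Dict[str, dict] = BASELINE) -> List[str]:
    """Audit a whole LaunchDaemons listing (filename -> bytes); also report baseline daemons that are gone."""
    report: List[str] = []
    seen: Set[str] = set()
    for name, data in sorted(files.items()):
        seen.add(plistlib.loads(data).get("Label", ""))
        report.extend(f"{name}: {f}" for f in audit_daemon(name, data, baseline))
    for label in sorted(set(baseline) - seen):
        report.append(f"{label}: plist missing from LaunchDaemons (hidden or deleted)")
    return report


if __name__ == "__main__":
    # Constructed listing containing only the tampered plist; syslogd is reported as missing.
    for line in audit_directory({"com.apple.CrashHousekeeping.plist": MODIFIED_PLIST}):
        print(line)
```

In practice the listing would be read from a device image or over SSH, and the baseline recorded once per iOS build from a device you trust; the comparison is deliberately against your own baseline rather than a hard-coded list of Apple paths, so it does not depend on knowing every legitimate daemon in advance.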
You will need to connect your iPhone to your Mac, start Xcode and then launch Organizer. The debug messages are invaluable to us as they tell us which class and method to hook. This has made our development work even easier. THEOS is a very useful tool made by Dustin L. Howett and it makes jailbroken iPhone development much easier compared to using Xcode. The installation guide for THEOS can be found at http://iphonedevwiki.net/index.php/Theos/Getting_Started
You will need the below:

1. Mac with Snow Leopard or Lion with Xcode
2. Jailbroken iPhone
3. THEOS
4. Crackulous from Cydia
5. WhatsApp
6. Class-Dump (http://www.codethecode.com/projects/class-dump/)
16. What the code does is hook the method processIncomingMessages:(id)arg1 in the XMPPConnection class. The %log command logs information about the call (method name, class and arguments) to the system log. The %orig command calls the original function with the original arguments.
17. Edit <projectname.plist> and overwrite the data, replacing it with the below information.
18. Run make. Go to the obj folder and copy <projectname.dylib> to /Library/MobileSubstrate/DynamicLibraries on your iPhone. Alternatively, you can run export THEOS_DEVICE_IP=XX.XX.XX.XX and then make package && make install to install the dylib to your iPhone via SSH.
Conclusion
Are you allowing jailbroken iPhone devices in your organization? How are you managing these mobile devices, and are you able to ensure the integrity of these devices and that they have not been compromised? The author of this article can be contacted at keith.lee2012[at]gmail.com, via twitter @keith55 or via his blog at http://milo2012.wordpress.com