iPhone: Stealing Personal Information and Corporate Secrets

1
iPhone Stealing Personal Information and
Corporate Secrets

• Jonathan Zdziarski
• Research Scientist
• McAfee, Inc.

2
Good vs. Bad
Uncertainty is the only certainty there is, and
knowing how to live with insecurity is the only
security. - John Allen Paulos
3
Should You Worry?
81 of mobile device manufacturers worried about
mobile payments 69 not convinced of the safety
of applications 88 think the end-user
shouldnt involved in security
4
Evolution of the iPhone Hacker

• Began life as a lover of the technology, the
  seekers of knowledge. Helped hype initial iPhone
  sales.
• October 2007, 30 of all iPhones jailbroken and
  running a third party software installer.
• Post-SDK, many dev groups degenerated into piracy
  clans, pro-malware groups, or hoarders of
  vulnerability intel and other secrets.
• This hacker shifted to forensic research

5
The Good Guys

• Used iPhone forensics to help prosecute cases
  including
• Sexual assault (rape, child rape, molestation)
• Narcotics (drug dealing)
• Murder
• Identity theft
• Financial / tax fraud
• Terrorism

6
iPhone Forensics

• iPhone Forensics manual in law enforcements
  hands used in over 250 agencies worldwide.
• iPhone Forensics Recovering Evidence, Personal
  Data, and Corporate Assets by OReilly Media
  available to public at large.
• What have we learned about the iPhone as a result
  of forensics?
• How do you need to protect your applications
  confidential data from being stolen by a hacker?

7
The Bad Guys

• Use iPhone forensics to
• Spy on coworkers, spouses, or friends
• Commit identity theft
• Steal business contacts (free leads!)
• Steal confidential corporate email, photos, and
  ultimately trade secrets
• Hurt Apple
• Anybody got the recipe for Coke?

8
Information Exposure

• What kind of information is available on the
  iPhone?
• In what ways is this information exposed?
• How can you (re)write your application to protect
  confidential data?

9
General Idea of iPhone Forensics

• The iPhone is a computer just like a desktop
• Read-only factory system partition, separate
  user data partition
• Minimizes writes (solid-state), large content
  preloaded when activated.
• Unix operating system with raw devices
• 2. iPhone Boots a RAM disk to execute a firmware
  restore
• 3. Hackers can easily build a custom RAM disk to
  install a payload, like booting from CD-ROM.

10
Vulnerability 1 Passcode Fail

• Enterprises rely on passcode policy
• Dont.
• No File Vault encryption
• Passcode stored in the keychain
• Just move the keychain somewhere
• Time to Exploit 60 seconds

11
Vulnerability 2 Unencrypted Backups

• With passcode gone, a malicious actor can sync
  and back up all live data.
• No encryption used to tie the backup to the
  users desktop machine.
• Data is merely base64 encoded
• Use dump_fs.pl to decode back into live file
  system
• Used to perform triage forensics
• Time to Exploit 2-3 minutes
• (demonstration)

12
Vulnerability 3 Raw Disk Exposed

• Provides access to deleted email, images,
  voicemail, and application data.
• Provides access to entire live file system
• Data can survive for months and beyond
• Impervious to a restore without first secure
  erasing
• Are you sure that embarrassing photo is gone?
• Time to Exploit 2-3 hours

13
Vulnerability 4 Keychain Exposed

• Keychain is like DRM
• The key and the lock are on the iPhone
• Based on UID
• No password entered by the user
• Time to Exploit
• Seconds, with the right knowledge

14
Forensic Data Recovered

• Keyboard cache for autocorrect. Everything you
  type, in order.
• Screenshots preserved from last state of
  applications.
• Live and deleted photos, searches, call history,
  email, voicemail, contacts, and application data.
• Map tiles and routes, last GPS fix, easily
  reassembled.
• much more!
• (demonstration)

15
Protecting Your Data Deleted Files

• Developers
• Write over all data one pass prior to deleting
• Individual files fwrite() is your friend
• Database records
• Enterprises
• Dont transmit confidential email or voicemail
• Restrict devices from internal accounts
• Instruct employees to secure wipe frequently

16
Protecting Your Data Passcode Keychain

• Developers
• Make your applications security autonomous
• Dont rely on the passcode for application
  security
• Encrypt your applications files within the app
• Compile in your favorite encryption library
• Dont store keys in the keychain, prompt the
  user for it
• Enterprises
• Dont rely on the passcode for physical security
• Use two-factor authentication (OTP or C-R)
• Kill VPN sessions after short periods

17
Protecting Your Data Caching

• Developers
• Dont work with private data unless necessary
• Dont display account numbers, credit card
  numbers, or other confidential data unless needed
• Dont prompt the user to enter this data in
  insecure text fields
• Enterprises
• Minimize caching of data
• Prompt employees to Reset Keyboard Dictionary
  often

18
Protecting Your Data Employee Liability

• Developers
• If the employee shouldnt see it, dont send it
• Employee can access any data on the device with
  the right know-how, so dont send it to the
  application unless they should be allowed to view
  it.
• Add shredder mechanism to allow employee to
  destroy data when finished with it.
• Enterprises
• Secure erase when issuing new iPhone
• Ensures refurbs and eBay purchases are clean
• Useful when convicting employee for a crime

19
Protecting Your Data Clean on Exit/Suspend

• Developers
• Manually wipe any temporary files on exit or
  suspend
• - (void) applicationWillTerminate(UIApplication
  )
• - (void) applicationWillResignActive(UIApplication
  )
• Enterprises
• Require auto-lock after 1 minute by policy
• Lock causes resign active, causes wipe above

20
Protecting Your Data Ensure Safe Environment

• Developers
• Perform safety seal check for Kernel signing
• If device is jailbroken, a self-signed binary
  will run
• Check when app launches, refuse to run
• Perform secure wipe of local data if seal is
  broken
• Prevents most spyware from running
• Enterprises
• Tell employee I will fire you if you jailbreak
• Physical threats vary depending on jurisdiction
• Check your agreements. May require permission
  from Apple.

21
Recommended Reading
Thank You!