Three Steps to a Cracked iPhone

Mobile devices can present a serious threat to your network security because it can be surprisingly easy to hijack their data connections. With the ability to browse through a user's mobile data traffic a hacker may easily find confidential information such as usernames and passwords that they can then use to attack your corporate network successfully.

Hijacking an iPhone, for example, is a relatively simple process, according to Roberto Gassira and Roberto Piccirillo, researchers at Mobile Security Lab. The two were talking at the Hack In The Box Security Conference 2010 in Amsterdam earlier this month. All that's needed is the victim's phone number, the iPhone Configuration Utility available free from Apple for OS X or Windows, and a proxy server running the open source Apache server software, with a couple of extra open source modules.

The hijack is carried out by getting the user to unwittingly reconfigure their device to send its mobile data through an "evil proxy," controlled by the hacker. Normal http traffic can then be monitored easily - https traffic too, using an https stripping attack. (If the https stripping is unsuccessful, the https traffic will pass through the proxy and get to its destination without the user being aware that it has been hijacked, Gassira says.)

Most mobile devices, with the notable exception of Apple's iPhones and Android devices, use standard Open Mobile Alliance (OMA) client provisioning, so a phone can receive a configuration change over the air by SMS. IPhones work in a different way: they use configuration profiles which can include Wi-Fi, VPN, email, data APN and other settings. IPhone configuration profiles have a .mobileconfig extension and can be generated using the iPhone Configuration Utility.

Hijacking the data connection of a given iPhone then takes a few simple steps, Gassira and Piccirillo demonstrated:

1. Identify the victim's mobile carrier from their phone number
2. Create an apparently verified .mobileconfig configuration profile which looks like it comes from their carrier or employer, which diverts http (and https) traffic through the evil proxy
3. Send the victim an SMS to trick them into downloading the new configuration profile .

1. Identifying the Victim's Carrier.

It's necessary to know the victim's carrier, because certain carrier specific parameters are needed in the attack. If the victim is based in the US then the carrier is likely to be AT&T, but if the device has been unlocked or originates in another country then this will not necessarily be the case.

It turns out that it is easy to identify a carrier from a user's cell phone number using one of the many International Mobile Subscriber Identity (IMSI) lookup services on the Internet at a very low cost. The 14 or 15 digit IMSI includes the Mobile Country Code (MCC) in the first three digits, followed the Mobile Network Code (MNC) which identifies the carrier in the next two or three digits.

2. Creating a Convincing .Mobileconfig File

Creating a suitable .mobileconfig file with the necessary proxy information is straightforward using Apple's iPhone Configuration Utility, and it is possible to lock the profile so that it can't be removed by the user if they change their mind after installing it. But unless the file is signed and verified as coming from someone trustworthy (such as the victim's carrier) the victim will be warned by the phone that the authenticity of the configuration file that they are about to install is unverified. The phone will also display a red "Not Verified" flag as an additional warning, and at this point the user might well cancel the installation.