Three Steps to a Cracked iPhone
Speakers at Hack in the Box Security Conference 2010 demonstrated how to compromise an iPhone using Apple-provided tools and a little social engineering.
Hijacking an iPhone, for example, is a relatively simple process, according to Roberto Gassira and Roberto Piccirillo, researchers at Mobile Security Lab. The two were talking at the Hack In The Box Security Conference 2010 in Amsterdam earlier this month. All that's needed is the victim's phone number, the iPhone Configuration Utility available free from Apple for OS X or Windows, and a proxy server running the open source Apache server software, with a couple of extra open source modules.
The hijack is carried out by getting the user to unwittingly reconfigure their device to send its mobile data through an "evil proxy," controlled by the hacker. Normal http traffic can then be monitored easily - https traffic too, using an https stripping attack. (If the https stripping is unsuccessful, the https traffic will pass through the proxy and get to its destination without the user being aware that it has been hijacked, Gassira says.)
Hijacking the data connection of a given iPhone then takes a few simple steps, Gassira and Piccirillo demonstrated:
- Identify the victim's mobile carrier from their phone number
- Create an apparently verified .mobileconfig configuration profile that looks as if it comes from their carrier or employer and diverts http (and https) traffic through the evil proxy
- Send the victim an SMS to trick them into downloading the new configuration profile.
1. Identifying the Victim's Carrier
It's necessary to know the victim's carrier, because certain carrier specific parameters are needed in the attack. If the victim is based in the US then the carrier is likely to be AT&T, but if the device has been unlocked or originates in another country then this will not necessarily be the case.
It turns out that it is easy to identify a carrier from a user's cell phone number using one of the many International Mobile Subscriber Identity (IMSI) lookup services on the Internet, at very low cost. The 14 or 15 digit IMSI starts with the three-digit Mobile Country Code (MCC), followed by the Mobile Network Code (MNC), which identifies the carrier in the next two or three digits.
2. Creating a Convincing .mobileconfig File
Creating a suitable .mobileconfig file with the necessary proxy information is straightforward using Apple's iPhone Configuration Utility, and it is possible to lock the profile so that it can't be removed by the user if they change their mind after installing it. But unless the file is signed and verified as coming from someone trustworthy (such as the victim's carrier) the victim will be warned by the phone that the authenticity of the configuration file that they are about to install is unverified. The phone will also display a red "Not Verified" flag as an additional warning, and at this point the user might well cancel the installation.
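The two properties the article describes, whether the profile is signed and whether it is locked against removal, are both visible to anyone who inspects a .mobileconfig file before installing it. The following is an added example written for this article, not a tool from the researchers or from Apple: a small Python inspector that reports whether a profile is signed (signed profiles are a DER-encoded CMS blob, unsigned ones a bare XML plist), whether it sets PayloadRemovalDisallowed, and which keys anywhere in the payload configure a proxy. The embedded sample profile is constructed; the proxy key names inside its APN payload are my assumption, and the scanner only relies on the key name containing "proxy", so it does not depend on them being exact.

```python
import plistlib
from typing import Any, List, Tuple

# Constructed sample: an unsigned profile that points the data connection at a proxy
# and forbids removal. Payload key names are assumed, not taken from Apple's docs.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Carrier Settings Update</string>
  <key>PayloadIdentifier</key><string>example.carrier.update</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.managedCarrier</string>
      <key>PayloadIdentifier</key><string>example.carrier.update.apn</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>apns</key>
      <array>
        <dict>
          <key>apn</key><string>internet.example</string>
          <key>proxy</key><string>proxy.example.invalid</string>
          <key>proxyPort</key><integer>8080</integer>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def is_signed(data: bytes) -> bool:
    """A signed profile is a DER-encoded CMS SignedData structure, whose first
    byte is 0x30 (ASN.1 SEQUENCE); an unsigned profile is a bare XML plist."""
    head = data.lstrip()
    return not head.startswith(b"<?xml") and head[:1] == b"\x30"


def _find_proxy_keys(node: Any, path: str, hits: List[Tuple[str, Any]]) -> None:
    """Walk the parsed plist and collect every dictionary key containing
    'proxy' (case-insensitive), together with its path and value."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if "proxy" in str(key).lower():
                hits.append((child, value))
            _find_proxy_keys(value, child, hits)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _find_proxy_keys(value, f"{path}[{i}]", hits)


def inspect_profile(data: bytes) -> dict:
    """Summarise the properties a user should check before tapping Install."""
    report = {
        "signed": is_signed(data),
        "removal_disallowed": False,
        "payload_types": [],
        "proxy_settings": [],
    }
    if report["signed"]:
        # The plist is wrapped in CMS; unwrapping and verifying the signer is a
        # separate step and a signature alone says nothing about who signed.
        report["note"] = "signed: check the signer before trusting the payload"
        return report
    plist = plistlib.loads(data)
    report["removal_disallowed"] = bool(plist.get("PayloadRemovalDisallowed", False))
    report["payload_types"] = [
        p.get("PayloadType", "?") for p in plist.get("PayloadContent", [])
    ]
    _find_proxy_keys(plist, "", report["proxy_settings"])
    return report


def risk_flags(report: dict) -> List[str]:
    """Translate the report into the warnings a reviewer would want to see."""
    flags = []
    if not report["signed"]:
        flags.append("unsigned (the phone will show Not Verified)")
    if report["proxy_settings"]:
        flags.append("routes traffic through a proxy")
    if report["removal_disallowed"]:
        flags.append("cannot be removed by the user once installed")
    return flags


if __name__ == "__main__":
    rep = inspect_profile(SAMPLE_PROFILE)
    for path, value in rep["proxy_settings"]:
        print(f"proxy setting at {path}: {value}")
    for flag in risk_flags(rep):
        print("WARNING:", flag)
```

A profile that is unsigned, configures a proxy and cannot be removed matches exactly the pattern the researchers describe, and all three properties are readable from the file before it is installed. For a signed profile the inspector stops at the CMS wrapper; a signature only helps if the signer's identity is actually checked against the carrier or employer the profile claims to come from.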