Three Steps to a Cracked iPhone - Page 2

 By Paul Rubens
Page 2 of 2   |  Back to Page 1
Print Article

But Gassira and Piccirillo pointed out that there is a way around this thanks to security flaws affecting the signature checking mechanism in the iPhone that were revealed back in January 2010 on Cryptopath:

"We observed that iPhones will trust mobileconfig files they receive over the air or through wire if they are signed by a trusted entity. However:

  • The keystore used to lookup trusted CAs includes the default Safari keystore.
  • A signature-only certificate is enough to sign mobileconfig files.

There are 224 trusted root Certificates in the iPhone keystore (v3.1). See: http://support.apple.com/kb/HT3580 for a complete list published by Apple. It is relatively easy to obtain a signature certificate from many of them without any sort of verification. A demo (test) signature certificate can be obtained from Verisign without need for anything other than a valid e-mail address (throwaway addresses work, too) for sixty days at no price and without providing any credit card details."

This means that a hacker can get a free test signature certificate in the name of the victim's carrier, or anyone else, and use it to sign the evil .mobilecofig file. Once this has been done, the file will be flagged as "Verified" in green, and no warning about its authenticity will be displayed by the phone. To all intents and purposes, the profile will appear genuine.

3. Sending the Victim a Spoofed SMS to Trick Them in to Downloading the Evil Profile

The likely success of this part of the attack depends on the social engineering skills of the hacker, but Gassira and Piccirillo suggested that a hacker send an SMS purportedly from the victim's carrier. Alternatively it could purport to come from someone at the victim's employer's IT support or mobile support desk. In any case, the SMS needs to say something to the effect that a configuration change is necessary, perhaps to correct a newly discovered security vulnerability, and to avoid any loss of connectivity the user should update their configuration by clicking on a link in the SMS. The link should look plausible to an unsophisticated user - something like www.t-mobile-configupdate.com. If the user clicks the link the iPhone's browser automatically downloads and installs the evil profile.

Once the evil .mobileconfig file is installed and operational, all the user's http traffic will go through the proxy which is controlled by the hacker. Gassira and Piccirillo demonstrated a proxy based on Apache with mod-proxy, Moxy Marlinspike's sslstrip < http://www.thoughtcrime.org/software/sslstrip/> and mod_security to watch the traffic passing through in cleartext. From there the hacker can monitor the victim's web traffic, sniff usernames and passwords, and even inspect traffic from other iPhone apps like Maps, FaceBook and AppStore.

It's unlikely that many users would discover that their iPhone had been hijacked in this way, and undoing the hijack is hard if the .mobileconfig file was locked when it was created by the hacker, preventing its removal. If this is the case then the only way to undo the hijack is to reset the phone to its factory condition.

The good news is that for devices running iOS 4 - the latest version of the iPhone operating system - if the device already has a profile installed then it is not possible to install a new profile without first uninstalling the existing one. If the existing profile is locked then this is obviously not possible. So a way to protect users against this type of hijacking is to ensure that all iPhones are upgraded to iOS 4, and then to configure them with a locked profile which cannot be replaced by an evil one.

This article was originally published on Jul 14, 2010
Get the Latest Scoop with Networking Update Newsletter