iPhone Backdoor Vector

a guest
Mar 13th, 2015
I needed to write a college paper tonight. I've been holding onto this knowledge for quite some time. Due to time constraints I had to use my previous research versus exploring already published findings. I am posting it on Pastebin so that I get credit if someone decides to use my work. Enjoy =)

========================================================================================================================
Well, I knew it. Should have hopped on this one right away. Shellshock and Heartbleed were the first to come to mind, but of course I didn't post in time and so I lost that opportunity! CVEs are cool, but I would much rather speak to something I have knowledge on versus doing vanilla research to post an answer for this discussion. I've wracked my brain, and though I hate to publicly disclose it here (one of you folks, who are smarter than me, might actually do what I had intended to do at some point in the future but have yet to do), oh well, share the knowledge, right?

Ok, so what am I talking about... I'm going to tell you about an undisclosed backdoor into the iPhone. I'm too lazy to submit a CVE. Honestly, I like to think that this would be worthy, but it is more of a vector than a backdoor. Either way, please do the right thing and do not lay claim to this finding. If you figure out something cool and use my research, then great! Alas though, give credit where it's due. Karma is important in our field.

So what am I talking about? If I were right in front of you doing a demo on this, I would ask all those with iPhones in the audience to raise their hand. I would ask them to look at their iPhones and see if they were connected to a wireless network. Everyone who had an iPhone would shake their heads left to right, but then I would ask them to go into Settings and view the details of their wifi connection. Assuming they had wifi turned on, they would be a little shocked, as their iFail had connected to a network somehow, yet the icon showing the user that they are connected to a network has not appeared in the top right. What the heck? Well, it turns out that Apple, in all their wisdom, did not account for the fact that a DHCP server might not broadcast a gateway when authorizing an IP address. What happens when you do this on an iPhone? You get an IP address, but your phone never shows that you are connected to the network. This would allow an attacker to scan your phone for various services it might have running. This is especially troublesome on jailbroken iPhones where there might be services such as SSH running. Assuming you didn't bother to change that pesky "alpine" default for root, you're pwned.

Technical Details of the attack:
- Use a wireless card in monitor mode, broadcasting as an access point using airbase-ng
- Use ISC's DHCP server and include the following and nothing else in the config file (the original paste was missing the semicolon after log-facility, which dhcpd rejects as a syntax error):

    authoritative;
    default-lease-time 7200;
    max-lease-time 7200;
    min-lease-time 7200;
    ddns-update-style none;
    log-facility local7;
    subnet 192.168.10.0 netmask 255.255.255.0 {
      range 192.168.10.100 192.168.10.200;
    }

- The lack of the "option routers" argument is what prevents the DHCP server from telling the iPhone what its gateway would be
- It's the lack of that argument that makes this "work"
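A defender-side check for the behaviour described above, added here and not part of the original paste: it parses the option area of a DHCP OFFER/ACK and flags a lease that carries no option 3 (router), which is exactly what the config above hands out. The packets are constructed inline; the 192.168.10.1 server address is an assumption.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the option area of a DHCP message (magic cookie onward) into
    {option_code: raw_bytes}; stops at the END (255) option."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == 0:        # PAD: single byte, no length field
            i += 1
            continue
        if code == 255:      # END
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def audit_lease(payload: bytes) -> list:
    """Return findings for an OFFER/ACK; an empty list means the lease looks normal."""
    opts = parse_dhcp_options(payload)
    mtype = MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")
    if mtype not in ("OFFER", "ACK"):
        return []            # only server-issued leases are of interest here
    findings = []
    if 3 not in opts:
        findings.append(f"{mtype} carries no option 3 (router): client gets an address but no gateway")
    return findings


def opt(code: int, data: bytes) -> bytes:
    return bytes([code, len(data)]) + data


# Constructed sample: a normal OFFER that names a gateway.
NORMAL_OFFER = (DHCP_MAGIC + opt(53, b"\x02") + opt(1, bytes([255, 255, 255, 0]))
                + opt(3, bytes([192, 168, 10, 1])) + opt(51, struct.pack("!I", 7200)) + b"\xff")
# Constructed sample: what a server with no "option routers" line hands out (mask, lease, server id only).
GATEWAYLESS_OFFER = (DHCP_MAGIC + opt(53, b"\x02") + opt(1, bytes([255, 255, 255, 0]))
                     + opt(51, struct.pack("!I", 7200)) + opt(54, bytes([192, 168, 10, 1])) + b"\xff")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_OFFER), ("gatewayless", GATEWAYLESS_OFFER)):
        print(name, audit_lease(pkt) or ["ok"])
```

The same check can be run over the option bytes of any captured OFFER/ACK, so a rogue AP handing out gateway-less leases shows up without relying on the phone's own status icon.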

Interesting thoughts:
iPhones always listen on TCP 62078. This is the "sync" port for OTA syncs.... Perhaps we could spoof the computer it syncs with.
========================================================================================================================

--stryngs