The worst nightmare of any iPhone user is someone gaining persistent control over their device, including the ability to record and monitor all of its activity without even being in the same room. In this blog post we present a new vulnerability we call "Trustjacking" that allows an attacker to do exactly that.
This vulnerability exploits an iOS feature called iTunes Wi-Fi Sync, which allows users to manage their iOS device without physically connecting it to a computer. Once the iOS device owner is connected to the same network as the attacker, the attacker can continue to control the device. We also walk through related past vulnerabilities, show the changes Apple made to mitigate them, and explain why those changes are not enough to prevent this attack.
Recap of related past vulnerabilities and attacks
In the past, we have seen several publications discussing the use of unauthorized USB connections to obtain personal information from mobile devices.
Prior to iOS 7, connecting an iOS device to a new computer did not require the device owner's authorization. Juice jacking exploited this behavior to steal confidential information from the device and to install malicious software on the victim's device. Apple addressed this by adding a pop-up that requires the user to authorize a new computer before any synchronization is allowed.
Another publication discussed Videojacking, which abuses the Apple connector's ability to act as an HDMI connection to obtain a screen recording of the iOS device while it is connected to a malicious charger.
Both attacks allow the attacker to obtain confidential information, but their main limitation is that they only work while the device is physically connected to the rogue device; disconnecting the device stops the attack.
Trustjacking gives an attacker more consistent and persistent access, retaining the same capabilities after the device has been disconnected from the rogue device. To understand how it works, we first need to explain iTunes Wi-Fi Sync.
What is iTunes Wi-Fi Sync?
iTunes Wi-Fi Sync is a very useful feature that allows you to sync your iOS device with iTunes without physically connecting your iOS device to your computer.
To enable this feature, you must first sync your iOS device with iTunes by connecting it to your computer with a cable, and then turn on the option to sync with the iOS device over Wi-Fi.
HOW DOES TRUSTJACKING WORK?
When an iOS device is connected to a new computer, the user is asked whether to trust that computer. Choosing to trust the computer allows it to communicate with the iOS device through the standard iTunes APIs.
This lets the computer access the photos on the device, perform a backup, install applications and so on, without requiring any further confirmation from the user and without any visible indication. It also lets the computer activate the iTunes Wi-Fi Sync feature, so that it can keep communicating with the device after the cable is disconnected, as long as the computer and the iOS device are connected to the same network. Notably, enabling iTunes Wi-Fi Sync does not require the victim's approval and can be done by the computer alone.
By repeatedly requesting screenshots and displaying or recording them remotely, the attacker can easily obtain a real-time view of the device's screen.
It should be noted that, apart from the initial single point of failure of authorizing a malicious computer, there is no other mechanism that prevents this continued access. Furthermore, nothing notifies the user that authorizing the computer lets it access their device even after the USB cable has been disconnected.
FOR EXAMPLE
Imagine the following scenario: the victim connects their phone to a free charger at an airport. When the phone is connected to the charger, a pop-up message appears on the device asking whether to approve the connected device. Approving this request seems reasonable: the victim wants to charge the device, the service seems legitimate, and nothing suspicious appears to happen after the approval.
From the user's point of view, all they did was connect their device to a malicious charger/computer (which can also be their own computer, as described below) and choose to trust it.
The text of the prompt reassures the user that the authorization applies only while the device is physically connected to the computer, so they assume that disconnecting it blocks access to their personal data. Even if the device is connected for only a short time, an attacker can take the necessary steps to ensure that everything done on the device remains visible after it is disconnected.
The attacker needs to take two steps:
- Allow the device to connect to iTunes
- Enable iTunes Wi-Fi sync
To view the screen of the victim's device, the attacker needs to install a developer disk image matching the victim's iOS version; they can then take repeated screenshots and view the device's screen in real time. Installing the developer image can be done over Wi-Fi, without regaining physical access to the device. Although a restart removes the developer image from the device, the attacker still has access and can easily reinstall it.
In addition to remotely viewing the victim's device screen, Trustjacking also allows an attacker to do much more.
One of the functions that an attacker can use is a remote backup of iTunes. By creating a backup copy of the contents of the device, an attacker can gain access to a lot of personal information, such as:
- Photos
- SMS / iMessage chat history
- Application data
To extract this information, we had to dissect the iTunes backup format.
A backup consists of several metadata files and the backed-up files themselves. Each file is stored under a name equal to SHA1("%domain%-%relativePath%"), in a directory named after the first two hexadecimal digits of that hash.
For example, the photo with the path "Media/DCIM/100APPLE/IMG_0059.JPG" is saved at "b1/b12bae0603700bdf7719c3a65b22ca2f12715d37", because "b12bae..." is the SHA1 of "CameraRollDomain-Media/DCIM/100APPLE/IMG_0059.JPG".
All backed-up files are listed in the "Manifest.db" file, a SQLite3 database that can easily be inspected by querying it.
A simple query such as `SELECT * FROM Files WHERE relativePath like '%Media/DCIM%' ORDER BY relativePath;` lists the matching backed-up files, including their hashes.
Reading SMS / iMessage history requires parsing another SQLite3 database, found in the file "3d/3d0d7e5fb2ce288813306e4d4636395e047a3d28" (the SHA1 of "HomeDomain-Library/SMS/sms.db").
Two interesting tables are "chat", which lists all the chats, and "message", which contains all the messages of those chats, with "chat_message_join" linking the two.
There is more. An attacker can also use this access to install malicious applications, and even to replace existing applications with modified, repackaged versions that look like the original but monitor the user while the app is in use, or even use private APIs to monitor other activity on the device. In the following video demonstration, we show how an application on the device is identified and replaced with a repackaged version. Note that deleting and reinstalling the application takes only a few seconds.
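To illustrate the backup layout and the two databases described above, here is an added example (not code from the original post): it derives the backup path for a domain/relativePath pair, then runs the Manifest.db camera-roll query and the chat/chat_message_join/message join against small constructed in-memory databases. The schemas are reduced to the columns used here and the sample rows are made up; only the sms.db location is the real one quoted in the post.

```python
import hashlib
import sqlite3

def backup_file_id(domain, relative_path):
    """SHA-1 of '<domain>-<relativePath>': the name a file is stored under in an iTunes backup."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()

def backup_path(domain, relative_path):
    """Location inside the backup folder: first two hex digits as directory, then the full hash."""
    fid = backup_file_id(domain, relative_path)
    return f"{fid[:2]}/{fid}"

# Constructed sample data standing in for a real backup; schemas reduced to the columns used here.
SAMPLE_FILES = [
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0059.JPG"),
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0060.JPG"),
    ("HomeDomain", "Library/SMS/sms.db"),
]
SAMPLE_CHATS = [(1, "+15555550100")]                    # chat ROWID, chat_identifier (made up)
SAMPLE_MESSAGES = [(10, "hello", 1), (11, "reply", 0)]  # message ROWID, text, is_from_me
SAMPLE_JOIN = [(1, 10), (1, 11)]                        # chat_message_join: chat_id, message_id

def build_manifest():
    # In-memory stand-in for Manifest.db; fileID is derived exactly as a real backup does it.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, relativePath TEXT)")
    conn.executemany("INSERT INTO Files VALUES (?,?,?)",
                     [(backup_file_id(d, p), d, p) for d, p in SAMPLE_FILES])
    return conn

def list_camera_roll(conn):
    """The post's Manifest.db query: camera-roll files with the on-disk path each one lives under."""
    rows = conn.execute("SELECT fileID, relativePath FROM Files "
                        "WHERE relativePath LIKE '%Media/DCIM%' ORDER BY relativePath")
    return [(rp, f"{fid[:2]}/{fid}") for fid, rp in rows]

def build_sms_db():
    # In-memory stand-in for sms.db with the three tables the post names.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE chat (ROWID INTEGER PRIMARY KEY, chat_identifier TEXT)")
    conn.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, is_from_me INTEGER)")
    conn.execute("CREATE TABLE chat_message_join (chat_id INTEGER, message_id INTEGER)")
    conn.executemany("INSERT INTO chat VALUES (?,?)", SAMPLE_CHATS)
    conn.executemany("INSERT INTO message VALUES (?,?,?)", SAMPLE_MESSAGES)
    conn.executemany("INSERT INTO chat_message_join VALUES (?,?)", SAMPLE_JOIN)
    return conn

def messages_by_chat(conn):
    """Join chat -> chat_message_join -> message to read a conversation in order."""
    return conn.execute(
        "SELECT c.chat_identifier, m.text, m.is_from_me FROM chat c "
        "JOIN chat_message_join j ON j.chat_id = c.ROWID "
        "JOIN message m ON m.ROWID = j.message_id ORDER BY m.ROWID").fetchall()
```

Encrypted backups (see the Remediation section) store the same layout, but the file contents are unreadable without the backup password, which is why that setting matters.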
The attack we describe requires the device and the attacking computer to be connected to the same network. Usually this means getting close to the victim's device and joining the same Wi-Fi network, but this is not the only option.
By combining this attack with a malicious profile attack, we can connect the device to a VPN server and establish a continuous connection between the victim's device and the attacker's computer, making the attack usable at any time, without being limited by proximity to the device or by having to be on the same network.
iOS 11 - Following our disclosure to Apple
Following our responsible disclosure process, Apple chose to add a mechanism to ensure that only the true owner of the iOS device can choose to trust a newly connected computer. This is done by requiring the user to enter their passcode when choosing to authorize and trust the computer.
As the screenshot shows, the user is still told that this authorization applies only while the device is connected to the computer, leading them to believe that disconnecting the device ensures no one can access their private data.
While we greatly appreciate Apple's mitigation, we want to stress that it does not comprehensively solve the Trustjacking issue. Once the user chooses to trust a compromised computer, the rest of the attack works exactly as described above.
What happens if the attacker infects the victim's computer instead of using a malicious charger?
The limitation of the malicious charger attack is that the victim and their iOS device may spend only a short time in proximity to, or on the same network as, the malicious computer. If the user's own computer is the one that turns malicious, the attack is far more damaging. This more powerful Trustjacking use case occurs when the device owner's own PC or Mac is infected with malware. In that case the attacker can exploit the existing trust relationship between the victim's iOS device and their computer, together with the fact that the computer is usually located near the phone (at home, in the office, etc.), to gain insight not only into activity on the infected computer but also into the victim's activity on their phone.
Remediation
Unfortunately, there is no way to list all trusted computers and selectively revoke access. The best way to ensure that your iOS device does not trust unwanted computers is to clear the list of trusted computers by going to Settings > General > Reset > Reset Location & Privacy. Afterwards you will need to re-authorize every previously connected computer the next time you connect your iOS device to it.
To protect device backups and prevent attackers from using Trustjacking to obtain additional private information, enable encrypted backups in iTunes and select a strong password.
Installing a mobile threat defense solution such as SEP Mobile or Norton Mobile Security will help protect your device from the other effects of such attacks. SEP Mobile identifies and protects end users from any attempt to use this technique to exfiltrate personal data, install applications or tamper with the device, and leverages its integration with the SEP product line to give customers full visibility across mobile and desktop operating systems.
For application developers: avoid including sensitive data in iTunes backups, which reduces the risk of an attacker using Trustjacking to obtain that data by accessing the application's backup.
Acknowledgements
We would like to thank Apple's security team for their cooperation and their continued commitment to the security of Apple's user base.