DO-IT-YOURSELF SPY PROGRAM:
ABUSING APPLE’S CALL RELAY PROTOCOL
Martin Vigo
@martin_vigo
martinvigo.com
Security Analyst Summit 2017
Martin Vigo
Senior Product Security Engineer
salesforce.com
@martin_vigo
martinvigo.com
SECURITY BY OBSCURITY
UNDERSTANDING HOW CALL RELAY WORKS
OUTGOING CALL
POSSIBLE TARGETS
ATTACK SURFACE
• Standard protocol
• Intercept GSM traffic
• Fake cell phone tower
• Very illegal!
• Intercept APNS traffic
• Persistent connection
• Encrypted channel
• Cert pinning
• Break TLS
• UDP is not encrypted
• UDP is connectionless
• Multiple attack vectors on LAN
  • DNS spoofing
  • ARP spoofing
  • etc.
• Proprietary protocol?
REVERSING THE PROTOCOL
FIRST PACKET SENT DURING DIFFERENT CALLS
• Beginning of the payload, static: header
• Dynamic, uncommon length (12 bytes): identifier of some sort? Device, user, call…
• Static, separates 2 dynamic fields, common field length (4 bytes): separator?
• Dynamic, 16 bits, towards the end of the payload: checksum? Timestamp?
• Static, all zeros, end of the payload: null-terminating payload field
3 DIFFERENT HEADERS
FIRST TWO PACKETS FOR FIVE DIFFERENT CALLS
• Mac -> iPhone / iPhone -> Mac
• We identify that only 1 byte changes
  • Mac -> iPhone sends 0
  • iPhone -> Mac sends 1
• Field 5 is static in the same call but changes between calls
DISCOVERY PHASE
NEXT 2 PACKETS OF 5 DIFFERENT CALLS
• Field 1: Swaps again 0 -> 1
• Field 5: Swaps 38 -> 10
• Field 7: Same value as in the first packet
• Field 9: Only sent from Mac to iPhone. Bytes have a property…
IDENTIFICATION PHASE
ALL PACKETS WITH HEADER 20040004
• The usual: header, static fields, separators, etc.
• 1st and 2nd packet (Mac -> iPhone | iPhone -> Mac)
  • Field 1: 4 random bytes | Field 2: 4 null bytes
• 3rd packet (Mac -> iPhone)
  • Field 1: Same 4 bytes sent in 1st packet | Field 2: The 4 bytes sent in Field 1 by iPhone + 1
  • Field 3: Changes from 0 to 1
CALL NEGOTIATION PHASE
ALL PACKETS WITH HEADER e000
• 2 different values that increment by 1 (decimal) consistently
  • Each machine has its own counter for sync
  • 2-byte counter. Resets every ~20 minutes on the same call. Important if used for crypto!
• Static value. Different per machine. Changes every call
• Encoded / encrypted audio payload
  • Confirmed by flipping bytes and listening to the audio quality degradation
SOUND TRANSMISSION PHASE
A lot of stuff not covered because of lack of time :(
Reach out to me if you want more details!
PROTOCOL IMPLEMENTATION
• Used scapy to implement the protocol
• Successfully impersonated iPhone and Mac
• Not 100% working yet
  • Still missing details of the protocol
  • Timing is key, which makes testing difficult
Check out my repo: https://www.github.com/martinvigo
BREAK IT!
#FAILS
• Eavesdrop ongoing calls
• Decode/Decompress/Decrypt voice payloads
• Replay attacks
• Redirect voice payload to attacker’s device
• Make calls on behalf of victim
• Inject voice payloads
#WINS
• DoS calls
• Spy on victims by leaving mic open
• Impersonate caller on multiparty calls
DoS CALLS
• What would happen if I send a “Call negotiation phase” packet during a call?
• Need to be able to forge a valid one
• We want a silver bullet that works every time without having to guess/bruteforce any bytes
• No MiTM
• Use scapy to fuzz the protocol and nullify as many bytes as possible
Magic DoS call packet payload:
20040004000000000000000000b002000000000000000000000000000000000000000000000000000000000000
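The two protocol observations above, the 16-bit per-machine counter on e000 sound packets that wraps every ~20 minutes and the fact that a 20040004 negotiation-header packet arriving mid-call tears the call down, are exactly what a passive monitor on the LAN can check for. The block below is an added Python example, not the author's scapy implementation or any Apple code; because the slides give no byte offsets, it works on already-dissected records, and the device names, machine ids and the sample flow are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Headers as observed on the slides; every other value below is constructed.
NEGOTIATION_HDR = bytes.fromhex("20040004")
SOUND_HDR = bytes.fromhex("e000")
COUNTER_BITS = 16                  # "2 bytes counter"
OBSERVED_WRAP_SECONDS = 20 * 60    # "resets every ~20 minutes"


@dataclass(frozen=True)
class RelayRecord:
    """One already-dissected relay packet (the slides give no byte offsets,
    so dissection from the raw UDP payload is assumed to happen upstream)."""
    src: str                            # sending device, e.g. "mac" / "iphone"
    header: bytes
    counter: Optional[int] = None       # 16-bit per-machine counter (sound pkts)
    machine_id: Optional[bytes] = None  # static per-machine, per-call value


def inferred_packet_rate(bits=COUNTER_BITS, wrap_seconds=OBSERVED_WRAP_SECONDS):
    """Packets per second implied by a `bits`-bit counter wrapping every
    `wrap_seconds`: 2**16 / 1200 s ~= 54.6 pps, i.e. one packet every ~18 ms,
    a plausible voice-frame interval (an inference, not stated on the slides)."""
    return (1 << bits) / wrap_seconds


def nonce_reuse(records: List[RelayRecord]):
    """Why the wrap matters for crypto: if (machine_id, counter) were the
    per-packet nonce, every wrap inside one call repeats nonces already used.
    Returns the repeated (machine_id, counter) pairs in order of first reuse."""
    seen, reused = set(), []
    mask = (1 << COUNTER_BITS) - 1
    for r in records:
        if r.header != SOUND_HDR:
            continue
        key = (r.machine_id, r.counter & mask)
        if key in seen and key not in reused:
            reused.append(key)
        seen.add(key)
    return reused


def late_negotiation(records: List[RelayRecord]):
    """Indices of negotiation-header packets seen after the flow has already
    entered the sound-transmission phase.  The slides report that such a packet
    mid-call tears the call down, so a monitor should alert on it."""
    in_call, flagged = False, []
    for i, r in enumerate(records):
        if r.header == SOUND_HDR:
            in_call = True
        elif r.header == NEGOTIATION_HDR and in_call:
            flagged.append(i)
    return flagged


# Constructed sample flow: 3-packet negotiation, interleaved sound packets,
# a Mac-side counter wrap, then a negotiation packet arriving mid-call.
MAC_ID, IPHONE_ID = bytes.fromhex("aabbccdd"), bytes.fromhex("11223344")
SAMPLE = [
    RelayRecord("mac", NEGOTIATION_HDR),
    RelayRecord("iphone", NEGOTIATION_HDR),
    RelayRecord("mac", NEGOTIATION_HDR),
    RelayRecord("mac", SOUND_HDR, 0, MAC_ID),
    RelayRecord("iphone", SOUND_HDR, 10, IPHONE_ID),
    RelayRecord("mac", SOUND_HDR, 1, MAC_ID),
    RelayRecord("iphone", SOUND_HDR, 11, IPHONE_ID),
    RelayRecord("mac", SOUND_HDR, 2, MAC_ID),
    RelayRecord("iphone", SOUND_HDR, 12, IPHONE_ID),
    RelayRecord("mac", SOUND_HDR, 65535, MAC_ID),   # about to wrap
    RelayRecord("mac", SOUND_HDR, 0, MAC_ID),       # wrapped: nonce 0 reused
    RelayRecord("mac", SOUND_HDR, 1, MAC_ID),       # nonce 1 reused
    RelayRecord("mac", NEGOTIATION_HDR),            # negotiation mid-call
]

if __name__ == "__main__":
    print(f"{inferred_packet_rate():.1f} pps")                 # 54.6 pps
    print("reused nonces:", nonce_reuse(SAMPLE))
    print("late negotiation at:", late_negotiation(SAMPLE))    # [12]
```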
SPY ON VICTIMS
• I could not eavesdrop calls
• I could not inject voice data
• I could not replay voice data
• I could not redirect voice data
• Use of encryption
Nosey Smurf: NSA tool to enable microphones on mobile devices
“In the future, cryptography won’t be broken, it will be bypassed”
Adi Shamir at RSA Conference
HANGING UP
• Voice payload packets simply stop
• No apparent differences in the last voice payload packets
• I must be missing something…
SOMETIMES YOU NEED THE BIGGER PICTURE
INCLUDING APNS TRAFFIC
THE “HANGUP MESSAGE” IS DELIVERED AS A PUSH NOTIFICATION
EXPLOITATION
• Don’t let the “hang up” message be delivered!
  1. ARP spoofing for MiTM
  2. Call the victim
  3. Block outgoing traffic from victim to 17.0.0.0/8 (APNS)
DEMO
IMPERSONATE CALLERS
• We can prevent hanging up
• We can prevent switching calls
• Combine both!
  1. Call the victim while on another call
  2. Victim puts legit caller on hold
  3. Let victim hang up on you
  4. Block switch and hangup message
• UI only shows legit caller while still talking to attacker
DEMO
DO-IT-YOURSELF SPY PROGRAM
WEAPONIZE AND DISTRIBUTE MASSIVELY
• We can interrupt calls
• We can impersonate callers
• We can gather call metadata
• We can leave microphones open
• Targets
  • Routers and IoT devices
  • Identify Apple devices
    • Check ARP table
    • First 3 bytes of a MAC address indicate vendor
  • Block traffic to APNS during call
WARDIALING
• Collect BSSID from routers
• Use wigle.net to get physical locations
• War dialing by area code
• Detect calls by fingerprinting network traffic
• Correlate phone numbers with routers detecting incoming calls
CLOSING REMARKS
TIMELINE
FURTHER RESEARCH
• Reverse FaceTime app and daemons
• Cryptanalysis on the protocol
• Call relay support on other OS
• Infer voice patterns from encrypted traffic
  • http://www.cs.unc.edu/~fabian/papers/tissec2010.pdf
  • https://www.cs.jhu.edu/~cwright/voip-vbr.pdf
Martin Vigo
@martin_vigo
martinvigo.com
Q & A
