iOS MITM Attack

•

2 gefällt mir•4,439 views

siegin

Boot validation

• CA – Apple Certificate Authority
• SIGN – Signature
sieg.in 3

Why we can’t create fake signature?

Because “Apple Root CA” fingerprint hardcoded into iOS and have to
be 61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60

sieg.in 7

Certificate Authority Storage

Few from 186 are quite interesting :

– C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD CLASS 3 Root CA
– C=JP, O=Japanese Government, OU=ApplicationCA
– C=CN, O=China Internet Network Information Center, CN=China Internet
Network Information Center EV Certificates Root
…

sieg.in 9

Mobileconfig contains
WiFi settings (pass, SSID) for “Gate”

CA

Proxy Settings, if we want victim’s traffic even
it has left attack range. (Only for iOS6)

iCloud backup (enable it, if not)

sieg.in 14

Let’s take a look on default CA list...

sieg.in 17

COMODO trial certificate
• You only need valid admin@yourdomain.com
mail for confirmation
• Can be used for signing

sieg.in 18

SSL Defeated
But we want more

sieg.in 21

How to get files from device

sieg.in 22

Elcomsoft Phone Password Breaker

sieg.in 23

What’s in backup?

• SMS
• Private photo
• Emails
• Application data
• And more …

sieg.in 25

Apple Push Notification Service

sieg.in 27

Summary
User only have to tap ‘Install’ two times to make
us able to :
– Sniff all his SSL traffic (cookies,passwords, etc)
– Steal his backup (call log, sms log, photos and
application data)
– Send him funny push messages or just wipe device

sieg.in 30

sieg.in
al@sieg.in
@siegin

Alexey Troshichev

sieg.in 31

Weitere ähnliche Inhalte

Was ist angesagt?

Browser isolation (isc)2 may presentation v2

Wen-Pai Lu

CyberArk Cleveland Defend End Point Infection and Lateral Movement

Chad Bowerman

MID_Security_Connected_Jan_van_Vliet_EN

Vladyslav Radetsky

The integration between Red Hat OpenShift and CyberArk Conjur Enterprise enables development organizations to both strengthen and simplify secrets management security for application containers. The approach utilizes native capabilities, including authenticators, to improve an organization’s overall security posture and reduce risk. This is accomplished without disrupting operations or impairing development velocity. In this webinar, we’ll demo the new capabilities and explain the benefits of using CyberArk Conjur as a centralized solution for managing secrets in OpenShift container environments. Learn how to: Enable segregation of duties – to free developers from most security concerns, while giving security the tools they need to ensure the security requirements are met Simplify how developers secure container environments Enable security teams to enforce policy-based access controls with strong authentication Free developers and operations teams from the burdens of meeting audit requirements

Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...

DevOps.com

(Pptx) yury chemerkin hacker_halted_2013

STO STRATEGY

Android Security Development

hackstuff

Sierraware browser isolation

Sierraware

(Pdf) yury chemerkin intelligence_sec_2013

STO STRATEGY

View recorded webinar - http://get.skycure.com/accessibility-clickjacking-webinar Accessibility Clickjacking, a vulnerability discovered by Skycure’s Mobile Threat Defense Research Team, is a method hackers may use to gain complete control over an Android device, including acquiring elevated privileges and exposing the content of all apps on the device. It can compromise container solutions and is extremely difficult to detect.

Accessibility Clickjacking, Devastating Android Vulnerability

Skycure

Spyphones are surveillance tools surreptitiously planted on a users handheld device. While malicious mobile applications mainly phone fraud applications distributed through common application channels - target the typical consumer, spyphones are nation states tool of attacks. Why? Once installed, the software stealthy gathers information such as text messages (SMS), geo-location information, emails and even surround-recordings. How are these mobile cyber-espionage attacks carried out? In this engaging session, we present a novel proof-of-concept attack technique which bypass traditional mobile malware detection measures- and even circumvent common Mobile Device Management (MDM) features, such as encryption. http://www.blackhat.com/us-13/briefings.html#Brodie

BlackHat USA 2013 - Practical Attacks against Mobile Device Management Solutions

Lacoon Mobile Security

(Pdf) yury chemerkin hackfest.ca_2013

STO STRATEGY

Strong authentication for your organization in a cost effective cloud-based...

NetwayClub

Was ist angesagt? (12)

Browser isolation (isc)2 may presentation v2

CyberArk Cleveland Defend End Point Infection and Lateral Movement

MID_Security_Connected_Jan_van_Vliet_EN

Centralize and Simplify Secrets Management for Red Hat OpenShift Container En...

(Pptx) yury chemerkin hacker_halted_2013

Android Security Development

Sierraware browser isolation

(Pdf) yury chemerkin intelligence_sec_2013

Accessibility Clickjacking, Devastating Android Vulnerability

BlackHat USA 2013 - Practical Attacks against Mobile Device Management Solutions

(Pdf) yury chemerkin hackfest.ca_2013

Strong authentication for your organization in a cost effective cloud-based...

Ähnlich wie iOS MITM Attack

iOS Security: The Never-Ending Story of Malicious Profiles

Yair Amit

Slides from my ServerlessConf Austin 2017. Serverless means handing off server management to the cloud platforms - along with their security risks. With the “pros” ensuring our servers are patched, what’s left for application owners to protect? As it turns out, quite a lot. This talk discusses the aspects of security serverless doesn’t solve, the problems it could make worse, and the tools and practices you can use to keep yourself safe

Serverless Security: What's Left to Protect?

Guy Podjarny

Do you know encryption fact from fiction? With data breaches frequently making the headlines, businesses are losing more business and personally identifiable information than ever. Every industry and company is at risk – public and private. Encryption is one of the best ways to protect this information, but misperceptions related to cost, performance, and ease of use run rampant. View this webcast on-demand where we talk with Patrick Townsend, Founder & CEO of Townsend Security, to set the record straight on the top 5 encryption myths for IBM i users.

Top 5 Encryption Myths for IBM i Users

Precisely

SAP (In)Security: New and Best

Positive Hack Days

SOTP_Introduction

Johnson Wu

Digital Signage Systems - The Modern Hacker's Outreach

Zero Science Lab

Serverless means handing off server management to the cloud platforms – along with their security risks. With the “pros” ensuring our servers are patched, what’s left for application owners to protect? As it turns out, quite a lot. This talk discusses the aspects of security serverless doesn’t solve, the problems it could make worse, and the tools and practices you can use to keep yourself safe. Required audience experience Basic knowledge of how FaaS and Serverless works Objective of the talk As many companies explore the world of serverless, it’s important they understand the aspects of security this new world helps them with, and the ones they need to care more about. This talk will provide a framework to understand how to prioritise and approach security for Serverless apps.

Serverless Security: What's Left To Protect

Guy Podjarny

Introduction to Mobile Application Security - Techcity 2015 (Vilnius)

Luca Bongiorni

DEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards-Updated.pdf

Wlamir Molinari

An increasing number of SAP Security Notes and talks on SAP Security proves that it becomes a really hot topic nowadays. However, SAP systems attacks are still believed to be available only for insiders. The reality is not so good. There are about 5000 systems including dispatchers, message servers, SapHostcontrols, Web-services on the internet. Top 10 vulnerabilities 2011-2012 are: 1. Authentication Bypass via Verb tampering 2. Authentication Bypass via the Invoker servlet 3. Buffer overflow in ABAP Kernel 4. Code execution via TH_GREP 5. MMC read SESSIONID 6. Remote portscan 7. Encryption in SAPGUI 8. BAPI XSS/SMBRELAY 9. XML Blowup DOS 10. GUI Scripting DOS The presentation provides a detailed description of these attacks, its potential business risks and the way to prevent them.

Top 10 most interesting vulnerabilities and attacks in SAP

ERPScan

The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7

Rapid7

For more information on LEM, visit: http://www.solarwinds.com/log-event-manager.aspx Watch this webcast: http://www.solarwinds.com/resources/webcasts/three-strategies-for-data-privacy-compliance-securing-your-sensitive-data.html Join SolarWinds and Townsend Security for this overview on securing the sensitive data stored on your IBM iSeries using SolarWinds Log & Event Manager (LEM). Learn why logging is essential and how the Townsend Alliance LogAgent integrates with LEM to collect, analyze, and correlate event log data for security and compliance.

3 Strategies for Data Privacy Compliance: Securing Your Sensitive Data

SolarWinds

Security from sensor to sunset. “How to approach the security in the IoT ecos...

Data Driven Innovation

2015.04.24 Updated > Android Security Development - Part 1: App Development

Cheng-Yi Yu

Slides from talks at DunDDD and NDCLondon. News stories of security vulnerabilities in mobile apps are becoming more common and their impact risks affecting more and more business and consumers. It doesn't have to be this way. There are solutions to all the common security issues in mobile but sometimes we need to be made aware of what the issues are and how they can be prevented. That's what I'll show in this talk. I'll draw on more than twelve years personal experience building apps for a wide variety of industries and the accumulated knowledge of the OWASP Mobile Security. We'll look at some examples of the common security mistakes apps on iOS, Android and Windows have made and then show practical examples of how to address the issues. You'll leave this session wanting to review the security of your mobile apps but armed with the knowledge to make improvements and fix some security holes.

Is your mobile app as secure as you think?

Matt Lacey

Bluetooth Low Energy is probably the most thriving technology implemented recently in all kinds of IoT devices: gadgets, wearables, smart homes, medical equipment and even banking tokens. The BLE specification assures secure connections through link-layer encryption, device whitelisting and bonding - a mechanisms not without flaws, although that's another story we are already aware of. A surprising number of devices do not (or simply cannot - because of the use scenario) utilize these mechanisms. The security (like authentication) is, in fact, provided on higher "application" (GATT protocol) layer of the data exchanged between the "master" (usually mobile phone) and peripheral device. The connection from "master" in such cases is initiated by scanning to a specific broadcast signal, which by design can be trivially spoofed. And guess what - the device GATT internals (so-called "services" and "characteristics") can also be easily cloned. Using a few simple tricks, we can assure the victim will connect to our impersonator device instead of the original one, and then just proxy the traffic - without consent of the mobile app or device. And here it finally becomes interesting - just imagine how many attacks you might be able to perform with the possibility to actively intercept the BLE communication! Basing on several examples, I will demonstrate common flaws possible to exploit, including improper authentication, static passwords, not-so-random PRNG, excessive services, bad assumptions - which allow you to take over control of smart locks, disrupt smart home, and even get a free lunch. I will also suggest best practices to mitigate the attacks. Ladies and gentlemen - I give you the BLE MITM proxy. A free open-source tool which opens a whole new chapter for your IoT device exploitation, reversing and debugging. Run it on a portable Raspberry Pi, carry around BLE-packed premises, share your experience and contribute to the code.

Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool

Slawomir Jasek

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Rob Fuller

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Chris Gates

A lot of Internet of things devices use linux as its core. More so with the advent of DIY projects and Internet of things projects. A lot of Raspberry PI's, Beaglebone, Tessel boards are out there with default settings, and all connected to the internet, ready to be taken over. With the recent dyn DNS attack its of prime importance to know how we can keep these end point devices secure and out of the hands of botnet hoarders, attackers. In this presentation Rabimba Karanjai will show how to harden the security on these endpint devices taking a RaspBerry PI as an example. He will explain different techniques with code examples along with a toolkit made specifically for this demo which will make devices considerable harder to compromise. And even when they are, will allow to locate and detect the breach. After all, proetcting the device fially protects us all (prevents another DDOS)

SecurityPI - Hardening your IoT endpoints in Home.

LinuxCon ContainerCon CloudOpen China

Apache Milagro (incubating) establishes a new internet security framework purpose-built for cloud-connected app-centric software and IoT devices that require Internet scale. Milagro's purpose is to provide a secure, free, and positive open source alternative to centralised and proprietary monolithic trust providers such as commercial certificate authorities and the certificate backed cryptosystems that rely on them. Milagro is an open source, pairing-based cryptographic platform that delivers solutions for device and end user authentication, secure communications and fintech / blockchain security; issues challenging Cloud Providers and their customers. It does this without the need for certificate authorities, putting into place a new category of service providers called Distributed Trust Authorities (D-TA®). Milagro's M-Pin® protocol, and its existing open-source MIRACL® implementation on which MILAGRO is built, is already in use by Experian, NTT, Ingram Micro, and Gov.UK and rolled out to perform at Internet scale for Zero Password® multi-factor authentication and certificate-less HTTPS / secure channel.

Apache Milagro Presentation at ApacheCon Europe 2016

Brian Spector

Ähnlich wie iOS MITM Attack (20)

iOS Security: The Never-Ending Story of Malicious Profiles

Serverless Security: What's Left to Protect?

Top 5 Encryption Myths for IBM i Users

SAP (In)Security: New and Best

SOTP_Introduction

Digital Signage Systems - The Modern Hacker's Outreach

Serverless Security: What's Left To Protect

Introduction to Mobile Application Security - Techcity 2015 (Vilnius)

DEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards-Updated.pdf

Top 10 most interesting vulnerabilities and attacks in SAP

The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7

3 Strategies for Data Privacy Compliance: Securing Your Sensitive Data

Security from sensor to sunset. “How to approach the security in the IoT ecos...

2015.04.24 Updated > Android Security Development - Part 1: App Development

Is your mobile app as secure as you think?

Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

SecurityPI - Hardening your IoT endpoints in Home.

Apache Milagro Presentation at ApacheCon Europe 2016

iOS MITM Attack

1. iOS MITM Attack Technology and effects sieg.in 1

2. sieg.in 2

3. Boot validation • CA – Apple Certificate Authority • SIGN – Signature sieg.in 3

4. Files Protection sieg.in 4

5. Classic provisioning sieg.in 5

6. Actual provisioning sieg.in 6

7. Why we can’t create fake signature? Because “Apple Root CA” fingerprint hardcoded into iOS and have to be 61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60 sieg.in 7

8. SSL sieg.in 8

9. Certificate Authority Storage Few from 186 are quite interesting : – C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD CLASS 3 Root CA – C=JP, O=Japanese Government, OU=ApplicationCA – C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root … sieg.in 9

10. Certificate authentication sieg.in 10

11. I want my CA in your iOS sieg.in 11

12. Ways to install CA in iOS o Safari o Email attachment o MDM With configuration profile Can be installed with Safari sieg.in 12

13. Attack sieg.in 13

14. Mobileconfig contains WiFi settings (pass, SSID) for “Gate” CA Proxy Settings, if we want victim’s traffic even it has left attack range. (Only for iOS6) iCloud backup (enable it, if not) sieg.in 14

15. Mobileconfig installation sieg.in 15

16. Looks bad =( sieg.in 16

17. Let’s take a look on default CA list... sieg.in 17

18. COMODO trial certificate • You only need valid admin@yourdomain.com mail for confirmation • Can be used for signing sieg.in 18

19. How to sign sieg.in 19

20. Looks much better sieg.in 20

21. SSL Defeated But we want more sieg.in 21

22. How to get files from device sieg.in 22

23. Elcomsoft Phone Password Breaker sieg.in 23

24. Once again sieg.in 24

25. What’s in backup? • SMS • Private photo • Emails • Application data • And more … sieg.in 25

26. Files done But we want more sieg.in 26

27. Apple Push Notification Service sieg.in 27

28. Fake! Fake! Fake! sieg.in 28

29. Wipe Tragedy (act 1/1) sieg.in 29

30. Summary User only have to tap ‘Install’ two times to make us able to : – Sniff all his SSL traffic (cookies,passwords, etc) – Steal his backup (call log, sms log, photos and application data) – Send him funny push messages or just wipe device sieg.in 30

31. sieg.in al@sieg.in @siegin Alexey Troshichev sieg.in 31

iOS MITM Attack

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (12)

Ähnlich wie iOS MITM Attack

Ähnlich wie iOS MITM Attack (20)

iOS MITM Attack