lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKAWO_UGP4i0XyrRmRNP3Gw=+8iZKhhRVN37eaD0rskz==m5zw@mail.gmail.com> Date: Tue, 22 Sep 2015 12:15:30 -0500 From: David Longenecker <david@...urityforrealpeople.com> To: fulldisclosure@...lists.org Subject: [FD] An iOS oversight: exploiting device trust and backups Posted in more detail at: http://www.securityforrealpeople.com/2015/09/exploiting-ios-backups-for-fun-and.html iOS (including iOS 9) have a chink in their security model's armor. Enabling an iOS device to trust a new computer is a one-click operation - no password or PIN is required. As long as the iOS device is logged in and not screen locked, one click is enough to tell the iPhone or iPad that this computer can be trusted. Once trusted, the computer is permitted to copy files on and off, or make a full device backup. For perspective, iOS has a setting to require the password or PIN to purchase items in the App or iTunes Stores, but no such setting when trusting a computer to do a full device backup. Is this a big deal? Have you ever lent your phone to a friend so they could make a brief phone call? If I borrow your iPhone under the guise of making a phone call, in a couple of minutes I can USB tether to my computer, trust it, and make a full device backup which I can search at length later. Or in just a few seconds I can establish that device trust now, and later slip it off your desk to make a backup of the locked iPhone. In the grand scheme of things, the ability to make a covert backup of another's iPhone isn't at the top of my list of worries. It requires physical access to an unlocked device, meaning I'd have to unlock my phone and let someone borrow it - not something I'm likely to do for someone I don't know and trust. Still, it pays to understand how your trust can be abused. Keep this in mind the next time a friend asks "can I use your iPhone to make a call?" Regards, David Longenecker Connect: Blog <http://securityforrealpeople.com/> | @dnlongen <https://www.twitter.com/dnlongen> | LinkedIn <https://www.linkedin.com/in/dnlongen/> PGP key: https://keybase.io/dnlongen _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists