lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAKAWO_UGP4i0XyrRmRNP3Gw=+8iZKhhRVN37eaD0rskz==m5zw@mail.gmail.com>
Date: Tue, 22 Sep 2015 12:15:30 -0500
From: David Longenecker <david@...urityforrealpeople.com>
To: fulldisclosure@...lists.org
Subject: [FD] An iOS oversight: exploiting device trust and backups

Posted in more detail at:
http://www.securityforrealpeople.com/2015/09/exploiting-ios-backups-for-fun-and.html

iOS (including iOS 9) have a chink in their security model's armor.

Enabling an iOS device to trust a new computer is a one-click operation -
no password or PIN is required. As long as the iOS device is logged in and
not screen locked, one click is enough to tell the iPhone or iPad that this
computer can be trusted. Once trusted, the computer is permitted to copy
files on and off, or make a full device backup.

For perspective, iOS has a setting to require the password or PIN to
purchase items in the App or iTunes Stores, but no such setting when
trusting a computer to do a full device backup.

Is this a big deal?

Have you ever lent your phone to a friend so they could make a brief phone
call?

If I borrow your iPhone under the guise of making a phone call, in a couple
of minutes I can USB tether to my computer, trust it, and make a full
device backup which I can search at length later. Or in just a few seconds
I can establish that device trust now, and later slip it off your desk to
make a backup of the locked iPhone.

In the grand scheme of things, the ability to make a covert backup of
another's iPhone isn't at the top of my list of worries. It requires
physical access to an unlocked device, meaning I'd have to unlock my phone
and let someone borrow it - not something I'm likely to do for someone I
don't know and trust.

Still, it pays to understand how your trust can be abused. Keep this in
mind the next time a friend asks "can I use your iPhone to make a call?"

Regards,
David Longenecker

Connect: Blog <http://securityforrealpeople.com/> | @dnlongen
<https://www.twitter.com/dnlongen> | LinkedIn
<https://www.linkedin.com/in/dnlongen/>
PGP key: https://keybase.io/dnlongen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists