| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 24 Sep 2015 09:15:45 +0200 From: Luis 'Pope' Gómez <pope@...e.es> To: David Longenecker <david@...urityforrealpeople.com> Cc: fulldisclosure@...lists.org Subject: Re: [FD] An iOS oversight: exploiting device trust and backups You make an interesting point here, David. About this topic, I would recommend this brilliant paper by Mr. Zdziarski: http://www.zdziarski.com/blog/wp-content/uploads/2014/08/Zdziarski-iOS-DI-2014.pdf I proposed a software solution to apply various mitigations in jailbroken devices; including: deleting the pairing records (so that your iOS device will not continue trusting other comptuers) and disabling a number of services (for instance: if I never backup my iOS device to iTunes, I can disable that service so that nobody will be able to backup my device to ANY iTunes). We presented a poster about this in the latest DFRWS conference ( http://www.pope.es/files/DFRWS-2015-Pope.pdf). A paper on the topic has been accepted for publication at http://wpage.unina.it/ficco/SecureSysComm2015/home.html, and after the conference we will be releasing the software. Regards Pope 2015-09-22 19:15 GMT+02:00 David Longenecker < david@...urityforrealpeople.com>: > Posted in more detail at: > > http://www.securityforrealpeople.com/2015/09/exploiting-ios-backups-for-fun-and.html > > iOS (including iOS 9) have a chink in their security model's armor. > > Enabling an iOS device to trust a new computer is a one-click operation - > no password or PIN is required. As long as the iOS device is logged in and > not screen locked, one click is enough to tell the iPhone or iPad that this > computer can be trusted. Once trusted, the computer is permitted to copy > files on and off, or make a full device backup. > > For perspective, iOS has a setting to require the password or PIN to > purchase items in the App or iTunes Stores, but no such setting when > trusting a computer to do a full device backup. > > Is this a big deal? > > Have you ever lent your phone to a friend so they could make a brief phone > call? > > If I borrow your iPhone under the guise of making a phone call, in a couple > of minutes I can USB tether to my computer, trust it, and make a full > device backup which I can search at length later. Or in just a few seconds > I can establish that device trust now, and later slip it off your desk to > make a backup of the locked iPhone. > > In the grand scheme of things, the ability to make a covert backup of > another's iPhone isn't at the top of my list of worries. It requires > physical access to an unlocked device, meaning I'd have to unlock my phone > and let someone borrow it - not something I'm likely to do for someone I > don't know and trust. > > Still, it pays to understand how your trust can be abused. Keep this in > mind the next time a friend asks "can I use your iPhone to make a call?" > > Regards, > David Longenecker > > Connect: Blog <http://securityforrealpeople.com/> | @dnlongen > <https://www.twitter.com/dnlongen> | LinkedIn > <https://www.linkedin.com/in/dnlongen/> > PGP key: https://keybase.io/dnlongen > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists