Tag Archives: iphone

New iPhone 5S Fingerprint reader, a step in the right direction!

Apple has just announced two new models of iPhones, one of them is the iPhone 5S which comes with a fingerprint reader. Like others I believe this is no silver bullet, but it is a step in the right direction in terms of helping the masses to secure their iPhones.

There are two main areas of potential security failures:
– Fingerprints can be copied and once compromised you can’t “change” for new ones;
– The Fingerprint reader security implementation will be very important, any defects or flawed could be exploited to gain unauthorised access.

Apple may not be the first company to provide an embedded fingerprint reader into their phones, but like it did for tablets and smartphones, it will be the company that will popularise its usage and set the direction for others to follow. This is likely to be emulated and we will soon see fingerprint reader probably everywhere.
Why?
Because it is actually a very convenient way to unlock/authenticate, it is very user-friendly if done right and somewhat secure/unique (as long as they are not compromised). It means users will love it, and prefer that way of authenticating over having to remember a very long password or a different one for each system they need to authenticate too. It makes sense for some kind of password safe to be release at some point, either by Apple or a 3rd party, that would leverage the use of a fingerprint reader to authenticate users to all their systems. In the background you would still be using long, random and unique passwords but as a user, all you would be asked for is to select which website/system you want to sign on and to authenticate with your fingerprint so it accesses that secret password for you and uses it to log you in.

All this is great, and I would love to use such a system. But as fingerprint readers become more and more popular and especially more and more available, so will be the points of failure…
If every device has a fingerprint “read-er”, every device could also act as a fingerprint “captur-er”!
And your precious fingerprints could be compromised through malware or social engineering by leveraging features like guest access, micro-payments, fun apps that pretend to predict your future by reading the shape of your fingerprints, etc.

More importantly, due to the very nature of smartphones today that are using “touch technology”, users’ fingerprints will be left all over the device’s touch screen. It means if someone steal your smartphone, they also steal the very information they need to gain access, your fingerprints. The challenge then becomes about “lifting” those fingerprints from the touch screen to re-use them.

Also, the more popular fingerprint readers become and the more embedded their usage will be in how the masses authenticate to different systems. It means, it will be increasingly attractive for attackers to target such means of authentication. There is already a hacking challenge that will do just that: Hackers iPhone5s bounty.

What Apple has just done is providing an answer to a problem people are increasingly aware off, protecting your password whilst making it simpler to authenticate in the process. This is bound to catch on.

To conclude, in the short term, this will be a huge security set-up for most people, “normal” people who do not handle state/corporate secrets. In the medium to long term, this may actually backfire, because fingerprint alone is no security silver bullet. However, combining fingerprint authentication with more traditional mechanisms such as passcodes or passwords might actually provide extra security through embedded dual factor authentication.

Nonetheless, well done Apple for aiming in the right direction!

A new iOS 6.1 hack

As seen on the Hacker news, there is currently a way to bypass the iPhone lock screen (iPad with SIM too?) running iOS 6.1.x

I had to change the steps listed in “The Hacker news” slightly for it to work:
-Go to emergency call, push down the power button and tap cancel.
-Dial 112 and tap green and inmediately red.
-Go to lock screen, by pressing the power button
-Go to passcode screen, by pressing the home button
-Keep pushing down the power button …1…2…3…seconds and before showing the slider “turn off”…tap the emergency call button and …voilá!
-Then without releasing the power button press the home button and let go…

From there you gain full access to the phone application and can change/add/delete contact, as well as use the phone to make phone calls but you cannot stop a call you started with that technic.


YouTube Direkt

Another iPhone hack, this time with a paperclip!

There is a new vulnerability with iOS5 powered device with a SIM card. I have tried it and it works.
You need to know the number of your victim and by combining a missed called, removing the SIM card, putting it back in and swiping the missed call alert it is possible to bypass the lock screen and access the phone.

Look at the video from the weirdly named group called iPhoneIslam, you need to get the timing right!

YouTube Direkt

New iOS Security attack, this time it looks bad!

Another attack on the iOS security has been published today and there are two recurring themes to the attacks I described in previous posts, namely: weaknesses with the Keychain and iOS encryption implementation.

But this time they have been used differently and seem to provide an attacker access to any passwords stored on an iOS device, even if it is passcode protected.
One main difference in this attack, is that the attacker would only requires the iOS devices and nothing else (as opposed to the relevant synced PC with previous attacks).

It also seems to prove Zdiarski’s concerns over the iOS encryption controls to be true.
The attack used some jailbreaking techniques to access the iOS device boot/ram, bypassing the passcode and using the OS to run a script to access the local keychain and all the passwords it may contain (email, VPN, web apps, etc)
It seems that the encrypted data is not linked to the user passcode, which means that if someone can bypass the passcode, even if the data is in theory still encrypted, the attacker uses the iOS device itself to decrypt the data for him!

When I said it was “bad, but not that bad”. Now, it may be THAT bad! ;)

All the details, video and whitepaper, are available here:
Fraunhofer Institute

Follow-up on Apple iOS Full Disk Encryption

Regarding my previous post I wanted to mitigate some of the risks I was describing.
In a nutshell, it is bad, but not that bad! :)

Escrow keybag
There is indeed a forensic issue with the escrow keybag feature, but because it requires the attacker to have both the targeted mobile device and the computer used to sync it with, That attacker would first need to break the computer’s security to access its filesystem.

Because that computer is used to sync the mobile device, most of the information it contains is likely to be on the computer as well.
For example, email accounts are likely to have been setup both on the computer and the mobile device, office files are likely to have been created on the computer, etc.

Therefore gaining access to the computer’s filesystem is likely to already give you access to most of the mobile device’s data.
Having said that, there is no garantee it will always be the case and some information such as call history, text messages, internet history, etc would only be available on the mobile device (and its hopefully encrypted backup).

The point is that although the Escrow Keybag can indeed be used to bypass a mobile device protection and is therefore a security risk, it should be put into context with the security risks related to successfully gaining access to it in the first place.
In other words, it is bad, but not that bad!

Full Disk Encryption
The statement that I reproduced about the level of security offered by the iOS full disk encryption control should also be put into a wider context.
Jonathan Zdiarski claims it was inadequate because it automatically decrypts data once requested for it, the way I undertand it is that its level of security is therefore dependant of the strengh of the passcode used and of the device’s OS security (sandbox, access control, etc).

But this is also true for any full disk encryption control, on any plateform.
If you gain knowledge or access to the passcode you can then access the data.
And if you get a malware running on your full disk encrypted device, it would not be prevented to access any data associated with your credentials.

I therefore do not believe this is an Apple specific security risk.
In other words, it is bad, but not that bad!

Apple and their elusive Full Disk Encryption solution

I have been researching how Apple has been implementing their full disk encryption control over the weekend and what I found puzzled me:

Although technically Apple provides a hardware full disk encryption solution, from a traditional security sense of the term, there is no full disk encryption available on the iPhone/Ipad currently! It sounds like a paradox? let me explain…

The closest analogy I can think of, would be if someone was selling you a house and claiming that the full house was protected with alarms in each room. The only problem, is that the alarm would only work when nobody was in the house… meaning the only protection your house effectively had was a simple front door key.

The following information can be found in the following article:
iPhone full disk encryption seems to have been implemented with one purpose in mind: fast/instantaneous remote wipe as it just erase the 256-bits encryption key.
Jonathan Zdiarski found that “the iPhone OS automatically decrypts data when a request for data is made, effectively making the encryption worthless for protecting data”
This is where the new iOs4.x “data protection” security feature comes into play, it allows for an app to derive a key from the user’s passcode/password and encrypt the app’s data. But so far it is only done by the built-in email app. APIs are available but each apps needs to use them if they want their data encrypted.
From the article referenced at the beginning of this post, I found the following two characteristics of that API the most interesting::
- Positive: There is a protection against brute force attack as an attacker can only guess about 20 passwords per second due to how keys are generated (which compares well to other software such as encrypted PGP files where 900 passwords can be guessed per second.)
- Negative: There is however a security weakness called the “Escrow Keybag, which is a collection of keys necessary to decrypt every file on the device without requiring the user’s password. This was done to allow computers to sync with the iPhone without asking the user for the password”. A company called ELCOMSOFT may be using this weakness in their iphone password recovery solution
The last point is of forensic significance. If both the iOS device and the computer used to sync it with are either seized or stolen then it is possible to find the plist/lockdown files on the computer and bypass the passcode used on the iOS device and dump all its data for analysis, unencrypted.
This is true for the latest iphones (3GS and 4G) with the latest firmware. For older model/versions there are other easier techniques to obtain the data.
Windows 7 is not better though:
Their might be some lights for Android based phone with the Motorola enterprise offering: http://www.networkworld.com/news/2010/100710-droid-pro-enterprise.html
The link below needs to be read with a warning as I don’t really agree with the author’s message that sounds as if all those phones are very secure and enterprise ready. They can be, but companies need to be aware of the limitations of the security controls that have been implemented. He still provides a good overview of each type of mobile phone capabilities (page 3) hence why I am providing the link:
Finally, those guys have a nice white paper on iphone forensics which was updated recently in November 2010:
VIAFORENSICS

Android vs iOS Security

A sensitive topic but below is my initial view on the security offered by those two platforms.

My view is that Android, being a more open platform, offers more capabilities (flash, access to the root system, extension slots, etc). However, because of this it offers a less secured experience out of the box.

Apple, by not allowing certain technologies such as flash (flash security issues are endless) and by limiting access to its root system also limits its security exposure compare to android devices.

A very important security feature is then offered by the app store screening process. Although not perfect by any means, it still gets rid of obvious bad or flawed apps and protects iOS users further.

None of the devices are bulletproof and both suffered some security issues:
iOS: Worm on jail broken iPhone  and phone lock bypass (fixed in iOS v4.2)
Android: Core libraries are open and apps can have deeper and more dangerous access to the device, self signed certificate thus no control over which apps get installed on the device, no full disk encryption, a higher number of worms

The iOS devices are more secured but less flexible than Android devices for normal users*.

Therefore recommending a platform will heavily depend on the usage and type of data a user may handle. There isn’t a clear winner for me.

* normal android users: Not someone who is going to recompile and patch the android kernel on a daily basis…

Note: Of course this is not a robust way to gather stats, but just google for android/iOS vulnerabilities and you can quickly get a feel for what I just said. Also, a great paper written in 2009 and giving a good overview of the Android Security model can be found HERE



Apple new Patent could mean Big Brother on your phone

The following article from Macworld describes a new patent from Apple to detect jail-broken iphone/ipad. It also gives an interesting security twist on that patent, where it is in theory possible to take hidden photos and voice recording of a potential thief, analyse the accelerometer data to define if the thief is walking, driving or even flying, get GPS location, etc.
http://www.macworld.com/article/153612/2010/08/apple_mobiledevice_patent.html

I also came across that app for the iphone, which does not go quite as far but highlight the fact people have already thought about this:
SpyTools for iphone