iOS security issues in the business world
6 security issues that you should know before advising your client
Hacknet 2011
ADVISORY
Marc Smeets, ICT Security & Control
IT Advisory, The Netherlands
May 6, 2011
© 2011 KPMG The Netherlands, the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.
Why this talk?
- iPhones and iPads are everywhere
- “No, we do not support iPads” is not an answer
- Isn’t this covered already?
- iOS4 is thought to be secure -> several issues
  - Understand the risks => help your clients
Agenda
- Background
- 6 topics of concern
- Now what?
Background
- iOS = the OS for iPhone, iPad, iPod Touch and AppleTV
- iOS version statistics (*combined sources incl. developers):
  - iOS4 released April 2010, 95%+ of iOS devices run iOS4
  - Current release 4.3.2, 3 weeks ago
  - About half of people migrate to a new version within a week
  - About 40% will lag for months and months
- Of the Fortune 100:
  - 80% testing/considering iPhone
  - 50% testing/considering iPad
Stock iOS only talk!
Background (cont.)
- iOS4 introduced:
  - Better ActiveSync & Exchange support
  - Multitasking
  - Remote wipe functionality
  - Configuration profiles
  - Data Protection
  - Jailbreak detection
- Stock iOS4 is safe enough, says Apple
Security issues explained
- Some you may know, some have hit the news
  1. iOS has a secure core
  2. It’s all encrypted
  3. Apple knows your location
  4. ActiveSync makes it all secure
  5. It stops at the iOS device
  6. Apple is your one-stop vendor
Issue #1: iOS hasn’t a secure core
Jailbreaking Vulnerabilities
Issue #1: iOS hasn’t a secure core
- Jailbreaking = removing the ‘jail’ Apple has put in
  - File access to device on / as user root
  - Running custom code on device
  - Interacting with device in ‘INIT level 1’
  - dd user partition (for forensics)
- Different types:
  - Bootrom: tethered and untethered
  - Userland types: PDF exploit used by jailbreakme.com, MobileBackup directory overflow, Packet filter, etc.
Issue #1: iOS hasn’t a secure core
- Jailbreaking is allowed by DMCA since 2010
- Around 15% - 40%(!) of users jailbreak
- No real harm
  - Un-jailbreak with a restore from iTunes
  - Bricking highly unlikely
Issue #1: iOS hasn’t a secure core
- iOS is based on Mac OS X
  - Modified to some extent
  - Contains CoreGraphics, libxml, Safari/WebKit, etc.
- Overview of CVEs
  - NVD has “iphone_os” ->
  - 131 with “iphone”
- 57 CVEs listed on Apple’s website right now
Issue #2: It isn’t all super-duper encrypted
Encryption
Issue #2: It isn’t all super-duper encrypted
- Encryption? What level?
  1. Disk encryption
  2. Keychain encryption
  3. Data Protection
1. Disk encryption
  - Technically hard disk encryption
  - It decrypts itself
  - Main reason = fast wiping via crypto-shredding
Issue #2: It isn’t all super-duper encrypted
2. Keychain = db on device that stores the secrets (all secrets!)
  - Input = device key, or input = device key + passcode
- Apple’s API is a pain to use!! -> SFHFKeychainUtils
- Device key can be used only on the device itself

Secret type | Encryption type
Default keychain API, SMTP, GoogleMail, iOS Backup pw, Safari | Passcode + device key
Exchange, Voicemail, VPN*, WiFi (incl WPA+LEAP), MobileMe | Device key
Issue #2: It isn’t all super-duper encrypted
3. Data Protection = application-level encryption; API provided by Apple
  - Input = passcode + device key
- In order to use Data Protection:
  - iPhone 3GS or later model
  - Up to the developer
  - Passcode needs to be set
- Two issues
  - It’s not always effective
  - Escrow Keybag in Keychain can decrypt all files on iPhone -> to sync the iPhone without asking the user for the passcode
Issue #3: Apple knows your ‘twenty’
Location tracking
Issue #3: Apple knows your ‘twenty’
- Why does my iPhone keep track where I’ve been?
  - Apps want to know where you are roughly
    - GPS can take too long
  - Apple maintains db with Wi-Fi and cell towers
  - DB info is crowd-sourced (sent anonymously to Apple)
  - Subset of the DB is on the iOS device
The DB does not contain solely locations of this device!
Future use and services…
Issue #3: Apple knows your ‘twenty’
- Bugs according to Apple:
  - “Location Service = off” does not stop the recording
  - Recording does not stop after X days
  - DB is backed up by iTunes
- This will be updated in the next major iOS release
- Android and WinMo7 also track your GPS data
Issue #4: ActiveSync doesn’t make it all secure
ActiveSync
Issue #4: ActiveSync doesn’t make it all secure
- ActiveSync is used for policy checking and transport security
- ActiveSync = XML messages over HTTP(S)
- Fact: end users always prefer dancing pigs over security
DEMO BACKUP
Issue #5: it doesn’t stop at the iOS-device
App Store iTunes
Issue #5: it doesn’t stop at the iOS-device
- A gazillion apps in App Store
- Cloud apps:
  - Evernote, Dropbox, etc.
  - How do they store their credentials (on iOS device and Cloud)?
- Do business users know the difference in security zones?
App purchase can be disallowed with policy setting
Issue #5: it doesn’t stop at the iOS-device
- iTunes needed for software updates
- Support on corporate laptop?
  - iTunes + QuickTime
Issue #5: it doesn’t stop at the iOS-device
- iTunes encryption
  - The iPhone decrypts everything before sending to iTunes
  - 10000 rounds of PBKDF2
  - Passphrase based
  - Not possible to enforce encryption, nor length of passphrase
Issue #5: it doesn’t stop at the iOS-device
- Bypassing iTunes encryption
  - If you own the system:
    - ElcomSoft with 40000 c/s (GPU power)
  - If you own the iPhone:
    - Zdziarski method
      - no cracking required
      - Overwrite KeyChain item on iPhone that stores the encryption passphrase
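Added example (not from the original slides): since the backup passphrase length cannot be enforced by policy, this Python sketch turns the two figures on the slides, 10000 PBKDF2 rounds and 40000 c/s, into the minimum passphrase length a procedure should ask users for. It assumes "c/s" means candidate passphrases per second, that passphrases are chosen at random, and that the key derivation uses HMAC-SHA1 with a 32-byte output; the character classes are constructed for illustration.

```python
import hashlib

PBKDF2_ROUNDS = 10_000       # iteration count stated on the slide
GUESSES_PER_SEC = 40_000     # ElcomSoft GPU rate stated on the slide
YEAR = 365 * 24 * 3600       # target lifetime in seconds

# Constructed character classes a passphrase procedure might require.
ALPHABETS = {"digits": 10, "lowercase": 26, "mixed-case+digits": 62, "printable": 94}

def derive_backup_key(passphrase, salt, rounds=PBKDF2_ROUNDS):
    """Stretch a passphrase into a key. HMAC-SHA1 and the 32-byte length are
    assumptions; the slide only says '10000 rounds of PBKDF2'."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, rounds, dklen=32)

def effective_rate(rounds, base_rate=GUESSES_PER_SEC, base_rounds=PBKDF2_ROUNDS):
    """Guess rate if only the iteration count changed (cost is linear in rounds)."""
    return base_rate * base_rounds / rounds

def seconds_to_exhaust(alphabet, length, rate=GUESSES_PER_SEC):
    """Worst case: time to try every random passphrase of exactly this length."""
    return alphabet ** length / rate

def min_length(alphabet, target_seconds, rate=GUESSES_PER_SEC):
    """Shortest length whose full keyspace takes at least target_seconds."""
    length = 1
    while alphabet ** length < target_seconds * rate:
        length += 1
    return length

def policy_table(target_seconds=YEAR, rate=GUESSES_PER_SEC):
    """Minimum random-passphrase length per character class."""
    return {name: min_length(size, target_seconds, rate)
            for name, size in ALPHABETS.items()}

if __name__ == "__main__":
    key = derive_backup_key("constructed passphrase", b"constructed-salt")
    print("derived key:", key.hex())
    print("4-digit passphrase exhausted in", seconds_to_exhaust(10, 4), "s")
    for name, length in policy_table().items():
        print(f"{name:18s} needs >= {length} random characters to last a year")
    print("rate at 100000 rounds:", effective_rate(100_000), "guesses/s")
```

Raising the round count tenfold only divides the guess rate by ten, while each extra random character multiplies the work by the alphabet size, which is why the passphrase length is the control worth writing into the user procedure.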
Issue #6: Apple isn’t your one-stop vendor
- Apple cares about consumers first
- Whitepapers are more commercial papers
- Apple is transparent about allowing third party vendors to move in
Issue #6: Apple isn’t your one-stop vendor
Now what?
- It’s not safe from the core
- Encryption is not effective
- Apple does some collection of location data
- ActiveSync is not all secure
- I also need to support iTunes and Apps
- Apple isn’t the only vendor
Now what?
VS.
Now what?
- People want to use this
- Use the safeguards iOS has
  - Passcode, encryption, ActiveSync settings, etc.
- Procedures & educate your users
  - Thou shalt use iTunes encryption
  - Never – never – lose your iDevice
  - Immediate remote wipe & accept that it will also remove personal data
  - Change passwords immediately after loss
  - Usage of Apps
Now what?
- Look at third party Device Mngt tools & update!
- Two approaches:
  1. Build secure container on top
  2. Extend checking capabilities
- For your most important exec/docs?
  - Take away his candy?
  - Use email encryption
  - Know how to respond to leakage
Now what?
- Look at third party Device Mngt tools & update!
- Two approaches:
  1. Build secure container on top
  2. Extend checking capabilities
- For your most important exec/docs?
  - Take away his candy
  - Use email encryption
  - Know how to respond to leakage
Now what?
- Just make sure your client isn’t acting like this:
Now what?
- Or this:
Questions?
Thank you for listening!
Marc Smeets
KPMG IT Advisory, ICT Security & Control
The Netherlands
+31 651 366 680 [email protected]