iOS in the business world - 6 topics you should know about

iOS security issues in the business world
6 security issues that you should know before advising your client
Hacknet 2011

ADVISORY

Marc Smeets
ICT Security & Control
IT Advisory, The Netherlands
May 6, 2011

Upload: smeetsm1

Post on 25-Jul-2015


© 2011 KPMG The Netherlands, the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.

Why this talk?

• iPhones and iPads are everywhere
• “No, we do not support iPads” is not an answer
• Isn’t this covered already?
• iOS4 is thought to be secure -> several issues
  - Understand the risks => help your clients


Agenda

• Background
• 6 topics of concern
• Now what?


Background

• iOS = the OS for iPhone, iPad, iPod Touch and AppleTV
• iOS version statistics (*combined sources incl developers):
  - iOS4 released April 2010, 95%+ of iOS devices run iOS4
  - Current release 4.3.2, 3 weeks ago
  - About half of people migrate to a new version within a week
  - About 40% will lag for months and months
• Of Fortune 100:
  - 80% testing/considering iPhone
  - 50% testing/considering iPad

Stock iOS only talk!


Background (cont.)

• iOS4 introduced:
  - Better ActiveSync & Exchange support
  - Multi tasking
  - Remote wipe functionality
  - Configuration profiles
  - Data Protection
  - Jailbreak detection
• Stock iOS4 is safe enough says Apple


Security issues explained

• Some you may know, some have hit the news

1. iOS has a secure core
2. It’s all encrypted
3. Apple knows your location
4. ActiveSync makes it all secure
5. It stops at the iOS device
6. Apple is your one-stop vendor


Issue #1: iOS hasn’t a secure core

Jailbreaking Vulnerabilities


Issue #1: iOS hasn’t a secure core

• Jailbreaking = removing the ‘jail’ Apple has put in
  - File access to device on / as user root
  - Running custom code on device
  - Interacting with device in ‘INIT level 1’
  - dd user partition (for forensics)
• Different types:
  - Bootrom: Tethered and untethered
  - Userland types

PDF exploit used by jailbreakme.com, MobileBackup directory overflow, Packet filter, etc.


Issue #1: iOS hasn’t a secure core

• Jailbreaking is allowed by DMCA since 2010
• Around 15% - 40%(!) of users jailbreak
• No real harm
  - Un-jailbreak with a restore from iTunes
  - Bricking highly unlikely


Issue #1: iOS hasn’t a secure core

• iOS is based on Mac OS X
  - Modified to some extent
  - Contains CoreGraphics, libxml, Safari/WebKit, etc.
• Overview of CVE
  - NVD has “iphone_os” ->
  - 131 with “iphone”
• 57 CVEs listed on Apple’s website right now


Issue #2: It isn’t all super-duper encrypted

Encryption


Issue #2: It isn’t all super-duper encrypted

• Encryption? What level?
  1. Disk encryption
  2. Keychain encryption
  3. Data Protection

1. Disk encryption
  - Technically hard disk encryption
  - It decrypts itself
  - Main reason = fast wiping via crypto-shredding


Issue #2: It isn’t all super-duper encrypted

2. Keychain = db on device that stores the secrets (all secrets!)
  - Input = device key || input = device key + passcode

• Apple’s API is a pain to use!! -> SFHFKeychainUtils
• Device key can be used only on the device itself

Secret type                                                    | Encryption type
---------------------------------------------------------------+----------------------
Default keychain API, SMTP, GoogleMail, iOS Backup pw, Safari  | Passcode + device key
Exchange, Voicemail, VPN*, WiFi (incl WPA+LEAP), MobileMe      | Device key


Issue #2: It isn’t all super-duper encrypted

3. Data Protection: application level encryption. API provided by Apple
  - Input = passcode + device key

• In order to use Data Protection:
  - iPhone 3Gs or later model
  - Up to the developer
  - Passcode needs to be set
• Two issues
  - It’s not always effective
  - Escrow Keybag in Keychain can decrypt all files on iPhone -> to sync the iPhone without asking the user the Passcode


Issue #3: Apple knows your ‘twenty’

Location tracking


Issue #3: Apple knows your ‘twenty’

• Why does my iPhone keep track where I’ve been?
  - Apps want to know where you are roughly
    • GPS can take too long
  - Apple maintains db with Wi-Fi and cell towers
  - DB info is crowd-sourced (sent anonymously to Apple)
  - Subset of the DB is on the iOS device

The DB does not contain solely locations of this device!
Future use and services….


Issue #3: Apple knows your ‘twenty’

• Bugs according to Apple:
  - “Location Service = off” does not stop the recording
  - Recording does not stop after X days
  - DB is backed up by iTunes
• This is updated in the next major iOS release
• Android and WinMo7 also track your GPS data


Issue #4: ActiveSync doesn’t make it all secure

ActiveSync


Issue #4: ActiveSync doesn’t make it all secure

• ActiveSync is used for policy checking and transport security
• ActiveSync = XML messages over HTTP(S)
• Fact: end users always prefer dancing pigs over security


DEMO BACKUP


Issue #5: it doesn’t stop at the iOS-device

App Store iTunes


Issue #5: it doesn’t stop at the iOS-device

• A gazillion apps in App Store
• Cloud apps:
  - Evernote, Dropbox, etc.
  - How do they store their credentials (on iOS device and Cloud)?
• Do business users know the difference in security zones?

App purchase can be disallowed with policy setting


Issue #5: it doesn’t stop at the iOS-device

• iTunes needed for software updates
• Support on corporate laptop?
• iTunes + QuickTime


Issue #5: it doesn’t stop at the iOS-device

• iTunes encryption
  - The iPhone decrypts everything before sending to iTunes
  - 10000 rounds of PBKDF2
  - Passphrase based
  - Not possible to enforce encryption, nor length of passphrase


Issue #5: it doesn’t stop at the iOS-device

• Bypassing iTunes encryption
  - If you own the system
    • ElcomSoft with 40000 c/s (GPU power)
  - If you own the iPhone:
    • Zdziarski method
      - no cracking required
      - Overwrite KeyChain item on iPhone that stores the encryption passphrase
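Because the passphrase length cannot be enforced technically, a written procedure has to state one. The sketch below is an added example, not part of the original slides: it takes the two figures from the slides (10000 PBKDF2 rounds, 40000 candidates per second) and works out the minimum passphrase length a policy needs to hold for a chosen number of years. HMAC-SHA1, the 32-byte key, the salt, the policy names and the ten-year target are assumptions.

```python
import hashlib
import time

ROUNDS = 10_000            # PBKDF2 rounds, from the slide
GUESS_RATE = 40_000        # candidates per second, from the slide (GPU-assisted)
SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumed policy names and alphabet sizes, for illustration only.
POLICIES = {"digits only": 10, "lowercase": 26, "mixed case + digits": 62}


def derive_key(passphrase, salt, rounds=ROUNDS):
    """Passphrase-based key derivation of the kind the slide describes.
    Assumption: HMAC-SHA1 and a 32-byte key; the slide gives only the rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, rounds, dklen=32)


def exhaust_seconds(alphabet, length, rate=GUESS_RATE):
    """Worst-case seconds to try every passphrase of exactly `length` symbols."""
    return alphabet ** length / rate


def min_length(alphabet, years, rate=GUESS_RATE):
    """Shortest length whose whole keyspace lasts at least `years` at `rate`."""
    needed = years * SECONDS_PER_YEAR * rate
    length = 1
    while alphabet ** length < needed:
        length += 1
    return length


def local_rate(samples=5):
    """Derivations per second on this machine (one CPU core), for comparison."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key("constructed-sample-%d" % i, b"constructed-salt")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    print("one CPU core here: %.0f guesses/s vs. %d quoted" % (local_rate(), GUESS_RATE))
    print("4-digit PIN as passphrase: %.2f s" % exhaust_seconds(10, 4))
    for name, size in POLICIES.items():
        n = min_length(size, years=10)
        years = exhaust_seconds(size, n) / SECONDS_PER_YEAR
        print("%-20s needs >= %2d characters (%.0f years worst case)" % (name, n, years))
```

The figures are worst case: on average half the keyspace is searched, and hardware faster than the quoted rate shortens them further.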


Issue #6: Apple isn’t your one-stop vendor


Issue #6: Apple isn’t your one-stop vendor

• Apple cares about consumers firstly
• Whitepapers are more commercial papers
• Apple is transparent about allowing third party vendors to move in


Issue #6: Apple isn’t your one-stop vendor


Now what?

• It’s not safe from the core
• Encryption is not effective
• Apple does some collection of location data
• ActiveSync is not all secure
• I also need to support iTunes and Apps
• Apple isn’t the only vendor


Now what?

VS.


Now what?

• People want to use this
• Use the safeguards iOS has
  - Passcode, encryption, ActiveSync settings, etc.
• Procedures & educate your users
  - Thou shall use iTunes encryption
  - Never – never – lose your iDevice
  - immediate remote wipe & accept that it will also remove personal data
  - change passwords immediately after loss
  - Usage of Apps


Now what?

• Look at third party Device Mngt tools & update!
• Two approaches:
  1. Build secure container on top
  2. Extend checking capabilities
• For your most important exec/docs?
  - Take away his candy?
  - Use email encryption
  - Know how to respond to leakage


Now what?

• Look at third party Device Mngt tools & update!
• Two approaches:
  1. Build secure container on top
  2. Extend checking capabilities
• For your most important exec/docs?
  - Take away his candy
  - Use email encryption
  - Know how to respond to leakage


Now what?

• Just make sure your client isn’t acting like this:


Now what?

• Or this:


Questions?


Thank you for listening! Marc Smeets KPMG IT Advisory

ICT Security & Control

The Netherlands

+31 651 366 680 [email protected]