Last week, a lady from the sales department dropped in to see me for some help with her iPhone. She was worried because she had “suddenly” lost all of her contacts, music and emails. She had turned to a neighbor of hers, an “expert” who had told her she had “a Trojan on her iPhone”.

Whaow. A Trojan on an iPhone: that was definitely very interesting, as I know of none yet. I know a worm (Eeki) and a couple of spyware (Trapsms, MobileSpy) or other questionable software, but no real Trojan.

But, I’m sure you’ve guessed I am being slightly sarcastic and, of course, there was no Trojan at all on her iPhone (which is, altogether, good news anyway). Indeed, it turned out that she had had problems syncing with two different computers and had accidentally erased all her data. Now, I do sympathize because, personally, I have so many difficulties understanding how to use iTunes myself…

Reciprocally, I recall a while ago I scanned my dad’s USB key, although he told me it was certainly virus free because he was “very cautious”. That time, I was right to be suspicious, I had hardly started scanning it that the AV software started blinking in excitement, having found three different samples…

My point here is that end users obviously have difficulties identifying whether they are infected or not: the lady told me her iPhone was infected though it was not, and my dad told me he wasn’t although he was…

If you are in the same case, I would like to help you out with a very simple statement:

if you notice any damage (hard/ soft/) on your phone (or computer), it is unlikely to be infected

(but of course, there might be a hardware or a software failure – which is different).

On the other hand, if you start noticing problems on your bank account, then, be alarmed

(check with your kids or spouse first ;)).

Of course, this is not a 100% guarantee; a few mobile malware do actually cause malfunction, but it’s a general idea to keep in mind: nowadays, malware authors try to make money (or silently grab private data they re-use later), not to misconfigure your phone. Why would they? This would only cause you to notice it’s infected and possibly perform a hardware reset, thereby depriving the malware authors or cybercriminals from a source of revenue.

The graph below shows the number of mobile malware families per threat category. Note there hasn’t been any new annoyware (i.e malware whose main goal is to annoy/cause malfunction) created since 2008. New mobile malware try to make money, or target your privacy, much like desktop computer malware.

– the Crypto Girl

Unless you’re on a trek in the Himalayas, by now you’ve probably heard one way or another that the infamous “Jailbreakme” website is back to free iPhones (including iPhones 4 running iOS 4.0.1) and iPads : it’s just everywhere on the web, even with videos and tutorials.

However, fewer resources address the technical aspect of jailbreaking. You might have found out that the online jailbreaking tool is resorting to a drive-by-script exploiting a 0-day vulnerability. We’ll try and provide a few other technical findings below.

First, let’s connect to the site with a proper user-agent (i.e. iPhone’s Safari). It gives us a nice Javascript, whose interesting part is:

function get_page(){return model==null?null:("/_/"+model+"_"+firmware+".pdf"}

That is to say, the user is automatically redirected to a malicious pdf based on the model of the device and the firmware version.

As directory listing is enabled, we were able to list all the files in the corresponding repository:

The file “iPhone3,1_4.0.pdf”, for instance, features an encoded PDF Type1C font (Compressed Font Format) stream that looked suspicious enough for us to decode it (thanks to the excellent pdf-parser tool from Didier Stevens). In the now clear-text stream, we could identify at least one manifest (offset 0xbcd – see below) and an iOS executable (offset 0×1109, we will get back to it later on).

Note the large values for IOSurfaceBytesPerRow, IOSurfacePixelFormat, IOSurfaceHeight and IOSurfaceWidth in the manifest above.

The corresponding system API framework is basically not documented, but we can easily guess there is an allocation issue in an IOSurface object. As IOSurface objects run in kernel space, the process can bypass usual security restrictions.

It is highly likely this 0-day exploit can be used for other means than jailbreaking an iPhone/ iPod/ iPad. Consequently, Will Strafach wrote an iPhone application that detects suspicious PDFs and warns end-users when they are at risk.

As for the binary in the decoded PDF stream, essentially, it pilots the jailbreaking.
The executable starts by checking it can access /bin/bash or not via a BrowserController object (see figure below): if bash is accessible, it concludes the device is already jailbroken and recommends not to jailbreak it again. Otherwise, it considers the device is not jailbroken:

If the device is not jailbroken, the executable then downloads hxxp://jailbreakme.modmyi.com/wad.bin into a buffer of type NSMutableData, named wad (itself member of a class the author called “Dude”).
Before going any further, the executable checks that the downloaded version of the file wad.bin starts with the four bytes 0×42424242 (’BBBB’), then followed by its length.

The wad.bin file is exactly 3909273-byte long, i.e 0×3BA699. This length is stored in bytes 4, 5, 6 and 7:

$ hexdump -C wad.bin | head
00000000  42 42 42 42 99 a6 3b 00  15 b5 01 00 78 9c ec 7d  |BBBB..;.....x..}|
00000010  0d 9c 54 c5 95 ef bd dd  3d 43 33 34 70 81 46 87  |..T.....=C34p.F.|

This pattern may be used in the frame of counter-measures (eg: Snort signatures, etc…), to prevent jailbreaking from one’s network, for some reasons.
Additionally, it is worth noting a cookie keeps information regarding the jailbreaking attempts (date and time of access to jailbreakme.com, PDF file downloaded etc).

At this point, parts of the buffered wad.bin are dumped in inflated format on the device in /tmp/install.dylib. The dynamic library is then opened, and the do_install symbol is called. This is likely where the actual jailbreaking occurs.

Afterwards, the remaining XZ compressed data contained in wad.bin is then uncompressed, which can be reproduced manually (credits to Gecko_UK):

$ dd if=./wad.bin skip=111905 of=./wad.xz bs=1 count=3797368
$ 7zr x wad.xz
$ mv wad wad.tar
$ tar xvf wad.tar
...2009-04-27 16:34 Applications/
...2009-04-27 16:34 Applications/Cydia.app/
...2010-07-30 10:55 Applications/Cydia.app/commercial.png
...2010-08-01 20:52 Applications/Cydia.app/Modes/
...2009-08-09 11:55 Applications/Cydia.app/Modes/REMOVE.png
...2009-08-09 11:55 Applications/Cydia.app/Modes/INSTALL.png
...2010-08-01 20:52 Applications/Cydia.app/Modes/NEW_INSTALL.png -> INSTALL.png
...

And the jailbroken environment (Cydia applications, etc…) is installed on the device.

– the Crypto Girl (Axelle Apvrille) and the Vulnerability Guy (David Maciejak)

Unless you have been cut from the net this last week, you probably know
by now iPhones are facing their first set of malware (first ? well, actually, not quite as we have already detected spyware for iPhones):
it’s just all over the web. Those malware target jailbroken iPhones whose the default root password (’alpine’) hasn’t been changed.

Consequently, most people remind/advise iPhone owners to customize root’s password or not to jailbreak their iPhone. This is correct, but it is nonetheless worth adding that:

• all passwords should be customized: for instance, change the password of the mobile account too (i.e. the default user account).
• never use a default password whether it is ‘alpine’ or anything else. iPhones with old firmwares (older than 1.1) use default password ‘dottie’. True, they are not vulnerable to the worms we encountered, but the modification would be so basic…
• do not use simple passwords. This is true for PCs, it is true for iPhones too. It would be easy to modify the worms to brute force passwords. Incidentally, that’s how Sophos found iPhoneOS/Eeki.B changes the password to ‘ohshit’. By the way, thanks to Scott McIntyre (xs4all) for sharing his sample with us.

With this in mind, I reached over for our lab’s iPhone and placed myself in the situation of a typical iPhone owner trying to secure his device. I turned the iPhone on, disabled wifi, connected the iPhone to a lab’s PC via USB and set up a SSH tunnel (I like iUSB Tunnel, because it’s simple).

At this stage, either the iPhone hasn’t been compromised and login succeeds with default password (alpine): please jump to “Changing passwords” below, or it has been compromised and root’s password consequently changed: then, logging in with the default password will fail.

In that case, I would probably recommend you completely re-install the iPhone, because one never knows what the intruder did to the phone. Remember he/she had root access to the device, he/she could do anything.

For now, let’s suppose you decide just to change the passwords, inspect the iPhone and re-install later.

To customize a password, the current one is required. If you know the password (’alpine’ by default, ‘ohshit’ if compromised), then no problem, change the password (jump to ‘changing passwords’). If you don’t know what the old password is, the easiest solution consists in editing /etc/master.passwd with a text editor that runs as root. For instance, install iFile (eu.heinelt.ifile), browse to the /etc directory and open master.passwd for edition.

Temporarily reset root’s password to ‘alpine’ (default):

root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh

Sidenote. I find it quite dangerous such text editors run with root privileges!

Then, login as root using password alpine and change it. See below.

Changing passwords

As a side note, I realized that picking up a nice (and secure) password was quite difficult on mobile phones, because even if the iPhone’s virtual keyboard is handy, you usually don’t feel like entering a long and complicated password (e.g. special characters are not immediately accessible on the virtual keyboard). iPhone developers, we’d certainly love to have a thumbprint authentication application, or an application where the password is a few secret gestures on the touchscreen, perhaps like a handwritten signature (but a secret one). Those gestures could translate into a long and complicated key we would not generally need to enter.

Once I changed passwords, it occurred to me that, anyway, any login attempts should be logged. I searched /var/log and /var/logs but couldn’t find any log concerning SSH. So, I opened the SSH daemon configuration file (/etc/ssh/sshd_config) and uncommented those lines:

#SyslogFacility AUTH
#LogLevel INFO

Restarted the SSH daemon, and re-logged in: still no logs ! Yes, actually, the iPhone ships with no syslog daemon ! So, I downloaded and installed a syslog daemon (com.) and configured /etc/syslog.conf:

*.*;auth.info /var/log/syslog

After restarting syslog and ssh, this time I finally get my logs in /var/log/syslog:

Nov 24 14:29:15 iPhone-de-axelle sshd[6270]: Failed password for mobile from 127.0.0.1 port 56304 ssh2
Nov 24 14:29:18 iPhone-de-axelle sshd[6270]: Accepted password for mobile from 127.0.0.1 port 56304 ssh2

Actually, logs are rather useful before one gets compromised, to see the failed login attempts, because once an intruder has successfully logged in as root, he/she can stop the syslog daemon or erase /var/log/syslog…

Finally, I ought to point out allowing root login via SSH is usually considered as insecure. Disable it in /etc/ssh/sshd_config (check out other security options) :

PermitRootLogin no

– The Crypto Girl (with her iPhone)

There are days where I wonder if people really care about privacy (except for these people). Most people don’t see any problem in telling the entire world what they’re doing (Twitter), who they know or see (Facebook) or where they are: the kind of stuff teenagers hate to tell their parents.

Mobile phones are just the perfect platform for spying because they are portable (iPhones are such beauties one hates to leave them behind!) and seen as private devices (would you share your nice iPhone, huh?). Depending on functionalities, mobile spyware record and forward incoming and outgoing SMS, MMS, voice calls, geographic location etc.

Recently, I finally laid my hands on an iPhone spyware sample. Actually, it has probably been out for a while, but I was surprised to discover nobody seemed to detect it yet. The spyware installs on any jailbroken iPhone. In Cydia (an iPhone front-end to help installing third-party applications), you first add the URL of the spyware’s repository and then install the two spyware packages:

SmsTrapUI: a user interface package to assist the spy into installing the spyware. Once the spyware is configured, the spy can erase this package:

Std: the spyware daemon. It installs in /usr/sbin and does not display any new icon on the iPhone’s springboard. This daemon collects information on SMS (phone number, text, timestamp and incoming/outgoing indicator) and sends it to a SQL database of the spyware’s website.

Okay, so the spyware installs and works. As an antivirus analyst, my next task then consisted in getting original samples onto my work host (the host where I work out detections for malware). I could have connected onto the iPhone via SSH iPhone Tunnel Suite, but then I would have had to parse all directories the packages had installed files into, and retrieve them. I settled for a simpler solution: Cydia uses Debian-style repositories, so I directly downloaded the samples from there. Debian-style repositories typically include two files:

Release and Packages (or Packages.bz2). So, I first downloaded Release:
$ wget http://xxxxx/x/Release
$ cat Release
Origin: ST
Label: ST
Suite: stable
Version: 1.0
Codename: st
Architectures: iphoneos-arm
Components: main
Description: ST Main repository
248bf63c4e179ef82d4fe4ba86a42c03 547 main/binary-iphoneos-arm/Packages
3b6d6f28d5346f9d911a067fccb64f5f 335 main/binary-iphoneos-arm/Packages.bz2

The Release file mentions both Packages and Packages.bz2 exist, so I then downloaded Packages:
$ wget http://xxxxx/x/Packages
$ cat Packages
MD5Sum: 762bf733c5a9b03b787c23ffc64d63a7
Maintainer: ST Team
Description: ST Daemon.
Package: com.st.std
Section: Utilities
Author: ST Team
Filename: ./std-1.1-1_iphoneos-arm.deb
Version: 1.1-1
Architecture: iphoneos-arm
Size: 11634
Name: STD

MD5Sum: bed10acddc436a5dfdb77a35dc6e74ad
Maintainer: ST Team
Description: SmsTrap User Interface
Package: com.st.SmsTrapUI
Section: Utilities
Author: ST Team
Filename: ./SmsTrapUI-1.1-1_iphoneos-arm.deb
Depends: com.st.std, quickload
Version: 1.1-1
Architecture: iphoneos-arm
Size: 26184
Name: SmsTrap

The Packages file provides the name of the 2 packages:
$ wget http://xxxxx/x/SmsTrapUI-1.1-1_iphoneos-arm.deb
$ wget http://xxxxx/x/std-1.1-1_iphoneos-arm.deb

I can now unpack the .deb packages, and detect the relevant parts of the spyware.

Last week, I had hardly reached my desk when a colleague rushed by my side and told me, all excited, Apple had announced the release of a new iPhone 3GS. They also unveiled interesting new functionality in MobileMe, which started out a long chat in our lab.

To summarize our discussion, tomorrow, MobileMe is releasing three novelties:

• locating your iPhone, for example, when it is lost
• displaying a message or a sound onto your iPhone
• remotely wiping your iPhone so a thief won’t find read any sensitive data

All of these are quite appealling at first, but they raise a few questions:

Security: which security measures are taken to make sure one cannot remotely wipe or send messages/sounds to another iPhone? I hope this is secure, otherwise attackers are going to have a lot of fun…

Price: all of these features require sending commands to the iPhone. How is the mobile device receiving commands? Are they sent over the 3G network? Is the phone receiving an SMS? And who’s paying for this? Is it included in your MobileMe subscription?

Eficiency: those features are probably helpful if you lose your iPhone, but I doubt they will help when your iPhone is stolen. From MobileMe’s screenshot, it looks like locating an iPhone only works if you have previously installed MobileMe and enabled the “Find my iPhone” option. The thief can probably disable this option, uninstall MobileMe or even reset your iPhone if he/she intends to keep it…

Privacy: I am uncertain of how legal tracking your iPhone is. In France, geolocalization is regulated by law and the CNIL has hard work enforcing it. To my understanding, the CNIL finds locating a stolen device acceptable as long as the feature cannot be turned into a spying / tracking device. And indeed, this is difficult to guarantee: you never know when your iPhone is going to be stolen, do you? So, you have to enable the localization all the time, and consequently, your iPhone (thus you?) can be tracked all the time too… unless Apple has thought of some special trick so your iPhone will only release localization data to you, its rightful owner.

We’re going to be busy after tomorrow…