Hacking iOS Game Center and Passbook with Proxies Louisville Metro Infosec Conference: October 3, 2013

Page 1: Hacking iOS Gamecenter and Passbook

Hacking iOS Game Center and Passbook with Proxies

Louisville Metro Infosec Conference: October 3, 2013

Page 2: Hacking iOS Gamecenter and Passbook

Who am I?

• Karl Fosaaen

‒ Senior Security Consultant at NetSPI

‒ Twitter: @kfosaaen

Page 3: Hacking iOS Gamecenter and Passbook

Presentation Overview

• Intercepting iOS Traffic

• Why and How

• Tools

• Certificates

• Identifying Pinning

• Attack Examples

• GameCenter Scores

• GameCenter Hashes

• Passbook files

• Conclusions

Page 4: Hacking iOS Gamecenter and Passbook

Intercepting traffic: Why

• iOS traffic can be interesting

‒ Most apps use web service calls

‒ Most apps are web browsers

• Traffic tampering

‒ Can you name your own price?

‒ Submit a higher score?

• Server responses can be interesting

‒ Modify what the server says to trick your app

‒ Intercepting files (i.e. Passbook passes)

Page 5: Hacking iOS Gamecenter and Passbook

Intercepting traffic: How

• Use an intercepting proxy

‒ Set it up to capture your traffic

‒ Store and forward allows for tampering

• SSL Interception

‒ Requires a trusted certificate

‒ Some apps don’t trust the iOS certificate store

• This is a good thing, just a pain for interception

• Traffic sniffing

‒ Some apps send requests in the clear

‒ Packet sniffing can be useful

Page 6: Hacking iOS Gamecenter and Passbook

Intercepting traffic: Tools

• Burp

• iOS simulator

• Other Proxies

Page 7: Hacking iOS Gamecenter and Passbook

Intercepting Traffic: Certs

• Exporting the Burp Root CA

Page 8: Hacking iOS Gamecenter and Passbook

Intercepting Traffic: Certs

• Exporting the Burp Root CA

Page 9: Hacking iOS Gamecenter and Passbook

Intercepting Traffic: Certs

• Exporting the Burp Root CA

• Save the root cert as PortSwiggerCA.crt

• Send the cert to yourself via email and add it to your iOS device

• Instructions from Portswigger: http://portswigger.net/burp/help/proxy_options_installingCAcert.html#iphone

Page 10: Hacking iOS Gamecenter and Passbook

Intercepting Traffic: Certs

• Exporting the Burp Root CA

• Certificate installed on iPhone

Page 11: Hacking iOS Gamecenter and Passbook

Intercepting Traffic: Burp

• Burp Set Up

Page 12: Hacking iOS Gamecenter and Passbook

Intercepting Traffic: Burp

• iOS Proxy Set Up

Page 13: Hacking iOS Gamecenter and Passbook

Intercepting Traffic: Burp

• Intercepted iOS traffic

• HTTPS request to Google from iPhone

Page 14: Hacking iOS Gamecenter and Passbook

Intercepting Traffic: Burp

• A quick warning…

‒ Watch your credentials

• Exchange ActiveSync sends encoded passwords

• Your login creds for other apps and sites will get stored in your proxy

‒ Mostly watch the data getting stored in your proxy

• You never know when you will need to send your Burp session to someone else

Page 15: Hacking iOS Gamecenter and Passbook

Intercepting Traffic: Certs

• Identifying pinned apps

‒ Able to intercept normal browser SSL traffic

‒ Can’t get app-specific data

‒ Pinning might be in use

• The app may also be looking for specific cert parameters

‒ This is not pinning, it’s cert checking

Page 16: Hacking iOS Gamecenter and Passbook

Attack Examples

• GameCenter High Scores

• GameCenter Email Hashes

• Passbook files

‒ Boarding Passes

‒ Coupons

‒ Gift Cards

Page 17: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

• Attacking High Scores

‒ GameCenter scores update with HTTPS POST requests

‒ No input validation on the “score-value” parameter

• Max score of 9,223,372,036,844,775,807

Page 18: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

Page 19: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

• Attack Process

‒ Set up intercepting proxy

‒ Play a game

• Beat the first level, or trigger a score update

‒ Intercept the score update

• Look for the “submitScores” page

‒ Replace the score value with 9,223,372,036,844,775,807

Page 20: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

Page 21: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

Page 22: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

‒ Bad News

• This was fixed in iOS 7

• There’s a token now

Page 23: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

Capturing GameCenter Email Hashes

Page 24: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

• Capturing Email Hashes

• SHA1 email hashes can be leaked by requesting player information

• This can be done for current friends and accounts of “friends of friends”

• What can we do with these?

• Why would anyone want those?

Page 25: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

• Capturing Email Hashes

• Step One: Add a bunch of friends

• Current recommendations, leaderboards, friends of your friends

Page 26: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

• Capturing Email Hashes

• Step Two: Get a list of all of their friends

• So “friends of friends”

• Use Burp for this

Page 27: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

• Capturing Email Hashes

• Results!

Page 28: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

• Capturing Email Hashes

• Step Three: Friend request all of them

Page 29: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

• Capturing Email Hashes

• RETURN to Step One multiple times

• Step Four: Query the email hashes for all of your friends and all of their friends too

• This will be done with intruder in Burp

• Much like step three: send the request on the next slide to Intruder

Page 30: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

Page 31: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

• Next Steps

‒ So you have some hashes, so what…

• You have their handle, first and last names too

‒ What’s your email address?

• Common email user names

• First.last

• FirstinitialLast

• Handle/username

• NameBirthYear (or other “significant” number)

‒ Who’s your email provider?

• Gmail, yahoo, hotmail, AOL

Page 32: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

• Cracking Email Hashes

‒ PowerShell Script to Guess Email user names

‒ Append the top 500 email domains to the end and SHA1 the whole thing

Page 33: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

• Cracking Email Hashes

‒ PowerShell Script to SHA1 hash the guessed emails

• This was basic, but worked well

‒ Use the email guesses as a dictionary for Hashcat

• The rule set can be customized to make cracking easier
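The guess-and-hash approach of slides 31 to 33 as an added Python example; this is not the talk's PowerShell script. It builds local-part candidates from the handle and name patterns listed above, appends a short constructed stand-in for the top-500 domain list, and compares unsalted SHA1s against a constructed record. The handle, names, email and domain list are all invented for the example.

```python
import hashlib

# Short constructed stand-in for the "top 500 email domains" list on slide 32.
DOMAINS = ["gmail.com", "yahoo.com", "hotmail.com", "aol.com"]

def sha1_hex(text):
    """Unsalted SHA1 of a string, upper-case hex as in the captured records."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

def local_part_candidates(handle, first, last, years=range(1950, 2010)):
    """Yield user-name guesses following the patterns listed on slide 31."""
    first, last, handle = first.lower(), last.lower(), handle.lower()
    bases = [
        f"{first}.{last}",    # First.last
        f"{first[0]}{last}",  # FirstinitialLast
        handle,               # Handle/username
        f"{first}{last}",     # FirstLast with no separator
    ]
    yield from bases
    for base in bases:        # NameBirthYear (or other "significant" number)
        for year in years:
            yield f"{base}{year}"

def recover_email(target_hash, handle, first, last, domains=DOMAINS):
    """Return the address whose SHA1 equals target_hash, or None if no guess matches.

    This only works because the hash is plain SHA1 of a guessable string:
    a per-account salt or a keyed hash would leave these guesses useless."""
    target = target_hash.upper()
    for local in local_part_candidates(handle, first, last):
        for domain in domains:
            candidate = f"{local}@{domain}"
            if sha1_hex(candidate) == target:
                return candidate
    return None

def make_record(handle, first, last, email):
    """Constructed record in the shape of slide 34: hash, handle, first name, last name."""
    return {"hash": sha1_hex(email), "handle": handle, "first": first, "last": last}

if __name__ == "__main__":
    # Invented account; the email address is made up for this demo.
    rec = make_record("patx42", "Pat", "Example", "pexample1984@hotmail.com")
    print(rec["hash"], rec["handle"], rec["first"], rec["last"])
    print("recovered:", recover_email(rec["hash"], rec["handle"], rec["first"], rec["last"]))
```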

Page 34: Hacking iOS Gamecenter and Passbook

Attack Examples: GameCenter

• Final Numbers:

‒ 222 friends added* (as of 9/9/13)

• *Record collection stopped after 45 friends

‒ 1,635 records gathered

• 1,534 after Unicode removal

‒ 300 email hashes cracked (19.5%)

Records Example:

591542B50A99EAA8E41136305075F9FF708F1992 bubblefishgumpop Deb Morgan

Page 35: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

Passbook

Page 36: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

• Multiple Apps are now available with Passbook

• Mostly used to store loyalty cards, coupons, and boarding passes

‒ Gift cards are now getting adopted

• Can actually be pretty convenient to use

Page 37: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

• Common Application Issues:

• Failure to securely deliver .pkpass files

• No HTTPS or certificate pinning

• Failure to validate pass information on backend systems

• Do you really have $1,000 on that gift card?

Page 38: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

• Passes are sent as .pkpass files

‒ .pkpass is just a renamed .zip file

‒ Required contents:

• manifest.json

• pass.json

• Signature

‒ A signature file for integrity

• Prevents file replacement and a re-zip
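An added Python example of the .pkpass layout just described; it is not from the talk or from Apple's signpass tool. It builds a constructed, unsigned pass whose manifest.json lists the SHA1 of every file, then shows that editing pass.json and re-zipping without touching the manifest is detectable. The pass fields, identifiers and icon bytes are placeholders, and the signature file is a stand-in rather than a real PKCS#7 signature.

```python
import hashlib
import io
import json
import zipfile

def build_pkpass(pass_json, extra_files):
    """Constructed, unsigned stand-in for a .pkpass: pass.json, the extra files,
    and a manifest.json mapping each filename to the SHA1 of its contents."""
    files = {"pass.json": json.dumps(pass_json).encode(), **extra_files}
    manifest = {name: hashlib.sha1(data).hexdigest() for name, data in files.items()}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr("manifest.json", json.dumps(manifest))
        # A real pass also has "signature", a PKCS#7 detached signature over
        # manifest.json; checking it needs Apple's chain, so it is a placeholder here.
        z.writestr("signature", b"<signature placeholder>")
    return buf.getvalue()

def manifest_mismatches(pkpass):
    """Files whose SHA1 differs from manifest.json, plus files the manifest omits."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(pkpass)) as z:
        manifest = json.loads(z.read("manifest.json"))
        present = set(z.namelist()) - {"manifest.json", "signature"}
        for name, expected in manifest.items():
            if name not in present or hashlib.sha1(z.read(name)).hexdigest() != expected:
                bad.append(name)
        bad.extend(sorted(present - set(manifest)))
    return bad

def set_balance(pkpass, new_value):
    """Edit the balance in pass.json and re-zip, keeping the old manifest and
    signature: the naive tamper the slides say the signature file prevents."""
    src = zipfile.ZipFile(io.BytesIO(pkpass))
    pass_json = json.loads(src.read("pass.json"))
    pass_json["storeCard"]["primaryFields"][0]["value"] = new_value
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            dst.writestr(name, json.dumps(pass_json).encode() if name == "pass.json" else src.read(name))
    return out.getvalue()

# Constructed gift-card pass; the identifiers are placeholders, not a real Pass Type ID.
ORIGINAL = build_pkpass(
    {"formatVersion": 1, "passTypeIdentifier": "pass.example.giftcard",
     "teamIdentifier": "TEAMID0000", "serialNumber": "demo-0001",
     "storeCard": {"primaryFields": [{"key": "balance", "value": "$25.00"}]}},
    {"icon.png": b"\x89PNG constructed placeholder"})
```

Even an intact manifest and signature only say who issued the pass; whether the gift card really holds $1,000 is for the backend to confirm by serialNumber, which is the second issue listed on slide 37.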

Page 39: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

• Creating your own

‒ Join the Apple Developer Program ($99)

‒ Modify the pass.json to match your needs

• The teamIdentifier and passTypeIdentifier fields need to be modified to match your Apple cert

• Modify the pass details that you want to

‒ Use the signpass application (from Apple) to generate the new .pkpass file

‒ Can be done in Windows

• Apple Developer cert is still needed

Page 40: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

• Deployment

‒ Can be done via email or web server

Page 41: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

• Attack overview

‒ Set up your intercepting proxy

‒ Request a Passbook pass from the app

• Look for the “Add to Passbook” button

‒ Intercept the request for the pass

• Usually to a third party site

‒ Request and save the pass in your browser

‒ Modify your pass

‒ Resign and use your new and improved pass

Page 42: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

• Avoiding issues with cert-pinned apps

‒ Open the app without the proxy enabled

‒ Get up to the page where you request the pass

‒ Switch over to your preferences

‒ Turn on the proxy

‒ Request the pass

Page 43: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

Example Time!

Page 44: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

• Delta Boarding Passes

‒ One of many Passbook apps, but it’s the one that I use the most

‒ Main Delta App does not do certificate pinning

Page 45: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

• Delta Boarding Passes

‒ Request for Passbook pass

Page 46: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

• Delta Boarding Passes

‒ Extracted pkpass file

‒ Extracted Sky Priority pkpass file

Page 47: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

• Delta Boarding Passes

‒ Modify the pass.json file

‒ And include the footer images in the directory

Page 48: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

• Delta Boarding Passes

‒ Run the Signpass utility and email yourself the pass

Page 49: Hacking iOS Gamecenter and Passbook

Attack Examples: Passbook

• Original/Modified Delta Boarding Pass

Page 50: Hacking iOS Gamecenter and Passbook

Conclusions

• Fixes

‒ Certificate pinning

‒ Better input validation

‒ Limiting data leakage from apps

• Questions?

Page 51: Hacking iOS Gamecenter and Passbook

Hacking iOS Game Center and Passbook

• Karl Fosaaen

‒ Security Consultant at NetSPI

‒ Twitter: @kfosaaen