Several weeks ago I submitted a talk to Shmoocon titled “The New World of Smartphone Security – What Your iPhone Disclosed About You”. This is my first submission and I hope my talk is selected. I wasn’t planning on blogging about the content of my talk but current events compelled me to post this.
Most iPhone security articles discuss forensics, encryption, lost iPhones, enterprise management, etc. My talk takes a different approach. My talk discusses attacks against the phone over IP cellular networks. More on that later.
Within the last two weeks, iPhone security has started to receive a bit of attention in the press after two notable, but related, incidents took place. First, a kid from the Netherlands attempted to get iPhone users to pay €5 for instructions on how to fix vulnerabilities within their phones. Then, a 21 year old Australian man claimed that he wrote the first “iPhone virus”, which I suspect is less a virus than a script.
The main issue that both these articles and everyone else are missing is that these incidents point to a much bigger problem. The exploited vulnerability described in each of the above incidents stems from the fact that most jailbroken iPhones run sshd and most iPhones share the same default root password of “alpine”. What is missing from the discussion is how these guys were able to even reach port 22 (sshd) on other people’s iPhones and propagate their attack.
Since I am an iPhone user in the US, I am an AT&T customer. As such, all of my research has been on AT&T’s network. I debated submitting my talk because I was concerned that someone may use the information disclosed in my presentation to create a worm that would cause harm to AT&T’s network. I believe in responsible disclosure, especially when what you are disclosing may have an effect on critical infrastructure. But now the barn door is open. On October 16, 2009 I found that AT&T had fixed this issue on their network, so I felt comfortable submitting my talk to Shmoocon.
The problem is that AT&T’s cellular IP network, as well as T-Mobile’s it seems, is flat. That is to say that when two iPhones (or any two devices on the network) are on AT&T’s NAT’d 3G IP network they can “see” one another. When your iPhone is not connected via wifi, it is assigned a NAT’d IP on AT&T’s network. AT&T’s network (pre October 16) allowed users to send traffic from IP to IP (phone to phone). Imagine being connected to a massive network where you can reach out and ping, port scan, connect, etc. to anyone else. Specifically, I found that I could SSH from my iPhone to anyone’s jailbroken iPhone. Or PDA, or laptop, etc. There are some limitations to this, which will be disclosed in my talk.
When most of us think about our iPhone’s connection to the Internet, we think this:
In reality, it is more like this:
For AT&T customers, your IP address is something in the 10.0.0.0/8 range. The screen shot below is an SSH session into my iPhone. Note the pdp_ip0 interface:
The pdp_ip0 interface is used by the iPhone to route traffic to AT&T’s IP network. When you are on wifi, the default route changes to the default route of your wireless network. However, I found that by setting the default route back to the PDP interface, I was able to stay connected via SSH and send traffic to other devices on AT&T’s network. I then used nmap (from my iPhone) to scan IP space in the 10.69.11.0/24 range and found that I could see other devices: iPhones, Blackberries, Windows PDAs, laptops, etc. In total I scanned over 10,000 devices over several months, with some interesting findings.
Stratum Security recommends that home users change the “root” and “mobile” users’ passwords (both default to ‘alpine’) and disable SSH when not in use (this reduces memory utilization too). Enterprise IT departments should use Apple’s enterprise management tools and create policy that addresses the use of jailbroken phones. iPhones are multi-homed: if an attacker made it onto an iPhone via the pdp interface, he would have access to en0 (the wifi interface) as well. Installing tcpdump is made easy with apt-get. In short, jailbroken iPhones have no place in an environment that cares about security.
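As an added illustration of the exposure described above (this is example code written for this post, not a tool from Stratum Security or Apple), the script below takes `ifconfig` and `netstat -an` output from a jailbroken phone and reports which listening services are reachable over the cellular interface. The interface and socket samples are constructed for the example; the interface name prefix `pdp_ip` and the 10.0.0.0/8 carrier range come from the post, and the recommendation text is an assumption about what an administrator would want flagged.

```python
import ipaddress
import re

# Constructed sample of `ifconfig` output from a jailbroken iPhone that is on
# 3G with wifi also up. Addresses are made up for this example.
IFCONFIG_SAMPLE = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255
pdp_ip0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1450
    inet 10.69.11.42 --> 10.69.11.42 netmask 0xff000000
"""

# Constructed sample of `netstat -an` on the same device: sshd bound to every
# interface, plus two services bound to specific addresses for contrast.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.8080         *.*                    LISTEN
tcp4       0      0  192.168.1.23.5000      *.*                    LISTEN
"""

CARRIER_IFACE_PREFIX = "pdp_ip"                    # cellular (PDP context) interfaces
CARRIER_NAT_RANGE = ipaddress.ip_network("10.0.0.0/8")  # AT&T's NAT'd range per the post


def parse_interfaces(text):
    """Return {interface_name: ipv4_address} from BSD-style ifconfig output."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+inet (\d+\.\d+\.\d+\.\d+)", line)
        if m and current:
            result[current] = m.group(1)
    return result


def parse_listeners(text):
    """Return [(bind_address, port)] for TCP sockets in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(".")   # "*.22" -> ("*", "22")
        listeners.append((addr, int(port)))
    return listeners


def exposed_on_carrier(interfaces, listeners):
    """Ports reachable from the cellular network: wildcard binds, or binds to
    the cellular interface's own address."""
    carrier_ips = {ip for name, ip in interfaces.items()
                   if name.startswith(CARRIER_IFACE_PREFIX)}
    return sorted(port for addr, port in listeners
                  if addr == "*" or addr in carrier_ips)


def assess(ifconfig_text, netstat_text):
    """Build a short list of findings for a multi-homed jailbroken phone."""
    interfaces = parse_interfaces(ifconfig_text)
    exposed = exposed_on_carrier(interfaces, parse_listeners(netstat_text))
    findings = []
    for name, ip in interfaces.items():
        if name.startswith(CARRIER_IFACE_PREFIX) and ipaddress.ip_address(ip) in CARRIER_NAT_RANGE:
            findings.append(f"{name} has carrier NAT address {ip}: hidden from the "
                            f"Internet, but not from other subscribers on a flat network")
    if 22 in exposed:
        findings.append("sshd (22) is reachable over the cellular interface: change the "
                        "root and mobile passwords and unload sshd when not in use")
    for port in exposed:
        if port != 22:
            findings.append(f"port {port} is reachable over the cellular interface")
    return findings


if __name__ == "__main__":
    for finding in assess(IFCONFIG_SAMPLE, NETSTAT_SAMPLE):
        print("-", finding)
```

On a real device the two samples would be replaced by the output of `ifconfig` and `netstat -an` run over SSH; the point the report makes is that a wildcard bind on a multi-homed phone is listening on the carrier side, whatever the wifi configuration looks like.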
My Shmoocon talk will show some interesting metrics on what I discovered and some pretty cool attacks that I conducted on a colleague’s jailbroken iPhone (with his permission). The talk also brings to light some spooky and interesting things you can do with location-based games. Those applications that ask permission to use your location may be opening you up to all kinds of trouble.
Update: It looks like Optus gives their customers a routable IP address that is open to the Internet, whereas AT&T gives its customers a NAT’d IP address.