iPhone: Cracking the Dream

Moore is the man. I have lost count of the number of times I have uttered those words. I am a huge fan of Metasploit and the framework it provides is unrivaled. I recently wrote about the hacking platform that an iPhone provides, noting it would be a great tool for a bad guy. Moore is a man on a mission…

HDM has an updated ARM hack that promises to take over all iPhones, but for now takes over modified iPhones. Techie speak here, English here.

We can store our shellcode at offset 0x12C and patch the return value with 0x0006b400 + 0xA4 to return back to it. A quick test, by setting offset 0x12C to 0xffffffff (an invalid instruction), demonstrates that this works. We have successfully exploited the iPhone libtiff vulnerability using a return-to-libc back to memcpy().

Modified iPhones make this stack/heap overflow easier to accomplish, while “native” iPhones require some additional manipulation to consistently produce the exploit.

This attack exploits libtiff (TIFF Image Library in OS X) by writing to the stack a memory location that is writable and then execute that code (gross oversimplification). The manner in which this exploit is delivered opens the door for other exploits and shows how research to “modify” the iPhone for freedom from AT&T can be used to 0wn the iPhone!

Metasploit continues to be a great tool for “evaluating” security of just about anything:

While using a hex editor to write this exploit is possible, the Metasploit Framework provides a much easier method of testing different contents for the TIFF file. A working exploit for this flaw (successfully tested on 1.00 and 1.02 firmwares) can be found in the development version of the Metasploit Framework (available via Subversion).

Securing WiFi

Wireless is everywhere. McDonald’s and Starbuck’s come to mind as popular WiFi hot spots. Hacking wireless has become a major threat for businesses and consumers. Legislation was passed requiring wireless manufacturers to provide details on securing wireless services in response to the rampant abuse of insecure wireless access points.

In case you haven’t heard, WEP is not secure. In fact, WEP was NEVER designed to be used to secure WiFi networks, instead it was originally released to provide a privacy measure. Just how insecure is it? The FBI demonstratedhow to break into a WiFi network running WEP at a security conference two years ago, using tools downloaded off the Internet.

WPA must be better, right? Joshua Wrightwrote a program to help break WPA security, called coWPAtty. It is based on capturing packets and brute forcing the passphrase used. This can be very time consuming, so rainbow tables can be used in some instances to speed up the cracking process significantly.

The easiest way to get started evaluating the security of wireless networks is to grab a WHAX, Knoppix, or BackTrackLive CD and combine it with an Atheros-based WiFi card on your laptop. BackTrack would be my preference because it has other tools for use after WiFi access has been obtained.

In order to keep your WPA or WPA2 network secure, you should use long passphrases with random characters, upper/lower case letters, numbers, symbols, and spaces that are not based on dictionary words or common phrases. Some additional measures to consider:

1. MAC filtering can help restrict access, but it can be overcome if the attack is savvy enough so don’t use it alone.
2. Most WiFi routers allow you to disable DHCP or limit the number of addresses handed out by the router; limiting the number of available DHCP addresses can help.
3. Some WiFi routers also allow static DHCP assignments, so your laptop always gets the same IP Address.
4. Some WiFi routers provide options for static routing, routing non-DHCP IP Addresses to a non-existent IP Address can slow down the bad guys also. This can stop would-be Internet free-loaders.

Got any other helpful tips?

Cyber Warfare

News reports of foreign countries hacking other foreign country’s web sites and networks has been reported as far back as 2000. It seems the frequency of these attacks has been increasing over time and I am inclined to agree with an article in the Brisbane Times suggesting China willing participates or looks the other way when these attacks are happening. I say this because China reportedly has a tremendous Internet filtering infrastructure in place, they make the covert filtering mechanisms active in the US look like the efforts of a feeble script kiddie. They know who you are, where you surf, and what you’re surfing. They don’t allow certain protocols to enter/exit the country and often times traveling users’ VPN and SSH sessions fail to operate from China.

At any rate, the Briabane Times article is here. It also makes reference to the Estonia attack and points out the damage sustained in one of these cyber attacks is more efficiently obtained and is more discreet at the onset than amassing a network of spies or deploying a battalion of tanks. The article goes on to say:

“States are starting to figure out how cyberwarfare can help them achieve their goals, espionage, economic embargo, or coercion — to cause pain to your enemies so they change their behavior,” Moran said.

Cyber warfare is now a common pursuit among most states, said Bruce Schneier, who has written books on the subject. “Everybody does it,” he said.

Moreover, government networks are plagued with “lousy security” arrangements, he said. And as government information networks become more complex, the networks become increasingly vulnerable.

“Complexity is the worst enemy of security,” Schneier said.

iPhone: Hacker Friendly

When Apple unveiled the new iPhone, hackers, crackers, marketing types, and media outlets alike salivated; oh techno-enthusiasts aka customers too!

It is no surprise that the iPhone has been center of numerous attempts to crack, hack, subvert, reverse engineer, and otherwise decipher the software, hardware, architecture, and interfaces. After all the iPhone represents the greatest advancement in phone technology since… hmm, I’ll have to get back to you on that one. 

Steve Jobs is quoted in a Fortune magazine articleas saying that the iPhone will change the phone industry and I think he’s right but I don’t think it has changed in the way he is intending. The hype and appeal over the iPhone is amazing. Security “experts” have been saying for years that mobile devices aka cell phones are the next hacking platform and these new mobile viruses (virii — eek!) could disrupt or disable entire cellular networks.  The iPhone introduces a new twist to the mobile malware argument because the underlying operating system in this case is universally available and accessible. The cute, sophisticated, secure operating system found on those impressive 24″ iMacs, dual-core Intel PowerBook Pros, and amazing MAC servers is at the heart of the iPhone.

The bugs, flaws, exploits, and vulnerabilities of MAC OS X have always been minimized or defeated because MAC OS X doesn’t run everything as the Administrator like Microsoft Windows, according to Apple website on MAC OS X Security Architecture:

Many people find that Windows-based PCs are unusable unless they use the admin account, which exposes their PCs to attack. The Mac OS X default configuration, in contrast, guards against shady characters who could so easily take control of your system. 

eWeek reported the iPhone apparently runs every program and process with root or Administrator privileges, based on information posted on the Metasploit Official Blog (Metasploit Project).The iPhones apparently mimic the simplicity Microsoft Windows versions enjoyed for years: run everything as Administrator or Super-user.  Who says Bill Gates’ investment in Apple isn’t paying off!

Now the iPhone can make even more headlines!

Windows for Warships, Hacking Air Defenses, CyberWAR?

I know this is dated, but I found it too funny given other recent articles like the article suggesting Israel hacked Syrian Air Defenses. I watched Wired Science’s report on the Estonia attacks this week, as well.

Command and Control systems are definitely lacking in user-friendliness, but my concern here is the unlikeliness of a more secure, robust version of Windows available for Warships. I get nervous at the thought of combat systems on destroyers and submarines running Windows and suffering from the same fate as my desktop when something goes awry.

The notion of hacking Command & Control systems gets a lot more plausible when one considers the Operating System on the other side of the radar array or sensor grid. The news story on the radar hack gets a little more plausible, when you consider an aircraft spewing electronic garbage at a radar array or sensor grid running Windows. It even makes for a great cartoon, given that Syrian air defenses are suggested to have been supplied by Russia and Russia is alleged to be awash with software piracy. It amounts to an electronic equivalent of a DOS attack or fuzzing at the least, on these nodes.

In fact, it is down right scary to think that an information attack can be more destructive than a conventional attack with no notice, little cost, and possible anonymity. Consider the Internet attacks on Estonia that practically cut off the country from the outside world: warfare in the 21st Century has evolved to include the Internet. It makes perfect sense, it can be taken right out of SunTzu’s Art of War or Clausewitz’s Principles of War.

There are similarities in the radar hacking and the attacks on Estonia. Estoniawas blanketed by a remote controlled army of PC’s set to cripple servers and services over the Internet by overwhelming Estonia’s servers and communications links. The Israeli aircraft are reported to have potentially used erroneous RF signals and commands to overwhelm the Syrian Air Defenses from the outside of their perimeter. In effect, these attacks are making use of Internet-based attack techniques from the late 1990′s and early 2000. Warships running Windows software, would make these warships vulnerable to similar threats my home PC is vulnerable to. I pray that the Windows Firewall is enabled by default!!!

Alas, these DoS-style attacks are nothing new. I’m inclined to agree with Kevin Poulsen’s blog on the Estonia attacks, these attacks are nothing like what other nations have done in the past. The Isreali aircraft story is more interesting because of the notion of specialized hardware attempting to subvert the defenses by use of hacking techniques purposely deployed on the aircraft. I imagine, if the story is true, Russia, China, or North Korea are all hardening their systems as we speak.

As for the Warships and Windows, counter-intelligence agencies can just start creating 0-Day Windows exploits and hacking warships instead of having spies conduct clandestine operations to steal technology. It could even be the makings of a new installment in the Wang/No Starch Press Steal This book series, with: Steal This Warship.