Interested in formal iPhone forensics training? Check out our 3 day iPhone and iOS forensics course now available

There is this misconception that iPhones are protected by the iPhone passcode. This may be true for non-jailbroken iPhones, but not for jailbroken ones.

It is possible to have root access to the iPhone file system using tools from libimobiledevice.org, even when the locked jailbroken iPhone is protected by the PIN.

This seems to be related to the way lockdownd works after an iPhone is jailbroken; a perception around since the iPhone 3GS days (discussed in this slashdot.org article from May 2010. “iPhone’s PIN-Based Security Transparent to Ubuntu” http://apple.slashdot.org/story/10/05/27/1826207/iphones-pin-based-security-transparent-to-ubuntu).

All an attacker needs is 3 seconds with your phone and to connect it to a usb cable.
It could take even less time, depending on the speed of the computer as well as whether the attack is staged.

This would seem like an awesome attack vector but it’s only viable if you have physical contact with the iPhone or with some social engineer to get the victim to connect the iPhone to an embedded device (e.g. mobile charger?).

Having root access to the iPhone file system means that the attacker is able to view and extract confidential data from your iPhone like emails, SMS, photos – basically everything on your iPhone, including cookies.

We are faced with an issue: how do we get our spy tools and binaries to run on the iPhone system during startup?

Typically, to register an executable so that it can run at startup, you will have to run the command
“launchctl load /System/Library/LaunchDaemons/com.apple.system.plist”

However, since we do not have command line access to the system, we would not be able to use this method. We need to find an alternative solution to get our binaries to run at iPhone startup in the background.

Proof of Concept Spy Tools

There are a couple of proof of concept tools that I’ve made with the help of examples that I found online which could be used as a baseline to be modified for espionage use.

The source code and binaries of the tools can be found at https://github.com/milo2012/iPhone-Espionage

Tool Name

Purpose

kbhook2 Captures key strokes from the iPhone keyboard and save to a text file.
location1 Captures GPS coordinates in the background.
sms1 Captures incoming SMS and forwards it another mobile number.
takePicture Activates the iPhone front camera in the background and takes a photo and save it in /tmp folder.
screenCapture Takes a screenshot of the current iPhone screen so that we can monitor that the user is doing.
mic1 Activates the iPhone microphone and record a 30 second clip.
whatsapp1 Intercepts WhatsApp incoming and outgoing messages and forwards it to an email address.
demoScreenCapture1 Demo program which shows that the screenCapture tool can be automated to take each and every screen of a particular iPhone application. When coupled with kbhook2, it is possible get screenshots of the emails in enterprise email iPhone application which provides data encryption and security which the user is browsing thru his/her emails.

Shrinking the Platform

It would attract too much attention if we were to connect the target’s iPhone to a computer and run the script. However, we could avoid suspicion by shrinking the entire attack environment to the size of your palm.

There are a couple of small hardware devices which support Linux, or in particular, Debian. Among these are the Raspberry Pi, Beagleboard, Nokia N900 and the Openmoko Freerunner. Alternatively, you can conceal it in the form of a USB charger or mobile charging stations.

Brian Markus and Joseph did a demo on this in Defcon Las Vegas 2011. A writeup can be found here http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/

Want to learn more?? The InfoSec Institute Advanced Computer Forensics Training trains you on critical forensic skills that are difficult to master outside of a lab enviornment. Already know how to acquire forensically sound images? Perform file carving? Take your existing forensic knowledge further and sharpen your skills with this Advanced Computer Forensics Boot Camp from InfoSec Institute. Upon the completion of our Advanced Computer Forensics Boot Camp, students will know how to:
  • Perform Volume Shadow Copy (VSC) analysis
  • Advanced level file and data structure analysis for XP, Windows 7 and Server 2008/2012 systems
  • Timeline Analysis & Windows Application Analysis
  • iPhone Forensics


A mobile charging station found in Bangkok, Thailand

Summary of Steps

Below is a summary of what you need to do

  1. Install Debian/Ubuntu on the embedded device.
  2. Install the prequisities using the script setupPrerequisities.sh from https://github.com/milo2012/iPhone-Espionage/tree/master/evil_gf_attack
  3. Download and copy scanUSB.sh from https://github.com/milo2012/iPhone-Espionage/tree/master/evil_gf_attack onto /tmp1/ on your embedded device
  4. Modify scanUSB.sh
  5. Run the command “update-rc.d -f /tmp1/scanUSB.sh start 99 2 3 4 5″
  6. Now, reboot the device and plug in your iPhone via the iPhone usb cable.
  7. Wait for the magic to happen.
  8. Look at /tmp1/DB for the data collected

Installing the Prerequisites

 You will need to install the below requisities on a Debian/Ubuntu system.  Alternatively, you can download the script from
https://github.com/milo2012/iPhone-Espionage/raw/master/evil_gf_attack/setupPrerequisites.sh
and save yourself some trouble.

  • apt-get install libusb-dev usbmuxd libimobiledevice-dev libplist-dev libgnutls-dev build-essential libgnutls-dev libxml2-dev libreadline5-dev libgcrypt-dev libglib2.0-dev libplist-dev libusbmuxd-dev usbmuxd make automake autoconf libtool gcc python-dev git libfuse-dev libimobiledevice-utils ibgtk2.0-dev libnautilus-extension-dev intltool libzip-dev -y
  • mkdir /tmp1 && cd /tmp1 && git clone https://github.com/mcolyer/libiphone.git
  • /tmp1/libiphone/autogen.sh && /tmp1/libiphone/configure && /tmp1/libiphone/make && /tmp1/libiphone/make install
  • git clone https://github.com/mcolyer/ifuse.git
  • /tmp1/ifuse/autogen.sh && /tmp1/ifuse/configure -prefix=/ && /tmp1/ifuse/make && /tmp1/ifuse/make install
  • wget http://www.libimobiledevice.org/downloads/ideviceinstaller-1.0.0.tar.bz2
  • bunzip2 -d ideviceinstaller-1.0.0.tar.bz2 && tar xvf ideviceinstaller-1.0.0.tar && /tmp1/ideviceinstaller-1.0.0/configure && /tmp1/ideviceinstaller-1.0.0/make && /tmp1/ideviceinstaller-1.0.0/make install
  • wget http://www.libimobiledevice.org/downloads/nautilus-ideviceinfo-0.1.0.tar.bz2
  • bunzip2 -d nautilus-ideviceinfo-0.1.0.tar.bz2 && tar xvf nautilus-ideviceinfo-0.1.0.tar && /tmp1/nautilus-ideviceinfo-0.1.0/configure && /tmp1/nautilus-ideviceinfo-0.1.0/make && /tmp1/nautilus-ideviceinfo-0.1.0/make install

Modifying the Script

The main tool working the magic is iFuse. iFuse takes care of mounting the the root iPhone filesystem in Linux. The command that does the trick is “ifuse $mountPath –root”.

I have written a script which, when run, monitors usb connections looking for an Apple device. When an Apple device is connected, it will mount the root iPhone filesystem and then copy out predetermined databases like Google Maps, cached information, iPhone call history, SMS data, Cell Tower location database, and so on. The script also extracts device-related information and the list of installed applications on the Iphone in a matter of seconds.

You can also uncomment some lines in the script to copy some spy tools to the iPhone and also execute them either at startup or at specific timing of the day.


The script can be found at https://github.com/milo2012/iPhone-Espionage/blob/master/evil_gf_attack/scanUSB.sh

If you are looking at hooking directly to the functions of iPhone applications like what I did with WhatsApp, you will be looking at something called an iPhone tweak and you would need to copy the binary to /tmp1/TransferDynLibraries so that it will be copied over to /Library/MobileSubstrate/DynamicLibraries when the scanUSB.sh scripts detect an iPhone being connected.

If you are looking at running something in the background of the iPhone at all times or during specific timing, you will be looking at something called an iPhone tool. You will need to copy the binary to /tmp1/TransferStartup so that it will be copied over to /usr/bin on the iPhone when the script is running..

iPhone Daemons

Daemons are system processes that run in the background of the system.  These system processes are started when the iPhone boots up.   If we want to run our spytool at startup or at certain intervals of the day, we would need to identify the plist of an abundent daemon to overwrite.

There are a list of abundent daemons that have already been registered on the iPhone by Apple which seems fairly safe to delete or replace in our case to run our own malicious binaries.

The list of safe to delete/replicate daemons include but are not limited to 

  • com.apple.iqagent.plist
  • com.apple.mobile.profile_janitor.plist
  • com.apple.chud.chum.plist
  • com.apple.CrashHouseKeeping.plist
  • com.apple.aslmanager.plist
  • com.apple.syslogd.plist
  • com.apple.ReportCrash.(*).plist
  • com.apple.DumpPanic.plist
  • com.apple.powerlog.plist
  • com.apple.stackshot.server.plist
  • com.apple.chud.pilotfish.plist

By hiding and replacing the existing plist files makes it slightly more undetectable.  Normal users do not check the contents of the LaunchDaemons.

Modifying the Launch Daemons

The plist file for LaunchDaemon have 3 types of launch options

  1. Run at Load
  2. Run at Load and Launch Only Once
  3. Start At Certain Interval

In order to stay beneath the radar, I would choose the 3rd option as 1 and 2 would slow down the iPhone significantly during startup.

Below are the contents of an original com.apple.CrashHousekeeping.plist.  


Below are the contents of a modified com.apple.CrashHousekeeping.plist which calls our malicious binary /usr/bin/sql2.  I have specified it to the daemon to run daily at 4.01am. 


Developing an iPhone Tweak

In the below example, I’ll show how easy it is to develop an iPhone tweak which intercepts the incoming and outgoing messages in WhatsApp.

Most iPhone applications have enabled debug mode in the application so that users can report bugs to the software company.


You will need to connect your iPhone to your Mac and start Xcode and then launch Organizer.  The debug messages are very invaluable to us as it tells us which class and method to hook.  This has made our development work even easier.

THEOS is a very useful tool made by Dustin L. Howett and it makes jailbroken iPhone development so much easier as compare to using Xcode.  The installation guide for THEOS can be found here http://iphonedevwiki.net/index.php/Theos/Getting_Started

You will need the below

  1. Mac with Snow Leopard or Lion with Xcode
  2. Jailbroken iPhone
  3. THEOS
  4. Crackulous from Cydia
  5. WhatsApp
  6. Class-Dump (
    http://www.codethecode.com/projects/class-dump/)

What you need to do ?

  1. Install THEOS
  2. Run Crackulous on iPhone and select Whatsapp
  3. SCP the cracked version of Whatsapp from your iPhone to your Mac.  It should be stored in /private/var/root/Documents/Cracked/ folder on your iPhone
  4. Unzip the decrypted ipa file
  5. Navigate to Payload > WhatsApp.app
  6. Open Info.plist.
  7. Take note of the “Bundle Identifier”
  8. mkdir /Headers
  9. Run “Class-Dump -H WhatsApp ” -o Headers/
  10. Under XMPPConnection.h you should see a method called “processIncomingMessages:(id)arg1″
  11. After installation of THEOS, you will navigate /opt/theos/bin
  12. Run “sudo ./nic.pl”
  13. Select Option 5 for Tweak
  14. Key in a project name
  15. cd <ProjectName>
  16. Edit Tweak.xm and fill in the below details
  17. What the code does is to hook the method “processIncomingMessages:(id)arg1″ method in XMPPConnection class.   The %log command logs information about the call , methods, names and arguments to the system log.  The %orig command  makes a call to the original function with the original arguments.
  18. Edit <projectname.plist> and overwrite the data and replace it with the below information.
  19. Run “make”
  20. Go to obj folder and copy <projectname.dylib> to /Library/MobileSubstrate/DynamicLibraries on your iPhone.
  21. Alternatively you can run “export THEOS_DEVICE_IP=XX.XX.XX.XX” and run “make package && make install” to install the dylib to your iPhone via SSH.

Conclusion

Are you allowing jailbroken iPhone devices in your organization? How are you managing these mobile devices? Are you able to ensure the integrity of these devices and insure that they have not been compromised ?

The author of this article can be contacted at keith.lee2012[at]gmail.com, via twitter @keith55 or via his blog at http://milo2012.wordpress.com