SlideShare une entreprise Scribd logo

iMessage Privacy at HITB KL 2013

Artem I. Baranov
Artem I. Baranov

Slides from pod2g and gg at #HITB2013KUL on iMessage privacy

TechnologieActualités & Politique
1  sur  88
Télécharger pour lire hors ligne
Quarkslab on iMessage Privacy HITB, Kuala Lumpur, oct. 2013 @pod2g (pod2g@quarkslab.com) gg (gg@quarkslab.com)
Presentations • Quarkslab is a research company specialized in cutting edge solutions to complex security problems. We provide innovative, efficient and practical solutions based on profound knowledge and years of experience in the field. • gg: security researcher, cryptography R.E. specialist. Joined Quarkslab in 2012 • @pod2g: security researcher, long background in Apple product security. Joined Quarkslab in 2013
Plan I. The current political and media context II. The iMessage protocol III. MITM attacks IV. Countermeasures V. Final thoughts
I. THE CONTEXT NSA, PRISM, Apple
NSA’s PRISM (US-984XN) • • • • • • American supervision program Mass surveillance data mining Based on alliances with american firms Can collect texts, emails, photos, etc. Foreigners are also potential targets Program was leaked by Edward Snowden
Is Apple included? • • • Washington Post have leaked PRISM presentation slides that are said to be coming from the NSA Looking at them, Apple joined in oct 2012 Slides talk of « data collection », which sounds like a transparent process
Apple publicly says: « Two weeks ago, when technology companies were accused of indiscriminately sharing customer data with government agencies, Apple issued a clear response: We first heard of the government’s “Prism” program when news organizations asked us about it on June 6. We do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order. » Source: https://www.apple.com/apples-commitment-to-customer-privacy/
What about iMessages? « Apple has always placed a priority on protecting our customers’ personal data, and we don’t collect or maintain a mountain of personal details about our customers in the first place. There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it. For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. » Source: https://www.apple.com/apples-commitment-to-customer-privacy/
Media facts :-) • Edward Snowden is said to have used iMessages to hide from the NSA :-) • DEA Thinks iMessage Encryption is Too Tough (DEA leaked document, CNET)
Real facts • PUSH client (SSL server authenticates clients) certificate is 1024 bit • • • iMessage encryption key is 1280 bit • No certificate pinning for both PUSH and iMessage servers (while Apple does it for SecureBoot and Developer certificates...) iMessage ECDSA signing key is 256 bit Keys are generated with the opensource Security framework
iMessage authentication • Heavily obfuscated. State-of-the-art white box cryptography • • Challenge-response kind • AppleID password thrown in plaintext (not hashed) over SSL Prevents from creating a 3rd party iMessage client on another platform
Blackboards are not dead! @saurik reversing imagent’s white-box cryptography
First weaknesses • Due to the lack of certificate pinning, adding a fake CA to the user keychain or obtaining a rogue (but verified) certificate for the domain leads to: • • • • the leakage of the AppleID password the accessibility to more sensitive Apple services the possibility of impersonating Apple PUSH and iMessage servers (we’ll see it later on) This can be done by the entity you think of, but also your company MDM administrator or hacker « friend » using a simple Mobile Configuration file
What is an AppleID? A really personal and sensitive information
Isn’t it dodgy? • The « Verified » state only depends on if the device has been plugged one time to a machine running iPhone Configuration Utility which silently adds a signing certificate to the device • MDM administrators can do this transparently to enrolled devices
II. THE PROTOCOL PUSH, iMessage
II.1. THE BIG PICTURE Protocols and servers involved
Two channels • iMessages are transmitted over the PUSH protocol (TLS, server port 5223) ‣ domain: rand(0,255)-courier.push.apple.com ‣ client certificate is authenticated • The rest of the protocol (authentication, administration, key and contact queries) runs over HTTPS to other servers ‣ domain: *.ess.apple.com
Apple PUSH servers ?-courier.push.apple.com TLS 5223 521 bit ECDH-RSA server certificate CN=courier.push.apple.com 1024 bit RSA device certificate CN=< Push GUID > Transport: - push notifications - game center - iMessage - FaceTime ... Apple ESS servers (*.ess.apple) HTTPS 443 iMessage: - authentication - administration - key repository Client: MobileSMS / Messages.app + daemons (apsd, imagent, ...) 2048 bit RSA server certificate CN=*.ess.apple.com
Domains involved HTTP Query for PUSH servers and configuration [17:54:36] 192.168.1.5: proxying the response of type 'A' for init-p01st.push.apple.com [17:54:36] 192.168.1.5: proxying the response of type 'A' for apple.com [17:54:36] 192.168.1.5: proxying the response of type 'A' for p04-bookmarks.icloud.com PUSH socket [17:54:36] 192.168.1.5: proxying the response of type 'A' for p04-contacts.icloud.com establishement [17:54:36] 192.168.1.5: proxying the response of type 'A' for p04-caldav.icloud.com [17:54:36] 192.168.1.5: proxying the response of type 'A' for p04-ubiquity.icloud.com [17:54:36] 192.168.1.5: proxying the response of type 'A' for 25-courier.push.apple.com [17:54:37] 192.168.1.5: proxying the response of type 'A' for gs-loc.apple.com [17:54:40] 192.168.1.5: proxying the response of type 'A' for p04-fmip.icloud.com [17:54:44] 192.168.1.5: proxying the response of type 'A' for p04-keyvalueservice.icloud.com [17:54:44] 192.168.1.5: proxying the iMessage of type 'A' for keyvalueservice.icloud.com response authentication [17:54:53] 192.168.1.5: proxying the response of type 'A' for mesu.apple.com iMessage contact query [17:55:13] 192.168.1.5: proxying the response of type 'A' for ocsp.apple.com [17:55:13] 192.168.1.5: proxying the response of type 'A' for service.ess.apple.com [17:55:15] 192.168.1.5: proxying the response of type 'A' for static.ess.apple.com [17:55:16] 192.168.1.5: proxying the response of type 'A' for service2.ess.apple.com [17:55:34] 192.168.1.5: proxying the response of type 'A' for service1.ess.apple.com
II.2. THE PUSH LAYER History, details, and man-in-the-middle
Introduction • • • Apple Push Notification Service (APNS) • • Available as an API Service created by Apple Inc. in 2009 Enhance the user experience with notifications like sounds, text alerts, etc. Better than PULL for battery life
How it works • • Based on push technology Maintain an open IP connection to forward notifications from the servers of third party applications to Apple devices
PUSH Client • • • • • Device communicates with the PUSH server Distant port : 5223 (TCP) Traffic encrypted with TLS Requires a Push-Token Requires a Push-Certificate
PUSH device certificate • • • • Generated on device APN activation Certificate request sent to albert.apple.com Signed by Apple Iphone Device CA Used to establish PUSH TLS communication
Mutual authentication
Push-Token • • • • 256-bit binary string Opaque, server-side generated Identifier to route notifications to devices Shared with providers
Token usage
MitM: PushProxy - 1 • • • • Catch PUSH communications Decode notifications in a readable form Provide APIs for handling and sending More info: https://github.com/meeee/pushproxy
MitM: PushProxy - 2 How to: • • Generate a Root CA and add it to the keychain • Extract device TLS private key (a.k.a. device certificate) • Edit hosts file to redirect DNS queries to PushProxy (or use a rogue DNS server) Create and sign all the required certificates with it (APNS server, HTTPS bag server)
Outgoing iMessage notification 0a         >> XX XX XX XX     >> 04 00 04 XX XX XX XX  >> 01 00 14 XX .. .. XX   >> 02 00 20 XX .. .. XX   >> 03 XX XX ... >> Message Type Next Length Identifier (4 bytes) Topic Hash (20 bytes) Push-Token (32 bytes) iMessage payload
II.3. IMESSAGE IDs Tokens, keys, URIs, directory
Definitions • AppleID: Apple identifier of a person (or a legal entity). Most people have a single AppleID that they use on multiple Apple devices and services • URI: recipient identifier, either a phone number or email address • Push-Token: token identifying an authenticated device • For OS X, a « device » is a user account set-up to receive iMessages
Organization - 1 • An Apple account (AppleID) can be linked to multiple URIs • • Email URIs have to be verified • • • The same URI can’t be attached to multiple AppleIDs A phone URI can only be added with an iPhone and the corresponding legit SIM card A URI can be linked to multiple devices (Push-Tokens) On each device the user can decide which URI to handle
Organization - 2 AppleID (pod2g@dummybox.com) URI #1 tel:+33698765432 URI #2 mail:pod2g@dummybox.com iPhone 5S Push-Token: x iMac, user pod2g Push-Token: y
URI & iMessage • Sender inputs the recipient’s URI to start the communication • All iMessages are encrypted and signed using asymmetric cryptography • • Thus, there has to be a key directory iMessage client retrieves recipient’s public keys by querying Apple’s ESS server
An example of contact query Here is what is sent: GET /WebObjects/QueryService.woa/wa/query?uri=tel:+33123456789 Host: service1.ess.apple.com Content-Type: application/x-apple-plist x-id-cert: [Provision Certificate] x-id-nonce: [Random Nonce with Timestamp] x-id-sig: [Query Signed with Provision Cert.]
Response Here is what we get, for each associated device: ( XML plist converted to JSON for clarity) { 'push-token': [PushToken] ‘client-data’: { 'show-peer-errors': True, 'public-message-identity-version': 1.0, 'public-message-identity-key': [Public Keys Buffer] } }
Response analysis • The public keys buffer contains: An ECDSA public key (256-bit): to verify messages issued by the remote device • • • • A RSA public key (1280-bit): to encrypt messages for the remote device Push-Token will help to route messages We can now send and encrypt messages to a given URI (and all devices associated with)!
II.4. THE IM PAYLOAD Description, goodies
An iMessage is a bplist • The iMessage payload as seen earlier in the PUSH Protocol section is a binary plist • Binary plist (a.k.a. bplist) is an Apple standard property list file • • A bplist stores serialized objects • Serializes an NSDictionary as the root object Objects can be of type NSString, NSNumber, NSDate, NSData, NSArray and NSDictionary
iMessage bplist - 1 D: True E: ‘pair’ P: <variable length binary data> (iMessage payload, deflate compressed) U: <128bit binary data> (iMessage UID) c: 100 i: <32bit integer> (messageId, same as in PUSH header)
iMessage bplist - 2 sP: mailto:pod2g@dummybox.com (emitter URI) t: <256bit binary data> (emitter Push-Token) tP: mailto:dhillon@dummybox.com (recipient URI) ua: [Mac OS X,10.8.5,12F37,MacBookPro10,2] (emitter os and hardware version) v: 1
iMessage payload, inflated byte 0x02 short ciphertext length data ciphertext byte signature length data signature version? RSA / AES-CTR data - ciphered with the RSA public key of the recipient ECDSA signature of <ciphertext> - computed with the ECDSA private key of the emitter Why did they decided to deflate ciphered data?
iMessage ciphertext RSA ciphertext (1280bit) AES session key (128bit) AES-CTR ciphertext iMessage inner-bplist, deflate compressed AES-CTR ciphertext (remaining bytes)
iMessage inner-bplist (inflated) p: array of URIs in the discussion group t: iMessage text (for iOS) v: version (1) x: iMessage html (attachments, and style - for OS X)
iMessage attachments • • Attachments are encrypted using AES • URL of the attachment and the required AES key to decipher it are included in the special tag <FILE> added to the HTML message body • They are uploaded to the iCloud storage, in a dedicated space <FILE name="<name>" width="<width>" height="<height>" datasize="<size>" mime-type="<mime type>" uti-type="<uti type>" mmcs-owner="<identifier>" mmcs-url="<URL>" mmcssignature-hex="<signature>" file-size="<size>" decryptionkey="<key>">
Spoofing URIs • • The existence of URIs in the discussion group are not fully verified: • • • The real recipient URI has to be in the list Other URIs are not checked Phone number URIs can be text The result is a spoofing kind of vulnerability
DEMO #1 Conference chat with a surprise guest :)
III. MITM ATTACKS iMessage interception and forgery
III.1. INTRODUCTION Requirements, network tricks, and software
Original Quarkslab document
Requirements - DNS • To achieve a man-in-the-middle attack, the DNS requests of the victims have at least to pass through a machine / network you control • The point is to rogue responses for domains service1.ess.apple.com and *.push.apple.com • Next slide shows possible network tricks to have a chance to forge DNS responses
Some network tricks • Use ARP poisoning to route all ethernet packets of the victim to your box • Have access to physical cables, to the gateway, or any network component in the route to the DNS server • Create a rogue (open) wifi network or 3G network with the same name and emit stronger • Announce Apple’s routes with BGP, and reroute the traffic to your own equipments (unlikely) • Hack the DNS servers using DNS cache poisoning and other DNS related vulnerabilities (unlikely)
Requirements - software • PushProxy with Quarkslab’s imessage-mitm.py handler to intercept iMessages • Quarkslab’s ess-mitm.py to intercept and modify Apple ESS responses • A DNS proxy software. We used dnschef in our tests: http://thesprawl.org/projects/dnschef/ • Python 2.7
Requirements - SSL • Rogue servers, either PUSH or ESS, have to serve valid SSL certificates from the point of view of the victim(s) • Either add these certificates or their root CA to the victim’s KeyChain • • Find a flow in Apple certificate verification (unlikely?) • Have a trusted root sign your rogue certs (NSA?) Have the user install a configuration profile (or be a MDM administrator in the company and push it)
Picture
III.2. ONE-SIDED MITM Prerequisites, theory, demo
Principle & limitations • Idea: proxify victim’s contact requests to Apple’s ESS server in order to exchange every public key found with a new one. « Evil’s » in the figure to come • The victim’s PUSH communication is also proxyfied and is utilized to eavesdrop iMessages in real time, and possibly modify them • The biggest limitation to this approach is that the victim’s private keys (PUSH device, iMessage RSA, iMessage ECDSA) are needed
Requirements • • • • Network / DNS control Verified PUSH and ESS certificates Victim’s PUSH Device private key Victim’s iMessage RSA & ECDSA private keys
iMessage emission MitM fun... :) Hey my love! Hey! Dhillon ?! Hey my love! Belinda Evil Evil presented his key to Dhillon instead of Belinda’s. He owns Dhillon’s ECDSA. He can read and forge Dhillon’s messages. Dhillon’s ECDSA (priv) Dhillon’s ECDSA (pub) Evil’s RSA (priv) Evil’s RSA (pub) Belinda’s RSA (priv) Belinda’s RSA (pub)
iMessage reception MitM lol... :) :-) <3 Dhillon What? Evil What? Belinda Evil owns Dhillon’s RSA private key. He can read his messages. Evil presented his ECDSA key instead of Belinda’s. He can forge messages. Belinda’s ECDSA (priv) Belinda’s ECDSA (pub) Dhillon’s RSA (priv) Dhillon’s RSA (pub) Evil’s ECDSA (priv) Evil’s ECDSA (pub)
DEMO #2 Intercepting iMessages OTA
III.3. TWO-SIDED MITM Prerequisites, theory
Principle & limitations • Idea: proxify all victims contact requests to Apple’s ESS server in order to exchange every public key found with a new one. « Evil’s » in the figure to come • Victims’ PUSH communications are also proxyfied and are utilized to eavesdrop iMessages in real time, and possibly modify them • The two-sided implementation is unpractical in terms of network control requirements and the PUSH device private keys of the victims are needed
Requirements • • • (Great network / DNS control) * N victims (Verified PUSH and ESS certificates) * N victims (Victim’s PUSH Device private key) * N victims
iMessage emission MitM fun... :) Hey my love! Hey! Dhillon ?! Evil Hey my love! Hey my love! Evil Belinda Evil presented his key to Dhillon instead of Belinda’s. Evil presented his key to Belinda instead of Dhillon’s. He can read and forge Dhillon’s messages without any of his private keys. Dhillon’s ECDSA (priv) Dhillon’s ECDSA (pub) Evil’s RSA (priv) Evil’s RSA (pub) Evil’s ECDSA (priv) Evil’s ECDSA (pub) Belinda’s RSA (priv) Belinda’s RSA (pub)
iMessage reception MitM lol... :) :-) <3 Dhillon <3 Evil <3 What? Evil Belinda Evil presented his key to Dhillon instead of Belinda’s. Evil presented his key to Belinda instead of Dhillon’s. He can read and forge Belinda’s messages without any of her private keys. Belinda’s ECDSA (priv) Belinda’s ECDSA (pub) Evil’s RSA (priv) Evil’s RSA (pub) Evil’s ECDSA (priv) Evil’s ECDSA (pub) Dhillon’s RSA (priv) Dhillon’s RSA (pub)
III.4. APPLE BYPASS Prerequisites, theory
Principle & limitations • Basically the same as previous one, except that real Apple’s servers are never used as a transport • Same limitations as the classical two-sided implementation: great network control is required, but absolutely no victims’ private keys are needed
Requirements • • • (Great network / DNS control) * N victims (Verified PUSH and ESS certificates) * N victims Any idea who have access to these requirements? • Multiple possible answers would work ;-)
iMessage emission MitM fun... :) Hey my love! Hey! Dhillon ?! Evil Belinda Evil presented his key to Dhillon instead of Belinda’s. Evil presented his key to Belinda instead of Dhillon’s. He can read and forge Dhillon’s messages without any of his private keys. Dhillon’s ECDSA (priv) Dhillon’s ECDSA (pub) Evil’s RSA (priv) Evil’s RSA (pub) Evil’s ECDSA (priv) Evil’s ECDSA (pub) Belinda’s RSA (priv) Belinda’s RSA (pub)
iMessage reception MitM lol... :) :-) <3 Dhillon What? Evil Belinda Evil presented his key to Dhillon instead of Belinda’s. Evil presented his key to Belinda instead of Dhillon’s. He can read and forge Belinda’s messages without any of her private keys. Belinda’s ECDSA (priv) Belinda’s ECDSA (pub) Evil’s RSA (priv) Evil’s RSA (pub) Evil’s ECDSA (priv) Evil’s ECDSA (pub) Dhillon’s RSA (priv) Dhillon’s RSA (pub)
III.5. BEING APPLE Any requirements?
Requirements? • Apple has full control over the ESS public key directory, no need to hijack anything • Swapping keys is transparent for the user, they are never shown anywhere in Messages.app / MobileSMS
IV. COUNTERMEASURES Let me alone!
Why is it technically possible? • Public keys are only cached in the client app memory, and have a life time of only 30 minutes approximately • A new iPhone added to an AppleID has to be able to receive iMessages quick • The lack of certificate pinning adds agencies with strong network capabilities and root CA control to the list of possible spies • The average user cannot see which public keys are being used by the client app
Simple solution #1 :-)
Presenting iMITMProtect - 1 • • • • OS X Version ready • Simple installer iOS Version on the way • Will come as a Cydia package Open-source http://www.github.com/quarkslab/iMITMProtect
Presenting iMITMProtect - 2 • • Hooks imagent service • If public keys (RSA / ECDSA) change for a particular token (which should be impossible), a notification is thrown, and the recorded keys are served instead to the client app • User can list the key database and export them Contact requests to Apple’s ESS servers are recorded to a per-user (OS X) database
MitM detection
Public key database
Features we are working on • Full database administration: import / add keys, remove specific keys • Compare rows with a public key directory (where sensible informations would be hashed) • P2P GPG encryption, with a cleaner PKI
V. CONCLUSION Final thoughts
Now, what do you think? « Apple has always placed a priority on protecting our customers’ personal data, and we don’t collect or maintain a mountain of personal details about our customers in the first place. There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it. For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form. » Source: https://www.apple.com/apples-commitment-to-customer-privacy/
What is a secure protocol? • • Using strong cryptographic principles • • Fully documented • With a transparent, and administrable PKI Implemented in a binary on which absolutely no obfuscation was applied Frequently analyzed by security researchers and crypto-analysts
Shall we continue to use iM? • MITM attacks on iMessage are unpractical to the average hacker, and the privacy of iMessage is good enough for the average user • If the informations being exchanged are sensitive to the point that you don’t want any government agencies to look into them, don’t • If you are working on Apple 0days, you may also want to avoid this communication channel :-) • Apple, make a more transparent PKI and document the protocol, and it could be considered the most practical and secure real-time messaging system available
Questions ? contact@quarkslab.com I @quarkslab.com

Recommandé

Starting Over with Sub-Techniques
Starting Over with Sub-TechniquesStarting Over with Sub-Techniques
Starting Over with Sub-TechniquesMITRE - ATT&CKcon
 
iCloud keychain
iCloud keychainiCloud keychain
iCloud keychainAlexey Troshichev
 
Petit potam slides-rtfm-ossir
Petit potam slides-rtfm-ossirPetit potam slides-rtfm-ossir
Petit potam slides-rtfm-ossirLionelTopotam
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keysSUSE Labs Taipei
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE - ATT&CKcon
 
Ready player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSReady player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSCody Thomas
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterMITRE ATT&CK
 

Recommandé

Starting Over with Sub-Techniques
Starting Over with Sub-TechniquesStarting Over with Sub-Techniques
Starting Over with Sub-TechniquesMITRE - ATT&CKcon
 
iCloud keychain
iCloud keychainiCloud keychain
iCloud keychainAlexey Troshichev
 
Petit potam slides-rtfm-ossir
Petit potam slides-rtfm-ossirPetit potam slides-rtfm-ossir
Petit potam slides-rtfm-ossirLionelTopotam
 
Looking into trusted and encrypted keys
Looking into trusted and encrypted keysLooking into trusted and encrypted keys
Looking into trusted and encrypted keysSUSE Labs Taipei
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE - ATT&CKcon
 
Ready player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSReady player 2 Multiplayer Red Teaming Against macOS
Ready player 2 Multiplayer Red Teaming Against macOSCody Thomas
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterMITRE ATT&CK
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developersMITRE ATT&CK
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
Enumeration and system hacking
Enumeration and system hackingEnumeration and system hacking
Enumeration and system hackingbegmohsin
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting JenkinsBrian Hysell
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationFIDO Alliance
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Rishabh Upadhyay
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfReZa AdineH
 
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...Seungjoo Kim
 
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...Edureka!
 
Introduction to Modern Identity with Auth0's Developer
Introduction to Modern Identity with Auth0's Developer Introduction to Modern Identity with Auth0's Developer
Introduction to Modern Identity with Auth0's DeveloperProduct School
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security KeysFIDO Alliance
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architecturesinovia
 
OSINT for Proactive Defense - RootConf 2019
OSINT for Proactive Defense - RootConf 2019OSINT for Proactive Defense - RootConf 2019
OSINT for Proactive Defense - RootConf 2019RedHunt Labs
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Authshield integration with mails
Authshield integration with mailsAuthshield integration with mails
Authshield integration with mailsAuthShield Labs
 

Contenu connexe

Tendances

Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developersMITRE ATT&CK
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
Enumeration and system hacking
Enumeration and system hackingEnumeration and system hacking
Enumeration and system hackingbegmohsin
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopPaul Ionescu
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting JenkinsBrian Hysell
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationFIDO Alliance
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Svetlin Nakov
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Rishabh Upadhyay
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMBGA Cyber Security
 
MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfReZa AdineH
 
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...Seungjoo Kim
 
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...Edureka!
 
Introduction to Modern Identity with Auth0's Developer
Introduction to Modern Identity with Auth0's Developer Introduction to Modern Identity with Auth0's Developer
Introduction to Modern Identity with Auth0's DeveloperProduct School
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security KeysFIDO Alliance
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architecturesinovia
 
OSINT for Proactive Defense - RootConf 2019
OSINT for Proactive Defense - RootConf 2019OSINT for Proactive Defense - RootConf 2019
OSINT for Proactive Defense - RootConf 2019RedHunt Labs
 

Tendances (20)

Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
Enumeration and system hacking
Enumeration and system hackingEnumeration and system hacking
Enumeration and system hacking
 
Secure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa WorkshopSecure Coding 101 - OWASP University of Ottawa Workshop
Secure Coding 101 - OWASP University of Ottawa Workshop
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting Jenkins
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
 
Securing a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web AuthenticationSecuring a Web App with Passwordless Web Authentication
Securing a Web App with Passwordless Web Authentication
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
 
Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report Vulnerability Assessment and Penetration Testing Report
Vulnerability Assessment and Penetration Testing Report
 
Next Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAMNext Generation War: EDR vs RED TEAM
Next Generation War: EDR vs RED TEAM
 
MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdf
 
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
IoT Device Hacking and New Direction of IoT Security Evaluation Using Common ...
 
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
Learn Ethical Hacking With Kali Linux | Ethical Hacking Tutorial | Kali Linux...
 
Introduction to Modern Identity with Auth0's Developer
Introduction to Modern Identity with Auth0's Developer Introduction to Modern Identity with Auth0's Developer
Introduction to Modern Identity with Auth0's Developer
 
WebAuthn and Security Keys
WebAuthn and Security KeysWebAuthn and Security Keys
WebAuthn and Security Keys
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
 
OSINT for Proactive Defense - RootConf 2019
OSINT for Proactive Defense - RootConf 2019OSINT for Proactive Defense - RootConf 2019
OSINT for Proactive Defense - RootConf 2019
 

Similaire à iMessage Privacy at HITB KL 2013

iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Authshield integration with mails
Authshield integration with mailsAuthshield integration with mails
Authshield integration with mailsAuthShield Labs
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Chapter 2 System Security.pptx
Chapter 2 System Security.pptxChapter 2 System Security.pptx
Chapter 2 System Security.pptxRushikeshChikane2
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identityWAFAA AL SALMAN
 
Implementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersImplementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersRishabh Gupta
 
Usb based secure e mail
Usb based secure e mailUsb based secure e mail
Usb based secure e mailcsandit
 
USB BASED SECURE E-MAIL
USB BASED SECURE E-MAIL USB BASED SECURE E-MAIL
USB BASED SECURE E-MAIL cscpconf
 
Usb based secure e mail
Usb based secure e mailUsb based secure e mail
Usb based secure e mailcsandit
 
Passwords today passcodes tomorrow: Webinar December 2nd, 2015
Passwords today passcodes tomorrow: Webinar December 2nd, 2015Passwords today passcodes tomorrow: Webinar December 2nd, 2015
Passwords today passcodes tomorrow: Webinar December 2nd, 2015Xura
 
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016Advanced monitoring
 
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCloudIDSummit
 
Information Security Lesson 6 - Web Security - Eric Vanderburg
Information Security Lesson 6 - Web Security - Eric VanderburgInformation Security Lesson 6 - Web Security - Eric Vanderburg
Information Security Lesson 6 - Web Security - Eric VanderburgEric Vanderburg
 
Cloud Apps Part II: Improving Insurance Agency Communications
Cloud Apps Part II: Improving Insurance Agency CommunicationsCloud Apps Part II: Improving Insurance Agency Communications
Cloud Apps Part II: Improving Insurance Agency CommunicationsStrategic Insurance Software
 
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7Rapid7
 
Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT SecurityOliver Pfaff
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systemsBirju Tank
 
RISE OF THE MACHINES: IRM IN AN IOT WORLD
RISE OF THE MACHINES: IRM IN AN IOT WORLDRISE OF THE MACHINES: IRM IN AN IOT WORLD
RISE OF THE MACHINES: IRM IN AN IOT WORLDForgeRock
 

Similaire à iMessage Privacy at HITB KL 2013 (20)

iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Authshield integration with mails
Authshield integration with mailsAuthshield integration with mails
Authshield integration with mails
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Chapter 2 System Security.pptx
Chapter 2 System Security.pptxChapter 2 System Security.pptx
Chapter 2 System Security.pptx
 
Kerberos-PKI-Federated identity
Kerberos-PKI-Federated identityKerberos-PKI-Federated identity
Kerberos-PKI-Federated identity
 
Implementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersImplementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommuters
 
Usb based secure e mail
Usb based secure e mailUsb based secure e mail
Usb based secure e mail
 
USB BASED SECURE E-MAIL
USB BASED SECURE E-MAIL USB BASED SECURE E-MAIL
USB BASED SECURE E-MAIL
 
Usb based secure e mail
Usb based secure e mailUsb based secure e mail
Usb based secure e mail
 
Passwords today passcodes tomorrow: Webinar December 2nd, 2015
Passwords today passcodes tomorrow: Webinar December 2nd, 2015Passwords today passcodes tomorrow: Webinar December 2nd, 2015
Passwords today passcodes tomorrow: Webinar December 2nd, 2015
 
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
Юрий Чемёркин (Yury Chemerkin) Owasp russia 2016
 
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the Enterprise
 
Information Security Lesson 6 - Web Security - Eric Vanderburg
Information Security Lesson 6 - Web Security - Eric VanderburgInformation Security Lesson 6 - Web Security - Eric Vanderburg
Information Security Lesson 6 - Web Security - Eric Vanderburg
 
Cloud Apps Part II: Improving Insurance Agency Communications
Cloud Apps Part II: Improving Insurance Agency CommunicationsCloud Apps Part II: Improving Insurance Agency Communications
Cloud Apps Part II: Improving Insurance Agency Communications
 
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
 
Trends in IIoT and OT Security
Trends in IIoT and OT SecurityTrends in IIoT and OT Security
Trends in IIoT and OT Security
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Android vs iOS encryption systems
Android vs iOS encryption systemsAndroid vs iOS encryption systems
Android vs iOS encryption systems
 
RISE OF THE MACHINES: IRM IN AN IOT WORLD
RISE OF THE MACHINES: IRM IN AN IOT WORLDRISE OF THE MACHINES: IRM IN AN IOT WORLD
RISE OF THE MACHINES: IRM IN AN IOT WORLD
 

Dernier

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 

Dernier (20)

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 

iMessage Privacy at HITB KL 2013

  • 1. Quarkslab on iMessage Privacy HITB, Kuala Lumpur, oct. 2013 @pod2g (pod2g@quarkslab.com) gg (gg@quarkslab.com)
  • 2. Presentations • Quarkslab is a research company specialized in cutting edge solutions to complex security problems. We provide innovative, efficient and practical solutions based on profound knowledge and years of experience in the field. • gg: security researcher, cryptography R.E. specialist. Joined Quarkslab in 2012 • @pod2g: security researcher, long background in Apple product security. Joined Quarkslab in 2013
  • 3. Plan I. The current political and media context II. The iMessage protocol III. MITM attacks IV. Countermeasures V. Final thoughts
  • 4. I. THE CONTEXT NSA, PRISM, Apple
  • 5. NSA’s PRISM (US-984XN) • • • • • • American supervision program Mass surveillance data mining Based on alliances with american firms Can collect texts, emails, photos, etc. Foreigners are also potential targets Program was leaked by Edward Snowden
  • 6. Is Apple included? • • • Washington Post have leaked PRISM presentation slides that are said to be coming from the NSA Looking at them, Apple joined in oct 2012 Slides talk of « data collection », which sounds like a transparent process
  • 7. Apple publicly says: « Two weeks ago, when technology companies were accused of indiscriminately sharing customer data with government agencies, Apple issued a clear response: We first heard of the government’s “Prism” program when news organizations asked us about it on June 6. We do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order. » Source: https://www.apple.com/apples-commitment-to-customer-privacy/
  • 8. What about iMessages? « Apple has always placed a priority on protecting our customers’ personal data, and we don’t collect or maintain a mountain of personal details about our customers in the first place. There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it. For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. » Source: https://www.apple.com/apples-commitment-to-customer-privacy/
  • 9. Media facts :-) • Edward Snowden is said to have used iMessages to hide from the NSA :-) • DEA Thinks iMessage Encryption is Too Tough (DEA leaked document, CNET)
  • 10. Real facts • PUSH client (SSL server authenticates clients) certificate is 1024 bit • • • iMessage encryption key is 1280 bit • No certificate pinning for both PUSH and iMessage servers (while Apple does it for SecureBoot and Developer certificates...) iMessage ECDSA signing key is 256 bit Keys are generated with the opensource Security framework
  • 11. iMessage authentication • Heavily obfuscated. State-of-the-art white box cryptography • • Challenge-response kind • AppleID password thrown in plaintext (not hashed) over SSL Prevents from creating a 3rd party iMessage client on another platform
  • 12. Blackboards are not dead! @saurik reversing imagent’s white-box cryptography
  • 13. First weaknesses • Due to the lack of certificate pinning, adding a fake CA to the user keychain or obtaining a rogue (but verified) certificate for the domain leads to: • • • • the leakage of the AppleID password the accessibility to more sensitive Apple services the possibility of impersonating Apple PUSH and iMessage servers (we’ll see it later on) This can be done by the entity you think of, but also your company MDM administrator or hacker « friend » using a simple Mobile Configuration file
  • 14. What is an AppleID? A really personal and sensitive information
  • 15. Isn’t it dodgy? • The « Verified » state only depends on if the device has been plugged one time to a machine running iPhone Configuration Utility which silently adds a signing certificate to the device • MDM administrators can do this transparently to enrolled devices
  • 17. II.1. THE BIG PICTURE Protocols and servers involved
  • 18. Two channels • iMessages are transmitted over the PUSH protocol (TLS, server port 5223) ‣ domain: rand(0,255)-courier.push.apple.com ‣ client certificate is authenticated • The rest of the protocol (authentication, administration, key and contact queries) runs over HTTPS to other servers ‣ domain: *.ess.apple.com
  • 19. Apple PUSH servers ?-courier.push.apple.com TLS 5223 521 bit ECDH-RSA server certificate CN=courier.push.apple.com 1024 bit RSA device certificate CN=< Push GUID > Transport: - push notifications - game center - iMessage - FaceTime ... Apple ESS servers (*.ess.apple) HTTPS 443 iMessage: - authentication - administration - key repository Client: MobileSMS / Messages.app + daemons (apsd, imagent, ...) 2048 bit RSA server certificate CN=*.ess.apple.com
  • 20. Domains involved HTTP Query for PUSH servers and configuration [17:54:36] 192.168.1.5: proxying the response of type 'A' for init-p01st.push.apple.com [17:54:36] 192.168.1.5: proxying the response of type 'A' for apple.com [17:54:36] 192.168.1.5: proxying the response of type 'A' for p04-bookmarks.icloud.com PUSH socket [17:54:36] 192.168.1.5: proxying the response of type 'A' for p04-contacts.icloud.com establishement [17:54:36] 192.168.1.5: proxying the response of type 'A' for p04-caldav.icloud.com [17:54:36] 192.168.1.5: proxying the response of type 'A' for p04-ubiquity.icloud.com [17:54:36] 192.168.1.5: proxying the response of type 'A' for 25-courier.push.apple.com [17:54:37] 192.168.1.5: proxying the response of type 'A' for gs-loc.apple.com [17:54:40] 192.168.1.5: proxying the response of type 'A' for p04-fmip.icloud.com [17:54:44] 192.168.1.5: proxying the response of type 'A' for p04-keyvalueservice.icloud.com [17:54:44] 192.168.1.5: proxying the iMessage of type 'A' for keyvalueservice.icloud.com response authentication [17:54:53] 192.168.1.5: proxying the response of type 'A' for mesu.apple.com iMessage contact query [17:55:13] 192.168.1.5: proxying the response of type 'A' for ocsp.apple.com [17:55:13] 192.168.1.5: proxying the response of type 'A' for service.ess.apple.com [17:55:15] 192.168.1.5: proxying the response of type 'A' for static.ess.apple.com [17:55:16] 192.168.1.5: proxying the response of type 'A' for service2.ess.apple.com [17:55:34] 192.168.1.5: proxying the response of type 'A' for service1.ess.apple.com
  • 21. II.2. THE PUSH LAYER History, details, and man-in-the-middle
  • 22. Introduction • • • Apple Push Notification Service (APNS) • • Available as an API Service created by Apple Inc. in 2009 Enhance the user experience with notifications like sounds, text alerts, etc. Better than PULL for battery life
  • 23. How it works • • Based on push technology Maintain an open IP connection to forward notifications from the servers of third party applications to Apple devices
  • 24. PUSH Client • • • • • Device communicates with the PUSH server Distant port : 5223 (TCP) Traffic encrypted with TLS Requires a Push-Token Requires a Push-Certificate
  • 25. PUSH device certificate • • • • Generated on device APN activation Certificate request sent to albert.apple.com Signed by Apple Iphone Device CA Used to establish PUSH TLS communication
  • 27. Push-Token • • • • 256-bit binary string Opaque, server-side generated Identifier to route notifications to devices Shared with providers
  • 29. MitM: PushProxy - 1 • • • • Catch PUSH communications Decode notifications in a readable form Provide APIs for handling and sending More info: https://github.com/meeee/pushproxy
  • 30. MitM: PushProxy - 2 How to: • • Generate a Root CA and add it to the keychain • Extract device TLS private key (a.k.a. device certificate) • Edit hosts file to redirect DNS queries to PushProxy (or use a rogue DNS server) Create and sign all the required certificates with it (APNS server, HTTPS bag server)
  • 31. Outgoing iMessage notification 0a         >> XX XX XX XX     >> 04 00 04 XX XX XX XX  >> 01 00 14 XX .. .. XX   >> 02 00 20 XX .. .. XX   >> 03 XX XX ... >> Message Type Next Length Identifier (4 bytes) Topic Hash (20 bytes) Push-Token (32 bytes) iMessage payload
  • 32. II.3. IMESSAGE IDs Tokens, keys, URIs, directory
  • 33. Definitions • AppleID: Apple identifier of a person (or a legal entity). Most people have a single AppleID that they use on multiple Apple devices and services • URI: recipient identifier, either a phone number or email address • Push-Token: token identifying an authenticated device • For OS X, a « device » is a user account set-up to receive iMessages
  • 34. Organization - 1 • An Apple account (AppleID) can be linked to multiple URIs • • Email URIs have to be verified • • • The same URI can’t be attached to multiple AppleIDs A phone URI can only be added with an iPhone and the corresponding legit SIM card A URI can be linked to multiple devices (Push-Tokens) On each device the user can decide which URI to handle
  • 35. Organization - 2 AppleID (pod2g@dummybox.com) URI #1 tel:+33698765432 URI #2 mail:pod2g@dummybox.com iPhone 5S Push-Token: x iMac, user pod2g Push-Token: y
  • 36. URI & iMessage • Sender inputs the recipient’s URI to start the communication • All iMessages are encrypted and signed using asymmetric cryptography • • Thus, there has to be a key directory iMessage client retrieves recipient’s public keys by querying Apple’s ESS server
  • 37. An example of contact query Here is what is sent: GET /WebObjects/QueryService.woa/wa/query?uri=tel:+33123456789 Host: service1.ess.apple.com Content-Type: application/x-apple-plist x-id-cert: [Provision Certificate] x-id-nonce: [Random Nonce with Timestamp] x-id-sig: [Query Signed with Provision Cert.]
  • 38. Response Here is what we get, for each associated device: ( XML plist converted to JSON for clarity) { 'push-token': [PushToken] ‘client-data’: { 'show-peer-errors': True, 'public-message-identity-version': 1.0, 'public-message-identity-key': [Public Keys Buffer] } }
  • 39. Response analysis • The public keys buffer contains: An ECDSA public key (256-bit): to verify messages issued by the remote device • • • • A RSA public key (1280-bit): to encrypt messages for the remote device Push-Token will help to route messages We can now send and encrypt messages to a given URI (and all devices associated with)!
  • 40. II.4. THE IM PAYLOAD Description, goodies
  • 41. An iMessage is a bplist • The iMessage payload as seen earlier in the PUSH Protocol section is a binary plist • Binary plist (a.k.a. bplist) is an Apple standard property list file • • A bplist stores serialized objects • Serializes an NSDictionary as the root object Objects can be of type NSString, NSNumber, NSDate, NSData, NSArray and NSDictionary
  • 42. iMessage bplist - 1 D: True E: ‘pair’ P: <variable length binary data> (iMessage payload, deflate compressed) U: <128bit binary data> (iMessage UID) c: 100 i: <32bit integer> (messageId, same as in PUSH header)
  • 43. iMessage bplist - 2 sP: mailto:pod2g@dummybox.com (emitter URI) t: <256bit binary data> (emitter Push-Token) tP: mailto:dhillon@dummybox.com (recipient URI) ua: [Mac OS X,10.8.5,12F37,MacBookPro10,2] (emitter os and hardware version) v: 1
  • 44. iMessage payload, inflated byte 0x02 short ciphertext length data ciphertext byte signature length data signature version? RSA / AES-CTR data - ciphered with the RSA public key of the recipient ECDSA signature of <ciphertext> - computed with the ECDSA private key of the emitter Why did they decided to deflate ciphered data?
  • 45. iMessage ciphertext RSA ciphertext (1280bit) AES session key (128bit) AES-CTR ciphertext iMessage inner-bplist, deflate compressed AES-CTR ciphertext (remaining bytes)
  • 46. iMessage inner-bplist (inflated) p: array of URIs in the discussion group t: iMessage text (for iOS) v: version (1) x: iMessage html (attachments, and style - for OS X)
  • 47. iMessage attachments • • Attachments are encrypted using AES • URL of the attachment and the required AES key to decipher it are included in the special tag <FILE> added to the HTML message body • They are uploaded to the iCloud storage, in a dedicated space <FILE name="<name>" width="<width>" height="<height>" datasize="<size>" mime-type="<mime type>" uti-type="<uti type>" mmcs-owner="<identifier>" mmcs-url="<URL>" mmcssignature-hex="<signature>" file-size="<size>" decryptionkey="<key>">
  • 48. Spoofing URIs • • The existence of URIs in the discussion group are not fully verified: • • • The real recipient URI has to be in the list Other URIs are not checked Phone number URIs can be text The result is a spoofing kind of vulnerability
  • 49. DEMO #1 Conference chat with a surprise guest :)
  • 50. III. MITM ATTACKS iMessage interception and forgery
  • 53. Requirements - DNS • To achieve a man-in-the-middle attack, the DNS requests of the victims have at least to pass through a machine / network you control • The point is to rogue responses for domains service1.ess.apple.com and *.push.apple.com • Next slide shows possible network tricks to have a chance to forge DNS responses
  • 54. Some network tricks • Use ARP poisoning to route all ethernet packets of the victim to your box • Have access to physical cables, to the gateway, or any network component in the route to the DNS server • Create a rogue (open) wifi network or 3G network with the same name and emit stronger • Announce Apple’s routes with BGP, and reroute the traffic to your own equipments (unlikely) • Hack the DNS servers using DNS cache poisoning and other DNS related vulnerabilities (unlikely)
  • 55. Requirements - software • PushProxy with Quarkslab’s imessage-mitm.py handler to intercept iMessages • Quarkslab’s ess-mitm.py to intercept and modify Apple ESS responses • A DNS proxy software. We used dnschef in our tests: http://thesprawl.org/projects/dnschef/ • Python 2.7
  • 56. Requirements - SSL • Rogue servers, either PUSH or ESS, have to serve valid SSL certificates from the point of view of the victim(s) • Either add these certificates or their root CA to the victim’s KeyChain • • Find a flow in Apple certificate verification (unlikely?) • Have a trusted root sign your rogue certs (NSA?) Have the user install a configuration profile (or be a MDM administrator in the company and push it)
  • 59. Principle & limitations • Idea: proxify victim’s contact requests to Apple’s ESS server in order to exchange every public key found with a new one. « Evil’s » in the figure to come • The victim’s PUSH communication is also proxyfied and is utilized to eavesdrop iMessages in real time, and possibly modify them • The biggest limitation to this approach is that the victim’s private keys (PUSH device, iMessage RSA, iMessage ECDSA) are needed
  • 60. Requirements • • • • Network / DNS control Verified PUSH and ESS certificates Victim’s PUSH Device private key Victim’s iMessage RSA & ECDSA private keys
  • 61. iMessage emission MitM fun... :) Hey my love! Hey! Dhillon ?! Hey my love! Belinda Evil Evil presented his key to Dhillon instead of Belinda’s. He owns Dhillon’s ECDSA. He can read and forge Dhillon’s messages. Dhillon’s ECDSA (priv) Dhillon’s ECDSA (pub) Evil’s RSA (priv) Evil’s RSA (pub) Belinda’s RSA (priv) Belinda’s RSA (pub)
  • 62. iMessage reception MitM lol... :) :-) <3 Dhillon What? Evil What? Belinda Evil owns Dhillon’s RSA private key. He can read his messages. Evil presented his ECDSA key instead of Belinda’s. He can forge messages. Belinda’s ECDSA (priv) Belinda’s ECDSA (pub) Dhillon’s RSA (priv) Dhillon’s RSA (pub) Evil’s ECDSA (priv) Evil’s ECDSA (pub)
  • 65. Principle & limitations • Idea: proxify all victims contact requests to Apple’s ESS server in order to exchange every public key found with a new one. « Evil’s » in the figure to come • Victims’ PUSH communications are also proxyfied and are utilized to eavesdrop iMessages in real time, and possibly modify them • The two-sided implementation is unpractical in terms of network control requirements and the PUSH device private keys of the victims are needed
  • 66. Requirements • • • (Great network / DNS control) * N victims (Verified PUSH and ESS certificates) * N victims (Victim’s PUSH Device private key) * N victims
  • 67. iMessage emission MitM fun... :) Hey my love! Hey! Dhillon ?! Evil Hey my love! Hey my love! Evil Belinda Evil presented his key to Dhillon instead of Belinda’s. Evil presented his key to Belinda instead of Dhillon’s. He can read and forge Dhillon’s messages without any of his private keys. Dhillon’s ECDSA (priv) Dhillon’s ECDSA (pub) Evil’s RSA (priv) Evil’s RSA (pub) Evil’s ECDSA (priv) Evil’s ECDSA (pub) Belinda’s RSA (priv) Belinda’s RSA (pub)
  • 68. iMessage reception MitM lol... :) :-) <3 Dhillon <3 Evil <3 What? Evil Belinda Evil presented his key to Dhillon instead of Belinda’s. Evil presented his key to Belinda instead of Dhillon’s. He can read and forge Belinda’s messages without any of her private keys. Belinda’s ECDSA (priv) Belinda’s ECDSA (pub) Evil’s RSA (priv) Evil’s RSA (pub) Evil’s ECDSA (priv) Evil’s ECDSA (pub) Dhillon’s RSA (priv) Dhillon’s RSA (pub)
  • 70. Principle & limitations • Basically the same as previous one, except that real Apple’s servers are never used as a transport • Same limitations as the classical two-sided implementation: great network control is required, but absolutely no victims’ private keys are needed
  • 71. Requirements • • • (Great network / DNS control) * N victims (Verified PUSH and ESS certificates) * N victims Any idea who have access to these requirements? • Multiple possible answers would work ;-)
  • 72. iMessage emission MitM fun... :) Hey my love! Hey! Dhillon ?! Evil Belinda Evil presented his key to Dhillon instead of Belinda’s. Evil presented his key to Belinda instead of Dhillon’s. He can read and forge Dhillon’s messages without any of his private keys. Dhillon’s ECDSA (priv) Dhillon’s ECDSA (pub) Evil’s RSA (priv) Evil’s RSA (pub) Evil’s ECDSA (priv) Evil’s ECDSA (pub) Belinda’s RSA (priv) Belinda’s RSA (pub)
  • 73. iMessage reception MitM lol... :) :-) <3 Dhillon What? Evil Belinda Evil presented his key to Dhillon instead of Belinda’s. Evil presented his key to Belinda instead of Dhillon’s. He can read and forge Belinda’s messages without any of her private keys. Belinda’s ECDSA (priv) Belinda’s ECDSA (pub) Evil’s RSA (priv) Evil’s RSA (pub) Evil’s ECDSA (priv) Evil’s ECDSA (pub) Dhillon’s RSA (priv) Dhillon’s RSA (pub)
  • 74. III.5. BEING APPLE Any requirements?
  • 75. Requirements? • Apple has full control over the ESS public key directory, no need to hijack anything • Swapping keys is transparent for the user, they are never shown anywhere in Messages.app / MobileSMS
  • 77. Why is it technically possible? • Public keys are only cached in the client app memory, and have a life time of only 30 minutes approximately • A new iPhone added to an AppleID has to be able to receive iMessages quick • The lack of certificate pinning adds agencies with strong network capabilities and root CA control to the list of possible spies • The average user cannot see which public keys are being used by the client app
  • 79. Presenting iMITMProtect - 1 • • • • OS X Version ready • Simple installer iOS Version on the way • Will come as a Cydia package Open-source http://www.github.com/quarkslab/iMITMProtect
  • 80. Presenting iMITMProtect - 2 • • Hooks imagent service • If public keys (RSA / ECDSA) change for a particular token (which should be impossible), a notification is thrown, and the recorded keys are served instead to the client app • User can list the key database and export them Contact requests to Apple’s ESS servers are recorded to a per-user (OS X) database
  • 83. Features we are working on • Full database administration: import / add keys, remove specific keys • Compare rows with a public key directory (where sensible informations would be hashed) • P2P GPG encryption, with a cleaner PKI
  • 85. Now, what do you think? « Apple has always placed a priority on protecting our customers’ personal data, and we don’t collect or maintain a mountain of personal details about our customers in the first place. There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it. For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them. Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form. » Source: https://www.apple.com/apples-commitment-to-customer-privacy/
  • 86. What is a secure protocol? • • Using strong cryptographic principles • • Fully documented • With a transparent, and administrable PKI Implemented in a binary on which absolutely no obfuscation was applied Frequently analyzed by security researchers and crypto-analysts
  • 87. Shall we continue to use iM? • MITM attacks on iMessage are unpractical to the average hacker, and the privacy of iMessage is good enough for the average user • If the informations being exchanged are sensitive to the point that you don’t want any government agencies to look into them, don’t • If you are working on Apple 0days, you may also want to avoid this communication channel :-) • Apple, make a more transparent PKI and document the protocol, and it could be considered the most practical and secure real-time messaging system available