Category Archives: Security

Poetry, Security

Encrypted iPhone easily accessed using Ubuntu 10.04

1 Comment

There is a story flying around, thanks to Engadget, that claims “Bernd Marienfeldt and fellow security guru Jim Herbeck” have “discovered” a security issue in the iPhone.

Do they really have to use “guru” as their title? It immediately gives me doubt about the sophistication of the story, but I digress…

They say the issue is that if you connect an iPhone, using the phone’s USB cable, to a computer running Ubuntu 10.04 the phone is mounted and accessible.

The phone can be locked, the phone can be encrypted, but the Linux system will still mount the phone and provide open access to its filesystem.

First, some would say this is clearly a security hole because Apple has “tested and confirmed” that it is one. They bank their argument on the word “confirmed”. Apple also has stated it has no fix and does not plan on having one. This latter statement is what I would like to call your attention to today.

Note that the ability to mount an iPhone in Linux and natively access its files has been a public project under development since 2007. The alpha code was released as iFuse in early 2009 and tested by many people. Towards the end of 2009 iFuse became libimobiledevice and it was so successful several major distributions have included it in their packages:

It is from this context that I find it a bit odd that “security gurus” have tried to claim “discovery” of this functionality and brand it a flaw. While the passcode has never prevented me from mounting the iPhone in Linux the libmobiledevice project says this has not been their experience.

27.05.2010: Some security sites report that even passcode enabled devices get auto-mounted. We could not reproduce this yet. However it might point at some bug during boot in the iPhone OS. Accessing a passcode enabled device the first time does not work in our tests as one would expect. Devices taking more time booting might be affected though, on any OS.

Maybe there is an intermittent issue here, but I am able to reproduce it on all my Linux systems. In fact this is the only way it has worked for me over many months.

I considered the iPhone insecure for this as well as many other reasons. That is why I believe the real issue here boils down to whether you consider the iPhone a secure device or not. Do you?

If you are in the camp that thinks the iPhone can be a secure device, then once again you are in for a surprise. It is not, and this is definitely not the first time this has been discussed openly. Anyone with a computer and a Linux CD has been able to access everything on your phone for over a year. Moreover, there has been a rash of attacks that target people who are actively using the iPhone. Thieves know that if they get the phone away from the owner when it is not locked they have easy access to the data; owners should know this too.

If you are in the camp that does not think the iPhone can be a secure device…you are right. In fact, you might even work for Apple and be one of the people who said “we have no fix and no plan to make a fix” to any number of the control points for data confidentiality.

In other words the absence of a plan to make a fix says to me that Apple does not see this as a serious flaw, let a lone a flaw at all. They perhaps just confirmed that Linux is able to read the filesystem properly in the same way that a thief who grabs the phone can use apps and access data.

Here is what anyone who plugs an iPhone into a Linux computer can see:

1) Plug the iPhone into the computer using the Apple USB cable that comes with the phone. You will see it appear as a mounted filesystem (Apple File System or AFS) on the desktop.

2) Then you will be prompted with two dialog boxes, one for music and one for photos:

3) You can choose to browse the filesystem from those dialog boxes, instead of opening applications to manage music and photos. Or you can cancel the dialog and just open the filesystem to browse from the desktop. Either way, full access to unencrypted data without needing to know the PIN. Surprised?

I downloaded and installed Ubuntu 10.04 the day it was released and the iPhone has always appeared this way to me. It did not seem to me that my data was any more exposed than I had already thought.

Perhaps I am giving the Apple team too much leeway when I say there is no new issue here and no fix needed, but I also do not think anyone should have seriously considered the iPhone to be a secure or safe device. It is highly unsafe at any speed. News?

Even in a physical security review I immediately found it designed to be incredibly fragile and prone to disaster. At least once a week I see a twitter from someone about an iPhone failure. Not news.

Perhaps for the same reason Apple put the infamous and unreliable sensitive water sensors in the iPhone that void your warranty when triggered, no one should operate one under the assumption that this device is designed to protect data without significant outside controls and enhancements.

Giant foam cases, screen covers, vacuum sealed bags…the list goes on and on for things to buy to protect the phone. None of it seems to be from Apple. Likewise we have known for years that proper encryption and authentication for the filesystem is something you will not be getting when you purchase an iPhone. I do not feel knowing this about Apple products can really be called enlightenment.

The syllable gu means shadows
The syllable ru, he who disperses them,
Because of the power to disperse darkness
the guru is thus named.

Advayataraka Upanishad 14-18, verse 5

Security

Super Surveillance Technology

Leave a comment

A problem with technology that collects ambient data is that it is basically spying on everything all the time. This creates two distinct issues.

1) The first very obvious problem is with privacy. I say this is obvious even though Google just claimed they made a “mistake” collecting all kinds of wireless data around the world with mobile sniffers.

Regulation through policies and procedures is usually proposed as the solution to this first problem. The fact that Google is being threatened with legal action by privacy officials in numerous countries is an example of how this control point can work. Technology also can help with authentication, authorization and live audit trails of who accessed what data and when.

2) The second problem is that too much data will overwhelm analysts, and analysts are expensive. Collecting too much data is not only bad for PR and legal conformance, it also makes a surveillance system impossible to keep up with and make useful. Who has the time or resources to keep up with massive amounts of information and find anomalies quickly? Automation technology is typically proposed as the solution to this problem, but it can also be expensive.

Que the military. They can justify the cost of solving the second problem. The military operates in environments where they collect massive amounts of data unfamiliar to most analysts (training becomes more specialized so costs are far higher) and time to respond is more of the essence. It also helps them that the first problem quickly erodes when dealing with data in a hostile environment.

Take this example provided by BBC News

One technology that BAE Systems trialled, known as a “hyperspectral camera”, is able to analyse colour – to distinguish a camouflaged vehicle from the vegetation it is concealed within.

Gary Bishop from BAE’s Advanced Technology Centre in Bristol told BBC News: “You see things with your eyes in three wavelenths, the hyperspectral camera gives you information in 10.”

The system measures each wavelength of light being reflected by an object – it can see the specific type of green that is produced by chlorophyll in plants, and distinguish that from the green of paint or dye.

Everything in the article centers around systems that create data mining efficiencies.

The military needs to quickly detect unusual patterns within otherwise normal data. This, as mentioned above, is good not only for automation but it also has the secondary effect of helping to protect privacy in civilian surveillance systems.

Automation means humans can be removed from the role of sifting through private and protected information to find a suspicious data point. The surveillance system could be setup to keep everything under wraps and only expose information required to review and confirm. Access only to suspicious event data is far less controversial than access to all data. The more limited access also can be logged and audited later. That means in the end you get access to more data but less privacy risk…assuming you trust and verify the system is operating properly.

This still begs the question of whether it is ethical to collect data in the first place, as in the case with Google. What were they thinking?

“If the company is fighting this so hard, it suggests there is more to this than meets the eye,” said Mr. Davies, of Privacy International. “The real question is: What was Google collecting from unwitting individuals and why? So far, nobody really knows.”

Perhaps at this point they should try to mount a “we were trying to find terrorists” defense…certainly sounds better than “programming error” that ran around the world and for an extended time gathering a massive amount of data.

I have to wonder for a company that has a very public emphasis on hiring the best and brightest whether they really expect anyone to believe that surveillance was not intentional. Most security professionals balk at the idea of capturing packets from random airspace — it’s known to be unethical if not illegal in most contexts. Why Google did not properly account for the risks of surveillance is hard to understand.

Security

Basic Fuzzing Framework (BFF)

Leave a comment

A virtual machine can now be downloaded from CERT that is setup to find vulnerabilities in applications using a method known as “dumb fuzzing”. It is based upon the zzuf application.

To begin fuzzing on your own, simply follow these steps:

1. Unzip scripts.zip to c:\fuzz
2. Unzip DebianFuzz.zip to a directory of your choice.
3. Open DebianFuzz.vmx with VMware.
4. Create a snapshot in VMware
5. Power on the VM

You may need to verify that the shared folder is enabled in the VM preferences. Other virtualization products may work with some additional configuration. See the README.txt file in scripts.zip for more details.

Download your very own BFF today and start fuzzing.

Application tests have been required in PCI under requirement six for some time, but nothing like this. I wonder if the availability and ease of fuzzing will be noted in this October’s update to the requirements.

Security

Roll your own cell network (OpenBTS)

Leave a comment

I wrote recently about Mobile Device Economics and Security. The OpenBTS project could increase the rapid growth trend of wireless even more dramatically:

OpenBTS is an open-source Unix application that uses the Universal Software Radio Peripheral (USRP) to present a GSM air interface (“Um”) to standard GSM handset and uses the Asterisk software PBX to connect calls. The combination of the ubiquitous GSM air interface with VoIP backhaul could form the basis of a new type of cellular network that could be deployed and operated at substantially lower cost than existing technologies in greenfields in the developing world.

Naturally a question of managed spectrum comes to mind. Yet another explanation of why regulation is good for commerce can be found in an OpenBTS implementation on an unregulated island that ran into trouble finding air space.