Jonathan Zdziarski: DFIR, security, reverse engineering, photography, theology, funky bass guitar. All opinions are my own.
Categories: Apple, Forensics, Security


HOW JUICE JACKING WORKS, AND WHY IT’S A THREAT

On June 3, 2013 by Jonathan Zdziarski

How ironic that only a week or two after writing an article about pair
locking, we would see this talk coming out of Black Hat 2013, demonstrating how
juice jacking can be used to install malicious software. The talk is getting a
lot of buzz in the media, but many security guys like myself are scratching
our heads wondering why this is being considered "new" news. Granted, I can only
make statements based on the abstract of the talk, but all signs point to this
being a rehash of the same kind of juice jacking talks we saw at DefCon two years
ago. Nevertheless, juice jacking is not only technically possible, but has been
performed in the wild for a few years now. I have my own juice jacking rig, which
I use for security research, and I have also retrofitted my iPad Mini with a
custom forensics toolkit capable of performing a number of similar attacks
against iOS devices. Juice jacking may not be anything new, but it is definitely
a serious consideration for potential high-profile targets, as well as for those
serious about data privacy.



Juice jacking, which has been around for a few years now, became much more
feasible once the community at large learned how to talk to the phone using well
documented code. Around 2009, a number of iOS developers wrote a library called
libimobiledevice in an attempt to allow Linux desktops to sync with the iPhone.
Version 1.0.0 was officially released in March 2010. This library essentially
speaks the same protocols that iTunes does to communicate with the phone. In a
nutshell, a service named lockdownd sits and listens on the iPhone on port 62078.
By connecting to this port and speaking the correct protocol, it's possible to
spawn a number of different services on an iPhone or iPad. Among these services
is the backup service, which can copy all of your personal information off the
device. There is also a software installation service, which is how iTunes
installs software on the phone. A number of other services can be invoked to do
anything from launching a packet sniffer on the phone to downloading personal
data through a number of other mechanisms. In fact, Apple even has a few services
that copy personal data from your phone with no encryption whatsoever. lockdownd
is the key to getting almost any kind of data off of, or putting data onto, an
iOS device. Since 2010, a number of developers and hackers have taken this code
and copied it into their own projects, or have learned from it in some way. A
number of commercial forensics companies have used it to lift evidence off of
iOS devices from within their products, and more wild hackers have taken to
writing hacking tools for everything from stealing naked photos to committing
felony identity theft.
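As an added example (not code from the post, and not libimobiledevice's own code), here is the framing that lockdownd speaks on port 62078 and the two requests the paragraph describes: identify the peer, then ask it to start the backup service. The phone's side is a constructed stand-in so the exchange runs offline; the port number it hands back, its error strings and the client label are assumptions, while the length-prefixed XML plist framing, the QueryType and StartService request names and the com.apple.mobile.lockdown type string are the real protocol's.

```python
import plistlib
import struct

# Added example (not the post's code): the wire framing lockdownd uses on
# TCP 62078, plus a constructed stand-in for the phone's side of the
# exchange so the two requests the post mentions can be run offline.

LOCKDOWN_PORT = 62078
LOCKDOWN_TYPE = "com.apple.mobile.lockdown"


def encode_message(msg: dict) -> bytes:
    """Frame one lockdown message: 4-byte big-endian length + XML plist."""
    body = plistlib.dumps(msg, fmt=plistlib.FMT_XML)
    return struct.pack(">I", len(body)) + body


def decode_messages(buf: bytes):
    """Split a byte stream into complete messages.

    Returns (messages, leftover); leftover is any trailing partial frame,
    which a real client keeps and prepends to the next recv().
    """
    msgs = []
    while len(buf) >= 4:
        (length,) = struct.unpack(">I", buf[:4])
        if len(buf) < 4 + length:
            break
        msgs.append(plistlib.loads(buf[4:4 + length]))
        buf = buf[4 + length:]
    return msgs, buf


def query_type_request(label: str = "example-client") -> dict:
    return {"Label": label, "Request": "QueryType"}


def start_service_request(service: str, label: str = "example-client") -> dict:
    return {"Label": label, "Request": "StartService", "Service": service}


def is_lockdown_reply(reply: dict) -> bool:
    """True if the peer identified itself as lockdownd."""
    return reply.get("Request") == "QueryType" and reply.get("Type") == LOCKDOWN_TYPE


class FakeLockdownd:
    """Constructed stand-in for the phone.  Assumption: replies are shaped
    like the real daemon's, but the port value and error strings are made up."""

    def __init__(self, paired: bool):
        self.paired = paired

    def handle(self, raw: bytes) -> bytes:
        (req,), _ = decode_messages(raw)
        if req["Request"] == "QueryType":
            return encode_message({"Request": "QueryType", "Type": LOCKDOWN_TYPE})
        if req["Request"] == "StartService":
            if not self.paired:
                return encode_message({"Request": "StartService", "Error": "NotPaired"})
            return encode_message({"Request": "StartService",
                                   "Service": req["Service"], "Port": 49152})
        return encode_message({"Request": req["Request"], "Error": "UnknownRequest"})


def run_exchange(phone: FakeLockdownd, service: str = "com.apple.mobilebackup2"):
    """Client side: confirm we are talking to lockdownd, then ask for a service.

    Returns the service port the phone handed back, or None if it refused.
    """
    (reply,), _ = decode_messages(phone.handle(encode_message(query_type_request())))
    if not is_lockdown_reply(reply):
        raise RuntimeError("peer on port 62078 is not lockdownd")
    (reply,), _ = decode_messages(phone.handle(encode_message(start_service_request(service))))
    return reply.get("Port")


if __name__ == "__main__":
    print("paired host   ->", run_exchange(FakeLockdownd(paired=True)))
    print("unpaired host ->", run_exchange(FakeLockdownd(paired=False)))
```

On a real host the same bytes travel through usbmuxd to the device's port 62078, and the real daemon expects the host to have started a session with the HostID from its pairing record before it will hand back a service port; the fake daemon's paired flag stands in for that step.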

Juice jacking was popularized in 2011 at DefCon when someone built a small USB
charging station, allowing people to grab a free charge. Because your iOS
device uses the same cable both to charge and to sync, all you really need in
order to attack an iPhone through these same interfaces is a computer of some
sort hooked up to the other end of the cable. Juice jacking, in its purest form,
is really just a social engineering hack; the victim assumes that there is no
computer on the other end of the power cable. As we all know, though, computers
come in many forms, and it's very easy to conceal a "computer" inside any
innocuous-looking "box": a charging adapter, a free charging station, or more
commonly the kind of alarm clock you'd find in a hotel room these days.

So how does juice jacking work? In order to talk to the phone and start all of
these services up to steal data (or to install malware), the phone has to
establish a pairing with whatever it’s connected to. The real flaw here is in
Apple’s design: the phone doesn’t ask the user whether or not they want to allow
or deny a device from pairing. It just pairs. Automatically. Every. Freaking.
Time. So within a few seconds of attaching anything to your phone, a new pairing
record is created and stored on the phone. What’s worse is this: the pairing
record stays on the phone for the life of the phone, until the user decides to
blow away their data by restoring it. So anything that’s ever paired with that
phone you’re carrying – with or without your knowledge – can access all of the
personal data on your phone, up until the last time you restored it. Feeling a
little sick yet?

The pairing record exchange is a very simple one: the host connects to the
phone and gets a copy of the phone's public key. It then randomly generates its
own public/private key pair, signs the phone's public key, and sends the signed
public key (now a certificate) and its own public key back to the phone, where
everything is stored on disk so that the phone can later verify the host when it
connects. (NOTE: This is a bit of a simplification; there are actually two
public/private key pairs on the host side, a root CA and a non-CA "host" key
whose certificate is signed by the root CA. However, it does not appear that the
"host" keys are used at all, only the root CA keys, suggesting Apple may at one
point have been considering using an Apple CA to sign all pairings.) This is the
same thing iTunes does: once connected, iTunes pairs your desktop machine with
the phone using this same technique. This is only done once, the first time you
connect the device to your desktop. The pairing record is written onto the phone
in /var/root/Library/Lockdown/pair_records and on your Mac in /var/db/lockdown.
This pairing record is essentially a "key" granting your desktop access to the
phone, even later on when it's locked. The phone also sends back a key escrow
record, which allows whatever it has just paired with to access encrypted data
while the device is locked. The pairing protocol is used by everything from
libimobiledevice to iTunes, and even by the commercial forensic tools sold to law
enforcement for what they call a "logical acquisition" of an iPhone: they first
create a pairing record to establish a trusted relationship with the device,
then use that record to start up one or more services on the phone that let the
product download personal information from it.

There are a few frightening things to know about how your iPhone or iPad
communicate:

1. Pairing must take place over USB, but only takes a matter of seconds to
perform. The device must either have no passcode, or be unlocked. NOTE: If you
have "Require Passcode" set to anything other than "Immediate", then it is also
possible to pair with the device after you lock it, until that grace period
expires.

2. Once any device has paired with your phone, that pairing record stays on your
device until you blow it away by restoring the phone.

3. While the actual pairing process itself must take place over USB, at any time
after that, the devices that paired with your phone can access everything on
that phone over either USB *or Wi-Fi*, regardless of whether or not you have
Wi-Fi syncing turned on. This means that a hacker only needs a couple of seconds
to pair with your device, and can then download all of your personal information
off the phone indefinitely, as long as they can reach it over a network.

3a. In addition to being able to download all kinds of data from your phone
wirelessly, a hacker can also take advantage of your phone's "known wireless
networks" to *force your phone* to join their network when you're within range,
so that they can attack the phone wirelessly. This is due to the iOS default
behavior of automatically joining networks whose name it has seen before, such
as "linksys" or "attwifi".

3b. In addition to being able to connect over Wi-Fi, any hacker (or government
agency) who can skirt around a cellular carrier's firewalls might be able to
connect to your phone over a cellular connection.

4. There are a number of techniques, which I am not at liberty to divulge, that
an attacker can use to download personal information from your device
regardless of whether or not you have backup encryption turned on, and
regardless of whether your phone is locked or unlocked, once a pairing record
has been established.

That tiny little pairing record is essentially a key to all of the data on your
device. That’s why many law enforcement agencies are now seizing desktop
machines on an arrest, so that they can grab a copy of this pairing record in
order to unlock your phone. If you don’t use full disk encryption, a pairing
record can most certainly be used from your desktop to download evidence from
your phone. In the event that a piece of malware is given a copy of a pairing
record, it can connect to the phone over usb or wifi and do a number of things
that you wouldn’t wish on anyone.
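Since the pairing record is the key, the check a practitioner wants is an inventory of which records exist and what each one carries. The following is an added example (not code from the post): it walks a lockdown directory like the /var/db/lockdown path named above, and for each record reports the HostID, SystemBUID, Wi-Fi MAC, whether an escrow bag and private keys are present, and a SHA-256 fingerprint of each embedded certificate. The key names (DeviceCertificate, HostCertificate, RootCertificate, HostPrivateKey, RootPrivateKey, HostID, SystemBUID, EscrowBag, WiFiMACAddress) are the real record's; the sample record it writes to a temporary directory is constructed, with placeholder PEM blobs and made-up identifiers, so nothing here is a real key.

```python
import base64
import hashlib
import os
import plistlib
import re
import tempfile

# Added example (not the post's code): enumerate the pairing records a host
# holds and report what each one grants.  On a Mac each record under
# /var/db/lockdown is named <device UDID>.plist.

CERT_KEYS = ("RootCertificate", "HostCertificate", "DeviceCertificate")
PRIVATE_KEY_KEYS = ("RootPrivateKey", "HostPrivateKey")
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprint(pem: bytes):
    """SHA-256 over the DER body of a PEM certificate (None if not PEM)."""
    m = PEM_CERT.search(pem)
    if not m:
        return None
    der = base64.b64decode(b"".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def summarize_record(path: str) -> dict:
    with open(path, "rb") as f:
        rec = plistlib.load(f)
    return {
        "file": os.path.basename(path),
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "wifi_mac": rec.get("WiFiMACAddress"),
        # the escrow bag is what lets the holder reach encrypted data while locked
        "has_escrow_bag": bool(rec.get("EscrowBag")),
        # with both private keys present, the file alone is enough to pair later
        "has_private_keys": all(k in rec for k in PRIVATE_KEY_KEYS),
        "certs": {k: cert_fingerprint(rec[k]) for k in CERT_KEYS if k in rec},
    }


def audit_lockdown_dir(directory: str) -> list:
    """One summary per pairing record.  SystemConfiguration.plist is skipped:
    it holds the host's own SystemBUID, not a pairing."""
    out = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist") and name != "SystemConfiguration.plist":
            out.append(summarize_record(os.path.join(directory, name)))
    return out


def fake_pem(tag: bytes) -> bytes:
    """Constructed placeholder: PEM framing around arbitrary bytes, not a real cert."""
    b64 = base64.b64encode(b"constructed-" + tag).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n").encode()


def sample_lockdown_dir() -> str:
    """Write a constructed /var/db/lockdown look-alike into a temp dir."""
    d = tempfile.mkdtemp(prefix="lockdown-")
    not_a_key = b"-----BEGIN RSA PRIVATE KEY-----\nconstructed-not-a-real-key\n-----END RSA PRIVATE KEY-----\n"
    rec = {
        "DeviceCertificate": fake_pem(b"device"),
        "HostCertificate": fake_pem(b"host"),
        "RootCertificate": fake_pem(b"root"),
        "HostPrivateKey": not_a_key,
        "RootPrivateKey": not_a_key,
        "HostID": "2C4B9D1E-0000-4000-8000-000000000001",      # made up
        "SystemBUID": "B2B2B2B2-0000-4000-8000-000000000002",  # made up
        "EscrowBag": b"\x00constructed-escrow-bag",
        "WiFiMACAddress": "00:11:22:33:44:55",                 # made up
    }
    with open(os.path.join(d, "0123456789abcdef0123456789abcdef01234567.plist"), "wb") as f:
        plistlib.dump(rec, f)
    with open(os.path.join(d, "SystemConfiguration.plist"), "wb") as f:
        plistlib.dump({"SystemBUID": rec["SystemBUID"]}, f)
    return d


if __name__ == "__main__":
    for r in audit_lockdown_dir(sample_lockdown_dir()):
        print(r)
```

Run `audit_lockdown_dir("/var/db/lockdown")` as root on a Mac to see which devices that host can reach; pointed at the phone's pair_records directory (on a jailbroken device, or a file-system image taken during an examination) the same function lists the hosts that hold a key to the phone, which is the list a victim actually cares about. The record fields it does not find are simply reported as missing, so it works on either side.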

Juice jacking is nothing new, and neither is Apple’s flagrant disregard for the
security of iOS devices. Sadly, pairing security is only one of many design
omissions Apple has made that leaves you, the end-user, vulnerable to everything
from malicious hackers to government surveillance. It’s something to take
seriously. That’s why I wrote pairlock, a free utility that users can install on
their jailbroken iOS device to lock and unlock the device’s pairing
capabilities. You can download it for free, or build it from the tiny bit of
source code I’ve included in the article.

All Content Copyright (c) 2000-2024 by Jonathan Zdziarski, All Rights Reserved