How ironic that only a week or two after writing an article about pair locking, we would see this talk coming out of Black Hat 2013, demonstrating how juice jacking can be used to install malicious software. The talk is getting a lot of buzz with the media, but many security guys like myself are scratching our heads wondering why this is being considered “new” news. Granted, I can only make statements based on the abstract of the talk, but all signs seem to point to this as a regurgitation of the same type of juice jacking talks we saw at DefCon two years ago. Nevertheless, juice jacking is not only technically possible, but has been performed in the wild for a few years now. I have my own juice jacking rig, which I use for security research, and I have also retrofitted my iPad Mini with a custom forensics toolkit, capable of performing a number of similar attacks against iOS devices. Juice jacking may not be anything new, but it is definitely a serious consideration for potential high profile targets, as well as for those serious about data privacy.
Juice jacking, which has been around for a few years now, became much more feasible once the community at large learned how to talk to the phone using well documented code. Around 2009, a number of iOS developers wrote a library called libimobiledevice (available here) in an attempt to allow Linux desktops to sync with the iPhone. Version 1.0.0 was officially released in March 2010. This library essentially speaks the same protocols that iTunes does to communicate with the phone. In a nutshell, a service named lockdownd sits and listens on the iPhone on port 62078. By connecting to this port and speaking the correct protocol, it’s possible to spawn a number of different services on an iPhone or iPad. Among these services is the backup service, which can copy off all of your personal information from the device. There is also a software installation service which is how iTunes installs software on the phone. A number of other services can be invoked to do anything from launch a packet sniffer on the phone to downloading personal data through a number of other mechanisms. In fact, Apple even has a few services that I can only describe as “back doors” to copy personal data from your phone with no encryption whatsoever. This service is the key to getting almost any kind of data off of, or putting data onto, an iOS device. Since 2010, a number of developers and hackers have taken this code and copied it off into their own projects, or have learned from it in some way. A number of commercial forensics companies have used it to lift evidence off of iOS devices from within their products, and more wild hackers have taken to writing hacking tools for stealing everything from naked photos, to committing felony identity theft.
Juice jacking was popularized in 2011 at DefCon when someone built a small usb charging station, allowing people to steal a free charge. Because your iOS device uses the same cable both to charge and to sync, all you really need to attack an iPhone using these same interfaces is for a computer of some sort to be hooked up to the other end of the cable. Juice Jacking – in its purest form – is really just a social engineering hack; the victim is assuming that there is no computer on the other end of the power cable. As we all know, though, computers come in many forms, and it’s very easy to conceal a “computer” inside any innocuous looking “box”, like a charging adapter, a free charging station, or more commonly in the kind of alarm clock you’d find in a hotel room these days.
So how does juice jacking work? In order to talk to the phone and start all of these services up to steal data (or to install malware), the phone has to establish a pairing with whatever it’s connected to. The real flaw here is in Apple’s design: the phone doesn’t ask the user whether or not they want to allow or deny a device from pairing. It just pairs. Automatically. Every. Freaking. Time. So within a few seconds of attaching anything to your phone, a new pairing record is created and stored on the phone. What’s worse is this: the pairing record stays on the phone for the life of the phone, until the user decides to blow away their data by restoring it. So anything that’s ever paired with that phone you’re carrying – with or without your knowledge – can access all of the personal data on your phone, up until the last time you restored it. Feeling a little sick yet?
The pairing record exchange is a very simple one: the device connects to the phone and gets a copy of the phone’s public key. It then randomly generates its own public/private key pair, signs the device’s public key, and sends the signed public key and its own public key back to the phone, where everything is stored on disk so that it can later verify a device when it connects. (NOTE: This is a bit of a simplification; there are actually two public/private key pairs, one root CA and one host non-CA that is signed by the CA root cert, however, it does not appear that the “host” keys are used at all, only the root CA keys, suggesting Apple may have at one point been considering using an Apple CA to sign all pairings). This is the same thing iTunes does. Once connected, iTunes pairs your desktop machine with the phone using this same technique. This is only done once – the first time you connect the device to your desktop. The pairing record is written onto the phone into /var/root/Library/Lockdown/pair_records and on your Mac in /var/db/lockdown. This pairing record is essentially a “key”, granting your desktop access to the phone, even later on when it’s locked. The phone also sends back a key escrow record, which allows whatever it’s just paired with to access encrypted data whenever the device is locked. The pairing protocol is used by everything from libimobiledevice to iTunes, and even by commercial forensic tools for law enforcement that claim to perform a “logical acquisition” of an iPhone; they first create a pairing record to establish a trusted relationship with the device. Once paired, the tool will then use that record to start up one or more services on the phone that allow their product to download personal information from it.
There are a few frightening things to know about how your iPhone or iPad communicates:
1. Pairing must take place over usb, but only takes a matter of seconds to perform. The device must either have no passcode, or be unlocked. NOTE: If you have “Require Passcode” set to anything other than “Immediate”, then it is also possible to pair with the device after you turn it off, until that time period expires.
2. Once any device has paired with your phone, that pairing record stays on your device until you blow it away by restoring the phone.
3. While the actual pairing process itself must take place over usb, at any time after that, the devices that paired with your phone can access everything on that phone over either usb *or wifi* regardless of whether or not you have wifi syncing turned on. This means that a hacker only needs a couple of seconds to pair with your device, and can then later on download all of your personal information off of the phone indefinitely if they can reach it over a network.
3a. In addition to being able to download all kinds of data from your phone wirelessly, a hacker can also take advantage of your phone’s “known wireless networks” to *force your phone* to join their network when you’re within range, so that they can attack the phone wirelessly. This is due to the iOS default behavior of automatically joining networks whose names it has seen before, such as “linksys” or “attwifi”.
3b. In addition to being able to connect over wifi, any hacker (or government agency) who can skirt around a cellular carrier’s firewalls might be able to connect to your phone over a cellular connection.
4. There are a number of back doors, which I am not at liberty to divulge, that an attacker can access to download personal information from your device regardless of whether or not you have backup encryption turned on, and regardless of whether your phone is locked or unlocked, once a pairing record has been established.
That tiny little pairing record is essentially a key to all of the data on your device. That’s why many law enforcement agencies are now seizing desktop machines on an arrest, so that they can grab a copy of this pairing record in order to unlock your phone. If you don’t use full disk encryption, a pairing record can most certainly be used from your desktop to download evidence from your phone. In the event that a piece of malware is given a copy of a pairing record, it can connect to the phone over usb or wifi and do a number of things that you wouldn’t wish on anyone.
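Because the desktop copy of a pairing record is as sensitive as the text above describes, it is worth knowing which records a machine holds. The following is an added example, not code from the original article or from pairlock: it inventories a directory of pairing records such as /var/db/lockdown and reports which ones carry private keys or an escrow record. The key names (HostID, HostPrivateKey, RootPrivateKey, EscrowBag) are assumed from libimobiledevice's pair-record layout, and the sample records are constructed.

```python
import plistlib
import tempfile
import time
from pathlib import Path

# Key names follow libimobiledevice's pair-record layout (an assumption; the
# article does not list them). Whoever holds these can act as the paired host.
SECRET_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")

def audit_pair_records(directory, now=None):
    """Return one finding per pairing record (*.plist) found in `directory`."""
    now = now or time.time()
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                record = plistlib.load(fh)
            if not isinstance(record, dict):
                raise ValueError("top level is not a dictionary")
        except Exception as exc:  # corrupt or unreadable record: report, don't stop
            findings.append({"udid": path.stem, "error": type(exc).__name__})
            continue
        info = path.stat()
        findings.append({
            "udid": path.stem,  # assumption: file is named after the device UDID
            "host_id": record.get("HostID"),
            "secrets": [k for k in SECRET_KEYS if k in record],
            "age_days": max(0, int((now - info.st_mtime) // 86400)),
            "world_readable": bool(info.st_mode & 0o004),
        })
    return findings

def write_constructed_records(directory):
    """Constructed sample data: one complete record and one corrupt file."""
    full = {"HostID": "CONSTRUCTED-HOST-ID", "HostPrivateKey": b"k",
            "RootPrivateKey": b"k", "EscrowBag": b"e", "DeviceCertificate": b"c"}
    with open(Path(directory) / "constructed-udid-0001.plist", "wb") as fh:
        plistlib.dump(full, fh)
    (Path(directory) / "constructed-udid-0002.plist").write_bytes(b"not a plist")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_records(tmp)
        for finding in audit_pair_records(tmp):
            print(finding)
```

On a Mac, pass /var/db/lockdown to `audit_pair_records` (reading it typically requires root); records for devices you no longer own, or records that are world-readable, are the ones to deal with first.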
Juice jacking is nothing new, and neither is Apple’s flagrant disregard for the security of iOS devices. Sadly, pairing security is only one of many design omissions Apple has made that leave you, the end-user, vulnerable to everything from malicious hackers to government surveillance. It’s something to take seriously. That’s why I wrote pairlock, a free utility that users can install on their jailbroken iOS device to lock and unlock the device’s pairing capabilities. You can download it for free, or build it from the tiny bit of source code I’ve included in the article.