Zdziarski: DFIR, security, reverse engineering, photography, theology, funky bass guitar. All opinions are my own.

Categories: Apple, Security

AceDeceiver: Breaking Apple’s Cryptographic Leash

On March 16, 2016 by Jonathan Zdziarski

This past week, I’ve been writing all about cryptographic leashes and how easily they could be broken in the case of an FBI-controlled iOS backdoor. Surprisingly, the first serious example of this surfaced this week. The researchers at Palo Alto Networks, who have been killing it lately with great iOS research, did a breakdown of a piece of Chinese malware known as AceDeceiver. AceDeceiver breaks the cryptographic leash baked into the iPhone’s App Store system, allowing an attacker to install applications on the host iPhone even after they’ve been revoked by Apple. While the malware, in its present form, isn’t likely to cause widespread damage, the vulnerabilities in Apple’s DRM that it exposes could be used for far more malicious purposes.

AceDeceiver starts its life as malware on your desktop. In its present form, you’d have to be dumb enough to install a Chinese pirate app store in order to have to worry about this, but in a more malicious form, something like it could potentially be embedded as a trojan in legitimate software. The malware performs a man-in-the-middle attack between your computer and the App Store, and fudges the authorizations used to let your iPhone run purchased software. Think of the attack as forging a receipt: you pay for a set of towels at Target, then return a different set. Apple has no way to check the towels (your apps) to make sure they’re the same ones, so the iPhone lets the app run because you have a valid receipt. It’s even worse than this, because the receipts aren’t tied to your iTunes account: you can pull someone else’s receipt out of the trash and return towels you never purchased. It’s this receipt that is re-used, by impersonating iTunes, to install the malware’s own software on your iPhone. The malware author can use his or her own receipts to load previously approved App Store software onto your phone.

There’s one catch to how AceDeceiver does this that is particularly dangerous: the applications it installs on your iPhone have been approved by Apple for the App Store, so rather than being signed with enterprise certificates (which can be revoked) or developer certificates (which can also be revoked), the application is signed with an un-revokable Apple certificate. Even if Apple pulls the malicious application from the App Store, it has no way of stopping it from running on your device. AceDeceiver’s software got through Apple’s review process by lying dormant inside what looked like a legitimate app. It called home to a C2 server to see if it should activate itself. After the app review process completed, it was signed by Apple and could be turned on to do damage. At that point, it didn’t matter that Apple removed it from the store: it was signed by Apple, and Apple can’t revoke its own certificate.

As I said, in its present form it’s used primarily for piracy; however, it could easily be converted into a piece of malware. Consider this scenario: you download a trojanized version of a legitimate application (such as Transmission, or anything else you’d find on the Internet). The trojan includes a piece of malware that was snuck into the App Store and then “turned on” later. Even if Apple has already revoked the application, the malware could still install it onto your non-jailbroken iOS device. This malware could be a decoy of a popular application you use, such as Gmail or Facebook, intended to steal your credentials (and download your data) when you log in.

I initially thought this was not a big deal, but as it turns out it can be. On the other hand, if you can get root on someone’s desktop, why would anybody go to all of the trouble of screwing around with apps? You can steal so much more from a user’s desktop that phishing for credentials seems almost tacky.

Overall, this is a very tricky DRM exploit, and because it’s so deeply integrated into Apple’s design, it’s hard to fix. In fact, this flaw has been known for at least three years and still goes unfixed in iOS. This particular design flaw wouldn’t allow something like FBiOS to run, but it does demonstrate that software control systems have weaknesses, and that cryptographic leashes like this can be broken in ways that are extremely difficult to fix with a large customer base and an established distribution platform. Should a similar leash be found that would affect something like FBiOS, it would be catastrophic to Apple, and could potentially leave hundreds of millions of devices exposed.

All website content Copyright © 2000-2022 by Jonathan Zdziarski